Harbor Scanner Adapter for Sysdig Secure
The Sysdig Secure Harbor Scanner Adapter enables Harbor to use Sysdig Secure scanning engine to analyze the container images managed by the platform.
See Pluggable Scanner API Spec for more details.
This adapter also provides a service that translates the Harbor scanning API requests into Sysdig Secure API calls, allowing Harbor to retrieve vulnerability reports and additional information from the scanning adapter. This information will be presented in the Harbor UI, transparently for the user.
You can follow a detailed guide to deploy the Scanner Adapter.
Inline and Backend Scanning
This scanning adapter has two operation modes:
- Backend Scanning: Image scanning happens in the Sysdig Secure Backend
- Inline Scanning: Image scanning happens in the infrastructure where Harbor is hosted
This is the default mode. The Sysdig Harbor adapter will forward the container image path to the Sysdig Secure backend (either SaaS or Onprem), for example
docker.io/alpine:latest. The backend will use this path to retrieve and scan the container image, providing the results back to the Sysdig Harbor adapter.
- Easier to install
- Sysdig Secure Backend needs to have network visibility in order to fetch images from Harbor
Using inline scanning, the scanning operation itself will be triggered and performed on your own infrastructure. It spawns a Kubernetes job when a new image is pushed, this job will communicate only the container metadata to the Sysdig Secure Backend, which will perform the evaluation based on the configured image scanning policies.
- No need to configure registry credentials in the Sysdig Secure Backend
- No need to expose your registry externally, so it can be reached by Sysdig Secure (see CON in the section above)
- Image contents are never transmitted outside the pipeline, just the image metadata
- The job performing the inline scanning needs to have access to the host-local Docker daemon
Configuration of the adapter is done via environment variables at startup.
||Sysdig Secure URL|
||Sysdig Secure API Token|
||Enable Inline Scanning instead of Backend|
||Namespace where Inline Scanning will spawn jobs|
||ConfigMap name where Harbor Certificate is available|
||Secret name where Sysdig Secure API Token and Robot Account are available|