
aquasecurity / Harbor Scanner Trivy

Licence: apache-2.0
Use Trivy as a plug-in vulnerability scanner in the Harbor registry

Programming Languages

go
31211 projects - #10 most used programming language

Projects that are alternatives of or similar to Harbor Scanner Trivy

Libellux-Up-and-Running
Libellux: Up & Running provides documentation on how-to install open-source software from source. The focus is Zero Trust Network to enhance the security for existing applications or install tools to detect and prevent threats.
Stars: ✭ 19 (-69.35%)
Mutual labels:  vulnerability-scanner
Cwe checker
cwe_checker finds vulnerable patterns in binary executables
Stars: ✭ 372 (+500%)
Mutual labels:  vulnerability-scanner
Rapidscan
🆕 The Multi-Tool Web Vulnerability Scanner.
Stars: ✭ 775 (+1150%)
Mutual labels:  vulnerability-scanner
sub404
A python tool to check subdomain takeover vulnerability
Stars: ✭ 205 (+230.65%)
Mutual labels:  vulnerability-scanner
Sqli Hunter
SQLi-Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API wrapper that makes digging SQLi easy.
Stars: ✭ 340 (+448.39%)
Mutual labels:  vulnerability-scanner
Sifter
Sifter aims to be a fully loaded Op Centre for Pentesters
Stars: ✭ 403 (+550%)
Mutual labels:  vulnerability-scanner
log4j-detector
Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!
Stars: ✭ 622 (+903.23%)
Mutual labels:  vulnerability-scanner
Burpbounty
Burp Bounty (Scan Check Builder in BApp Store) is a extension of Burp Suite that allows you, in a quick and simple way, to improve the active and passive scanner by means of personalized rules through a very intuitive graphical interface.
Stars: ✭ 1,026 (+1554.84%)
Mutual labels:  vulnerability-scanner
Crlfuzz
A fast tool to scan CRLF vulnerability written in Go
Stars: ✭ 354 (+470.97%)
Mutual labels:  vulnerability-scanner
Corsy
CORS Misconfiguration Scanner
Stars: ✭ 756 (+1119.35%)
Mutual labels:  vulnerability-scanner
Awvs12 docker
AWVS12, latest version 12.0.190902105_x64
Stars: ✭ 288 (+364.52%)
Mutual labels:  vulnerability-scanner
Nuclei
Fast and customizable vulnerability scanner based on simple YAML based DSL.
Stars: ✭ 6,307 (+10072.58%)
Mutual labels:  vulnerability-scanner
Xray
A comprehensive security assessment tool that supports scanning for common web security issues and custom PoCs | Be sure to read the documentation before use
Stars: ✭ 6,218 (+9929.03%)
Mutual labels:  vulnerability-scanner
avain
A Modular Framework for the Automated Vulnerability Analysis in IP-based Networks
Stars: ✭ 56 (-9.68%)
Mutual labels:  vulnerability-scanner
Marsnake
System Optimizer and Monitoring, Security Auditing, Vulnerability scanner for Linux, macOS, and UNIX-based systems
Stars: ✭ 16 (-74.19%)
Mutual labels:  vulnerability-scanner
erebus
Erebus is a fast tool for parameter-based vulnerability scanning using a Yaml based template engine like nuclei.
Stars: ✭ 72 (+16.13%)
Mutual labels:  vulnerability-scanner
Sqlmap
Automatic SQL injection and database takeover tool
Stars: ✭ 21,907 (+35233.87%)
Mutual labels:  vulnerability-scanner
Crawlergo
A powerful dynamic crawler for web vulnerability scanners
Stars: ✭ 1,088 (+1654.84%)
Mutual labels:  vulnerability-scanner
Xattacker
X Attacker Tool ☣ Website Vulnerability Scanner & Auto Exploiter
Stars: ✭ 897 (+1346.77%)
Mutual labels:  vulnerability-scanner
Silver
Mass scan IPs for vulnerable services
Stars: ✭ 588 (+848.39%)
Mutual labels:  vulnerability-scanner


Harbor Scanner Adapter for Trivy

The Harbor Scanner Adapter for Trivy is a service that translates the Harbor scanning API into Trivy commands and allows Harbor to use Trivy for providing vulnerability reports on images stored in Harbor registry as part of its vulnerability scan feature.

Deployment

Harbor >= 2.0 on Kubernetes

In Harbor >= 2.0 Trivy can be configured as the default vulnerability scanner, therefore you can install it with the official Harbor Helm chart, where HARBOR_CHART_VERSION >= 1.4:

$ helm repo add harbor https://helm.goharbor.io
$ HARBOR_CHART_VERSION=<chart version>
$
$ helm install harbor harbor/harbor \
    --version=$HARBOR_CHART_VERSION \
    --namespace harbor \
    --set clair.enabled=false \
    --set trivy.enabled=true

The adapter service is automatically registered under the Interrogation Service in the Harbor interface and designated as the default scanner.

Harbor 1.10 on Kubernetes

  1. Generate certificate and private key files:
    $ openssl genrsa -out tls.key 2048
    $ openssl req -new -x509 \
        -key tls.key \
        -out tls.crt \
        -days 365 \
        -subj /CN=harbor-scanner-trivy.harbor
    

    NOTE: The Common Name (CN) is the fully qualified domain name of the adapter service. In this example we assume that it is exposed as the harbor-scanner-trivy service in the harbor namespace.

  2. Install the harbor-scanner-trivy chart:
    $ helm repo add aqua https://helm.aquasec.com
    
    $ helm install harbor-scanner-trivy aqua/harbor-scanner-trivy \
        --namespace harbor \
        --set service.port=8443 \
        --set scanner.api.tlsEnabled=true \
        --set scanner.api.tlsCertificate="$(cat tls.crt)" \
        --set scanner.api.tlsKey="$(cat tls.key)"
    
  3. Configure the scanner adapter in the Harbor interface.
    1. Navigate to Interrogation Services and click + NEW SCANNER.
    2. Enter https://harbor-scanner-trivy.harbor:8443 as the Endpoint URL and click TEST CONNECTION.
    3. If everything is fine click ADD to save the configuration.
  4. Select the Trivy scanner and set it as default by clicking SET AS DEFAULT. Make sure the Default label is displayed next to the Trivy scanner's name.
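An added check that ties step 1 to step 3: it parses the certificate and confirms that the hostname in the Endpoint URL matches the CN (or a DNS SAN), that the URL is https, and that the certificate is inside its validity window. This is example code written for this page, not part of harbor-scanner-trivy or Harbor; the in-memory self-signed certificate mirrors the openssl command above, the three endpoint strings are constructed, and the function name CheckAdapterCert is this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CheckAdapterCert reports whether certPEM is usable for the Endpoint URL that
// will be entered in Harbor's Interrogation Services page at time now: the URL
// must be https, its hostname must equal the certificate's CN or one of its DNS
// SANs, and now must fall inside the validity window.
func CheckAdapterCert(certPEM []byte, endpoint string, now time.Time) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return fmt.Errorf("parse endpoint URL: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("endpoint %q is not https, but the adapter was installed with TLS enabled", endpoint)
	}
	host := u.Hostname()
	matched := cert.Subject.CommonName == host
	for _, name := range cert.DNSNames {
		if name == host {
			matched = true
		}
	}
	if !matched {
		return fmt.Errorf("hostname %q matches neither CN %q nor DNS SANs %v", host, cert.Subject.CommonName, cert.DNSNames)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate is not valid at %s (valid from %s to %s)",
			now.UTC().Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return nil
}

// selfSignedPEM builds, in memory, the same kind of certificate the openssl
// command in step 1 produces: self-signed, CN only, valid for 365 days.
// It is constructed for this example so it runs without touching the filesystem.
func selfSignedPEM(cn string, notBefore time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	certPEM, err := selfSignedPEM("harbor-scanner-trivy.harbor", now)
	if err != nil {
		panic(err)
	}
	// Constructed endpoints: the one from step 3, a wrong namespace, and plain http.
	for _, ep := range []string{
		"https://harbor-scanner-trivy.harbor:8443",
		"https://harbor-scanner-trivy.default:8443",
		"http://harbor-scanner-trivy.harbor:8443",
	} {
		if err := CheckAdapterCert(certPEM, ep, now); err != nil {
			fmt.Printf("%s: %v\n", ep, err)
		} else {
			fmt.Printf("%s: OK\n", ep)
		}
	}
}
```

The first endpoint passes, the second fails the hostname check and the third fails the scheme check. Go's own TLS clients, like most modern ones, match the hostname against DNS SANs rather than the CN, which is why the check accepts either; a certificate that also carries a DNS SAN for the service FQDN is the more robust choice if TEST CONNECTION reports a name mismatch.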

Configuration

Configuration of the adapter is done via environment variables at startup.

Name | Default | Description
SCANNER_LOG_LEVEL | info | The log level: one of trace, debug, info, warn, warning, error, fatal or panic. The standard logger logs entries with that level or anything above it.
SCANNER_API_SERVER_ADDR | :8080 | Binding address for the API server
SCANNER_API_SERVER_TLS_CERTIFICATE | N/A | The absolute path to the x509 certificate file
SCANNER_API_SERVER_TLS_KEY | N/A | The absolute path to the x509 private key file
SCANNER_API_SERVER_CLIENT_CAS | N/A | A list of absolute paths to x509 root certificate authorities that the API uses, if required, to verify a client certificate
SCANNER_API_SERVER_READ_TIMEOUT | 15s | The maximum duration for reading the entire request, including the body
SCANNER_API_SERVER_WRITE_TIMEOUT | 15s | The maximum duration before timing out writes of the response
SCANNER_API_SERVER_IDLE_TIMEOUT | 60s | The maximum amount of time to wait for the next request when keep-alives are enabled
SCANNER_TRIVY_CACHE_DIR | /home/scanner/.cache/trivy | Trivy cache directory
SCANNER_TRIVY_REPORTS_DIR | /home/scanner/.cache/reports | Trivy reports directory
SCANNER_TRIVY_DEBUG_MODE | false | The flag to enable or disable Trivy debug mode
SCANNER_TRIVY_VULN_TYPE | os,library | Comma-separated list of vulnerability types. Possible values are os and library.
SCANNER_TRIVY_SEVERITY | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | Comma-separated list of vulnerability severities to be displayed
SCANNER_TRIVY_IGNORE_UNFIXED | false | The flag to display only fixed vulnerabilities
SCANNER_TRIVY_SKIP_UPDATE | false | The flag to enable or disable Trivy DB downloads from GitHub
SCANNER_TRIVY_GITHUB_TOKEN | N/A | The GitHub access token to download the Trivy DB (see GitHub rate limiting)
SCANNER_TRIVY_INSECURE | false | The flag to skip verifying the registry certificate
SCANNER_STORE_REDIS_NAMESPACE | harbor.scanner.trivy:store | The namespace for keys in the Redis store
SCANNER_STORE_REDIS_SCAN_JOB_TTL | 1h | The time to live for persisting scan jobs and associated scan reports
SCANNER_JOB_QUEUE_REDIS_NAMESPACE | harbor.scanner.trivy:job-queue | The namespace for keys in the scan jobs queue backed by Redis
SCANNER_JOB_QUEUE_WORKER_CONCURRENCY | 1 | The number of workers to spin up for the scan jobs queue
SCANNER_REDIS_URL | redis://harbor-harbor-redis:6379 | The Redis server URI. The URI supports schemes to connect to a standalone Redis server, i.e. redis://:password@redis_host:port/db-number, and to a Redis Sentinel deployment, i.e. redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number.
SCANNER_REDIS_POOL_MAX_ACTIVE | 5 | The max number of connections allocated by the Redis connection pool
SCANNER_REDIS_POOL_MAX_IDLE | 5 | The max number of idle connections in the Redis connection pool
SCANNER_REDIS_POOL_IDLE_TIMEOUT | 5m | The duration after which idle connections to the Redis server are closed. If the value is zero, idle connections are not closed.
SCANNER_REDIS_POOL_CONNECTION_TIMEOUT | 1s | The timeout for connecting to the Redis server
SCANNER_REDIS_POOL_READ_TIMEOUT | 1s | The timeout for reading a single Redis command reply
SCANNER_REDIS_POOL_WRITE_TIMEOUT | 1s | The timeout for writing a single Redis command
HTTP_PROXY | N/A | The URL of the HTTP proxy server
HTTPS_PROXY | N/A | The URL of the HTTPS proxy server
NO_PROXY | N/A | The URLs that the proxy settings do not apply to

Documentation

  • Architecture - architectural decisions behind designing harbor-scanner-trivy.
  • Releases - how to release a new version of harbor-scanner-trivy.

Troubleshooting

Error: database error: --skip-update cannot be specified on the first run

If you set SCANNER_TRIVY_SKIP_UPDATE to true, make sure that you download the Trivy DB from GitHub and mount it at the /home/scanner/.cache/trivy/db/trivy.db path.

Error: failed to list releases: GET https://api.github.com/repos/aquasecurity/trivy-db/releases: 403 API rate limit exceeded

Trivy DB downloads from GitHub are subject to rate limiting. Make sure that the Trivy DB is mounted and cached at the /home/scanner/.cache/trivy/db/trivy.db path. If, for any reason, that is not enough, set the SCANNER_TRIVY_GITHUB_TOKEN environment variable (authenticated requests get a higher rate limit).
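An added pre-flight check that ties the Configuration table to the troubleshooting cases above: it validates the documented enumerations, duration syntax, TLS certificate/key pairing and Redis URL scheme, and flags SCANNER_TRIVY_SKIP_UPDATE=true when the Trivy DB is not present at the documented path. This is example code written for this page, not part of harbor-scanner-trivy; the variable names and defaults come from the table, while the validation rules and the ValidateConfig name are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// Allowed values are taken from the Configuration table; the checks are this example's own.
var (
	validSeverities = map[string]bool{"UNKNOWN": true, "LOW": true, "MEDIUM": true, "HIGH": true, "CRITICAL": true}
	validVulnTypes  = map[string]bool{"os": true, "library": true}
	durationVars    = []string{"SCANNER_API_SERVER_READ_TIMEOUT", "SCANNER_API_SERVER_WRITE_TIMEOUT",
		"SCANNER_API_SERVER_IDLE_TIMEOUT", "SCANNER_STORE_REDIS_SCAN_JOB_TTL", "SCANNER_REDIS_POOL_IDLE_TIMEOUT",
		"SCANNER_REDIS_POOL_CONNECTION_TIMEOUT", "SCANNER_REDIS_POOL_READ_TIMEOUT", "SCANNER_REDIS_POOL_WRITE_TIMEOUT"}
)

// getenv returns env[name], or def when the variable is unset or empty.
func getenv(env map[string]string, name, def string) string {
	if v := env[name]; v != "" {
		return v
	}
	return def
}

// checkList verifies that every comma-separated item of env[name] (or its default) is an allowed value.
func checkList(env map[string]string, name, def string, allowed map[string]bool) (problems []string) {
	for _, item := range strings.Split(getenv(env, name, def), ",") {
		if item = strings.TrimSpace(item); !allowed[item] {
			problems = append(problems, fmt.Sprintf("%s: unsupported value %q", name, item))
		}
	}
	return problems
}

// ValidateConfig returns the problems found in env; an empty result means the settings are
// consistent. exists reports whether a path is present and is injected so the check runs offline.
func ValidateConfig(env map[string]string, exists func(string) bool) []string {
	var problems []string
	// Enumerated settings must use documented values.
	problems = append(problems, checkList(env, "SCANNER_TRIVY_SEVERITY", "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", validSeverities)...)
	problems = append(problems, checkList(env, "SCANNER_TRIVY_VULN_TYPE", "os,library", validVulnTypes)...)
	// Timeouts and TTLs use Go duration syntax (15s, 1h); an unparseable value fails at startup.
	for _, name := range durationVars {
		if v := env[name]; v != "" {
			if _, err := time.ParseDuration(v); err != nil {
				problems = append(problems, fmt.Sprintf("%s: %v", name, err))
			}
		}
	}
	// TLS: certificate and key only make sense together, and both files must be present.
	cert, key := env["SCANNER_API_SERVER_TLS_CERTIFICATE"], env["SCANNER_API_SERVER_TLS_KEY"]
	if (cert == "") != (key == "") {
		problems = append(problems, "SCANNER_API_SERVER_TLS_CERTIFICATE and SCANNER_API_SERVER_TLS_KEY must be set together")
	}
	for _, p := range []string{cert, key} {
		if p != "" && !exists(p) {
			problems = append(problems, fmt.Sprintf("TLS file %s does not exist", p))
		}
	}
	// Redis URL: only the redis:// and redis+sentinel:// schemes are documented.
	if u, err := url.Parse(getenv(env, "SCANNER_REDIS_URL", "redis://harbor-harbor-redis:6379")); err != nil {
		problems = append(problems, fmt.Sprintf("SCANNER_REDIS_URL: %v", err))
	} else if u.Scheme != "redis" && u.Scheme != "redis+sentinel" {
		problems = append(problems, fmt.Sprintf("SCANNER_REDIS_URL: unsupported scheme %q", u.Scheme))
	}
	// Troubleshooting case: with --skip-update Trivy fails on its first run unless the DB is already mounted.
	if strings.EqualFold(getenv(env, "SCANNER_TRIVY_SKIP_UPDATE", "false"), "true") {
		db := filepath.Join(getenv(env, "SCANNER_TRIVY_CACHE_DIR", "/home/scanner/.cache/trivy"), "db", "trivy.db")
		if !exists(db) {
			problems = append(problems, fmt.Sprintf("SCANNER_TRIVY_SKIP_UPDATE=true but %s is missing", db))
		}
	}
	return problems
}

func main() {
	// Snapshot the real process environment and probe the real filesystem.
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if i := strings.IndexByte(kv, '='); i > 0 {
			env[kv[:i]] = kv[i+1:]
		}
	}
	problems := ValidateConfig(env, func(p string) bool { _, err := os.Stat(p); return err == nil })
	for _, p := range problems {
		fmt.Println("problem:", p)
	}
	if len(problems) > 0 {
		os.Exit(1)
	}
}
```

Run it inside the adapter's container (or with the same environment exported) before a restart; a non-zero exit lists every inconsistency found rather than stopping at the first, so one run covers both troubleshooting cases above.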

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests.
