1. Log in to the Harbor interface with an account that has at least project administrator privileges.

  2. Go to Projects and select a project.

  3. Select the Scanner tab.

    The Scanner tab shows the details of the scanner that is currently set as the scanner to use for this project.

    Project scanner tab
  4. Click Edit to select a different scanner from the list of scanners that are connected to this Harbor instance, and click OK.

    Project scanner tab

    If you have selected the Prevent vulnerable images from running option in the project Configuration tab, the prevention of pulling vulnerable artifacts is determined by the scanner that is set in the project, or by the global default scanner if no scanner is configured specifically for the project. Different scanners might apply different levels of severity to artifact vulnerabilities.

  5. Select the Repositories tab and select a repository.

    For each artifact in the repository, the Vulnerabilities column displays the vulnerability scanning status and related information.

    Artifact vulnerability status
  6. Select a artifact, or use the check box at the top to select all artifacts in the repository, and click the Scan button to run the vulnerability scan on this artifact.

    Scan an artifact

    NOTE: You can start a scan at any time, unless the status is Queued or Scanning. If the database has not been fully populated, you should not run a scan. The following statuses are displayed in the Vulnerabilities column:

    • Not Scanned: The artifact has never been scanned.
    • Unsupported: The artifact is not supported by the scanner.
    • Queued: The scanning task is scheduled but has not run yet.
    • Scanning: The scanning task is in progress and a progress bar is displayed.
    • Scan stopped: The scanning task has been cancelled by a stop scan request.
    • View log: The scanning task failed to complete. Click View Log link to view the related logs.
    • Complete: The scanning task completed successfully.

    If the process completes successfully, the result indicates the overall severity level, with the total number of vulnerabilities found for each severity level, and the number of fixable vulnerabilities.

    Scan result
    • Red: At least one critical vulnerability found
    • Orange: At least one high level vulnerability found
    • Yellow: At least one medium level vulnerability found
    • Blue: At least one low level vulnerability found
    • Green: No vulnerabilities found
    • Grey: Unknown vulnerabilities
  7. Hover over the number of fixable vulnerabilities to see a summary of the vulnerability report.

    Vulnerability summary
  8. Click on the artifact digest to see a detailed vulnerability report.

    Vulnerability report

    In addition to information about the artifact, all of the vulnerabilities found in the last scan are listed. You can order or filter the list by the different columns. You can also click Scan in the report page to run a scan on this artifact.

Vulnerability scanning for OCI image index

When scanning an OCI image index, Harbor will send scan requests for each of the referenced artifact which is supported by the scanner to the scanner. If the image scanning status of any referenced image is Scanning, the status for the OCI image index as a whole will also be Scanning. The scan for the index is considered successful only if all referenced images are successfully scanned. It is considered limited successful when not all referenced images are successfully scanned but at least one of referenced image is successfully scanned, otherwise it is considered failed.

Limited successful

When an OCI image index is successfully scanned, the summary of the vulnerability report for the OCI image index is aggregated from the individual scan results of the the artifacts referenced by the index. The vulnerability report will show both sets of statistics.

Export Vulnerability Scans

As a project administrator, maintainer, or developer you are able to export vulnerability scan results from your projects as a CVS and download it from your Harbor instance. Note that you can only export vulnerability data from one project at a time.

  1. Log in to the Harbor interface.
  2. Go to Projects and select a project.
  3. Select Action and then Export CVE(s).
Export CVE
  1. In the Export CVE window you can apply any filters you want to the data included in the CVS.
  • Repositories: Filters by repository name. Enter multiple repository names in a comma separated list, repositories match a name repo*,or ** for all repositories in the projects.

  • Tags: Filters by tags. Enter multiple tags in a comma separated list, tags match a name tag*,or ** for all tags in the projects.

  • Labels: Filters by labels. Select multiple labels from the drop down.

  • CVE IDs: Filters by CVE number. Enter comma separated list of CVE IDs.

    Export CVE filter options
  1. Click Export. Harbor will begin creating the CVS file with your exported CVE details. The generated CVE file will be named csv_file_ and the current date and time formatted as yyyyMMddHHmmss. For example, csv_file_20220804123037.csv was created on 08/04/2022 at 12:30:37.

  2. Download the CVE file from the Event Log window. Expand the Event Log window by clicking on Event Log from the Harbor interface.

  3. Click the download icon next to the CSV file you want to download. Once you download the file, Harbor will delete it.

Download CSV file of vulnerability data