github.com/khulnasoft/harbor-scanner-tunnel
The Harbor Scanner Adapter for Tunnel is a service that translates the Harbor scanning API into Tunnel commands and allows Harbor to use Tunnel for providing vulnerability reports on images stored in Harbor registry as part of its vulnerability scan feature.
Harbor Scanner Adapter for Tunnel is the default static vulnerability scanner in Harbor >= 2.2.
For compliance with core components Harbor builds the adapter service binaries into Docker images based on Photos OS
(goharbor/tunnel-adapter-photon), whereas in this repository we build Docker images based on Alpine
(khulnasoft/harbor-scanner-tunnel). There is no difference in functionality though.
The following matrix indicates the version of Tunnel and Tunnel adapter installed in each Harbor release.
In Harbor >= 2.0 Tunnel can be configured as the default vulnerability scanner, therefore you can install it with the
official Harbor Helm chart, where HARBOR_CHART_VERSION >= 1.4:
helm repo add harbor https://helm.goharbor.io
helm install harbor harbor/harbor \
--create-namespace \
--namespace harbor
The adapter service is automatically registered under the Interrogation Service in the Harbor interface and designated as the default scanner.
Install the harbor-scanner-tunnel chart:
helm repo add khulnasoft https://khulnasoft.github.io/helm-charts
helm install harbor-scanner-tunnel khulnasoft/harbor-scanner-tunnel \
--namespace harbor --create-namespace
Configure the scanner adapter in the Harbor interface.
Select the Tunnel scanner and set it as default by clicking SET AS DEFAULT.
Make sure the Default label is displayed next to the Tunnel scanner's name.
Configuration of the adapter is done via environment variables at startup.
| Name | Default | Description |
|---|---|---|
SCANNER_LOG_LEVEL | info | The log level of trace, debug, info, warn, warning, error, fatal or panic. The standard logger logs entries with that level or anything above it. |
SCANNER_API_SERVER_ADDR | :8080 | Binding address for the API server |
SCANNER_API_SERVER_TLS_CERTIFICATE | N/A | The absolute path to the x509 certificate file |
SCANNER_API_SERVER_TLS_KEY | N/A | The absolute path to the x509 private key file |
SCANNER_API_SERVER_CLIENT_CAS | N/A | A list of absolute paths to x509 root certificate authorities that the api use if required to verify a client certificate |
SCANNER_API_SERVER_READ_TIMEOUT | 15s | The maximum duration for reading the entire request, including the body |
SCANNER_API_SERVER_WRITE_TIMEOUT | 15s | The maximum duration before timing out writes of the response |
SCANNER_API_SERVER_IDLE_TIMEOUT | 60s | The maximum amount of time to wait for the next request when keep-alives are enabled |
SCANNER_API_SERVER_METRICS_ENABLED | true | Whether to enable metrics |
SCANNER_TUNNEL_CACHE_DIR | /home/scanner/.cache/tunnel | Tunnel cache directory |
SCANNER_TUNNEL_REPORTS_DIR | /home/scanner/.cache/reports | Tunnel reports directory |
SCANNER_TUNNEL_DEBUG_MODE | false | The flag to enable or disable Tunnel debug mode |
SCANNER_TUNNEL_VULN_TYPE | os,library | Comma-separated list of vulnerability types. Possible values are os and library. |
SCANNER_TUNNEL_SECURITY_CHECKS | vuln,config,secret | comma-separated list of what security issues to detect. Possible values are vuln, config and secret. Defaults to vuln. |
SCANNER_TUNNEL_SEVERITY | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | Comma-separated list of vulnerabilities severities to be displayed |
SCANNER_TUNNEL_IGNORE_UNFIXED | false | The flag to display only fixed vulnerabilities |
SCANNER_TUNNEL_IGNORE_POLICY | `` | The path for the Tunnel ignore policy OPA Rego file |
SCANNER_TUNNEL_SKIP_UPDATE | false | The flag to disable Tunnel DB downloads. |
SCANNER_TUNNEL_SKIP_JAVA_DB_UPDATE | false | The flag to disable [Tunnel JAVA DB] downloads. |
SCANNER_TUNNEL_OFFLINE_SCAN | false | The flag to disable external API requests to identify dependencies. |
SCANNER_TUNNEL_GITHUB_TOKEN | N/A | The GitHub access token to download Tunnel DB (see GitHub rate limiting) |
SCANNER_TUNNEL_INSECURE | false | The flag to skip verifying registry certificate |
SCANNER_TUNNEL_TIMEOUT | 5m0s | The duration to wait for scan completion |
SCANNER_STORE_REDIS_NAMESPACE | harbor.scanner.tunnel:store | The namespace for keys in the Redis store |
SCANNER_STORE_REDIS_SCAN_JOB_TTL | 1h | The time to live for persisting scan jobs and associated scan reports |
SCANNER_JOB_QUEUE_REDIS_NAMESPACE | harbor.scanner.tunnel:job-queue | The namespace for keys in the scan jobs queue backed by Redis |
SCANNER_JOB_QUEUE_WORKER_CONCURRENCY | 1 | The number of workers to spin-up for the scan jobs queue |
SCANNER_REDIS_URL | redis://harbor-harbor-redis:6379 | The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. redis://:password@standalone_host:port/db-number and Redis Sentinel deployment, i.e. redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number. |
SCANNER_REDIS_POOL_MAX_ACTIVE | 5 | The max number of connections allocated by the Redis connection pool |
SCANNER_REDIS_POOL_MAX_IDLE | 5 | The max number of idle connections in the Redis connection pool |
SCANNER_REDIS_POOL_IDLE_TIMEOUT | 5m | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. |
SCANNER_REDIS_POOL_CONNECTION_TIMEOUT | 1s | The timeout for connecting to the Redis server |
SCANNER_REDIS_POOL_READ_TIMEOUT | 1s | The timeout for reading a single Redis command reply |
SCANNER_REDIS_POOL_WRITE_TIMEOUT | 1s | The timeout for writing a single Redis command. |
HTTP_PROXY | N/A | The URL of the HTTP proxy server |
HTTPS_PROXY | N/A | The URL of the HTTPS proxy server |
NO_PROXY | N/A | The URLs that the proxy settings do not apply to |
If you set the value of the SCANNER_TUNNEL_SKIP_UPDATE to true, make sure that you download the Tunnel DB
and mount it in the /home/scanner/.cache/tunnel/db/tunnel.db path.
Most likely it's a Docker DNS server or network firewall configuration issue. Tunnel requires internet connection to periodically download vulnerability database from GitHub to show up-to-date risks.
Try adding a DNS server to docker-compose.yml created by Harbor installer.
version: 2
services:
tunnel-adapter:
# NOTE Adjust IPs to your environment.
dns:
- 8.8.8.8
- 192.168.1.1
Alternatively, configure Docker daemon to use the same DNS server as host operating system. See DNS services section in the Docker container networking documentation for more details.
Tunnel DB downloads from GitHub are subject to rate limiting. Make sure that the Tunnel DB is mounted
and cached in the /home/scanner/.cache/tunnel/db/tunnel.db path. If, for any reason, it's not enough you can set the
value of the SCANNER_TUNNEL_GITHUB_TOKEN environment variable (authenticated requests get a higher rate limit).
Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests.
Harbor Scanner Adapter for Tunnel is an Khulnasoft Security open source project.
Learn about our open source work and portfolio here.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Ransomware negotiators share how modern cybercriminals operate like corporations, using specialized teams, negotiation tactics, and reputation management.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.