Vulnerability Scanning

Mirantis Secure Registry (MSR) 4, built on the Harbor open-source project, includes powerful tools for vulnerability scanning. Scanning container images for vulnerabilities is a critical step in ensuring your applications are secure before deploying them into production environments. This document provides detailed instructions for configuring and using the vulnerability scanning features in MSR 4. By default, MSR 4 leverages Trivy, an efficient and fast vulnerability scanner. Additionally, MSR supports advanced capabilities, including integration with other scanners like Grype and Anchore, as well as third-party security tools.

Prerequisites

Before configuring vulnerability scanning, ensure the following:

  • MSR 4 is installed and operational, deployed on your Swarm or Kubernetes cluster.

  • You have administrator-level access to the MSR web console.

  • Network access is configured for any external vulnerability scanners you plan to use.

Configuring Vulnerability Scanning in MSR 4

To get started with vulnerability scanning, follow these steps:

Enabling Vulnerability Scanning with Trivy (Default Scanner)

  1. Log in to the MSR web console using your administrator credentials.

  2. Navigate to the Administration section from the left-hand navigation menu.

  3. Under Interrogation Services, select Scanners.

  4. Trivy is enabled as the default scanner in MSR 4.

    • If Trivy is not marked as “Default”, select the scanner and click the “SET AS DEFAULT” button.

  5. To test the connection, select the scanner, click the ACTION drop-down, and select EDIT. In the popup, click Test Connection to verify that Trivy is reachable and functional. If the connection succeeds, click Save to keep the configuration.

Trivy provides fast, lightweight scanning for Common Vulnerabilities and Exposures (CVEs) in container images. With Trivy set as the default scanner, it is used for every scan in MSR 4, including automated scans on push once those are enabled for a project (see Configuring Automated Scans below).

Adding and Configuring Additional Scanners

To enhance your vulnerability scanning strategy, you can integrate additional scanners, such as Grype and Anchore, into MSR 4. These tools provide broader coverage and specialized features for detecting vulnerabilities.

  1. Deploy the scanner you want to add (e.g., Grype or Anchore) according to its documentation.

  2. In the MSR web console, navigate to Administration > Interrogation Services > Scanners and click + New Scanner.

    • Provide the required details for the new scanner:

      • Name: A unique identifier for the scanner (e.g., Grype-Primary).

      • Endpoint URL: The API endpoint for the scanner.

      • Authorization: Select the authorization mechanism the scanner expects and provide the matching credentials, token, or key.

  3. Click Test Connection to validate the configuration, and then click Add.

Once additional scanners are configured, they can be used alongside Trivy or set as the default scanner for specific projects.

Configuring Automated Scans

Automated scans ensure that images are evaluated for vulnerabilities immediately when they are pushed to the registry. This helps enforce security policies consistently across your container ecosystem.

To enable automated scans:

  1. Navigate to Projects in the MSR web console.

  2. Select a project, then click Configuration.

  3. Enable the Automatically Scan Images on Push option.

  4. Save the configuration to apply the change.

Viewing and Managing Scan Results

After a scan is completed, results are accessible in the MSR web console.

  1. Navigate to the repository in the desired project and select the image.

  2. Select the artifact digest.

  3. Scroll down to Artifacts, then Vulnerabilities.

  4. The report includes detailed information about detected vulnerabilities, categorized by severity (Critical, High, Medium, Low, Unknown). Export the results in JSON or CSV format for further analysis if needed.
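The automated-scan setting above and the per-artifact vulnerability report can also be driven from a pipeline rather than the web console. The following is an added example and is not part of the MSR documentation or Mirantis' own tooling: it assumes that MSR 4, being built on Harbor, exposes the Harbor v2.0 REST API (project metadata `auto_scan`, the artifact `/scan` action, `scan_overview` status, and the `/additions/vulnerabilities` report), and the host, project, repository, tag, credentials and CVE identifiers are placeholders. The `summarize` and `passes_policy` functions work on a constructed sample report so the policy logic runs offline; the network functions are only called when you point them at a real registry.

```python
"""Trigger a scan in MSR 4, fetch the report, and gate on its severity counts.

Added example; not MSR's own code. Assumes the Harbor v2.0 API is exposed by MSR 4.
All hosts, credentials, names and CVE ids below are placeholders or constructed data.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

MSR_URL = "https://msr.example.com"   # placeholder registry URL
MSR_USER = "admin"                     # placeholder account
MSR_PASSWORD = "CHANGE_ME"             # placeholder secret; read from a vault in practice
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Unknown"]
REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"


def _request(method, path, body=None):
    """Send one authenticated JSON request to the Harbor v2.0 API and decode the reply."""
    token = base64.b64encode(f"{MSR_USER}:{MSR_PASSWORD}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(MSR_URL + "/api/v2.0" + path, data=data, method=method)
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def enable_auto_scan(project):
    """API equivalent of 'Automatically Scan Images on Push' in the project Configuration page."""
    _request("PUT", f"/projects/{project}", {"metadata": {"auto_scan": "true"}})


def artifact_path(project, repository, reference):
    """Build the artifact path; Harbor expects '/' inside repository names double-encoded."""
    repo = urllib.parse.quote(urllib.parse.quote(repository, safe=""), safe="")
    return f"/projects/{project}/repositories/{repo}/artifacts/{reference}"


def scan_and_wait(project, repository, reference, timeout=300):
    """Start a scan with the default scanner, wait for it to finish, return the report."""
    base = artifact_path(project, repository, reference)
    _request("POST", base + "/scan")
    deadline = time.time() + timeout
    while time.time() < deadline:
        artifact = _request("GET", base + "?with_scan_overview=true")
        overview = (artifact or {}).get("scan_overview", {}).get(REPORT_MIME, {})
        status = overview.get("scan_status", "")
        if status == "Success":
            return _request("GET", base + "/additions/vulnerabilities")
        if status == "Error":
            raise RuntimeError("scanner reported an error for this artifact")
        time.sleep(5)
    raise TimeoutError("scan did not finish before the timeout")


def summarize(report):
    """Count findings per severity and list Critical/High CVEs that already have a fix."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    fixable = []
    for body in report.values():
        for v in body.get("vulnerabilities", []):
            sev = v.get("severity", "Unknown")
            counts[sev if sev in counts else "Unknown"] += 1  # unexpected labels count as Unknown
            if sev in ("Critical", "High") and v.get("fix_version"):
                fixable.append((v["id"], v["package"], v["version"], v["fix_version"]))
    return counts, fixable


def passes_policy(counts, block_at="High"):
    """True when no finding is at or above the blocking severity."""
    blocked = SEVERITY_ORDER[: SEVERITY_ORDER.index(block_at) + 1]
    return all(counts[s] == 0 for s in blocked)


# Constructed sample in the Harbor report layout; not real scanner output.
SAMPLE_REPORT = {
    REPORT_MIME: {
        "generated_at": "2024-01-01T00:00:00Z",
        "scanner": {"name": "Trivy", "vendor": "Aqua Security", "version": "placeholder"},
        "severity": "Critical",
        "vulnerabilities": [
            {"id": "CVE-0000-0001", "package": "libexample", "version": "1.0", "fix_version": "1.1", "severity": "Critical"},
            {"id": "CVE-0000-0002", "package": "libother", "version": "2.0", "fix_version": "", "severity": "High"},
            {"id": "CVE-0000-0003", "package": "tool", "version": "3.0", "fix_version": "3.1", "severity": "Medium"},
            {"id": "CVE-0000-0004", "package": "thing", "version": "0.1", "fix_version": "", "severity": "Bogus"},
        ],
    }
}

if __name__ == "__main__":
    # Offline demonstration on the constructed report; swap in scan_and_wait(...) for a live registry.
    counts, fixable = summarize(SAMPLE_REPORT)
    print("severity counts:", counts)
    print("fixable Critical/High:", fixable)
    print("policy (block at High):", "PASS" if passes_policy(counts, "High") else "FAIL")
```

The gate deliberately keys on severity labels only; whether a finding has a `fix_version` is reported separately so a team can decide to block only on fixable findings without changing the counting logic.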

Enhancing Security with Third-Party Scanners

In addition to using Trivy and integrating scanners like Grype and Anchore, MSR 4 supports third-party scanners to create a comprehensive vulnerability management strategy. Leveraging multiple tools enables a layered security approach, enhancing protection against various types of vulnerabilities and compliance risks.

Supported Third-Party Scanners

MSR 4 can integrate with a wide range of third-party security tools, including:

  • Aqua Trivy: Provides enhanced compliance checks and detailed vulnerability information.

  • Clair: A simple, lightweight scanner suitable for cloud-native environments.

  • Aqua CSP: Offers runtime protection and advanced vulnerability scanning.

  • DoSec Scanner: Focuses on detecting and mitigating sophisticated vulnerabilities.

  • Sysdig Secure: Provides runtime monitoring and vulnerability analysis with policy enforcement.

  • TensorSecurity: Uses AI-driven insights for identifying vulnerabilities in containerized applications.

Benefits of Third-Party Scanners

Each of these tools brings unique advantages to your container security strategy. For instance, Aqua CSP and Sysdig Secure extend vulnerability scanning into runtime environments, ensuring your containers remain protected after deployment. TensorSecurity uses machine learning to identify patterns in vulnerability data, uncovering risks that traditional scanners might miss.

Configuring a Third-Party Scanner

  1. Deploy the third-party scanner on your infrastructure or subscribe to its hosted service.

  2. Retrieve API credentials and endpoint details from the scanner’s documentation.

  3. Add the scanner to MSR 4 by navigating to Administration > Interrogation Services > Scanners and using the + New Scanner workflow described earlier.

  4. Validate the scanner’s functionality by running test scans and analyzing the results.

By integrating third-party scanners, MSR 4 empowers you to customize your security strategy to meet specific organizational needs and regulatory requirements.

Conclusion

Mirantis Secure Registry (MSR) 4 provides a robust and flexible vulnerability scanning solution. With Trivy enabled by default, organizations can quickly detect and mitigate vulnerabilities in container images. The ability to integrate additional scanners, including third-party tools, allows you to create a comprehensive security strategy tailored to your needs.