├── README.md
└── README_en.md

/README.md:
--------------------------------------------------------------------------------
# Harbor-Scanner

A free image vulnerability scanner that scans for vulnerabilities in the software packages installed in an image, supports a Chinese-language vulnerability database, and integrates seamlessly with [Harbor](https://github.com/goharbor/harbor).

> Dosec's commercial customers can use the Enterprise Edition scanning features, such as scanning for vulnerabilities in open-source frameworks and scanning for sensitive data contained in container images. The Enterprise Edition also adds a web UI, providing dashboards, asset management, user management, image vulnerability remediation advice, security and policy assessment reports, container runtime protection, Docker and Kubernetes compliance checks, and other features and modules.

## Features

* Fast and accurate vulnerability scanning, with support for both CVE and CNNVD vulnerability IDs and Chinese-language vulnerability descriptions
* Automatic vulnerability database updates (enable the auto-update parameter in the configuration)
* Quick to deploy and use: the latest release already includes the full vulnerability database up to a recent date, so scans produce results immediately after installation

## Installation

We recommend deploying Harbor-Scanner and the Harbor image registry on the same server.

1. Download the Harbor-Scanner offline installation package and extract it

```shell
wget https://github.com/dosec-cn/harbor-scanner/releases/download/v1.3/dosec-scanner.tgz
# extract
tar zxf dosec-scanner.tgz
# enter the project directory
cd dosec-scanner
```

2. Run the Install script

> docker-compose must be installed beforehand

```shell
./Install.sh
```

3. Configure the Harbor registry

Log in to the Harbor administration UI -> Interrogation Services -> Scanners -> New Scanner

![New scanner](http://img.dosec.cn/20191223112547.png)

Fill in the scanner configuration -> click ADD to confirm

![Scanner configuration](http://img.dosec.cn/20200112194526.png)

① Enter the scanner's name

② Enter the scanner's IP and port

③ Test whether Harbor and the scanner can connect

④ The scanner can only be added after the connection test succeeds

## Custom configuration

Modify the `docker-compose.yaml` file as needed.

```yaml
version: '2.2'

services:
  dosec-db-hb:
    image: hub.dosec.cn/library/dosec-db-hb:2022-07-07T16.56.50V2.0-20220706
    restart: always

  dosec-scannerapp:
    depends_on:
      - dosec-db-hb
    image: hub.dosec.cn/library/dosec-scannerapp:2022-07-19T13.14.25V1.0.1_prod
    # Maps host port 8899 by default
    ports:
      - "8899:8899"
    restart: always
    # By default, program logs are mapped to the host's /var/log/dosec-scanner directory
    volumes:
      - /var/log/dosec-scanner:/dosec/log

  dosec-scanner-hb:
    depends_on:
      - dosec-db-hb
      - dosec-scannerapp
    image: hub.dosec.cn/library/dosec-scanner-hb:2022-07-19T13.04.06V1.3_release
    # command: ["-update_cve"]
    # Online CVE updating is commented out by default; it consumes a lot of CPU and memory
    restart: always
    # By default, program logs are mapped to the host's /var/log/dosec-scanner directory
    volumes:
      - /var/log/dosec-scanner:/dosec/log
```

## Uninstall

Enter the Harbor-Scanner project directory and run the following command to uninstall completely.

```shell
docker-compose down
```

## Operating systems supported for scanning

- Debian >= 7, unstable
- Ubuntu LTS releases >= 12.04
- Red Hat Enterprise Linux >= 5
- CentOS >= 5
- Alpine >= 3.3
- Oracle Linux >= 5

## Dosec security product comparison

| Feature | Harbor-Scanner | [Dosec Container Security Platform](https://www.dosec.cn/) |
| ------------------------------------------- | :----------------: | :--------------------------------------------------------: |
| License | Free | Enterprise Edition |
| Integration with Harbor | :heavy_check_mark: | :heavy_check_mark: |
| OS package vulnerability scanning | :heavy_check_mark: | :heavy_check_mark: |
| Open-source component vulnerability scanning | | :heavy_check_mark: |
| Malware scanning | | :heavy_check_mark: |
| Sensitive data scanning | | :heavy_check_mark: |
| Image configuration checks | | :heavy_check_mark: |
| Image history behavior analysis | | :heavy_check_mark: |
| Blocking untrusted images from running | | :heavy_check_mark: |
| Runtime protection | | :heavy_check_mark: |
| Compliance checks | | :heavy_check_mark: |

## Community

**WeChat group**: the Harbor-Scanner discussion group. Scan the community member's WeChat QR code, and when adding them please include a note with your name and company/school/organization/institution.

![QR code](http://img.dosec.cn/2019_10_28_1838167633.png)

--------------------------------------------------------------------------------
/README_en.md:
--------------------------------------------------------------------------------
# Harbor-Scanner

A free image vulnerability scanner that implements [Harbor's](https://github.com/goharbor/harbor) pluggable scanner adapter.

## Features

* Accurate vulnerability scan results, with support for CVE and CNNVD vulnerability IDs and Chinese vulnerability descriptions
* Automatic CVE database updates (configure this in the docker-compose YAML file)
* Available immediately after deployment, without waiting for a database update: the offline package already includes the newest CVE database

## Install

1. Download the Harbor-Scanner offline install package

```shell
wget https://github.com/dosec-cn/harbor-scanner/releases/download/v1.3/dosec-scanner.tgz
# decompress
tar zxf dosec-scanner.tgz
# change work directory
cd dosec-scanner
```

2. Run the install script

> Requirement: docker-compose needs to be installed

```shell
./Install.sh
```

3. Configure Harbor

Log in to the Harbor UI -> Interrogation Services -> Scanners -> NEW SCANNER

![new scanner](http://img.dosec.cn/20191223112746.png)

Fill in the configuration -> click ADD to finish

![scanner config](http://img.dosec.cn/20200112194526.png)

① Scanner name

② Scanner service's IP and port

③ Test the scanner connection

④ The scanner can only be added after the ping test succeeds

## Custom Configuration

Modify `docker-compose.yaml` if needed.

```yaml
version: '2.2'

services:
  dosec-db-hb:
    image: hub.dosec.cn/library/dosec-db-hb:2022-07-07T16.56.50V2.0-20220706
    restart: always

  dosec-scannerapp:
    depends_on:
      - dosec-db-hb
    image: hub.dosec.cn/library/dosec-scannerapp:2022-07-19T13.14.25V1.0.1_prod
    # map port to host's 8899
    ports:
      - "8899:8899"
    restart: always
    # map log directory to host's /var/log/dosec-scanner
    volumes:
      - /var/log/dosec-scanner:/dosec/log

  dosec-scanner-hb:
    depends_on:
      - dosec-db-hb
      - dosec-scannerapp
    image: hub.dosec.cn/library/dosec-scanner-hb:2022-07-19T13.04.06V1.3_release
    # command: ["-update_cve"]
    # uncomment this command if you need auto updating cve database
    restart: always
    # map log directory to host's /var/log/dosec-scanner
    volumes:
      - /var/log/dosec-scanner:/dosec/log
```

## Uninstall

Change to the Harbor-Scanner project directory and execute the command below.

```shell
docker-compose down
```

## Image OS Support

- Debian >= 7, unstable
- Ubuntu LTS releases >= 12.04
- Red Hat Enterprise Linux >= 5
- CentOS >= 5
- Alpine >= 3.3
- Oracle Linux >= 5

## Dosec Product Comparison

| Function | Harbor-Scanner | [Dosec Container Security Platform](https://www.dosec.cn/) |
| ----------------------------------- | :----------------: | :--------------------------------------------------------: |
| Edition | Free | Enterprise Edition |
| Integration with Harbor | :heavy_check_mark: | :heavy_check_mark: |
| OS package vulnerability | :heavy_check_mark: | :heavy_check_mark: |
| Open source component vulnerability | | :heavy_check_mark: |
| Malware Detection | | :heavy_check_mark: |
| Sensitive Files Detection | | :heavy_check_mark: |
| Image Configuration Analysis | | :heavy_check_mark: |
| Docker File Analysis | | :heavy_check_mark: |
| Runtime Protection | | :heavy_check_mark: |
| Benchmark Check | | :heavy_check_mark: |

## Community

WeChat group: Scan the QR code below to add a community member and get an invitation to join the community group. Please include your Name-Company/Organization/Others information when you add them.

![QR Code](http://img.dosec.cn/2019_10_28_1838167633.png)

--------------------------------------------------------------------------------