SafeHarborServer provides the REST API for the SafeHarbor container security scanning system. See also the Safe Harbor command line client.
- Enables you to add container image scanning for multiple scanners to your dev/test/deploy pipeline without having to learn the nuances of each scanner.
- You can run any or all of the scanners that are supported by SafeHarborServer.
- You can add an additional scanner, using the ScanProvider API.
- You can define access control lists to give access to your container images to partners in your organization or in other organizations, at an individual level, a team level, or an organization level.
- You can examine the scan history of an image.
- You can define and save a re-usable scan profile.
- Images can be in any registry that supports the Docker Registry v2 REST protocol.
You can still use the value-added features of each scanner. E.g., Twistlock has powerful scan results examination features, and you can still use those features for scans that are triggered by SafeHarborServer. SafeHarborServer connects to the native scanner platforms rather than bypassing them.
The container scanners that are currently supported are:
- Clair
- Twistlock
Under development:
- OpenSCAP
- Lynis
You can add another scanner by implementing the ScanProvider API. At present, adding a scan provider also requires adding code to the Server module and recompiling SafeHarborServer, but we plan to create a provider API that will not require recompilation.
See https://drive.google.com/open?id=1r6Xnfg-XwKvmF4YppEZBcxzLbuqXGAA2YCIiPb_9Wfo
- Go to the `build/Centos` directory.
- Run `vagrant up`.

- Go to the `deploy/(target-OS)` directory.
- Run `make -f ../../certs.mk` (if you have not already done this).
- Edit `safeharbor.conf` (usually does not need to change).
- Run `./deploy.sh`.
- Log into the server using `vagrant ssh`.
- Edit `conf.json` (usually does not need to change).
- Edit `auth_config.yml` (usually does not need to change).
- Log out of the server.
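The build and deploy steps above can be driven from one script. The wrapper below is an added example, not part of SafeHarborServer; it assumes the repository layout named on this page (`build/Centos`, `deploy/<target-OS>`, `certs.mk` at the repository root) and uses `make -q` (question mode, which reports whether targets are up to date without building) to implement the "if you have not already done this" note on the certificate step. The file names it checks before running `./deploy.sh` are the ones the page lists; nothing else about the project is assumed.

```shell
#!/bin/sh
# Added example wrapper for the SafeHarborServer build/deploy procedure.
# Assumptions (not from the project): repository root is the current directory
# or the first argument; target OS directory defaults to "Centos".
set -eu

# Print the deploy directory for a target OS (assumed layout: deploy/<target-OS>).
deploy_dir() {
    printf '%s/deploy/%s\n' "$1" "$2"
}

# Return 0 if every file the deploy step expects is present in the directory.
# safeharbor.conf and deploy.sh are named on the page; nothing else is assumed.
check_deploy_prereqs() {
    dir="$1"
    ok=0
    for f in safeharbor.conf deploy.sh; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            ok=1
        fi
    done
    return $ok
}

# Build step: "go to build/Centos, run vagrant up".
build_image() {
    ( cd "$1/build/Centos" && vagrant up )
}

# Generate certificates only if make reports them out of date (make -q asks
# without building), mirroring "if you have not already done this".
ensure_certs() {
    dir="$1"
    if ( cd "$dir" && make -q -f ../../certs.mk >/dev/null 2>&1 ); then
        echo "certs already up to date"
    else
        ( cd "$dir" && make -f ../../certs.mk )
    fi
}

main() {
    root="${1:-$(pwd)}"
    target="${2:-Centos}"   # assumption: deploy directory name for the target OS
    dir="$(deploy_dir "$root" "$target")"
    check_deploy_prereqs "$dir"   # set -e aborts here if a file is missing
    build_image "$root"
    ensure_certs "$dir"
    echo "review $dir/safeharbor.conf before continuing"
    ( cd "$dir" && ./deploy.sh )
    echo "next: vagrant ssh, check conf.json and auth_config.yml, log out, ./start.sh"
}

# Run only when invoked as a script named deploy_wrapper.sh, so the file can also
# be sourced for its helper functions without starting a deployment.
case "${0##*/}" in
    deploy_wrapper.sh) main "$@" ;;
esac
```

Save it as `deploy_wrapper.sh` in the repository root and run `./deploy_wrapper.sh . Centos`; the prerequisite check fails fast, before `vagrant up`, when `safeharbor.conf` or `deploy.sh` is absent from the target deploy directory.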
- `./start.sh`
- `./stop.sh`
trigger