Securing Container Registry with Harbor

Overview

Harbor is an open-source container registry that provides security features including vulnerability scanning (integrated Trivy), image signing (Notary/Cosign), RBAC, content trust policies, replication, and audit logging. Securing Harbor involves configuring these features to enforce image provenance, prevent vulnerable image deployment, and maintain registry access control.

Prerequisites

• Harbor 2.10+ installed (Helm or Docker Compose)
• TLS certificates for HTTPS
• Trivy scanner integration
• OIDC/LDAP for authentication
• Kubernetes cluster (for deployment target)

Implementation Steps

Step 1: Install Harbor with Security Configuration

# harbor-values.yaml for Helm deployment
expose:
  type: ingress
  tls:
    enabled: true
    certSource: secret
    secret:
      secretName: harbor-tls
      notarySecretName: harbor-tls
  ingress:
    hosts:
      core: harbor.example.com
      notary: notary.example.com

externalURL: https://harbor.example.com

persistence:
  enabled: true
  resourcePolicy: "keep"

harborAdminPassword: "<strong-password>"

trivy:
  enabled: true
  gitHubToken: "<github-token>"
  severity: "CRITICAL,HIGH,MEDIUM"
  autoScan: true

notary:
  enabled: true

core:
  secretKey: "<32-char-secret>"

database:
  type: external
  external:
    host: postgres.example.com
    port: "5432"
    username: harbor
    password: "<db-password>"
    sslmode: require

helm repo add harbor https://helm.getharbor.io
helm install harbor harbor/harbor -f harbor-values.yaml -n harbor --create-namespace

Step 2: Configure Vulnerability Scanning Policies

# Enable auto-scan on push (via Harbor API)
curl -k -X PUT "https://harbor.example.com/api/v2.0/projects/myproject" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "metadata": {
      "auto_scan": "true",
      "severity": "critical",
      "prevent_vul": "true",
      "reuse_sys_cve_allowlist": "true"
    }
  }'

Step 3: Configure Content Trust

# Enable content trust at project level
curl -k -X PUT "https://harbor.example.com/api/v2.0/projects/myproject" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "metadata": {
      "enable_content_trust": "true",
      "enable_content_trust_cosign": "true"
    }
  }'

# Sign image with Cosign
cosign sign --key cosign.key harbor.example.com/myproject/myapp:v1.0.0

# Verify signature
cosign verify --key cosign.pub harbor.example.com/myproject/myapp:v1.0.0

Step 4: Configure RBAC and Project Isolation

# Create project with private visibility
curl -k -X POST "https://harbor.example.com/api/v2.0/projects" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "project_name": "production",
    "metadata": {
      "public": "false",
      "auto_scan": "true",
      "prevent_vul": "true",
      "severity": "high"
    }
  }'

# Harbor roles: ProjectAdmin, Maintainer, Developer, Guest, LimitedGuest
# Add member with specific role
curl -k -X POST "https://harbor.example.com/api/v2.0/projects/production/members" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "role_id": 3,
    "member_user": {"username": "developer1"}
  }'

Step 5: Configure Immutable Tags and Retention

# Create tag immutability rule (prevent overwriting release tags)
curl -k -X POST "https://harbor.example.com/api/v2.0/projects/production/immutabletagrules" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "tag_filter": "v*",
    "scope_selectors": {
      "repository": [{"kind": "doublestar", "decoration": "repoMatches", "pattern": "**"}]
    }
  }'

# Configure retention policy (keep last 10 tags, delete untagged after 7 days)
curl -k -X POST "https://harbor.example.com/api/v2.0/retentions" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "algorithm": "or",
    "rules": [
      {
        "action": "retain",
        "template": "latestPushedK",
        "params": {"latestPushedK": 10},
        "tag_selectors": [{"kind": "doublestar", "decoration": "matches", "pattern": "**"}],
        "scope_selectors": {"repository": [{"kind": "doublestar", "decoration": "repoMatches", "pattern": "**"}]}
      }
    ],
    "trigger": {"kind": "Schedule", "settings": {"cron": "0 0 * * *"}}
  }'

Step 6: OIDC Authentication Integration

# Harbor configuration for OIDC
auth_mode: oidc_auth
oidc_name: "Okta"
oidc_endpoint: "https://company.okta.com/oauth2/default"
oidc_client_id: "harbor-client-id"
oidc_client_secret: "harbor-client-secret"
oidc_groups_claim: "groups"
oidc_admin_group: "harbor-admins"
oidc_scope: "openid,profile,email,groups"
oidc_verify_cert: true
oidc_auto_onboard: true

Validation Commands

# Test vulnerability prevention (should block pull of vulnerable image)
docker pull harbor.example.com/production/vulnerable-app:latest
# Expected: Error - image blocked due to vulnerabilities

# Verify content trust enforcement
DOCKER_CONTENT_TRUST=0 docker push harbor.example.com/production/unsigned:latest
# Expected: Push rejected due to content trust policy

# Check scan results via API
curl -k "https://harbor.example.com/api/v2.0/projects/production/repositories/myapp/artifacts/v1.0.0/additions/vulnerabilities" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)"

# Audit log check
curl -k "https://harbor.example.com/api/v2.0/audit-logs?page=1&page_size=10" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)"

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

• SOC 2: CC6.1 (Logical Access), CC7.1 (Monitoring), CC8.1 (Change Management)
• ISO 27001: A.14.2 (Secure Development), A.12.6 (Technical Vulnerability Mgmt)
• NIST 800-53: CM-7 (Least Functionality), SI-2 (Flaw Remediation), SC-28 (Protection at Rest)
• NIST CSF: PR.IP (Information Protection), PR.DS (Data Security)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add securing-container-registry-with-harbor

# Or load dynamically via MCP
grc.load_skill("securing-container-registry-with-harbor")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

• SHA-256 chain hashing ensures no step can be modified after execution
• Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
• Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

References

• Harbor Documentation
• Harbor Security Best Practices
• Harbor GitHub Repository