Harbor is an open-source container registry that secures artifacts with policies and role-based access control, scans images for vulnerabilities, and signs images as trusted.
What Is Harbor?
Harbor is a CNCF graduated project that extends Docker Distribution with security, identity, and management features needed by enterprises. It manages container images, Helm charts, and OCI artifacts.
Key Features:
- Vulnerability scanning (Trivy, Clair)
- Image signing and verification
- Role-based access control
- Image replication across registries
- Garbage collection
- Quota management
- Audit logging
- REST API v2.0
Installation
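# Pin the release once so the tarball and its signature always refer to the same version.
HARBOR_VERSION=v2.11.0
INSTALLER="harbor-offline-installer-${HARBOR_VERSION}.tgz"
RELEASE_URL="https://github.com/goharbor/harbor/releases/download/${HARBOR_VERSION}"
wget "${RELEASE_URL}/${INSTALLER}" "${RELEASE_URL}/${INSTALLER}.asc"
# Check the detached OpenPGP signature before unpacking. Import the Harbor
# release signing key first (the key ID is published in the Harbor install docs).
# Nothing is extracted if verification fails.
gpg --verify "${INSTALLER}.asc" "${INSTALLER}" \
  && tar xzf "${INSTALLER}" \
  && cd harbor \
  && cp harbor.yml.tmpl harbor.yml
# Edit harbor.yml before installing: set hostname, replace the template's
# default harbor_admin_password and database password, and point the https
# section at a real certificate and private key.
./install.sh --with-trivy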
Harbor API
import os

import requests
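# Base URL of the Harbor v2.0 REST API.
HARBOR = "https://harbor.example.com/api/v2.0"
# Credentials are read from the environment so no password is stored in the
# script or its version history. Prefer a robot account or a least-privileged
# user over the built-in admin account. Unset variables yield empty
# credentials, which the server rejects.
AUTH = (
    os.environ.get("HARBOR_USERNAME", ""),
    os.environ.get("HARBOR_PASSWORD", ""),
)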
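# List projects.
# TLS certificate verification is left at the requests default (enabled), so
# the Basic-auth credentials are only sent to a server that proves its
# identity. For a private CA, pass verify="/path/to/ca-bundle.pem" rather than
# turning verification off.
resp = requests.get(f"{HARBOR}/projects", auth=AUTH, timeout=30)
# Fail on 401/403/5xx instead of iterating over an error payload.
resp.raise_for_status()
# NOTE: list endpoints are paginated (page / page_size); this is the first page only.
projects = resp.json()
for p in projects:
    print(f"Project: {p['name']}, Repos: {p['repo_count']}, Public: {p['metadata']['public']}")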
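# Create a private project with a 10 GiB storage quota.
# Certificate verification stays enabled (requests default) and the call is
# bounded by a timeout.
resp = requests.post(
    f"{HARBOR}/projects",
    auth=AUTH,
    timeout=30,
    json={
        "project_name": "production",
        # "false" keeps the project private: pulls require authentication.
        "metadata": {"public": "false"},
        "storage_limit": 10737418240,  # 10GB
    },
)
# Surface failures (bad credentials, name conflict, ...) instead of ignoring them.
resp.raise_for_status()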
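# List repositories in project.
# Certificate verification stays enabled (requests default); a timeout keeps a
# stalled registry from hanging the script.
resp = requests.get(
    f"{HARBOR}/projects/production/repositories",
    auth=AUTH,
    timeout=30,
)
# Stop on an HTTP error rather than iterating over an error payload.
resp.raise_for_status()
repos = resp.json()
for repo in repos:
    print(f"Repo: {repo['name']}, Pull count: {repo['pull_count']}")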
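# List tags/artifacts together with their vulnerability summary.
resp = requests.get(
    f"{HARBOR}/projects/production/repositories/myapp/artifacts",
    # scan_overview is only included in the response when explicitly requested.
    params={"with_scan_overview": "true"},
    auth=AUTH,
    timeout=30,  # certificate verification stays enabled (requests default)
)
resp.raise_for_status()
artifacts = resp.json()
for a in artifacts:
    # "tags" and "scan_overview" can be null (untagged or never-scanned
    # artifacts), so fall back to empty containers instead of raising.
    tags = [t['name'] for t in (a.get('tags') or [])]
    overview = a.get('scan_overview') or {}
    vulns = overview.get('application/vnd.security.vulnerability.report; version=1.1', {})
    # An empty summary means "no scan data", not "no vulnerabilities".
    print(f"Digest: {a['digest'][:16]}, Tags: {tags}, Vulnerabilities: {vulns.get('summary', {})}")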
Vulnerability Scanning
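# Trigger scan on artifact.
# The scan runs asynchronously on the server, so a successful response means
# it was accepted, not that results are ready.
# "latest" is a mutable tag; use the artifact digest as the reference when the
# scan must apply to one exact image.
resp = requests.post(
    f"{HARBOR}/projects/production/repositories/myapp/artifacts/latest/scan",
    auth=AUTH,
    timeout=30,  # certificate verification stays enabled (requests default)
)
# Do not assume the scan was queued if the request was rejected.
resp.raise_for_status()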
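# Get scan results.
# If a scan was only just triggered, this may still return the previous report
# or none at all, so do not gate a deployment on a single immediate read.
resp = requests.get(
    f"{HARBOR}/projects/production/repositories/myapp/artifacts/latest/additions/vulnerabilities",
    auth=AUTH,
    timeout=30,  # certificate verification stays enabled (requests default)
)
resp.raise_for_status()
scan = resp.json()
for report_key, report in scan.items():
    # "vulnerabilities" can be null when nothing was found; treat that as empty.
    # Only the first five findings per report are printed.
    for vuln in (report.get('vulnerabilities') or [])[:5]:
        print(f"[{vuln['severity']}] {vuln['id']}: {vuln['package']} {vuln['version']}")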
Replication Policy
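# Create a scheduled pull replication from Docker Hub.
resp = requests.post(
    f"{HARBOR}/replication/policies",
    auth=AUTH,
    timeout=30,  # certificate verification stays enabled (requests default)
    json={
        "name": "pull-nginx",
        # Must be the id of an existing registry endpoint; confirm it for your
        # installation rather than assuming 1 is Docker Hub.
        "src_registry": {"id": 1},  # Docker Hub registry
        "dest_namespace": "library",
        # Keep the filter narrow so that only the intended upstream repository
        # is mirrored into the registry.
        "filters": [{"type": "name", "value": "library/nginx"}],
        # Harbor schedules use a six-field cron expression whose first field is
        # seconds; this one runs daily at 00:00:00.
        "trigger": {"type": "scheduled", "trigger_settings": {"cron": "0 0 0 * * *"}},
        "enabled": True,
    },
)
# Surface a rejected policy (bad registry id, invalid cron, missing permission).
resp.raise_for_status()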
Docker Push/Pull
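# Login to Harbor. The password is read from stdin so it does not land in
# shell history or the process list. HARBOR_USERNAME and HARBOR_PASSWORD are
# expected in the environment; use a robot account or a least-privileged user
# rather than admin.
printf '%s' "$HARBOR_PASSWORD" | docker login harbor.example.com -u "$HARBOR_USERNAME" --password-stdin
# Tag and push
docker tag myapp:latest harbor.example.com/production/myapp:v1.0
docker push harbor.example.com/production/myapp:v1.0
# Pull (tags are mutable; pull by digest when a deployment needs one exact image)
docker pull harbor.example.com/production/myapp:v1.0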
Resources
- Harbor Docs
- Harbor GitHub — 24K+ stars
- API Reference