TNS
SUBSCRIBE
Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.
REQUIRED
 
It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.
Welcome and thank you for joining The New Stack community!
Please answer a few simple questions to help us deliver the news and resources you are interested in.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Great to meet you!
Tell us a bit about your job so we can cover the topics you find most relevant.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

PREV
of
NEXT
VOXPOP
Tech Conferences: Does Your Employer Pay?
Does your employer pay for you to attend tech conferences?
Yes, registration and travel are comped.
0%
Yes, just registration but not travel expenses.
0%
Yes, travel expenses but not registration.
0%
Only virtual conferences.
0%
No reimbursement.
0%
 
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Your Engineering Organization Is too Expensive
Apr 17th 2024 11:19am, by Luca Galante
Tetrate Enterprise Gateway for Envoy Graduates
Apr 10th 2024 9:00am, by Steven J. Vaughan-Nichols
The Open Source Market’s in Flux. How Can IT Managers Cope?
Apr 8th 2024 10:57am, by Joe Fay
Use Podman to Create and Work with Virtual Machines
Apr 6th 2024 6:00am, by Jack Wallen
KubeCon EU Q&A: Red Hat Engineer Bethany Griggs on Backstage
Apr 5th 2024 1:00pm, by Raghavan Srinivas
Kubernetes vs. YARN for Resource Management: How to Choose
Apr 10th 2024 8:16am, by Jacob Simkovich
Use Podman to Create and Work with Virtual Machines
Apr 6th 2024 6:00am, by Jack Wallen
Podman 5 Arrives with Multiplatform Images, VM Support
Apr 4th 2024 5:00am, by Jack Wallen
Chainguard: Outdated Containers Accumulate Vulnerabilities
Mar 29th 2024 3:00am, by Joab Jackson
Evolve Manual and Templated Dockerfiles with Automation
Mar 26th 2024 10:33am, by Rak Siva
Chipmakers Putting a Laser Focus on Edge AI
Apr 12th 2024 10:06am, by Jeffrey Burt
The Future of AI: Hybrid Edge Deployments Are Indispensable
Mar 22nd 2024 10:00am, by Luis Ceze
How RapidAI Uses Edge, Kubernetes and AI to Boost Stroke Care
Mar 15th 2024 10:30am, by Charles Humble
Trusted Boot: What to Know About Securing Devices at the Edge
Mar 14th 2024 7:15am, by Ettore di Giacinto
Architecting for Industrial IoT Workloads: A Blueprint
Jan 31st 2024 7:34am, by Dunith Danushka
API Design Is Pretty Bad — Here's How to Fix It
Apr 3rd 2024 6:01am, by Lebin Cheng
Will Spotify Open Source its Microservices Framework?
Apr 2nd 2024 7:45am, by Loraine Lawson
Enhancing Business Security and Compliance with Service Mesh
Apr 1st 2024 10:00am, by Ninad Desai
10 Ways Kubernetes Observability Boosts Productivity, Cuts Costs
Mar 27th 2024 6:08am, by Eric Schabell
Evolve Manual and Templated Dockerfiles with Automation
Mar 26th 2024 10:33am, by Rak Siva
Enhancing Kubernetes Network Security with Microsegmentation
Apr 11th 2024 6:23am, by Dhiraj Sehgal
Tetrate Enterprise Gateway for Envoy Graduates
Apr 10th 2024 9:00am, by Steven J. Vaughan-Nichols
Zero Trust for Legacy Apps: Load Balancer Layer Can Be a Solution
Apr 10th 2024 7:22am, by Prabhat Dixit
How Observability Is Different for Web3 Apps
Mar 15th 2024 12:00pm, by Sarah Morgan
Simplify Kubernetes Hosted Control Planes with K0smotron
Mar 11th 2024 10:00am, by Jussi Nummelin
Meet DBOS: A Database Alternative to Kubernetes 
Mar 12th 2024 4:00am, by Joab Jackson
Pulumi Templates for GenAI Stacks: Pinecone, LangChain First
Feb 21st 2024 9:00am, by Joab Jackson
CNCF CloudEvents: A Li'l Message Envelope That Travels Far
Jan 31st 2024 4:00am, by Joab Jackson
Bringing the AWS Serverless Strategy to Azure
Jan 19th 2024 6:00am, by Rak Siva
Serverless Computing In 2024: GenAI Influence, Security, 5G
Jan 4th 2024 5:00am, by Chris J. Preimesberger
How to Get Peak Performance without a Vast Amount of Memory
Apr 9th 2024 10:17am, by Behrad Babaee
From Postgres to ScyllaDB NoSQL, with a 349x Speed Boost 
Apr 1st 2024 11:27am, by Cynthia Dunlop
The Architect’s Guide: A Modern Data Lake Reference Architecture
Mar 26th 2024 9:17am, by Keith Pijanowski
Cloud Data Migration or Cloud Data Tiering?
Mar 25th 2024 10:00am, by Kumar Goswami
KubeCon24: MinIO Object Store Equipped with Enterprise Features
Mar 19th 2024 2:00pm, by Joab Jackson
AI Large Language Models Frontend Development Software Development API Management Python JavaScript TypeScript WebAssembly Cloud Services Data Security
Applying Agile Techniques to AI: Lessons from Amazon Fresh
Apr 17th 2024 5:00am, by
Key Infrastructure Takeaways from Google Cloud Next 2024
Apr 16th 2024 12:00pm, by
Python Tutorial: Use TensorFlow to Generate Predictive Text
Apr 16th 2024 11:00am, by
How One Programmer Built an AI-Powered Interactive FAQ
Apr 16th 2024 9:04am, by
GenAI Acceleration Depends on Infrastructure as Code
Apr 16th 2024 6:13am, by
How One Programmer Built an AI-Powered Interactive FAQ
Apr 16th 2024 9:04am, by
A Developer's Guide to Getting Started with LlamaIndex
Apr 13th 2024 5:00am, by
Tool Fragmentation — Is There a Fix?
Apr 12th 2024 9:37am, by
3 Reasons Tech Execs Are Slowing Down GenAI Projects
Apr 12th 2024 6:04am, by
A Coder Perspective: What It's Like to Develop an AI App
Apr 11th 2024 9:47am, by
Did Signals Just Land in React?
Apr 18th 2024 5:00am, by
Top 5 Underutilized JavaScript Features
Apr 16th 2024 10:30am, by
How One Programmer Built an AI-Powered Interactive FAQ
Apr 16th 2024 9:04am, by
Dev News: AI Coding Agent, Nue Glows, and New Android Beta
Apr 13th 2024 4:00am, by
Tool Fragmentation — Is There a Fix?
Apr 12th 2024 9:37am, by
Scala Creator Proposes 'Lean Scala' for Simpler Code
Apr 17th 2024 10:14am, by
Linux Foundation Overture Maps the Globe with Open Data
Apr 17th 2024 9:04am, by
Zero-Day Vulnerabilities: A Beginner’s Guide
Apr 17th 2024 8:31am, by
What Are Python 'Sets' and How Do You Use Them?
Apr 17th 2024 6:17am, by
Meet the System Package Data Exchange: SPDX 3.0, with Profiles
Apr 16th 2024 3:28pm, by
Is Platform Engineering Really Just API Governance?
Apr 15th 2024 12:10pm, by
Why You Should Have 100% Faith in Zero Trust
Apr 15th 2024 8:11am, by
Why Don’t API Platform Efforts Deliver?
Apr 15th 2024 6:54am, by
Ingress: Kubernetes Example with ngrok
Apr 11th 2024 9:34am, by
Hasura Visualizes Data API Integration into a 'Supergraph'
Apr 4th 2024 3:00am, by
What Are Python 'Sets' and How Do You Use Them?
Apr 17th 2024 6:17am, by
Python Tutorial: Use TensorFlow to Generate Predictive Text
Apr 16th 2024 11:00am, by
JavaScript, Python Neck and Neck in GitHub Developer Usage
Apr 15th 2024 9:45am, by
A Coder Perspective: What It's Like to Develop an AI App
Apr 11th 2024 9:47am, by
How (and When) to Use a Python While Loop
Apr 10th 2024 7:55am, by
Did Signals Just Land in React?
Apr 18th 2024 5:00am, by
Top 5 Underutilized JavaScript Features
Apr 16th 2024 10:30am, by
JavaScript, Python Neck and Neck in GitHub Developer Usage
Apr 15th 2024 9:45am, by
Dev News: React 19, Nuxt 3.11, a Python GUI, Tabnine LLMs
Apr 6th 2024 5:00am, by
Dev News: Deno Supports Open Source Repository JSR and an Offline AI
Mar 30th 2024 4:00am, by
Dev News: Deno Supports Open Source Repository JSR and an Offline AI
Mar 30th 2024 4:00am, by
Advanced OOP in TypeScript: Interfaces and Abstract Classes
Mar 22nd 2024 10:30am, by
How to Get Advantages of TypeScript in JavaScript
Oct 27th 2023 10:51am, by
Dev News: Udemy's New Docker Program, Plus TypeScript Beta
Oct 7th 2023 5:01am, by
The Angular Renaissance: Why Frontend Devs Should Revisit It
Sep 26th 2023 8:15am, by
WebAssembly Adoption: Is Slow and Steady Winning the Race?
Apr 10th 2024 5:00am, by
Why WASI Preview 2 Makes WebAssembly Production Ready
Apr 5th 2024 6:21am, by
KubeCon Europe: WebAssembly, eBPF Are Huge for Cloud Native
Mar 29th 2024 8:24am, by
Fermyon Says WebAssembly on Kubernetes Is Now Doable
Mar 28th 2024 6:19am, by
Why Wasm Wins Where Java Applets Failed
Mar 12th 2024 10:22am, by
Answers to the 5 Most Common Cloud Cost-Optimization Questions
Apr 17th 2024 7:38am, by
Key Infrastructure Takeaways from Google Cloud Next 2024
Apr 16th 2024 12:00pm, by
Google Vaunts New Gemini Code Assist Tool at Cloud Next 2024
Apr 10th 2024 9:05am, by
If Dev and Ops Had a Baby — It Would Be Called Winglang
Apr 5th 2024 10:00am, by
Lack of Data Mobility Is a Root Cause of Cloud Native Ills 
Apr 5th 2024 9:17am, by
Python Tutorial: Use TensorFlow to Generate Predictive Text
Apr 16th 2024 11:00am, by
Query Apache Kafka with SQL
Apr 16th 2024 7:51am, by
How to Get Peak Performance without a Vast Amount of Memory
Apr 9th 2024 10:17am, by
Using SQL-Powered RAG to Better Analyze Database Data with GenAI
Apr 9th 2024 9:08am, by
5 Key Considerations for Chatbot Design
Apr 5th 2024 12:00pm, by
Zero-Day Vulnerabilities: A Beginner’s Guide
Apr 17th 2024 8:31am, by
Meet the System Package Data Exchange: SPDX 3.0, with Profiles
Apr 16th 2024 3:28pm, by
Lessons Learned about Secrets Protection after the Sisense Breach
Apr 15th 2024 10:42am, by
Why You Should Have 100% Faith in Zero Trust
Apr 15th 2024 8:11am, by
Attack (or Penetrate Test) Cloud Native the Easy Way
Apr 15th 2024 7:21am, by
Platform Engineering Operations CI/CD Tech Careers Tech Culture DevOps Kubernetes Observability Service Mesh
Your Engineering Organization Is too Expensive
Apr 17th 2024 11:19am, by Luca Galante
Drive Developer Self-Service with Crossplane, K8s and a Portal
Apr 17th 2024 9:46am, by Mor Paz
What Comes after Internal Developer Platforms?
Apr 15th 2024 12:56pm, by Valerie Slaughter
Is Platform Engineering Really Just API Governance?
Apr 15th 2024 12:10pm, by Jennifer Riggins
Integrating AI to Make Platform Engineering Intelligent
Apr 12th 2024 8:40am, by Michel Murabito
Golang: How to Write a For Loop
Apr 16th 2024 5:00pm, by Jack Wallen
Want to Be a Tech Company? Try Platform Engineering!
Apr 10th 2024 10:26am, by Luca Galante
Zero Trust for Legacy Apps: Load Balancer Layer Can Be a Solution
Apr 10th 2024 7:22am, by Prabhat Dixit
Highlight.io: Open Source Application Monitoring for Developers
Apr 9th 2024 10:00am, by Jay Khatri
2 Ways AI Assistants Are Changing Kubernetes Troubleshooting
Apr 8th 2024 12:00pm, by Blair Rampling
Are You Delivering on Developer Experience?
Apr 16th 2024 10:00am, by Nočnica Mellifera
What Comes after Internal Developer Platforms?
Apr 15th 2024 12:56pm, by Valerie Slaughter
Lessons Learned about Secrets Protection after the Sisense Breach
Apr 15th 2024 10:42am, by David Melamed
Why Don’t API Platform Efforts Deliver?
Apr 15th 2024 6:54am, by Sagar Batchu
GitOps Makes for Great DevEx, but Pragmatism Matters
Apr 9th 2024 6:30am, by Steve Fenton
Why Military Vets Are the Drama-Free Problem Solvers You Need
Mar 28th 2024 9:20am, by Joe Fay
Using AI to Improve Bad Business Writing
Mar 26th 2024 5:00am, by Jon Udell
Developers Share What Helped Them Land New Roles
Mar 25th 2024 6:45am, by Jeff James
US Tech Cannot Comprehend the Digital Nomad Way of Life
Mar 23rd 2024 3:00am, by Paul Scanlon
Tech Works: How to Identify and Address Burnout on Your Team
Mar 22nd 2024 5:00am, by Jennifer Riggins
Are You Delivering on Developer Experience?
Apr 16th 2024 10:00am, by Nočnica Mellifera
IT Pioneers Assess the Future Impact of AI
Apr 14th 2024 6:00am, by David Cassel
C# Compiler Lead Jared Parsons on 20 Years at Microsoft
Apr 7th 2024 6:00am, by David Cassel
Customer-Obsessed? 4 Steps to Improve Your Culture
Apr 5th 2024 8:21am, by Bharani Manapragada
Developer Joy is the Productivity Metric You’re Missing
Apr 4th 2024 12:06pm, by Jennifer Riggins
Query Apache Kafka with SQL
Apr 16th 2024 7:51am, by Stéphane Derosiaux
GitOps Makes for Great DevEx, but Pragmatism Matters
Apr 9th 2024 6:30am, by Steve Fenton
Platform Engineering and GenAI: ‘Get Your House in Order’
Apr 9th 2024 5:00am, by Loraine Lawson
How Platform Engineering Takes on DevOps Challenges
Apr 8th 2024 6:49am, by Kenn Hussey
Why Flux Isn’t Dying after Weaveworks
Apr 8th 2024 5:00am, by B. Cameron Gain
Drive Developer Self-Service with Crossplane, K8s and a Portal
Apr 17th 2024 9:46am, by Mor Paz
Grafana 11: No Need to Create PromQL Queries for Prometheus
Apr 17th 2024 4:00am, by B. Cameron Gain
Attack (or Penetrate Test) Cloud Native the Easy Way
Apr 15th 2024 7:21am, by B. Cameron Gain
Ingress: Kubernetes Example with ngrok
Apr 11th 2024 9:34am, by Eric Goebelbecker
Enhancing Kubernetes Network Security with Microsegmentation
Apr 11th 2024 6:23am, by Dhiraj Sehgal
Grafana 11: No Need to Create PromQL Queries for Prometheus
Apr 17th 2024 4:00am, by B. Cameron Gain
Highlight.io: Open Source Application Monitoring for Developers
Apr 9th 2024 10:00am, by Jay Khatri
How Conviva Uses Endpoint Event Data to Measure UX at Scale
Mar 29th 2024 9:16am, by Vicki Walker
Large Language Model Observability: The Breakdown
Mar 28th 2024 1:46pm, by Alex Williams
Will the Real Test Observability Please Stand up?
Mar 27th 2024 7:27am, by Ken Hamric
Enhancing Business Security and Compliance with Service Mesh
Apr 1st 2024 10:00am, by Ninad Desai
Some Linkerd Users Must Pay: Fear and Anger Explained
Feb 28th 2024 9:21am, by B. Cameron Gain
Buoyant Revises Release Model for the Linkerd Service Mesh
Feb 21st 2024 9:30am, by Joab Jackson
Istio Advisor Plus GPT: Expert System Meets AI for Service Mesh
Dec 14th 2023 12:15pm, by Steven J. Vaughan-Nichols
Using JWTs to Authenticate Services Unravels API Gateways
Nov 8th 2023 6:53am, by Christian Posta and Peter Jausovec
Containers

How to Scan Docker Images for Vulnerabilities with Harbor

A conatiner tutorial on how to successfully upload and scan images to Harbor.
Jul 30th, 2019 12:00pm by
Featued image for: How to Scan Docker Images for Vulnerabilities with Harbor
Feature image by Gerd Altmann from Pixabay.

Your containers have become an absolute necessity for your company. Without them, you couldn’t be nearly as agile as needed to keep up with the ever-rising demands placed on your business. Because of this, you might well be deploying more and more services, by way of containers.

That means you might be pulling down more and more images from various sources. With the rising number of vulnerabilities found in images today, you could easily fall prey to a vulnerability that could cause your company problems. In some cases … big problems.

How do you avoid that? You make use of a Docker registry capable of scanning those images. One such registry is Harbor. In the first part of this series, I walked you through the process of installing Harbor on Ubuntu 18.04. (Read: “Install the Docker Harbor Registry Server on Ubuntu 18.04”). This time around, I’ll show you how to successfully upload and scan images to Harbor.

What You’ll Need

The only things you’ll need to make this work are:

  • A running instance of Harbor with Clair support.
  • Images to upload and scan.
  • A user account on the Harbor server.

The images to be uploaded can be those you’ve created yourself or those you’ve pulled down from various registries (such as Docker Hub).

With those pieces at the ready, let’s get to work.

Installing Certificates

In order to push images to your Harbor registry, from machines on your network, each machine must have a copy of the Harbor server SSL certificates. In the test case I outlined in the original piece, I used self-signed certificates. I’ll continue with that example here. If you’ve purchased certificates from a trusted CA, you’ll only have to modify the names of the certificates copies.

Here are the steps to copy the certificates:

  1. Secure shell into your Harbor server (or log in if you have physical access).
  2. Gain root access with the command sudo -s.
  3. Change into the certificate directory with the command cd /etc/docker/certs.d/SERVER_IP (Where SERVER_IP is the IP address of your server).
  4. Copy the ca.cert key to the client with the command scp ca.cert USER@CLIENT_IP:/home/USER (Where USER is a username on the client machine and CLIENT_IP is the IP address of the client machine).
  5. Copy the ca.crt key to the client with the command scp ca.crt USER@CLIENT_IP:/home/USER (Where USER is a username on the client machine and CLIENT_IP is the IP address of the client machine).
  6. Copy the ca.key key the client with the command scp ca.key USER@CLIENT_IP:/home/USER (Where USER is a username on the client machine and CLIENT_IP is the IP address of the client machine).
  7. SSH to the client machine with the command ssh USER@CLIENT_IP (Where USER is a username on the client machine and CLIENT_IP is the IP address of the client machine).
  8. Create the new certificate directory with the command sudo mkdir -p /etc/docker/certs.d/SERVER_IP (Where SERVER_IP is the IP address of the Harbor server).
  9. Copy the files with the command sudo cp ca.* /etc/docker/certs.d/SERVER_IP (Where SERVER_IP is the IP address of the Harbor server).

Your client is now ready to upload images to the harbor server. Make sure to do this for any client on your network that needs to be able to upload images to the Harbor server.

Tagging Images

Before an image can be pushed to the Harbor server, it must be first tagged. A Docker image tag is a piece of attached data that conveys useful information about an image. Say, for example, you have different developers working from one image, but each creates something completely different. Each of those developers could tag their image with their username, so the purpose of each image is clear. Or maybe you create similar images for different purposes (like security, dev, web, database, etc.). By tagging these images, you don’t have to guess the purpose they serve.

To tag an image, such that it can be then pushed to the Harbor registry, you’d issue a command like so:


Where:

  • IMAGE is the name of the base image being used.
  • SERVER_IP is the IP address of the Harbor server.
  • PROJECT_NAME is the name of the Project on the Harbor server.
  • TAG: is the name of the tag you want to add.

Say, for example, developer jack is using the official ubuntu image, and wants to tag it so it can be sent to the test project on the Harbor server at IP address 192.168.1.75. The command for this would be:


With the image tagged, it’s ready to be pushed to the Harbor server.

Pushing the Image

Now it’s time to push that tagged image to the Harbor server. Before you can successfully do this, you must log into the Harbor server from the client. To do this, open a terminal window on the client and issue the command:

docker login SERVER_IP

Where SERVER_IP is the IP address of the Harbor server.

You will be prompted for your Harbor user account credentials. If you don’t already have a user account, have the Harbor server admin create one for you. Once you’ve successfully authenticated, you’re ready to push your image. Do so with the command:

docker push SERVER_IP/PROJECT_NAME/IMAGE:TAG

  • SERVER_IP is the IP address of the Harbor server.
  • PROJECT_NAME is the name of the Project on the Harbor server.
  • IMAGE is the name of the image.
  • TAG: is the tag associated with the image.

To push our example tagged image from above, the command would be:

docker push 192.168.1.75/test/ubuntu:jack

Once the push completes, the image is ready to be scanned.

Scanning an Image

Log into the Harbor registry and make your way to the project housing the newly-pushed image. You should see the tagged image listed (Figure A).

 

Figure A: Our test image is ready for us.

Click on the image name. This will reveal the tagged image (Figure B).

Our tagged image.

Click the checkbox associated with the tagged image and then click SCAN. Once you’ve clicked SCAN, the image will be queued and then scanned. Depending on the size and complexity of the image, the scan can take some time.

When the scan completes, click the tag name to reveal the scan results. You should see a listing of all relevant CVE entries, along with their severity, associated package, and current version of the package (Figure C).

The results of the image scan.

With the results in hand, you can then determine if the image is safe enough to be used. If it is not, you can act accordingly (by either scrapping the image or resolving the vulnerabilities).

And that’s how you scan a Docker image for vulnerabilities, with the Harbor Registry. If you’re serious about using Docker containers for your business, you should treat the security of those images with a measure of caution.

TRENDING STORIES
Group Created with Sketch.
Jack Wallen is what happens when a Gen Xer mind-melds with present-day snark. Jack is a seeker of truth and a writer of words with a quantum mechanical pencil and a disjointed beat of sound and soul. Although he resides...
Read more from Jack Wallen
SHARE THIS STORY
TRENDING STORIES
TNS owner Insight Partners is an investor in: Docker.
TRENDING STORIES
TNS DAILY NEWSLETTER Receive a free roundup of the most recent TNS articles in your inbox each day.