securing-container-registry-with-harbor

Harbor 是一个开源容器镜像仓库,提供安全功能包括漏洞扫描(集成 Trivy)、镜像签名(Notary/Cosign)、RBAC、内容信任策略(Content Trust)、复制和审计日志。配置这些功能以强制执行镜像来源验证、防止有漏洞镜像部署并维护仓库访问控制。

9 stars

Best use case

securing-container-registry-with-harbor is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Harbor 是一个开源容器镜像仓库,提供安全功能包括漏洞扫描(集成 Trivy)、镜像签名(Notary/Cosign)、RBAC、内容信任策略(Content Trust)、复制和审计日志。配置这些功能以强制执行镜像来源验证、防止有漏洞镜像部署并维护仓库访问控制。

Teams using securing-container-registry-with-harbor should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/securing-container-registry-with-harbor/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/securing-container-registry-with-harbor/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/securing-container-registry-with-harbor/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How securing-container-registry-with-harbor Compares

Feature / Agentsecuring-container-registry-with-harborStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Harbor 是一个开源容器镜像仓库,提供安全功能包括漏洞扫描(集成 Trivy)、镜像签名(Notary/Cosign)、RBAC、内容信任策略(Content Trust)、复制和审计日志。配置这些功能以强制执行镜像来源验证、防止有漏洞镜像部署并维护仓库访问控制。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用 Harbor 保护容器镜像仓库

## 概述

Harbor 是一个开源容器镜像仓库,提供安全功能包括漏洞扫描(集成 Trivy)、镜像签名(Notary/Cosign)、RBAC、内容信任策略、复制和审计日志。保护 Harbor 需要配置这些功能来强制执行镜像来源验证、防止有漏洞的镜像部署,并维护仓库访问控制。

## 前置条件

- Harbor 2.10+(通过 Helm 或 Docker Compose 安装)
- HTTPS 的 TLS 证书
- Trivy 扫描器集成
- 用于认证的 OIDC/LDAP
- Kubernetes 集群(部署目标)

## 实施步骤

### 步骤 1:使用安全配置安装 Harbor

```yaml
# 用于 Helm 部署的 harbor-values.yaml
expose:
  type: ingress
  tls:
    enabled: true
    certSource: secret
    secret:
      secretName: harbor-tls
      notarySecretName: harbor-tls
  ingress:
    hosts:
      core: harbor.example.com
      notary: notary.example.com

externalURL: https://harbor.example.com

persistence:
  enabled: true
  resourcePolicy: "keep"

harborAdminPassword: "<强密码>"

trivy:
  enabled: true
  gitHubToken: "<github-token>"
  severity: "CRITICAL,HIGH,MEDIUM"
  autoScan: true

notary:
  enabled: true

core:
  secretKey: "<32字符密钥>"

database:
  type: external
  external:
    host: postgres.example.com
    port: "5432"
    username: harbor
    password: "<数据库密码>"
    sslmode: require
```

```bash
helm repo add harbor https://helm.getharbor.io
helm install harbor harbor/harbor -f harbor-values.yaml -n harbor --create-namespace
```

### 步骤 2:配置漏洞扫描策略

```bash
# 启用推送时自动扫描(通过 Harbor API)
curl -k -X PUT "https://harbor.example.com/api/v2.0/projects/myproject" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "metadata": {
      "auto_scan": "true",
      "severity": "critical",
      "prevent_vul": "true",
      "reuse_sys_cve_allowlist": "true"
    }
  }'
```

### 步骤 3:配置内容信任

```bash
# 在项目级别启用内容信任
curl -k -X PUT "https://harbor.example.com/api/v2.0/projects/myproject" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "metadata": {
      "enable_content_trust": "true",
      "enable_content_trust_cosign": "true"
    }
  }'

# 使用 Cosign 签署镜像
cosign sign --key cosign.key harbor.example.com/myproject/myapp:v1.0.0

# 验证签名
cosign verify --key cosign.pub harbor.example.com/myproject/myapp:v1.0.0
```

### 步骤 4:配置 RBAC 和项目隔离

```bash
# 创建具有私有可见性的项目
curl -k -X POST "https://harbor.example.com/api/v2.0/projects" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "project_name": "production",
    "metadata": {
      "public": "false",
      "auto_scan": "true",
      "prevent_vul": "true",
      "severity": "high"
    }
  }'

# Harbor 角色:ProjectAdmin、Maintainer、Developer、Guest、LimitedGuest
# 以特定角色添加成员
curl -k -X POST "https://harbor.example.com/api/v2.0/projects/production/members" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "role_id": 3,
    "member_user": {"username": "developer1"}
  }'
```

### 步骤 5:配置不可变标签和保留策略

```bash
# 创建标签不可变规则(防止覆盖发布标签)
curl -k -X POST "https://harbor.example.com/api/v2.0/projects/production/immutabletagrules" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "tag_filter": "v*",
    "scope_selectors": {
      "repository": [{"kind": "doublestar", "decoration": "repoMatches", "pattern": "**"}]
    }
  }'

# 配置保留策略(保留最新 10 个标签,7 天后删除未标记的镜像)
curl -k -X POST "https://harbor.example.com/api/v2.0/retentions" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)" \
  -H "Content-Type: application/json" \
  -d '{
    "algorithm": "or",
    "rules": [
      {
        "action": "retain",
        "template": "latestPushedK",
        "params": {"latestPushedK": 10},
        "tag_selectors": [{"kind": "doublestar", "decoration": "matches", "pattern": "**"}],
        "scope_selectors": {"repository": [{"kind": "doublestar", "decoration": "repoMatches", "pattern": "**"}]}
      }
    ],
    "trigger": {"kind": "Schedule", "settings": {"cron": "0 0 * * *"}}
  }'
```

### 步骤 6:OIDC 认证集成

```yaml
# Harbor OIDC 配置
auth_mode: oidc_auth
oidc_name: "Okta"
oidc_endpoint: "https://company.okta.com/oauth2/default"
oidc_client_id: "harbor-client-id"
oidc_client_secret: "harbor-client-secret"
oidc_groups_claim: "groups"
oidc_admin_group: "harbor-admins"
oidc_scope: "openid,profile,email,groups"
oidc_verify_cert: true
oidc_auto_onboard: true
```

## 验证命令

```bash
# 测试漏洞防护(应阻止拉取有漏洞的镜像)
docker pull harbor.example.com/production/vulnerable-app:latest
# 预期:错误 - 镜像因漏洞被阻止

# 验证内容信任执行
DOCKER_CONTENT_TRUST=0 docker push harbor.example.com/production/unsigned:latest
# 预期:因内容信任策略拒绝推送

# 通过 API 检查扫描结果
curl -k "https://harbor.example.com/api/v2.0/projects/production/repositories/myapp/artifacts/v1.0.0/additions/vulnerabilities" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)"

# 审计日志检查
curl -k "https://harbor.example.com/api/v2.0/audit-logs?page=1&page_size=10" \
  -H "Authorization: Basic $(echo -n admin:Harbor12345 | base64)"
```

## 参考资料

- [Harbor 文档](https://goharbor.io/docs/)
- [Harbor 安全最佳实践](https://goharbor.io/docs/2.10.0/administration/vulnerability-scanning/)
- [Harbor GitHub 仓库](https://github.com/goharbor/harbor)

Related Skills

securing-serverless-functions

9
from killvxk/cybersecurity-skills-zh

本技能涵盖 AWS Lambda、Azure Functions 和 Google Cloud Functions 等无服务器计算平台的安全加固,涉及最小权限 IAM 角色、依赖漏洞扫描、密钥管理集成、输入验证、函数 URL 认证以及运行时监控,以防范注入攻击、凭证窃取和供应链攻击。

securing-remote-access-to-ot-environment

9
from killvxk/cybersecurity-skills-zh

本技能涵盖为操作员、工程师和供应商实施OT/ICS环境的安全远程访问,同时防止可能危害工业运营的未授权访问。涉及跳板服务器架构、多因素认证、会话记录、特权访问管理、供应商远程访问控制,以及符合IEC 62443和NERC CIP-005远程访问要求。

securing-kubernetes-on-cloud

9
from killvxk/cybersecurity-skills-zh

本技能涵盖通过实施 Pod 安全标准(Pod Security Standards)、网络策略、工作负载身份、RBAC 权限控制、镜像准入控制和运行时安全监控,对 EKS、AKS 和 GKE 上的托管 Kubernetes 集群进行加固。涉及云平台特定安全功能,包括 EKS 的 IRSA、GKE 的工作负载身份(Workload Identity)以及 AKS 的托管身份(Managed Identity)。

securing-historian-server-in-ot-environment

9
from killvxk/cybersecurity-skills-zh

本技能涵盖在OT环境中加固和保护过程历史数据服务器(OSIsoft PI、Honeywell PHD、GE Proficy、AVEVA Historian)。涉及跨Purdue模型各层级的网络部署、历史数据服务器接口的访问控制、通过数据二极管或PI-to-PI连接器在DMZ中进行数据复制、历史数据查询中的SQL注入防护,以及用于安全分析、法规报告和过程优化的过程数据完整性保护。

securing-helm-chart-deployments

9
from killvxk/cybersecurity-skills-zh

通过验证 Chart 完整性、扫描模板中的错误配置并在 Kubernetes 发布中强制执行安全上下文,保护 Helm Chart 部署安全。

securing-github-actions-workflows

9
from killvxk/cybersecurity-skills-zh

本技能涵盖加固 GitHub Actions 工作流以防范供应链攻击、凭据盗窃和权限提升。 内容包括将 action 固定到 SHA 摘要、最小化 GITHUB_TOKEN 权限、防止机密泄露、 防止工作流表达式中的脚本注入,以及为工作流变更实施必要的审阅者机制。

securing-container-registry-images

9
from killvxk/cybersecurity-skills-zh

通过使用 Trivy 和 Grype 实施漏洞扫描、使用 Cosign 和 Sigstore 强制执行镜像签名、配置镜像仓库访问控制,以及构建阻止部署未扫描或未签名镜像的 CI/CD 流水线,来保护容器仓库(Container Registry)中的镜像安全。

securing-aws-iam-permissions

9
from killvxk/cybersecurity-skills-zh

本技能引导从业者加固 AWS 身份和访问管理(Identity and Access Management)配置,在云账户中强制执行最小权限(Least Privilege)访问。涵盖 IAM 策略范围界定、权限边界(Permission Boundary)、Access Analyzer 集成和凭据轮换策略,以降低受损身份的影响范围。

securing-api-gateway-with-aws-waf

9
from killvxk/cybersecurity-skills-zh

通过配置 OWASP Top 10 防护托管规则组(Managed Rule Group)、创建自定义速率限制规则、实施机器人(Bot)控制、设置 IP 信誉过滤以及监控 WAF 指标,使用 AWS WAF 保护 API Gateway 端点。

scanning-containers-with-trivy-in-cicd

9
from killvxk/cybersecurity-skills-zh

本技能涵盖将 Aqua Security 的 Trivy 扫描器集成到 CI/CD 流水线中,用于全面的容器镜像漏洞检测。包括扫描 Docker 镜像中的操作系统包和应用依赖 CVE、检测 Dockerfile 中的错误配置、扫描文件系统和 Git 仓库,以及建立基于严重性的质量门禁以阻止有漏洞的镜像部署。

scanning-container-images-with-grype

9
from killvxk/cybersecurity-skills-zh

使用 Anchore Grype 扫描容器镜像的已知漏洞(Vulnerability),支持基于 SBOM 的匹配和可配置的严重性阈值。

performing-container-security-scanning-with-trivy

9
from killvxk/cybersecurity-skills-zh

使用 Aqua Security Trivy 扫描容器镜像、文件系统和 Kubernetes 清单,检测漏洞(Vulnerability)、错误配置、暴露的密钥和许可证合规问题,并生成 SBOM(Software Bill of Materials,软件物料清单)及集成到 CI/CD 流水线。