Harbor currently integrates with Clair for image vulnerability scanning. While meaning no disrespect to Clair, there will be a lot of enterprise users who will want their image registry solution to integrate with different image scanning solutions (whether open source or proprietary).
It would be great to see an interface for configuring and interacting with other scanners in the ecosystem. We can potentially help with this, but I wanted to see if there would be support for the idea in general before working on a proper technical proposal.
Hi @lizrice – thanks for reaching out. We're definitely interested in refactoring Harbor so that alternative vulnerability scanners can be leveraged in lieu of Clair. I suspect a good bit of work would be needed on the Harbor end, but the payoff would definitely be worth it IMHO.
Let me know the best way to reach out and we can open a dialog to see what work we'd need to tackle to make this happen. I'll also be at KubeCon in Seattle if you'd like to discuss in person.
Thanks!
Great, thanks @clouderati! Let's definitely plan to meet in Seattle. You can reach me at liz at lizrice.com (no rush, my hands will be full with KubeCon in Shanghai next week)
thanks for opening this, @lizrice! @clouderati, I'm very interested in this as well and could help move it along (coding included). I'll be at KubeCon as well, and would love to help out here and be involved in the design discussion as well as meet both of you.
Fantastic! @jerbia you might like to join if you have time?
On Mon, 26 Nov 2018 at 16:53, Zach Hill <notifications@github.com> wrote:
> thanks for opening this, @lizrice! @clouderati, I'm very interested in this as well and could help move it along (coding included). I'll be at KubeCon as well, and would love to help out here and be involved in the design discussion as well as meet both of you.
Great, thanks @lizrice and @zhill. The Harbor team is still working on getting a small Harbor "meet the maintainers" area and would love to chat there. I'll keep you both updated, but feel free to ping me if we get closer to the conference and PowerPoint took me hostage. 😄
Looking forward to meeting you all next week. @clouderati, any updates on when/where that meetup/meet-the-maintainers would be? No worries if not. I'll be at the Anchore booth as well so I can swing by the Harbor folks, but would like to be there when this topic comes up.
Hi @zhill and @lizrice – very sorry about the delayed response. I actually got snowed in over the weekend and am unable to fly out to KubeCon. However, two of our lead maintainers are at KubeCon. @steven-zou will be at the CNCF Meet the Maintainers booth from 2:30pm - 3:30pm tomorrow (Wednesday). Can you sync up with him and then circle back and update this issue?
/cc @reasonerjt @renmaosheng
Sorry to hear you couldn't make it, @clouderati . I'll stop by today in that time window. Looking forward to meeting folks and getting this started.
@clouderati likewise sorry you couldn't make it, and even more sorry I missed this message yesterday.
@zhill @steven-zou any chance you have some time today between 12 & 2?
@lizrice great job on the keynote!
ping @renmaosheng @reasonerjt @steven-zou
I spoke with @steven-zou yesterday, but I'm available today as well. Our conversation yesterday was that the next step would be to submit a proposal via PR to the community repo to get the design conversation started.
I can be available between 12-2, but 1-2 (corrected, misread my calendar) works best for me today if possible.
How about we meet at 1pm in the seating area just outside the keynote space?
Great! See you then @lizrice .
+1 for this. I would also love to have the ability to have multiple vuln scanners, not just one.
+1 for it. I think that connecting different (one or several) scanners will be a very good opportunity.
@shubb30 for clarification: are you asking to be able to see the results of multiple scanners' output and compare them, use different scanners for different images (I'm imagining Windows images being an issue), or did I just misunderstand the comment and you want to have the ability to pick one of many options, but for a given Harbor installation only one scanner is configured at a time?
I'm starting to look into this with more detail to begin some design work, and feedback is greatly appreciated.
In terms of milestones for such work, the first objective is simply supporting choice in scanning solution, then more complex configurations such as multiple scanners integrated into the system concurrently could be explored since that has a much greater impact on the APIs and data model currently in Harbor.
@zhill, I would like to have multiple scanners active, and to be able to see the results of all of them.
What I imagine is that the vulnerability column when looking at images would show a collation of all of the results from the scanners. When you hover over the bar, the popup shows the details from each scanner.
There’s a proposal for this under discussion here (thanks @zhill!)
this is officially covered by https://github.com/goharbor/community/pull/98 which is in 1.10 commitments