Harbor for Beginners, Part 6: Block Risky Images

Turn the scanner’s findings into a gate. Set a severity line, and Harbor refuses to hand out any image that crosses it, while clean images pull as normal. With a real before-and-after using a vulnerable nginx.

Harbor for Beginners · Part 6 of 12

In Part 5 the scanner told you what was wrong with an image. By itself, that is just a label. Here we turn it into a rule: you pick a severity line, and Harbor refuses to hand over any image that crosses it. The risky image can sit in your project, but nobody can pull it. Let us set the rule, then watch it stop a genuinely vulnerable image.

Turn the rule on

To start, the rule is off, and the project will hand out anything you ask for.

The Configuration tab with the prevent rule unchecked
Before. The Prevent vulnerable images box is unticked, so nothing is blocked.

Now switch it on:

  1. Open your project and click the Configuration tab.
  2. Find the Deployment security section.
  3. Tick Prevent vulnerable images from running.
  4. In the dropdown, choose a severity. Pick High.
  5. Scroll down and click Save.
The Configuration tab with the prevent rule ticked and set to High
After. Anything with a High or Critical finding will now be refused.

Harbor confirms the save, and the gate is live.

A banner confirming the configuration was saved
Saved. The rule is now in force for this project.

Add a vulnerable image to test

Your hello-world is clean, so the rule will never touch it. To watch the gate work, you need an image with real problems. An older nginx is perfect.

  1. Copy an older nginx into your project. Use your real registry host where the example shows registry.lab.internal.
    ./crane copy nginx:1.21.0 registry.lab.internal/pranay-project/nginx:old --insecure
  2. It now sits in your project, right next to hello-world.
The project repositories list now showing nginx alongside hello-world
Two repositories now: your clean hello-world, and the new nginx.
  1. Open the nginx repository, tick the artifact, and click Scan Vulnerability. At first it reads Not Scanned.
The nginx artifact showing Not Scanned
Before scanning: Not Scanned, so Harbor has no idea yet what is inside.
  1. Wait for the scan to finish.

The result is striking. This older image carries 394 vulnerabilities, 309 of them with fixes already available, and plenty rated Critical.

The nginx artifact scanned, showing 394 total vulnerabilities with 309 fixable
After scanning: 394 findings. This is what a real-world base image often looks like.

Try to pull it

Now attempt to pull that nginx image:

./crane pull registry.lab.internal/pranay-project/nginx:old nginx.tar --insecure

Instead of downloading, Harbor stops you cold:

Error: PROJECTPOLICYVIOLATION: current image cannot be pulled due to
configured policy in 'Prevent images with vulnerability severity of
"High" or higher from running.' To continue with pull, please contact
your project administrator for help.

That refusal is the whole point of this part. The image is sitting right there in the registry, but the policy will not let anyone pull it.

Check a clean image still works

The gate is precise, not a blanket lockdown. Pull your clean hello-world and it comes down with no fuss:

./crane pull registry.lab.internal/pranay-project/hello-world:v1 hw.tar --insecure

No error, no policy violation. The rule only blocks what actually crosses your severity line, and lets everything else through.

Allow one CVE if you must

Sometimes a single finding is a false alarm, or a risk you have looked at and accepted. You can forgive just that one without weakening the whole rule.

  1. On the Configuration tab, find the CVE allowlist.
  2. Click Add.
  3. Paste the specific CVE ID.
  4. Save.

Harbor now ignores that one CVE when it applies the gate. Everything else stays exactly as strict.

Treat the allowlist as a scalpel, not a switch. Forgiving one reviewed CVE is fine. Allowlisting things just to make a red badge disappear defeats the point of having a gate at all.

Quick recap

  1. The scanner finds problems. This rule acts on them.
  2. Set a severity line on the Configuration tab and save it.
  3. Images at or above that line cannot be pulled. Clean and lower-risk images are unaffected.
  4. Use the CVE allowlist to forgive a single reviewed finding without dropping the rule.

Harbor for Beginners, Part 6 of 12. Product names belong to their owners. The host shown is a stand-in, not a real value.

About The Author


Discover more from Journal of Intelligent Infrastructure – By Dr Pranay Jha

Subscribe to get the latest posts sent to your email.

Leave a Reply

Your email address will not be published. Required fields are marked *

Architect’s Toolkit

About the Author

Dr. Pranay Jha is a Cloud and AI Consultant with 18+ years of experience in hybrid cloud, virtualization, and enterprise infrastructure transformation. He specializes in VMware technologies, multi-cloud strategy, and Generative AI solutions. He holds a PhD in Computer Applications with research focused on Cloud and AI, has published multiple research papers, and has been a VMware vExpert since 2016 and a VMUG Community Leader.

Discover more from Journal of Intelligent Infrastructure - By Dr Pranay Jha

Subscribe now to keep reading and get access to the full archive.

Continue reading