TL;DR
Stop Harbor → run ./prepare --with-trivy once → start Harbor. Because you previously had no scanner, Trivy becomes the default automatically. Confirm with a manual scan in the UI, then (optionally) turn on auto-scan on push per project.
Installed Harbor from my earlier guide? It’s OK that it’s 2.13.1—these steps are identical on 2.13.1–2.14.0: Install Harbor 2.13.1 on Ubuntu 24.04 with HAProxy, Let’s Encrypt (DNS-01), and Systemd
Assumptions
- Harbor 2.14.0 in
/opt/harbor, managed by systemd (harbor.service) - TLS termination at HAProxy :443; Harbor bound to 127.0.0.1:80
- No scanner existed before enabling Trivy (so it auto-defaults)
- Enable Trivy
sudo systemctl stop harbor.service
cd /opt/harbor
sudo ./prepare --with-trivy
sudo systemctl start harbor.service
That’s it—Trivy is enabled and set as Default.
- Manual scan to confirm
- Projects → your project → Repositories → repo → Artifacts
- Select a tag and click Scan Vulnerability
Before scan: shows Not Scanned with the SCAN VULNERABILITY button.
After scan: the Vulnerabilities column displays totals; click the artifact → Vulnerabilities to see CVEs, severity, package and fixed-in versions.
- Enable auto-scan on push
Auto-scan is off by default.
- Projects → your project → Configuration
- Under Vulnerability scanning, check Automatically scan images on push → Save
- Setting is per project (repeat as needed)
- Existing artifacts aren’t backfilled—use Scan Vulnerability or Scan All
- Auto-scan test (push → scan)
With the toggle enabled, push a new tag; Harbor should scan it automatically:
docker push harbor.maksonlee.com/library/ubuntu:22.04
The push refers to repository [harbor.maksonlee.com/library/ubuntu]
767e56ba346a: Pushed
22.04: digest: sha256:af98d7ce0d7867da88cb7b17604c4fac5c9fd8972602a74563f04cb71a3db79e size: 529
Back in Projects → Repositories → library → Artifacts, you’ll see the new 22.04 tag appear and, shortly after, the Vulnerabilities column populate (e.g., 26 Total – 0 Fixable), as in your screenshot.
