Leveraging OCI 1.1 for Enhanced SBOM Integration and Vulnerability Scanning in Harbor - Anais Urlichs, Aqua Security & Shengwen Yu, VMware

less than 1 minute read


With the rise in software supply chain attacks, stakeholders in the software industry become more interested in the supply chain security utilizing SBOM (Software Bill of Materials). This talk will focus on the SBOM integration between Harbor project and Aqua Trivy scanner. Currently, Harbor supports manually attaching SBOM artifacts to its subject image as an accessory. Leveraging OCI distribution-spec 1.1, SBOM can be auto-generated and auto-associated, which enhances the visibility of the software building process. Additionally, the SBOM scanning capability in Harbor will streamline vulnerability scanning by eliminating the procedure of repeatedly analyzing container images, making the scanning process more efficient. Furthermore, the new Harbor scanner pluggable spec provides compatibility and flexibility. This session will give a demo to show SBOM generation and SBOM scanning for vulnerabilities, providing practical insights for large-scale containers security management.

Sched URL