Trivy Vulnerability Scanning
Scan every pushed image with real CVE data, severity summaries, and promotion-ready policy results before the artifact moves forward.
A8S turns Harbor into a cleaner artifact workflow with Trivy scanning, project-level permissions, webhook events, and audit-ready activity trails from push to promotion.
Keep repository security, promotion controls, notifications, and audit visibility in one registry flow instead of scattered checks.
Scan every pushed image with real CVE data, severity summaries, and promotion-ready policy results before the artifact moves forward.
Scope repository access per project so developers, maintainers, and owners see exactly what they should and nothing more.
Send repository, scan, and promotion events to Slack, CI pipelines, or downstream automation when the registry state changes.
Track pushes, pulls, tag changes, scans, and permission-sensitive actions with a clear activity trail built for reviews and incident follow-up.
Every image gets a full Trivy scan on push
Results are broken down by severity, package, fixed version, and CVSS score. Policy-based blocking automatically stops vulnerable images from reaching production.
Language runtimes: Go, Node.js, Python, Java, Ruby
CVSS scores, NVD references, fix versions included
Scheduled rescans as new CVEs are published
Block deploy if severity is HIGH or CRITICAL
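As an added example (not A8S or Harbor code), this Python gate reads a Trivy JSON report in the shape produced by `trivy image -f json`, summarizes findings by severity with their fixed version and CVSS score, and blocks promotion when anything at or above HIGH is present. The report, image name and CVE ids are constructed placeholders, not real scan data.

```python
import json

# Trivy severity scale, least to most severe.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of `trivy image -f json` output, reduced to
# the fields a gate needs. Image name and CVE ids are placeholders, not real data.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.internal/shop/api:1.4.2",
    "Results": [
        {"Target": "shop/api:1.4.2 (debian 12.5)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "HIGH",
             "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1",
             "CVSS": {"nvd": {"V3Score": 7.5}}},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib1g", "Severity": "MEDIUM",
             "InstalledVersion": "1:1.2.13", "FixedVersion": "",   # no fix released yet
             "CVSS": {"nvd": {"V3Score": 5.3}}}]},
        {"Target": "app/package-lock.json", "Type": "npm", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash", "Severity": "CRITICAL",
             "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21",
             "CVSS": {"nvd": {"V3Score": 9.8}}}]},
        {"Target": "usr/bin/helper", "Type": "gobinary"},   # a Result with no findings
    ]})

def summarize(report_json: str) -> dict:
    """Flatten every Result into one finding list and count findings per severity."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:       # key may be missing or null
            findings.append({
                "id": v["VulnerabilityID"], "target": result.get("Target"),
                "pkg": v.get("PkgName"), "installed": v.get("InstalledVersion"),
                "fixed": v.get("FixedVersion") or None,       # "" means no fixed version
                "severity": v.get("Severity", "UNKNOWN"),
                "cvss": v.get("CVSS", {}).get("nvd", {}).get("V3Score")})
    counts = {s: sum(f["severity"] == s for f in findings) for s in SEVERITY_ORDER}
    return {"artifact": report.get("ArtifactName"), "findings": findings, "counts": counts}

def gate(summary: dict, block_at: str = "HIGH") -> dict:
    """Promotion decision: block when any finding is at or above block_at."""
    threshold = SEVERITY_ORDER.index(block_at)
    blocking = [f for f in summary["findings"] if SEVERITY_ORDER.index(f["severity"]) >= threshold]
    # Fixable findings tell the developer which upgrades would clear the gate.
    fixable = [f for f in blocking if f["fixed"]]
    return {"allowed": not blocking, "blocking": blocking, "fixable": fixable}

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(s["artifact"], s["counts"], "promotion allowed:", gate(s)["allowed"])
```

In a pipeline the same gate would run on the report Trivy attaches to the pushed tag, with the `fixable` list surfacing the upgrades that would let the artifact move forward.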
Every build lands as a tagged Docker image in Harbor, so teams can browse image history, inspect metadata, and recover older releases without rebuilding.
Each artifact stays stored with its tag, digest, size, and publish time. That keeps image browsing, history visibility, and rollback readiness in one place instead of scattered across CI logs.
Every build produces a versioned Docker image stored in Harbor.
Tags like semantic versions and commit hashes stay visible in the same repository history.
Users can open the dashboard and inspect image metadata before selecting a release.
Old versions remain available, so rollback can use an already stored image immediately.
Any retained image can be selected for deployment without starting a rebuild, and the same stored history gives your team instant rollback when a previous image needs to be restored.
Select an existing image tag from the registry and ship it immediately through the deployment flow.
Previous images stay available for fast rollback, so releases can recover without creating a new build.
Connect another registry with URL, username, and token so A8S can push and pull images there too.
Artifact management is not only image storage. A8S can connect external registries, keep Helm charts as artifacts, and preserve the build and deployment context attached to every stored version.
Teams can connect a private registry with credentials, then push or pull images while storing Helm charts as versioned artifacts for GitOps-friendly delivery.
Provide registry URL, username, and token securely.
Push and pull images from external registries without changing the release flow.
Store Helm charts as artifacts for GitOps deployment and versioned infrastructure.
Each stored image keeps the version tag, build details, and associated deployment context so teams can trace what was released and where it was used.
Version tags and digests remain visible per image.
Build info connects the artifact to the pipeline output.
Associated deployment records show the exact runtime destination.
Project-scoped access keeps each registry team isolated, while promotion, cleanup, and retention rules stay visible to the people who own them.
Developers can push and verify, maintainers can manage policies and webhooks, and owners keep control of destructive operations.
Repository access stays project-bound.
Robot accounts can be limited per workflow.
Promotion paths stay visible to maintainers.
Immutable tags, scan gates, retention rules, and webhook endpoints live beside the artifact instead of in separate manual checklists.
Protect trusted tags from accidental overwrite.
Attach Slack or CI webhooks to registry events.
Keep scan, retention, and audit context together.
A quick view of the common actions each project role can handle in the registry.
| Action | User | Admin |
|---|---|---|
| Pull artifacts | Yes | Yes |
| Push new tags | Yes | Yes |
| Trigger scans | Yes | Yes |
| Edit webhooks | No | Yes |
| Change retention policy | No | Yes |
| Delete immutable tags | No | Yes |