
Harbor Shift Left: Bringing Runtime Intelligence to Container Security
Picture this: your development team is racing to deploy a critical update, but security scanning brings everything to a halt. The scanner reports 47 vulnerabilities, but which ones actually matter? Which are exploitable in production? And most importantly, should you block the deployment or proceed?

This is the daily reality for most DevOps teams. Traditional container scanners excel at detection, but fall short on prioritization. They flood teams with alerts, create deployment bottlenecks, and often force an impossible choice between security and speed.
That’s why we built Harbor Shift Left. Our Shift Left capability for Harbor is more than a scanner: it’s a security intelligence platform that integrates directly with the Harbor container registry and connects to the Upwind Platform. By combining registry scanning with runtime-powered insights, teams can focus on the vulnerabilities that actually pose risk and deploy with confidence.
The Problem
Harbor, the popular open-source container registry, offers a strong foundation for managing container images. However, its built-in scanning may not always meet the needs of security-conscious organizations.
We saw the need for a solution that:
- Integrates seamlessly with Harbor’s infrastructure
- Leverages the Upwind Shift Left engine for advanced scanning
- Scales natively in Kubernetes
- Provides results in Harbor’s expected formats
- Connects to the Upwind Platform for enriched, runtime-informed analysis
Finding vulnerabilities is only half the battle; the real value is knowing which ones matter in your environment.
The Shift Left Security Challenge
Traditional “shift left” security lacks real-world context. Build-time scans often generate thousands of unprioritized alerts, creating production delays and friction as teams struggle to separate theoretical vulnerabilities from actual risks. Our build-time scanner addresses this by integrating with the Upwind Platform, bringing runtime intelligence to CI/CD pipelines. By combining runtime context with build-time practices, teams can focus on the vulnerabilities that truly matter, improving both security and velocity.
Architecture Overview
The Upwind Shift Left Harbor Scanner is built on a microservices architecture designed to integrate seamlessly with Harbor through its Scanner Adapter API, while also connecting to the Upwind Platform for centralized security management.
Here’s how it works:
- Scan requests are initiated by Harbor and received by our API server.
- The API server orchestrates Kubernetes jobs to perform the scanning.
- Each scan job runs the Upwind Shift Left engine against the specified container image.
- The scan results are automatically uploaded to the Upwind Platform, where they are enriched with runtime context and advanced analysis.
This design ensures scalability in Kubernetes environments, native compatibility with Harbor, and an end-to-end workflow that ties image scanning directly into runtime-informed security insights.
Implementation Overview
1. Harbor Scanner Adapter API Compliance
The scanner is fully compliant with the Harbor Scanner Adapter API specification, which defines three core endpoints: metadata, scan, and report. This compliance ensures seamless integration into existing Harbor deployments, without requiring any changes to registry configurations. The metadata endpoint is responsible for advertising the scanner’s capabilities, so Harbor can recognize and interact with it directly.
The scan endpoint accepts scan requests from Harbor and creates a unique Kubernetes job for each request. This allows scans to run asynchronously and in parallel, ensuring scalability and isolation.
2. Asynchronous Scanning with Kubernetes Jobs
Rather than blocking API requests, the scanner creates Kubernetes jobs for each scan request. This approach provides several advantages:
- Concurrency: multiple scans can run at the same time
- Resilience: failed scans can be retried automatically
- Efficiency: Kubernetes provides built-in resource management and monitoring
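As an added illustration of the scan endpoint and the one-Job-per-request model described above (example code written for this post, not the scanner’s own source): the handler decodes Harbor’s scan request, insists on a digest-pinned image reference, hands the registry authorization through to a hypothetical JobLauncher seam that stands in for the Kubernetes client, and answers 202 with the scan ID that Harbor later uses to poll the report. The request field names follow the Harbor Scanner Adapter API; the JobLauncher interface and HandleScan function are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// ScanRequest mirrors the JSON body Harbor POSTs to the adapter's scan endpoint.
type ScanRequest struct {
	Registry struct {
		URL           string `json:"url"`
		Authorization string `json:"authorization"` // forwarded to the image pull, never logged
	} `json:"registry"`
	Artifact struct {
		Repository string `json:"repository"`
		Digest     string `json:"digest"`
	} `json:"artifact"`
}

// JobLauncher is a hypothetical seam for creating the per-scan Kubernetes Job.
type JobLauncher interface {
	Launch(scanID, imageRef, authorization string) error
}

// newScanID returns 128 random bits as hex: the scan_request_id Harbor later polls the report with.
func newScanID() string { b := make([]byte, 16); rand.Read(b); return fmt.Sprintf("%x", b) }

// HandleScan is the scan endpoint's logic: validate, launch exactly one Job, answer 202 with the ID.
// It returns status plus response map, so an http.HandlerFunc wrapper only has to read r.Body and encode.
func HandleScan(launcher JobLauncher, body []byte) (int, map[string]string) {
	var req ScanRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return http.StatusBadRequest, map[string]string{"error": "malformed JSON"}
	}
	// Pin the pull to the digest Harbor asked for: a tag could be re-pointed between scan and deploy.
	host := strings.TrimPrefix(strings.TrimPrefix(req.Registry.URL, "https://"), "http://")
	if host == "" || req.Artifact.Repository == "" || !strings.HasPrefix(req.Artifact.Digest, "sha256:") {
		return http.StatusUnprocessableEntity, map[string]string{"error": "registry url, repository and sha256 digest required"}
	}
	ref := fmt.Sprintf("%s/%s@%s", host, req.Artifact.Repository, req.Artifact.Digest)
	id := newScanID() // each request gets its own Job, so scans run asynchronously and in parallel
	if err := launcher.Launch(id, ref, req.Registry.Authorization); err != nil {
		return http.StatusInternalServerError, map[string]string{"error": "job creation failed"}
	}
	return http.StatusAccepted, map[string]string{"id": id}
}
```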
3. Container Image Analysis
The core scanning logic leverages the Upwind Shift Left engine to analyze container images. The scanner:
- Extracts registry credentials from Harbor’s authorization headers
- Pulls container images using Skopeo (avoiding the need for a Docker daemon)
- Executes comprehensive vulnerability scanning
- Detects secret exposures and sensitive data leaks
- Processes results into Harbor-compatible formats
The Upwind Shift Left engine performs comprehensive security analysis, including:
- Vulnerability scanning: CVE detection, package analysis, and security advisories
- Secret detection: identification of API keys, passwords, tokens, and other sensitive data exposure
- Runtime context integration: leveraging Upwind’s cloud monitoring to prioritize risks based on real-world exploitability
4. Upwind Console Integration
A key differentiator of our scanner is its seamless integration with the Upwind Platform. Once scans are complete, results are automatically uploaded to the Upwind Platform, where teams gain access to:
- A centralized security dashboard
- AI-powered risk scoring enriched with runtime context
- Compliance reporting to meet regulatory requirements
- Trend analysis for long-term visibility
- CI/CD integration for automated workflows
Important Note: While the Harbor UI displays vulnerability findings from our scanner, secret exposure detection results are available exclusively in the Upwind Platform. This separation allows Harbor users to view immediate vulnerability data directly within their registry, while still providing access to comprehensive secret scanning and advanced insights in the Upwind Platform.

Runtime Intelligence Across Cloud Environments
The Upwind Platform extends Harbor scanning with real-time context from cloud workloads. By connecting directly to AWS, Azure, and Google Cloud, it continuously monitors services like Lambda, ECS, Function Apps, and Cloud Functions.
This runtime intelligence ensures that vulnerabilities are prioritized based on actual exposure and activity. For example, a vulnerability in a container exposed to the internet and actively receiving traffic will be ranked far higher than the same issue in an internal-only workload.
Kubernetes Architecture and Performance
The scanner runs as a Kubernetes deployment, designed for scale and efficiency. Multiple replicas provide high availability, resource limits prevent overload, and API credentials are securely managed. Network access is restricted to only what’s required for Harbor and the Upwind Platform.
Performance is further optimized through:
- Parallel scans managed by Kubernetes jobs
- Skopeo integration for lightweight image pulling
- Chunked result streaming for memory efficiency
- Batched uploads to reduce API calls
Benefits of the Upwind Platform
Together, Upwind Harbor Shift Left and the Upwind Platform deliver more than just vulnerability detection:
- Unified multi-cloud visibility across AWS, Azure, and GCP
- Machine learning-powered risk scoring and trend forecasting
- Secret exposure risk assessment with automated workflows
- Operational efficiency through automated ticketing, proactive alerts, and compliance-ready reporting
Conclusion
Building the Upwind Shift Left Harbor Scanner has been an enlightening journey into container security integration. By combining Go, Kubernetes, Harbor, and the Upwind Platform, we’ve created a scalable, production-ready solution that enhances security without slowing development.
Already running in production, the scanner helps organizations move beyond static scans – bringing runtime intelligence into container security and empowering teams to deploy with confidence. To learn more about Upwind’s Shift Left Harbor Scanner, schedule a demo today or visit our documentation to learn how to integrate Harbor with Upwind (login required).