HummerRisk Tutorial: Image Detection

Overview

HummerRisk is an open-source cloud-native security platform that non-intrusively addresses security and governance issues in cloud-native environments. Core capabilities include hybrid cloud security governance and container cloud security detection.

This article introduces how to use HummerRisk to perform "image detection" in the field of cloud-native security. The "image detection" function scans an image in depth, obtains its internal structure, and reports which vulnerabilities exist in the image's dependencies. The article covers the image detection workflow, a detailed description of the configuration parameters, and the basic functions. At present, HummerRisk can scan images from the list synchronized after binding an image repository, or scan an image that is specified manually or uploaded as a tar package.

This article uses a private Docker image repository provided by Harbor as the example to demonstrate how to scan images.

Workflow

To complete "image detection", the following steps are required:


Image repository management

The image repositories currently supported by HummerRisk are Harbor, DockerHub and Nexus. For any other type of repository, choose Other. The specific steps are as follows:

  1. Log in to the HummerRisk system and click "Cloud Native Security";
  2. Click "Image Detection", then click "Create Image Repository";
  3. Fill in the configuration information of the image repository;
  4. Click "Confirm" after filling in the information;
  5. After the repository is created, click "Synchronize Images" to check that the account is valid and to synchronize the image list.

| Parameter | Description |
| --- | --- |
| Image repository name | Display name of the image repository in the HummerRisk system |
| Image repository type | Choose according to the actual situation; the repository types that have been adapted and verified are Harbor, DockerHub and Nexus |
| Image repository address | Access address of the image repository, usually https://<repository IP or domain name>:<port> |
| Image repository username | Must be filled in, especially for a private repository; used for authentication, otherwise the image cannot be pulled |
| Image repository password | Must be filled in, especially for a private repository; used for authentication, otherwise the image cannot be pulled |

Image management

The "image management" function helps manage the images used for application releases. It also lets users create images manually for public image repositories that have no private repository, so that the subsequent image scan can be performed.

HummerRisk associates an image with a project and version in the SBOM, which makes it easier to manage and maintain the secure version of an application. Before using image management, create the project and version in "SBOM Management".

The detailed steps and parameters for creating an image are as follows:

  1. Log in to the HummerRisk system and click "Cloud Native Security";
  2. Click the "Image Detection" function and select "Image Management" in the menu bar;
  3. Click "Create Image" and enter the correct image information and parameters; see the table below for a description of the parameters.

| Parameter | Description |
| --- | --- |
| SBOM project | Project name created in "SBOM Management" |
| Project version | Version of the project in the SBOM Management function |
| Image name | Image repository access address, usually https://<repository IP or domain name>:<port> |
| Whether to bind the image repository | Image repository username; must be filled in, especially for a private repository; used for authentication, otherwise the image cannot be pulled |
| Whether to enable proxy | Image repository password; must be filled in, especially for a private repository; used for authentication, otherwise the image cannot be pulled |
| Whether to upload an image picture | Display picture of the image in the HummerRisk system, to make images easy to distinguish |
| Remark | Some description of how the image is used |
| Image type | Three methods are currently supported: 1. Obtain from the image repository: select this option to associate the image directly with a bound image repository. 2. Enter the image address by hand: for example, an image in the Docker Hub public library will be pulled automatically. 3. Upload an offline image package manually: usually the .tar image archive produced by docker save |
| Image address:tag | Fill in the complete image address, including URL and tag |
| Image list | If the image is in a private repository, it can be bound to an image in the image list |
| Image address | When uploading a tar package manually, the offline file is uploaded through this item |

  1. After filling in the correct information, click "Confirm";
  2. Click "Detect" to run detection on the image.
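As an added example (not part of the original tutorial or of the HummerRisk code base), the following Python helper checks an image reference the way the "Image address:tag" field requires it, applies the Docker Hub defaults that make a hand-entered address pull automatically, and decides which of the three creation methods above applies given the repository addresses already bound; the function names and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ImageRef:
    registry: str    # host or host:port, e.g. "harbor.example.com:443" (constructed sample)
    repository: str  # path inside the registry, e.g. "library/nginx"
    tag: str


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'host:port/project/repo:tag' into parts, applying Docker Hub defaults.

    A reference without a tag is rejected, because the field requires address:tag.
    """
    if "@" in ref:
        raise ValueError("digest references are not accepted here; use address:tag")
    parts = ref.split("/")
    # The first component is a registry only if it looks like a host name.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    if ":" not in path.rsplit("/", 1)[-1]:
        raise ValueError(f"missing tag in {ref!r}: the field requires address:tag")
    path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path  # official Docker Hub images live under "library/"
    return ImageRef(registry, path, tag)


def registry_host(repo_url: str) -> str:
    """Normalise a repository address as entered in HummerRisk (https://host:port) to host[:port]."""
    url = urlparse(repo_url if "://" in repo_url else "https://" + repo_url)
    return url.netloc.lower()


def choose_image_type(ref: str, bound_repo_urls) -> str:
    """Return which creation method fits: bound repository, public address, or neither."""
    img = parse_image_ref(ref)
    bound = {registry_host(u) for u in bound_repo_urls}
    if img.registry.lower() in bound:
        return "bound-repository"   # method 1: associate with the synchronized image list
    if img.registry == "docker.io":
        return "public-address"     # method 2: the public image is pulled automatically
    return "unbound-private"        # needs a bound repository with credentials or a tar upload
```

Registries without a bound entry fall into the last case, which is where the offline "docker save" tar upload is the remaining option.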


Detection results

After image detection completes, the detection result is produced; through the visual page you can view the risk situation, the names of the vulnerabilities and the remediation.

  • After image detection has run, all detection results can be viewed on the image detection result page.
  • All executed detection tasks are displayed in the list.
  • The detection status shows the execution status of the current task: a task that is running is shown as [Processing], and a task that has finished is shown as [Completed] or [Exception].

The detailed steps are as follows:

  1. Log in to the HummerRisk system and click "Cloud Native Security";
  2. Click "Image Detection", then click "Image Detection Result";
  3. The image list is now shown. If the status of the detected image is "Completed", click the content under "Statistics" to view the detailed detection results. The statistics are divided into 5 levels:

| Level | Description |
| --- | --- |
| C (Critical) | high risk |
| H (High) | high risk |
| M (Medium) | medium risk |
| L (Low) | low risk |
| U (Unknown) | no risk |

  4. View the detailed detection results.
  5. To see the details of a detection result, click the detection statistics to open the detail page.
  6. Taking "Vulnerability Detection" as an example, after clicking the result under "Vulnerability Detection Statistics" you can view the vulnerability details page shown below. From the information on this page you can see the software name, CVE ID, risk level, fix version number and so on.

Image detection history

The "Image Detection History" function shows the historical detection results of each image and lets you compare several detection results at the same time.

Image detection history list:

View historical detection results:

Image overview

The "Image Overview" page gives a quick analysis of the security status of all currently managed images, so that administrators can find security problems quickly. It includes statistics by repository and statistics by vulnerability risk level.


Source: blog.csdn.net/wolaisongfendi/article/details/129924332