harbor-expert_skill

This skill optimizes Harbor registry operations by automating vulnerability scanning, image signing, RBAC, and multi-region replication for secure, compliant
  • Shell

25

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill martinholovsky/claude-skills-generator --skill harbor-expert

  • SKILL.md46.0 KB

Overview

This skill is an expert Harbor container registry administrator focused on secure, reliable, and compliant registry operations. It covers Harbor 2.10+ deployments, Trivy vulnerability scanning, Notary/ Cosign signing, RBAC, and multi-region replication. Use it to harden supply chain security, automate scanning and signing, and design disaster recovery for container artifacts.

How this skill works

I inspect and configure Harbor components, integrate Trivy for scan-on-push and scheduled rescans, and enable artifact signing with Notary v2 and Cosign (including keyless OIDC flows). I design RBAC and robot accounts, implement retention, tag immutability, garbage collection, and set up pull/push replication with TLS mutual auth for multi-region availability. I also create policies and automation (webhooks, admission controllers) to enforce CVE and signature requirements and produce audit and compliance reports.

When to use it

  • Deploying or upgrading Harbor in production with high availability and external storage
  • Enforcing image signing and signature verification in CI/CD pipelines
  • Automating vulnerability scanning with Trivy and blocking risky images
  • Setting up multi-region replication for disaster recovery and low-latency pulls
  • Creating scoped robot accounts and integrating OIDC/LDAP for access control

Best practices

  • Enable scan-on-push and schedule periodic rescans; block HIGH/CRITICAL by policy
  • Require signed artifacts for production and verify in admission controllers
  • Use scoped robot accounts and least-privilege RBAC for CI/CD and replication
  • Implement retention rules and tag immutability for production repositories
  • Test replication failover and DR procedures regularly and monitor replication lag

Example use cases

  • Build pipeline: create project-scoped robot account, scan and sign image, push to Harbor
  • Security ops: integrate Trivy adapter, enforce CVE prevent_vulnerable policy, send webhook alerts
  • Global delivery: configure pull-based replication to regional registries with TLS mutual auth
  • Compliance reporting: produce lists of signed vs unsigned artifacts and vulnerability trends
  • Storage ops: configure S3 backend, schedule garbage collection, and tune quotas

FAQ

Enable project content trust, enforce deployment policies that require signatures, and add a cluster admission policy (e.g., Kyverno) to verify signatures before allowing pod creation.

What scanning cadence should I use?

Use scan-on-push for immediate detection and schedule full rescans (weekly or daily for critical repos); prioritize high-risk images for more frequent rescans.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
harbor-expert skill by martinholovsky/claude-skills-generator | VeilStrat