CVE Remediation Demo

A container-registry pull gate driven by central CVE approvals instead of project-wide allowlists.

This demo shows how a docker pull against a container registry is automatically blocked while the image's CVEs are not approved, and succeeds again once they have been assessed and accepted in Dependency-Track. The decision is made per image, with an audit trail, and the applications themselves stay unchanged.

The problem

Harbor's built-in CVE allowlist only works system-wide or per project (folder level), never per image (project allowlist, system allowlist). Teams need the decision per image, otherwise:

How it works

Apps → Harbor (gate) → Dependency-Track (authority) → Trivy (findings)

Components

Harbor

Registry with proxy cache and a pull gate. Calls Dependency-Track as its scanner.

Dependency-Track

System of record for findings, ownership and approval decisions.

Scanner adapter

Translates Dependency-Track's finding state into a Harbor scanner report; CVEs that have been approved in DT are dropped from the report, so Harbor's pull gate no longer counts them.

Trivy

Provides the actual vulnerability findings that DT delegates to.
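To make the scanner adapter's role concrete, the following is an added example (not the demo's own adapter code): it takes findings in the shape Dependency-Track's finding API returns (component, vulnerability, analysis), drops the ones whose analysis state or suppression flag marks them as approved, and emits a Harbor-style vulnerability report. It then applies the same rule Harbor's pull gate uses, "block if any remaining finding is at or above the project's severity threshold". The set of states treated as approved, the severity mapping, the constructed CVE ids and the digest are assumptions of this example, not values taken from the demo.

```python
"""Scanner-adapter style filtering: Dependency-Track findings -> Harbor report."""
from datetime import datetime, timezone

# Dependency-Track analysis states this example treats as "approved" for an
# image. Which states count as approval is an assumption of the example.
APPROVED_STATES = {"NOT_AFFECTED", "FALSE_POSITIVE", "RESOLVED"}

# Dependency-Track severity -> severity vocabulary used in Harbor reports.
SEVERITY_MAP = {
    "CRITICAL": "Critical",
    "HIGH": "High",
    "MEDIUM": "Medium",
    "LOW": "Low",
    "INFO": "Negligible",
    "UNASSIGNED": "Unknown",
}
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def is_approved(finding):
    """A finding is approved when DT has suppressed it or set an accepting state."""
    analysis = finding.get("analysis") or {}
    return bool(analysis.get("isSuppressed")) or analysis.get("state") in APPROVED_STATES


def build_harbor_report(dt_findings, artifact_digest):
    """Translate DT findings into a Harbor-style report, dropping approved CVEs."""
    vulnerabilities = []
    for finding in dt_findings:
        if is_approved(finding):
            continue  # approved in DT: invisible to Harbor's gate
        component, vuln = finding["component"], finding["vulnerability"]
        vulnerabilities.append({
            "id": vuln["vulnId"],
            "package": component["name"],
            "version": component["version"],
            "severity": SEVERITY_MAP.get(vuln.get("severity", "UNASSIGNED"), "Unknown"),
            "description": vuln.get("description", ""),
        })
    # Overall report severity is the highest remaining finding ("Unknown" if none).
    overall = "Unknown"
    for v in vulnerabilities:
        if SEVERITY_RANK[v["severity"]] > SEVERITY_RANK[overall]:
            overall = v["severity"]
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "artifact": {"digest": artifact_digest},
        "severity": overall,
        "vulnerabilities": vulnerabilities,
    }


def pull_allowed(report, threshold):
    """Harbor-style gate: block when any unapproved finding reaches the threshold."""
    limit = SEVERITY_RANK[threshold]
    return all(SEVERITY_RANK[v["severity"]] < limit for v in report["vulnerabilities"])


def approve(dt_findings, vuln_id, state):
    """Model a DT analysis decision for one CVE; returns a new findings list."""
    updated = []
    for finding in dt_findings:
        if finding["vulnerability"]["vulnId"] == vuln_id:
            finding = {**finding, "analysis": {"state": state, "isSuppressed": False}}
        updated.append(finding)
    return updated


# Constructed sample findings (ids and packages are placeholders, not real CVEs).
SAMPLE_FINDINGS = [
    {"component": {"name": "libexample", "version": "1.0.0"},
     "vulnerability": {"vulnId": "CVE-0000-0001", "severity": "CRITICAL", "description": "constructed"},
     "analysis": {"state": "NOT_SET", "isSuppressed": False}},
    {"component": {"name": "libother", "version": "2.3.4"},
     "vulnerability": {"vulnId": "CVE-0000-0002", "severity": "HIGH", "description": "constructed"},
     "analysis": {"state": "NOT_AFFECTED", "isSuppressed": False}},
    {"component": {"name": "libthird", "version": "0.9.1"},
     "vulnerability": {"vulnId": "CVE-0000-0003", "severity": "MEDIUM", "description": "constructed"},
     "analysis": {"state": "IN_TRIAGE", "isSuppressed": True}},
]

if __name__ == "__main__":
    before = build_harbor_report(SAMPLE_FINDINGS, "sha256:constructed-digest")
    print("before approval, pull allowed at High:", pull_allowed(before, "High"))
    after = build_harbor_report(approve(SAMPLE_FINDINGS, "CVE-0000-0001", "NOT_AFFECTED"),
                                "sha256:constructed-digest")
    print("after approval, pull allowed at High:", pull_allowed(after, "High"))
```

Only the unapproved critical finding survives the first report, so a project threshold of High blocks the pull; once that CVE is accepted in DT the report is empty and the same pull goes through, with the decision recorded on the DT side rather than in a registry-wide allowlist.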

Interfaces


Project pages: goharbor.io · dependencytrack.org

Notes

This environment runs in a personal AWS sandbox and is a demonstration setup only, not a production system. It may be offline at times (it stops automatically to save cost) and uses a dedicated demo Harbor, not a production registry. It is served on a subdomain under squer.rocks, whose DNS is managed in the SQUER Cloud AWS account under Route 53 Hosted Zones (the cve-demo.squer.rocks zone is delegated to the sandbox account).