@SoumyaRaikwar

Summary

Add design proposal to enable selective scoping for scheduled "Scan All" executions in Harbor. This proposal introduces an optional X-Scan-All-Scope header that allows administrators to limit scheduled vulnerability scans to specific projects or repositories instead of scanning all artifacts.

Background

Addresses community issue https://github.com/goharbor/harbor/issues/22266 where users requested granular control over scan scope to reduce unnecessary scanning and optimize resource usage in large Harbor installations.

Your Name and others added 2 commits September 29, 2025 23:53
Add design proposal to enable selective scoping for scheduled "Scan All"
executions in Harbor. This proposal introduces an optional X-Scan-All-Scope
header that allows administrators to limit scheduled vulnerability scans to
specific projects or repositories instead of scanning all artifacts.

Key features:
- Optional X-Scan-All-Scope header for schedule create/update
- Support for project_ids and repositories scope definitions
- Backward compatible implementation with no schema changes
- UI enhancements for project/repository selection
- Maintains existing behavior when scope is not specified

This addresses community issue #22266 and provides a resource-efficient
approach for large Harbor installations that need targeted scanning.

Signed-off-by: Your Name <your.email@example.com>
Signed-off-by: Soumya Raikwar <164396577+SoumyaRaikwar@users.noreply.github.com>
@SoumyaRaikwar
Author

SoumyaRaikwar commented Oct 4, 2025

@stonezdj, @Vad1mo, @AllForNothing, could you please review my proposal?

@Vad1mo
Member

Vad1mo commented Jan 9, 2026

I like the idea, but I don't think this is the right approach to implementing it, especially the X-Scan-All-Scope header.

  • Scan all should be replaced with scan policies, as Harbor is a policy-driven system. This way the sysadmin could create policies to scan images based on various criteria.

The following criteria come to mind:

  • cron for selected projects (similar to what you have)
  • cron for selected project + pulled/pushed images x days ago
  • scan all
  • scan all + pulled/pushed images x days ago
  • more policies possible. e.g. labels.

@SoumyaRaikwar
Author

SoumyaRaikwar commented Jan 9, 2026

@Vad1mo
I agree that Harbor is fundamentally a policy-driven system, and a unified scan policy model is the right long-term direction.

This proposal was intended as a small, incremental improvement to the existing scheduled “Scan All” feature with minimal surface-area change and full backward compatibility. I see scoped scheduling as a possible stepping stone, not an alternative to scan policies.

I’m happy to adjust the proposal based on the preferred direction. Also, I’ll make sure to update the documentation clearly describing the behavior, limitations, and intended scope of this feature.

Please let me know whether you’d prefer this to remain a short-term improvement or be reworked into a policy-based design.

@Vad1mo
Member

Vad1mo commented Jan 9, 2026

Let's do it right in policy fashion, with backwards compatibility.
For better clarification and alignment in the community and among the maintainers, can you add mockups, e.g. UI, and diagrams where applicable?

@SoumyaRaikwar
Author

SoumyaRaikwar commented Jan 18, 2026

@Vad1mo I have updated the PR goharbor/harbor#22392, could you please review?

@SoumyaRaikwar
Author

Thanks @Vad1mo for the feedback!

Valid point regarding the policy-based approach. We can certainly iterate towards a more robust policy engine in the future. However, given the immediate need for resource optimization in large installations, this "selective scope" acts as a lightweight, backward-compatible interim solution that fits within the current scheduling architecture without a major refactor.

I've implemented the changes in the working PR including the backend logic and the UI coverage.

Here are the mockups/screenshots of the UI implementation as requested:

Selective Scan Configuration:
Screenshot from 2026-01-19 00-12-22
