

# Harbor Incubating Stage Review
Harbor is currently a CNCF sandbox project. Please refer to Harbor's initial
[sandbox proposal](../proposals/harbor.adoc) for discussion on Harbor's
alignment with the CNCF and details on sandbox requirements.
In the time since being accepted as a sandbox project, Harbor has demonstrated
healthy growth and progress.
* v1.6.0 is the latest release, shipped on
  September 7th, marking our 7th major feature release. New features include:
  * Support for hosting Helm charts
  * Support for RBAC via LDAP groups
  * Replication filtering via labels
  * Major refactoring to coalesce to a single PostgreSQL database
* A formalized governance policy has
  been approved and instituted for the project, and two new maintainers from
  different companies have joined the project to help Harbor continue to grow.
## Incubating Stage Criteria
In addition to sandbox requirements, a project must meet the following
criteria to become an incubation-stage project:
* Document that it is being used successfully in production by at least three
  independent end users which, in the TOC's judgement, are of adequate quality
  and scope.
  * Adopters: [](
* Have a healthy number of committers. A committer is defined as someone with
  the commit bit; i.e., someone who can accept contributions to some or all of
  the project.
  * Maintainers of the project are listed in
    []( There are 11 maintainers working on Harbor from 3 different
    companies (VMware, Caicloud and Hyland Software).
  * Maintainers are added and removed from the project as per the policies
    outlined in the project governance:
* Demonstrate a substantial ongoing flow of commits and merged contributions.
  * Releases: 7 major releases ([](
  * Roadmap: [](
  * Contributors: [](
  * Commit activity: [](
  * CNCF DevStats: [](
  * Last 30 days activity on GitHub
  * Community Stats
Further details of Harbor's growth and progress since entering the sandbox
stage as well as use case details from the Harbor community can be found in this
## Security
Harbor's codebase has been analyzed and reviewed by VMware's internal product
security team.
* Static analysis has been performed on Harbor via
* Software decomposition via AppCheck, Snyk and retire.js with the goal of
  discovering outdated or vulnerable packages
* Manual code analysis / review
* Vulnerability assessment via multiple scanners
* Completed threat model
In addition to this security work, the Harbor maintainers are partnering with
the CNCF to schedule a third-party security audit of Harbor.