cncf-toc/reviews/incubation-harbor.md

Harbor Incubating Stage Review

Harbor is currently a CNCF sandbox project. Please refer to Harbor's initial sandbox proposal for discussion on Harbor's alignment with the CNCF and details on sandbox requirements.

In the time since being accepted as a sandbox project, Harbor has demonstrated healthy growth and progress.

• v1.6.0 is the latest releases, shipped on September 7th, marking our 7th major feature release. New features include:

  • Support for hosting Helm charts
  • Support for RBAC via LDAP groups
  • Replication filtering via labels
  • Major refactoring to coalesce to a single PostgreSQL database

• A formalized governance policy has been approved and instituted for the project, and two new maintainers from different companies have joined the project to help Harbor continue to grow.

Incubating Stage Criteria

In addition to sandbox requirements, a project must meet the following criteria to become an incubation-stage project:

• Document that it is being used successfully in production by at least three independent end users which, in the TOC’s judgement, are of adequate quality and scope.

  • Adopters: https://github.com/goharbor/harbor/blob/master/ADOPTERS.md

• Have a healthy number of committers. A committer is defined as someone with the commit bit; i.e., someone who can accept contributions to some or all of the project.

  • Maintainers of the project are listed in https://github.com/goharbor/harbor/blob/master/OWNERS.md. There are 11 maintainers working on Harbor from 3 different companies (VMware, Caicloud and Hyland Software)

  • Maintainers are added and removed from the project as per the policies outlined in the project governance: https://github.com/goharbor/community/blob/master/GOVERNANCE.md.

• Demonstrate a substantial ongoing flow of commits and merged contributions.

  • Releases: 7 major releases (https://github.com/goharbor/harbor/releases)

  • Roadmap: https://github.com/goharbor/harbor/wiki/Harbor-Roadmap

  • Contributors: https://github.com/goharbor/harbor/graphs/contributors

  • Commit activity: https://github.com/goharbor/harbor/graphs/commit-activity

  • CNCF DevStats: https://harbor.devstats.cncf.io/

    • Last 30 days activity on GitHub
    • Community Stats

Further details of Harbor's growth and progress since entering the sandbox stage as well as use case details from the Harbor community can be found in this slide deck.

Security

Harbor's codebase has been analyzed and reviewed by VMware's internal product security team.

• Static analysis has been performed on Harbor via gosec
• Software decomposition via AppCheck, Snyk and retire.js with goal of discovering outdated or vulnerable packages
• Manual code analysis / review
• Vulnerability assessment via multiple scanners
• Completed threat model

In addition to this security work the Harbor maintainers are partnering with the CNCF to schedule a third-party security audit of Harbor.