manage-artifacts


Manage Artifacts


Configure private artifact registries, security scanning policies, and cross-region replication in Harness Artifact Registry.

Instructions


Step 1: Establish Scope


Confirm the user's org, project, and artifact format requirements.
Call MCP tool: harness_list
Parameters:
  resource_type: "project"
  org_id: "<organization>"

Step 2: Identify the AR Task


Determine which workflow the user needs:
  1. Private Registry Setup -- Docker, Helm, Maven, npm, PyPI repositories with RBAC
  2. Security Scanning Policy -- Vulnerability scanning with CVE thresholds and license checks

Step 3: Configure Private Registry


Gather from the user:
  • Artifact formats to support (Docker, Helm, Maven, npm, PyPI)
  • Upstream proxy preferences (Docker Hub, ECR Public, GCR)
  • Image signing requirements (Cosign, Notary, none)
  • Multi-architecture support needs
Docker Registry:
  • Repository name and upstream proxy configuration
  • Image signing with Cosign or Notary v2
  • Multi-arch support (amd64 + arm64)
Helm Chart Repository:
  • Chart validation on push
  • Dependency resolution enabled
Additional Formats (Maven, npm, PyPI):
  • Separate repositories per format
  • Snapshot/release policies
  • Upstream proxies for public registries
Access Controls:
  • Read access: all developers in the org scope
  • Push access: CI/CD service accounts only (no personal credentials)
  • Admin: platform team
  • LDAP/SAML integration with identity provider
Replication:
  • Primary region with replication to secondary regions
  • Configurable sync interval (real-time, 15 minutes, hourly, daily)
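Before the registry is created, the gathered answers can be checked against the access-control, signing and replication requirements above. The following linter is an added example, not Harness code or API schema: the dictionary layout, the role names (`read`, `push`, `admin`), the principal kinds and the sample registry `team-docker` are all assumptions constructed for illustration. It flags a push grant to anything other than a service account, disabled image signing on a Docker repository, a missing architecture, and a sync interval outside the four options listed.

```python
"""Lint a registry specification against the Step 3 requirements.
Added example; the config layout is an assumption, not a Harness schema."""
from __future__ import annotations

ALLOWED_SIGNING = {"cosign", "notary-v2", "none"}
ALLOWED_SYNC_INTERVALS = {"realtime", "15m", "1h", "24h"}   # real-time, 15 min, hourly, daily
REQUIRED_DOCKER_PLATFORMS = {"linux/amd64", "linux/arm64"}


def lint_registry_config(cfg: dict) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the spec passes."""
    findings: list[tuple[str, str]] = []
    grants = cfg.get("access", [])

    # Push access: CI/CD service accounts only, never personal credentials.
    for grant in grants:
        if grant["role"] == "push" and grant["kind"] != "service_account":
            findings.append(("PUSH_NOT_SERVICE_ACCOUNT", grant["principal"]))
    if "admin" not in {g["role"] for g in grants}:
        findings.append(("NO_ADMIN_GRANT", cfg.get("name", "?")))

    # Image signing: unknown values are rejected, "none" is flagged for Docker.
    signing = cfg.get("signing", "none")
    if signing not in ALLOWED_SIGNING:
        findings.append(("UNKNOWN_SIGNING", signing))
    elif signing == "none" and cfg.get("format") == "docker":
        findings.append(("IMAGE_SIGNING_DISABLED", cfg.get("name", "?")))

    # Multi-arch: Docker repositories must publish amd64 and arm64.
    if cfg.get("format") == "docker":
        missing = REQUIRED_DOCKER_PLATFORMS - set(cfg.get("platforms", []))
        if missing:
            findings.append(("MISSING_PLATFORMS", ",".join(sorted(missing))))

    # Replication: primary plus at least one replica, using a supported interval.
    rep = cfg.get("replication")
    if rep:
        if rep.get("sync_interval") not in ALLOWED_SYNC_INTERVALS:
            findings.append(("BAD_SYNC_INTERVAL", str(rep.get("sync_interval"))))
        if not rep.get("replicas"):
            findings.append(("NO_REPLICAS", rep.get("primary", "?")))
        if rep.get("primary") in rep.get("replicas", []):
            findings.append(("PRIMARY_IN_REPLICAS", rep["primary"]))
    return findings


# Constructed sample registry: one deliberate mistake (a personal push grant).
SAMPLE_REGISTRY = {
    "name": "team-docker",
    "format": "docker",
    "upstream_proxy": "docker.io",
    "signing": "cosign",
    "platforms": ["linux/amd64", "linux/arm64"],
    "access": [
        {"principal": "group:developers", "kind": "group", "role": "read"},
        {"principal": "sa:ci-pusher", "kind": "service_account", "role": "push"},
        {"principal": "user:alice", "kind": "user", "role": "push"},
        {"principal": "group:platform-team", "kind": "group", "role": "admin"},
    ],
    "replication": {"primary": "us-east", "replicas": ["eu-west"], "sync_interval": "15m"},
}

# Same registry with signing off, arm64 dropped and an unsupported interval.
WEAK_REGISTRY = {
    **SAMPLE_REGISTRY,
    "signing": "none",
    "platforms": ["linux/amd64"],
    "replication": {"primary": "us-east", "replicas": ["eu-west"], "sync_interval": "5m"},
}

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_REGISTRY), ("weak", WEAK_REGISTRY)):
        print(name, lint_registry_config(cfg))
```

Running the linter on the sample spec reports only the personal push grant; the weakened variant adds the signing, platform and interval findings. Keeping the finding codes stable lets the same check run as a gate in the CI job that calls `harness_create`.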

Step 4: Configure Security Scanning Policies


Gather from the user:
  • Artifact types to scan
  • Security scanner (Aqua Trivy, Snyk, Grype, Prisma Cloud)
  • CVE severity thresholds (block on CRITICAL and HIGH above N)
Configure scanning policies:
  • Scan on push and periodic rescans for stored artifacts
  • Block download if critical or high CVE count exceeds thresholds
  • License compliance: block artifacts with disallowed licenses (GPL-3.0, AGPL)
  • SBOM generation: auto-generate CycloneDX or SPDX on every scan
  • Exemption workflow: security team can approve specific CVEs with expiry dates
Call MCP tool: harness_create
Parameters:
  resource_type: "pipeline"
  org_id: "<organization>"
  project_id: "<project>"
  body:
    pipeline:
      name: "artifact-security-scan"
      identifier: "artifact_security_scan"
      stages:
        - stage:
            name: Scan
            type: SecurityTests
            spec:
              # vulnerability scanning step
        - stage:
            name: Policy Gate
            type: Approval
            spec:
              # block if thresholds exceeded
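The Policy Gate stage above is left as a placeholder; the logic it needs to apply is the one described in this step: count CRITICAL and HIGH CVEs against the thresholds, reject disallowed licenses, and honour security-team exemptions only until their expiry date. The evaluator below is an added example, not Harness or scanner code: the scan layout, the CVE identifiers (`CVE-0000-000x` are placeholders, not real CVEs), the exemption record and the default thresholds are constructed for illustration.

```python
"""Policy gate for scanned artifacts: severity thresholds, license compliance
and time-limited CVE exemptions. Added example; all data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str      # CRITICAL, HIGH, MEDIUM or LOW
    package: str


@dataclass
class ScanResult:
    artifact: str
    findings: list[Finding]
    licenses: list[str]   # licenses detected in the artifact's dependency tree


@dataclass(frozen=True)
class Exemption:
    cve: str
    expires: date         # stops applying once this date has passed
    approved_by: str


@dataclass
class Policy:
    max_critical: int = 0
    max_high: int = 5
    disallowed_licenses: frozenset = frozenset({"GPL-3.0", "AGPL-3.0"})


def evaluate(scan: ScanResult, policy: Policy, exemptions: list[Exemption], today: date) -> dict:
    """Decide whether the artifact may be downloaded/deployed and say why not."""
    active = {e.cve for e in exemptions if e.expires >= today}   # expired ones count again
    counts = {"CRITICAL": 0, "HIGH": 0}
    exempted = set()
    for f in scan.findings:
        if f.cve in active:
            exempted.add(f.cve)
            continue
        if f.severity in counts:
            counts[f.severity] += 1

    reasons = []
    if counts["CRITICAL"] > policy.max_critical:
        reasons.append(f"{counts['CRITICAL']} CRITICAL CVE(s) exceed limit {policy.max_critical}")
    if counts["HIGH"] > policy.max_high:
        reasons.append(f"{counts['HIGH']} HIGH CVE(s) exceed limit {policy.max_high}")
    bad_licenses = sorted(set(scan.licenses) & policy.disallowed_licenses)
    if bad_licenses:
        reasons.append("disallowed license(s): " + ", ".join(bad_licenses))

    return {
        "artifact": scan.artifact,
        "allowed": not reasons,
        "reasons": reasons,
        "counts": counts,
        "exempted": sorted(exempted),
    }


# Constructed scan result; the CVE ids are placeholders, not real advisories.
SAMPLE_SCAN = ScanResult(
    artifact="team-docker/api:1.4.2",
    findings=[
        Finding("CVE-0000-0001", "CRITICAL", "openssl"),
        Finding("CVE-0000-0002", "HIGH", "libxml2"),
        Finding("CVE-0000-0003", "HIGH", "curl"),
        Finding("CVE-0000-0004", "MEDIUM", "zlib"),
    ],
    licenses=["MIT", "Apache-2.0", "GPL-3.0"],
)
# Constructed exemption approved by the security team with an expiry date.
SAMPLE_EXEMPTIONS = [Exemption("CVE-0000-0001", date(2025, 12, 31), "security-team")]

if __name__ == "__main__":
    print(evaluate(SAMPLE_SCAN, Policy(), SAMPLE_EXEMPTIONS, date(2025, 6, 1)))
    print(evaluate(SAMPLE_SCAN, Policy(), SAMPLE_EXEMPTIONS, date(2026, 1, 15)))
```

With the exemption still valid the sample is blocked only for its GPL-3.0 dependency; once the exemption has expired the CRITICAL finding counts again and the artifact is blocked on both grounds. The returned `reasons` list is what the Approval stage should surface, and `exempted` is the audit trail for the exemption workflow.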

Examples


  • "Set up a private Docker registry for our team" -- Configure Docker repository with upstream proxy and RBAC
  • "Add Helm chart repository to our artifact registry" -- Configure Helm repo with chart validation
  • "Configure vulnerability scanning for our container images" -- Set up scanning with CVE thresholds and license checks
  • "Set up cross-region replication for our artifacts" -- Configure primary and replica regions with sync interval
  • "Block images with critical CVEs from being deployed" -- Create security scanning policy with severity gates

Performance Notes


  • Upstream proxies significantly reduce build times by caching public images locally -- enable for all formats.
  • Security scanning on push adds latency to the push operation -- consider async scanning for large images.
  • Cross-region replication increases storage costs linearly -- only replicate to regions where artifacts are consumed.
  • Image signing adds a verification step to every pull -- ensure signing infrastructure is highly available.

Troubleshooting


Push Rejected by Security Policy


  • Check the scan results for specific CVEs that triggered the block
  • Use the exemption workflow to approve known false positives
  • Verify the CVE threshold is not set too low for the artifact's dependency tree

Replication Lag


  • Check network connectivity between primary and replica regions
  • Verify the sync interval is appropriate for the artifact volume
  • Large artifacts (multi-GB images) may need a longer sync window

Registry Authentication Failures


  • Verify the service account has push permissions in the target repository
  • Check that LDAP/SAML integration is syncing correctly
  • Ensure Docker login credentials are not expired