Core Concepts

A dense reference for the vocabulary used in the rest of the docs. Each entry links to the page where the concept is unpacked.

Image

A container image identified by registry, repository, and digest. Discovered when a Registry is connected and synced.

Registry

A container image source HarborGuard talks to: Docker Hub, ECR, GCR, GHCR, ACR, Quay, Harbor, or a generic OCI registry. Credentials are encrypted with AES-256-GCM. A registry has a scanning policy (schedule, scanner set, tag include/exclude filters) - see Scheduling.

Tag

A named pointer at a digest within an image (nginx:1.25, app:sha-abc123). Scans run against tags. The digest is captured at scan time so retags do not silently change the scanned artifact.

Scan

One execution of one or more scanners against one tag. Has an id, an origin (cloud or sensor), an engines array, and a status (PENDING, IN_PROGRESS, COMPLETED, FAILED). See How Scanning Works.

Finding

A normalized row in the scan result. A finding may be a Vulnerability or a Misconfiguration. Findings carry a sources array - the union of scanners that reported them - so a CVE flagged by both Trivy and Grype is one finding with ["trivy","grype"], not two.
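As an added example (not HarborGuard's own code) of the rule above: constructed Trivy-style and Grype-style records are normalized and merged so that one CVE reported by both scanners becomes a single finding whose sources array is ["trivy", "grype"]. The record field names and the conflict rule (keep the highest severity, prefer any known fix) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed sample records (not real scanner output); field names are assumptions.
TRIVY_RESULTS = [
    {"VulnerabilityID": "CVE-2024-1234", "PkgName": "openssl", "InstalledVersion": "3.0.2",
     "FixedVersion": "3.0.7", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-2023-0001", "PkgName": "zlib", "InstalledVersion": "1.2.11",
     "FixedVersion": "", "Severity": "MEDIUM"},
]
GRYPE_MATCHES = [
    {"vulnerability": {"id": "CVE-2024-1234", "severity": "Critical", "fix": {"versions": ["3.0.7"]}},
     "artifact": {"name": "openssl", "version": "3.0.2"}},
    {"vulnerability": {"id": "CVE-2022-9999", "severity": "Low", "fix": {"versions": []}},
     "artifact": {"name": "curl", "version": "7.88.1"}},
]
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class Finding:
    cve: str
    package: str
    installed: str
    severity: str
    fixed_version: Optional[str]
    sources: list = field(default_factory=list)  # scanners that reported it

def normalize_trivy(results):
    for r in results:
        yield Finding(r["VulnerabilityID"], r["PkgName"], r["InstalledVersion"],
                      r["Severity"].upper(), r.get("FixedVersion") or None, ["trivy"])

def normalize_grype(matches):
    for m in matches:
        v, a = m["vulnerability"], m["artifact"]
        fixes = v.get("fix", {}).get("versions") or []
        yield Finding(v["id"], a["name"], a["version"], v["severity"].upper(),
                      fixes[0] if fixes else None, ["grype"])

def merge_findings(*streams):
    """One row per (CVE, package, installed version); sources is the union of scanners."""
    merged = {}
    for f in (f for s in streams for f in s):
        key = (f.cve, f.package, f.installed)
        cur = merged.setdefault(key, f)
        if cur is f:
            continue
        # Scanners can disagree on severity: keep the highest; prefer any known fix.
        if SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(cur.severity, 0):
            cur.severity = f.severity
        cur.fixed_version = cur.fixed_version or f.fixed_version
        cur.sources.extend(s for s in f.sources if s not in cur.sources)
    return sorted(merged.values(), key=lambda x: x.cve)
```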

Vulnerability

A CVE-style issue against a package version: CVE-2024-1234 in openssl 3.0.2. Comes from Trivy, Grype, or OSV-Scanner. Has severity (CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN), a fixed version when known, and links to NVD/GHSA.

Misconfiguration

A non-CVE finding: an image running as root, world-writable files, missing HEALTHCHECK, hardcoded secrets. Comes from Dockle. Tracked separately from vulnerabilities but uses the same triage workflow.

SBOM

Software Bill of Materials. The complete package inventory produced by Syft - every OS package, language dependency, version, and license in the image. Available on the Packages tab of the scan and exportable as CycloneDX or SPDX JSON.

Attestation

A signed statement attached to a finding: a false-positive justification, a vendor-confirmed non-applicability, or a risk acceptance with an expiry. Attestations carry forward across rescans so triage decisions persist as new scan results arrive.

Triage state machine

Each finding moves through:

Open -> Acknowledged -> In Progress -> Fixed
                                    \-> Wont Fix

Transitions are audit-logged. Bulk triage is supported on the findings table.

SLA policy

Per-severity remediation deadlines (e.g. Critical = 7 days, High = 30, Medium = 90). Configured in Settings -> Compliance Policy. SLA timers start when a finding is first detected and pause in Wont Fix. SLA breach is independent of the Compliance Grade - a scan can be grade A while individual findings are SLA-overdue, and vice versa.

Compliance Pack

An evidence export mapped to a regulatory framework (SOC 2, PCI-DSS, HIPAA, ISO 27001, NIST 800-53). Includes scan history, triage decisions, attestations, and policy snapshots over a chosen time window. Generated from Compliance -> Overview.

Sensor

A lightweight agent you run on your own infrastructure. Sensors poll for scan jobs assigned to a specific registry, execute scans locally, and ship results back via the API. Used for air-gapped environments and data-sovereignty requirements. See Sensor Architecture.

Origin

Where a scan executed: cloud (HarborGuard runs it) or sensor (your own agent ran it). Set per-registry in the registry's scanning policy. The image bytes never leave your network in sensor mode.

API key

A bearer token scoped to a role (viewer, developer, admin, owner). Sent as x-api-key or Authorization: Bearer <key>. Used by CI pipelines and sensors. Manage keys in Settings -> API Keys.