Overview
Dockdock-Go is a security gatekeeper system designed to enforce human approval gates and multi-layer security scanning before container images are admitted into sensitive Harbor registry projects. Built as a Master 1 student project, it demonstrates how to implement defense-in-depth security practices for container supply chains.
Key Features
- Human approval workflow — Mandatory explicit requests and approval before image admission to production projects
- Multi-layer security scanning — Combines vulnerability scanning (Trivy), static malware detection (YaraHunter), and runtime analysis
- Harbor API integration — Uses the Harbor API to replicate approved artifacts into the protected project and to manage them there
- Centralized decision tracking — PostgreSQL database stores all requests, analysis results, and approval decisions
- Web interface — Modified Harbor UI with dedicated Dockdock-Go tab for managing admission requests
- Kubernetes orchestration — Each security scan runs as a separate Kubernetes Job, isolating scanners from the API backend and from each other while letting scans scale out
Technical Architecture
The system follows a microservices architecture with:
- Rust API backend (Actix-web, Diesel ORM) handling business logic and orchestration
- PostgreSQL database storing request states, analysis results, and security flags
- Kubernetes Jobs for executing isolated security scans (malware, vulnerabilities)
- Harbor API integration for artifact replication and vulnerability scanning
- Angular-based UI modifications extending Harbor’s web interface
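The backend's core security job is the admission decision itself: an image enters the protected project only when every required scan Job has reported, nothing above the tolerated severity was found, and a human has explicitly approved. The sketch below is an added example written for this page, not Dockdock-Go's own code; it models that gate in Rust (the backend's language) and fails closed, so a scan Job that errored, timed out or never ran counts as a block rather than as "nothing found". The type names, the severity ceiling, the default policy and the rule that a requester cannot approve their own request are assumptions made for the illustration, and the sample request data is constructed.

```rust
// Added example, not Dockdock-Go's own code: the fail-closed admission decision a
// gatekeeper backend makes once the scan Jobs have reported and a human has (or
// has not) approved. Type names, the severity ceiling and the "no self-approval"
// rule are assumptions made for this illustration.
use std::collections::BTreeSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Low, Medium, High, Critical }

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Scanner { Trivy, YaraHunter }

#[derive(Debug, Clone)]
pub struct Finding { pub scanner: Scanner, pub id: String, pub severity: Severity }

/// One scan Job's report. `completed == false` models a Job that errored, timed
/// out or never ran; it must never be read as "nothing found".
#[derive(Debug, Clone)]
pub struct ScanResult { pub scanner: Scanner, pub completed: bool, pub findings: Vec<Finding> }

#[derive(Debug, Clone)]
pub struct AdmissionRequest {
    pub image_digest: String,
    pub requester: String,
    pub scans: Vec<ScanResult>,
    pub approver: Option<String>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Decision { Admit, Blocked(Vec<String>) }

pub struct Policy {
    pub required_scanners: BTreeSet<Scanner>,
    /// Highest severity still tolerated; anything above it blocks.
    pub max_severity: Severity,
}

/// Assumed default policy: both scanners must report, Medium is the ceiling.
pub fn default_policy() -> Policy {
    Policy {
        required_scanners: vec![Scanner::Trivy, Scanner::YaraHunter].into_iter().collect(),
        max_severity: Severity::Medium,
    }
}

/// Fail-closed gate: every reason to block is collected (so a UI can show them
/// all), and `Admit` is returned only when the list stays empty.
pub fn decide(req: &AdmissionRequest, policy: &Policy) -> Decision {
    let mut reasons = Vec::new();
    // 1. Every required scanner must have completed; a missing report blocks.
    let completed: BTreeSet<Scanner> = req.scans.iter().filter(|s| s.completed).map(|s| s.scanner).collect();
    for s in policy.required_scanners.difference(&completed) {
        reasons.push(format!("{:?} scan missing or incomplete", s));
    }
    // 2. Any finding above the ceiling blocks, whichever scanner raised it.
    for f in req.scans.iter().flat_map(|s| s.findings.iter()) {
        if f.severity > policy.max_severity {
            reasons.push(format!("{:?} reported {} ({:?})", f.scanner, f.id, f.severity));
        }
    }
    // 3. A human must have approved, and (assumed rule) not the requester.
    match &req.approver {
        None => reasons.push("no human approval recorded".to_string()),
        Some(a) if a == &req.requester => {
            reasons.push("requester cannot approve their own request".to_string())
        }
        Some(_) => {}
    }
    if reasons.is_empty() { Decision::Admit } else { Decision::Blocked(reasons) }
}

/// Constructed sample: clean Trivy and YaraHunter reports, approved by a second person.
pub fn sample_clean_request() -> AdmissionRequest {
    AdmissionRequest {
        image_digest: "sha256:constructed".to_string(),
        requester: "alice".to_string(),
        scans: vec![
            ScanResult { scanner: Scanner::Trivy, completed: true, findings: vec![] },
            ScanResult { scanner: Scanner::YaraHunter, completed: true, findings: vec![] },
        ],
        approver: Some("bob".to_string()),
    }
}

fn main() {
    let policy = default_policy();
    let clean = sample_clean_request();
    println!("clean, approved: {:?}", decide(&clean, &policy));
    // Same image, but the malware Job never finished and Trivy found a Critical issue.
    let mut bad = clean.clone();
    bad.scans[1].completed = false;
    bad.scans[0].findings.push(Finding { scanner: Scanner::Trivy, id: "constructed-critical-cve".to_string(), severity: Severity::Critical });
    println!("incomplete scan + critical finding: {:?}", decide(&bad, &policy));
}
```

The point worth carrying into a real backend is the shape of `decide`: the function accumulates reasons and only ever returns `Admit` when nothing was accumulated, so adding a new scanner or a new rule can only make the gate stricter. Persisting the returned reasons alongside the request in PostgreSQL is what gives the audit trail the page mentions.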
Use Cases
- Security-conscious organizations requiring mandatory approval gates for production container images
- Compliance requirements needing audit trails for all container admissions
- Educational projects demonstrating container security best practices
- DevSecOps workflows integrating security scanning into CI/CD pipelines
Challenges & Lessons Learned
This project taught valuable lessons about:
- The importance of asynchronous workflows in security pipelines
- Challenges of patching existing monolithic applications (Harbor UI)
- Orchestrating multiple security scanning tools with different output formats
- Balancing automated security checks with human oversight
Read the full technical retrospective for detailed architecture decisions, implementation challenges, and technical debt analysis.
Project Status
Proof-of-Concept — Functional demo completed in 2024. Not maintained for production use.
Team: 4 students | Duration: 9 months | Category: Educational
