Trivy is installed in Harbor and provides static analysis of vulnerabilities in container images. Project owners can trigger a scan through the web interface. Otherwise, it is run automatically every day after midnight.
After a scan, the list of known vulnerabilities is visible to everyone for public projects. For private projects, it is only visible to the Project Admin. To display a detailed list, click on the project, choose a repository, then click on the artifact, e.g.