With the Scan Controller and Grype Scanner installed (see Install Supply Chain Security Tools - Scan from Installing Individual Packages), the following Custom Resource Definitions (CRDs) are available in the cluster:

```
$ kubectl get crds | grep scanning.apps.tanzu.vmware.com
imagescans.scanning.apps.tanzu.vmware.com       2021-09-09T15:22:07Z
scanpolicies.scanning.apps.tanzu.vmware.com     2021-09-09T15:22:07Z
scantemplates.scanning.apps.tanzu.vmware.com    2021-09-09T15:22:07Z
sourcescans.scanning.apps.tanzu.vmware.com      2021-09-09T15:22:07Z
```
SourceScan (sourcescans.scanning.apps.tanzu.vmware.com) and ImageScan (imagescans.scanning.apps.tanzu.vmware.com) define what is scanned: a source code repository or a container image, respectively. ScanTemplate (scantemplates.scanning.apps.tanzu.vmware.com) defines how a scan is run. Five custom resources (CRs) are pre-installed for use. You can use them as-is or as samples for creating your own.
To view the pre-installed ScanTemplate CRs, run:

```
kubectl get scantemplates
```

You will see the following scan templates:

| CR Name | Use Case |
| --- | --- |
|  | Clones and scans source code from a public repository. |
| private-source-scan-template | Connects with SSH credentials to clone and scan source code from a private repository. |
|  | Pulls and scans images from a public registry. |
| private-image-scan-template | Connects with the registry credentials to pull and scan images from a private registry. |
|  | To be used in a Supply Chain. Gets a |
By default, three scan templates are deployed. If targetImagePullSecret is set in the installation values, private-image-scan-template is also deployed. If targetSourceSshSecret is set in the installation values, private-source-scan-template is also deployed.

The private scan templates reference secrets created from the Docker server and credentials you provided at install time, so they are ready to use immediately without any further secret configuration.
For more information about the SourceScan and ImageScan CRDs and how to customize your own, see Configuring Code Repositories and Image Artifacts to be Scanned.
The Scan Controller enforces policy through an Open Policy Agent (OPA) engine. A ScanPolicy (scanpolicies.scanning.apps.tanzu.vmware.com) carries a Rego policy that is evaluated against the scan results, so findings can be checked against your organization's compliance rules, and a non-compliant result can prevent source code from being built or an image from being deployed. For more information, see Configuring Policy Enforcement using Open Policy Agent (OPA).
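The following is an added worked example, not a manifest from the product documentation: an ImageScan that uses the pre-installed private-image-scan-template (so it is only usable when targetImagePullSecret was set at install time), bound to a ScanPolicy that marks the scan non-compliant if any finding is rated Critical, High, or has no severity. The resource names, the placeholder image reference, and the field names (apiVersion v1alpha1, spec.registry.image, spec.scanTemplate, spec.scanPolicy, spec.regoFile) as well as the shape of the vulnerability object the policy receives (input.currentVulnerability with id and ratings.rating[].severity, evaluated once per finding) are assumptions about the API as shipped; confirm them with kubectl explain against the installed CRDs before relying on them.

```yaml
# Added example (not from the product docs). Field names marked ASSUMED
# must be checked against the installed CRDs with `kubectl explain`.
apiVersion: scanning.apps.tanzu.vmware.com/v1alpha1   # ASSUMED version
kind: ScanPolicy
metadata:
  name: block-critical-high                         # assumed name
spec:
  regoFile: |                                       # ASSUMED field
    package policies

    # Fail closed: a finding is non-compliant unless proven safe below.
    default isCompliant = false

    # Severities that fail the scan. "UnknownSeverity" is blocked on
    # purpose: a finding the scanner could not rate is not evidence of safety.
    violatingSeverities := ["Critical", "High", "UnknownSeverity"]

    # Reviewed exceptions only (for example a CVE shown to be unreachable).
    # Keep this list empty unless a documented risk acceptance exists.
    ignoreCves := []

    inList(list, elem) { list[_] == elem }

    # A finding violates policy when any of its ratings is in the blocked
    # list and its identifier is not an accepted exception.
    # ASSUMED input shape: v.id and v.ratings.rating[].severity
    violates(v) {
      inList(violatingSeverities, v.ratings.rating[_].severity)
      not inList(ignoreCves, v.id)
    }

    isSafe(v) { not violates(v) }

    # ASSUMED: the controller evaluates isCompliant once per finding.
    isCompliant = isSafe(input.currentVulnerability)
---
apiVersion: scanning.apps.tanzu.vmware.com/v1alpha1   # ASSUMED version
kind: ImageScan
metadata:
  name: sample-private-image-scan                   # assumed name
spec:
  registry:                                         # ASSUMED field
    # Placeholder; use an image in the registry whose credentials you
    # supplied as targetImagePullSecret when installing the package.
    image: registry.example.com/team/app:1.0.0
  # Pre-installed template from the table above; it pulls with those
  # registry credentials, so no extra secret is needed here.
  scanTemplate: private-image-scan-template         # ASSUMED field
  # Binding the policy makes a non-compliant result fail the scan.
  scanPolicy: block-critical-high                   # ASSUMED field
```

Apply both documents with kubectl apply -f, then inspect the result with kubectl get imagescan sample-private-image-scan -o yaml; the status the controller records there shows whether the scan completed and whether the policy passed. The deny-by-default shape of the Rego (default isCompliant = false, with an explicit, empty exception list) is the design choice to keep: adding a CVE to ignoreCves is a visible, reviewable change, whereas loosening violatingSeverities silently hides whole classes of findings.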