The following example performs an image scan on an image in a public registry. This image revision has 223 known vulnerabilities (CVEs), spanning a number of severities. ImageScan uses the ScanPolicy to run a compliance check against the CVEs.
The policy in this example is set to only consider Critical
severity CVEs as a violation, which returns 21 Critical Severity Vulnerabilities.
Note: This example ScanPolicy is deliberately constructed to showcase the features available and must not be considered an acceptable base policy.
In this example, the scan does the following (currently):
Status.Conditions
that 21 CVEs have violated policy compliance.Create sample-public-image-scan-with-compliance-check.yaml
:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
name: sample-scan-policy
spec:
regoFile: |
package policies
default isCompliant = false
# Accepted Values: "UnknownSeverity", "Critical", "High", "Medium", "Low", "Negligible"
violatingSeverities := ["Critical"]
ignoreCVEs := []
contains(array, elem) = true {
array[_] = elem
} else = false { true }
isSafe(match) {
fails := contains(violatingSeverities, match.Ratings.Rating[_].Severity)
not fails
}
isSafe(match) {
ignore := contains(ignoreCVEs, match.Id)
ignore
}
isCompliant = isSafe(input.currentVulnerability)
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
name: sample-public-image-scan-with-compliance-check
spec:
registry:
image: "nginx:1.16"
scanTemplate: public-image-scan-template
scanPolicy: sample-scan-policy
Before deploying, set up a watch in another terminal to view the process:
watch kubectl get scantemplates,scanpolicies,sourcescans,imagescans,pods,jobs
For more information about setting up a watch, see Observing and Troubleshooting.
kubectl apply -f sample-public-image-scan-with-compliance-check.yaml
kubectl describe imagescan sample-public-image-scan-with-compliance-check
Note: The
Status.Conditions
includes aReason: EvaluationFailed
andMessage: Policy violated because of 21 CVEs
.
For more information about scan status conditions, see Viewing and Understanding Scan Status Conditions.
To modify the Scan Policy, see Step 5: Sample Public Source Code Scan with Compliance Check.
To clean up, run:
kubectl delete -f sample-public-image-scan-with-compliance-check.yaml