This topic describes how you can install scanners to work with Supply Chain Security Tools (SCST) - Scan from the Tanzu Application Platform package repository.
Note: This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions. Follow the instructions in this topic to install a scanner other than the out-of-the box Grype Scanner with SCST - Scan.
Before installing a new scanner, install SCST - Scan on the same cluster. The prerequisites for SCST - Scan are also required.
To install a new scanner, follow these steps:
Fulfil scanner-specific prerequisites for the scanner that you’re trying to install, such as creating an API token to connect to the scanner.
List the available packages to discover what scanners you can use by running:
tanzu package available list --namespace tap-install
For example:
$ tanzu package available list --namespace tap-install
/ Retrieving available packages...
NAME DISPLAY-NAME SHORT-DESCRIPTION
grype.scanning.apps.tanzu.vmware.com Grype Scanner for Supply Chain Security Tools - Scan Default scan templates using Anchore Grype
snyk.scanning.apps.tanzu.vmware.com Snyk for Supply Chain Security Tools - Scan Default scan templates using Snyk
carbonblack.scanning.apps.tanzu.vmware.com Carbon Black Scanner for Supply Chain Security Tools - Scan Default scan templates using Carbon Black
List version information for the scanner package by running:
tanzu package available list SCANNER-NAME --namespace tap-install
For example:
$ tanzu package available list snyk.scanning.apps.tanzu.vmware.com --namespace tap-install
/ Retrieving package versions for snyk.scanning.apps.tanzu.vmware.com...
NAME VERSION RELEASED-AT
snyk.scanning.apps.tanzu.vmware.com 1.0.0-beta.2
(Optional) Verify that the secret required by the scanner-specific prerequisites, which you created earlier, exists.
Create a values.yaml file to apply custom configurations to the scanner. This step is required for some scanners but optional for others. To list the values you can configure for any scanner, run:
tanzu package available get SCANNER-NAME/VERSION --values-schema -n tap-install
Where:
SCANNER-NAME is the name of the scanner package you retrieved earlier.
VERSION is your package version number. For example, snyk.scanning.apps.tanzu.vmware.com/1.0.0-beta.2.
For example:
$ tanzu package available get snyk.scanning.apps.tanzu.vmware.com/1.0.0-beta.2 --values-schema -n tap-install
KEY DEFAULT TYPE DESCRIPTION
metadataStore.authSecret.name string Name of deployed Secret with key auth_token
metadataStore.authSecret.importFromNamespace string Namespace from which to import the Insight Metadata Store auth_token
metadataStore.caSecret.importFromNamespace metadata-store string Namespace from which to import the Insight Metadata Store CA Cert
metadataStore.caSecret.name app-tls-cert string Name of deployed Secret with key ca.crt holding the CA Cert of the Insight Metadata Store
metadataStore.clusterRole metadata-store-read-write string Name of the deployed ClusterRole for read/write access to the Insight Metadata Store deployed in the same cluster
metadataStore.url https://metadata-store-app.metadata-store.svc.cluster.local:8443 string Url of the Insight Metadata Store
namespace default string Deployment namespace for the Scan Templates
resources.requests.cpu 250m <nil> Requests describes the minimum amount of cpu resources required.
resources.requests.memory 128Mi <nil> Requests describes the minimum amount of memory resources required.
resources.limits.cpu 1000m <nil> Limits describes the maximum amount of cpu resources allowed.
snyk.tokenSecret.name string Reference to the secret containing a Snyk API Token as snyk_token.
targetImagePullSecret string Reference to the secret used for pulling images from private registry.
Define the --values-file flag to customize the default configuration. The values.yaml file you created earlier is referenced with the --values-file flag when running the tanzu package install command:
tanzu package install REFERENCE-NAME \
--package SCANNER-NAME \
--version VERSION \
--namespace tap-install \
--values-file PATH-TO-VALUES-YAML
Where:
REFERENCE-NAME is the name referenced by the installed package, such as grype-scanner or snyk-scanner.
SCANNER-NAME is the name of the scanner package you retrieved earlier. For example, snyk.scanning.apps.tanzu.vmware.com.
VERSION is your package version number, such as 1.0.0-beta.2.
PATH-TO-VALUES-YAML is the path that points to the values.yaml file created earlier.
For example:
$ tanzu package install snyk-scanner \
--package snyk.scanning.apps.tanzu.vmware.com \
--version 1.1.0 \
--namespace tap-install \
--values-file values.yaml
/ Installing package 'snyk.scanning.apps.tanzu.vmware.com'
| Getting namespace 'tap-install'
| Getting package metadata for 'snyk.scanning.apps.tanzu.vmware.com'
| Creating service account 'snyk-scanner-tap-install-sa'
| Creating cluster admin role 'snyk-scanner-tap-install-cluster-role'
| Creating cluster role binding 'snyk-scanner-tap-install-cluster-rolebinding'
/ Creating package resource
- Package install status: Reconciling
Added installed package 'snyk-scanner' in namespace 'tap-install'
To verify the installation, create an ImageScan or SourceScan resource that references one of the newly added ScanTemplates for the scanner.
Note: Some scanners do not support both ImageScan and SourceScan.
(Optional) Create a ScanPolicy, formatted for the output specific to the scanner you are installing, to reference in the ImageScan or SourceScan by running:
kubectl apply -n $DEV_NAMESPACE -f SCAN-POLICY-YAML
Note: As vulnerability scanners output different formats, the ScanPolicies can vary. For information about policies and samples, see Enforce compliance policy by using Open Policy Agent.
Retrieve the available ScanTemplates from the namespace where the scanner is installed by running:
kubectl get scantemplates -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
For example:
$ kubectl get scantemplates
NAME AGE
blob-source-scan-template 10d
private-image-scan-template 10d
public-image-scan-template 10d
public-source-scan-template 10d
snyk-private-image-scan-template 10d
snyk-public-image-scan-template 10d
ImageScan
Note: Some scanners do not support both ImageScan and SourceScan.
Create the following ImageScan YAML:
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
  name: sample-scanner-public-image-scan
spec:
  registry:
    image: "nginx:1.16"
  scanTemplate: SCAN-TEMPLATE
  scanPolicy: SCAN-POLICY # Optional
Where:
SCAN-TEMPLATE is the name of the installed ScanTemplate in the DEV-NAMESPACE you retrieved earlier.
SCAN-POLICY is an optional reference to an existing ScanPolicy in the same DEV-NAMESPACE.
For example:
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
  name: sample-snyk-public-image-scan
spec:
  registry:
    image: "nginx:1.16"
  scanTemplate: snyk-public-image-scan-template
  scanPolicy: snyk-scan-policy
Apply the ImageScan YAML to the cluster by running:
kubectl apply -f PATH-TO-IMAGE-SCAN-YAML -n DEV-NAMESPACE
Where PATH-TO-IMAGE-SCAN-YAML is the path to the YAML file created earlier.
To verify the integration, get the scan to see if it completed by running:
kubectl get imagescan IMAGE-SCAN-NAME -n DEV-NAMESPACE
Where IMAGE-SCAN-NAME is the name of the ImageScan as defined in the YAML file created earlier.
Clean up by running:
kubectl delete -f PATH-TO-SCAN-YAML -n DEV-NAMESPACE
Where PATH-TO-SCAN-YAML is the path to the YAML file created earlier.
SourceScan
Note: Some scanners do not support both ImageScan and SourceScan.
Create the following SourceScan YAML:
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: sample-scanner-public-source-scan
spec:
  git:
    url: "https://github.com/houndci/hound.git"
    revision: "5805c650"
  scanTemplate: SCAN-TEMPLATE
  scanPolicy: SCAN-POLICY # Optional
Where:
SCAN-TEMPLATE is the name of the installed ScanTemplate in the DEV-NAMESPACE you retrieved earlier.
SCAN-POLICY is an optional reference to an existing ScanPolicy in the same DEV-NAMESPACE.
For example:
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: sample-grype-public-source-scan
spec:
  git:
    url: "https://github.com/houndci/hound.git"
    revision: "5805c650"
  scanTemplate: public-source-scan-template
  scanPolicy: scan-policy
Apply the SourceScan YAML to the cluster by running:
kubectl apply -f PATH-TO-SOURCE-SCAN-YAML -n DEV-NAMESPACE
Where PATH-TO-SOURCE-SCAN-YAML is the path to the YAML file created earlier.
For example:
$ kubectl apply -f imagescan.yaml -n my-apps
imagescan.scanning.apps.tanzu.vmware.com/sample-snyk-public-image-scan created
$ kubectl apply -f sourcescan.yaml -n my-apps
sourcescan.scanning.apps.tanzu.vmware.com/sample-grype-public-source-scan created
To verify the integration, get the scan to see if it completed by running:
kubectl get sourcescan SOURCE-SCAN-NAME -n DEV-NAMESPACE
Where SOURCE-SCAN-NAME is the name of the SourceScan as defined in the YAML file created earlier.
For example:
$ kubectl get imagescan sample-snyk-public-image-scan -n my-apps
NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL
sample-snyk-public-image-scan Completed nginx:1.16 26h 0 114 58 314 0 486
$ kubectl get sourcescan sample-grype-public-source-scan -n my-apps
NAME PHASE SCANNEDREVISION SCANNEDREPOSITORY AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL
sourcescan.scanning.apps.tanzu.vmware.com/grypesourcescan-sample-public Completed 5805c650 https://github.com/houndci/hound.git 8m34s 21 121 112 9 0 263
Note: If you define a ScanPolicy for the scans and the evaluation finds a violation, the Phase is Failed instead of Completed. In both cases the scan finished.
Clean up by running:
kubectl delete -f PATH-TO-SCAN-YAML -n DEV-NAMESPACE
Where PATH-TO-SCAN-YAML is the path to the YAML file created earlier.
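The verification step above, scripted as a gate that distinguishes a Completed scan with findings from a Failed scan (a ScanPolicy violation) and from a scan that is still running. This is an added example, not code from the Tanzu Application Platform documentation; wait_for_scan assumes kubectl is on the PATH, and the sample table is constructed from the ImageScan output shown on this page.

```shell
# Parse one `kubectl get imagescan` / `kubectl get sourcescan` table (header + row) and
# print "PHASE CRITICAL HIGH CVETOTAL". Column positions are taken from the header line,
# so the same parser serves both kinds (sourcescan has extra SCANNED* columns).
scan_summary() {
  awk 'NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
       NR == 2 { print $(col["PHASE"]), $(col["CRITICAL"]), $(col["HIGH"]), $(col["CVETOTAL"]) }'
}

# Verdict for one summary line "PHASE CRITICAL HIGH CVETOTAL":
#   0  Completed with no Critical or High findings
#   1  Completed, but Critical/High findings are present (no ScanPolicy blocked them)
#   2  Failed: the scan finished, but the ScanPolicy evaluation found a violation
#   3  any other phase (still running, or a scanner error)
scan_verdict() {
  set -- $1
  case "$1" in
    Completed) if [ "$2" -eq 0 ] && [ "$3" -eq 0 ]; then echo 0; else echo 1; fi ;;
    Failed)    echo 2 ;;
    *)         echo 3 ;;
  esac
}

# Poll a scan until it leaves the in-progress phases, then return its verdict as the
# exit status. Needs kubectl and a cluster; kind is imagescan or sourcescan.
wait_for_scan() {  # usage: wait_for_scan imagescan sample-snyk-public-image-scan my-apps
  kind=$1; name=$2; ns=$3; tries=0
  while [ "$tries" -lt 60 ]; do
    summary=$(kubectl get "$kind" "$name" -n "$ns" | scan_summary)
    verdict=$(scan_verdict "$summary")
    if [ "$verdict" -ne 3 ]; then echo "$name: $summary"; return "$verdict"; fi
    tries=$((tries + 1)); sleep 10
  done
  echo "$name: timed out waiting for the scan to finish" >&2
  return 3
}

# Constructed sample input: the ImageScan output shown earlier on this page.
SAMPLE_IMAGESCAN='NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL
sample-snyk-public-image-scan Completed nginx:1.16 26h 0 114 58 314 0 486'

# Stand-alone run on the sample: prints "Completed 0 114 486 (verdict 1)".
summary=$(printf '%s\n' "$SAMPLE_IMAGESCAN" | scan_summary)
echo "$summary (verdict $(scan_verdict "$summary"))"
```

In a pipeline, `wait_for_scan imagescan IMAGE-SCAN-NAME DEV-NAMESPACE || exit $?` blocks promotion on a verdict of 1 or 2 while still surfacing the counts.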
To install a Scanner on multiple namespaces, VMware recommends using Namespace Provisioner.
To scan your images with the new scanner installed in the Out of the Box Supply Chain with Testing and Scanning, you must update your Tanzu Application Platform installation.
Add the ootb_supply_chain_testing_scanning.scanning section to tap-values.yaml and then update Tanzu Application Platform.
You can define which ScanTemplate is used for both SourceScan and ImageScan. The default values are the Grype Scanner ScanTemplate, but they are overwritten by any other ScanTemplate present in your DEV-NAMESPACE. The same applies to the ScanPolicies applied to each kind of scan. For example:
ootb_supply_chain_testing_scanning:
  scanning:
    image:
      template: IMAGE-SCAN-TEMPLATE
      policy: IMAGE-SCAN-POLICY
    source:
      template: SOURCE-SCAN-TEMPLATE
      policy: SOURCE-SCAN-POLICY
Note: For the supply chain to work properly, the SOURCE-SCAN-TEMPLATE must support blob files and the IMAGE-SCAN-TEMPLATE must support private images.
For example:
ootb_supply_chain_testing_scanning:
  scanning:
    image:
      template: snyk-private-image-scan-template
      policy: snyk-scan-policy
    source:
      template: blob-source-scan-template
      policy: scan-policy
To replace the scanner in the supply chain, follow the steps in Configure TAP Supply Chain to Use New Scanner. After the scanner is no longer required by the Supply Chain, you can remove the package by running:
tanzu package installed delete REFERENCE-NAME \
--namespace tap-install
Where REFERENCE-NAME is the name you gave the package when installing it in the Install section, such as grype-scanner or snyk-scanner.
For example:
$ tanzu package installed delete snyk-scanner \
--namespace tap-install
In addition to providing the above supported integrations, VMware encourages the broader community to support VMware in our goal of integrating with customers’ preferred CVE scanners.
Additional integrations: