Install Supply Chain Security Tools - Scan

This topic describes how you can install Supply Chain Security Tools (SCST) - Scan from the Tanzu Application Platform package repository.

Follow the steps in this topic if you do not want to use a profile to install SCST - Scan. For information about profiles, see Components and installation profiles.

Note

This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.

Prerequisites

Before installing SCST - Scan:

  • Fulfil all prerequisites to install Tanzu Application Platform.
  • Install SCST - Store for scan results to persist. The integration with SCST - Store can be handled in different scenarios:

    • Single cluster: The SCST - Store is present in the cluster where SCST - Scan and the ScanTemplates are.
    • Multicluster: The SCST - Store is present in a different cluster (such as the View cluster) to where SCST - Scan and ScanTemplates are.
    • Integration deactivated: The SCST - Scan deployment is not required to communicate with SCST
    • Store.

    For information about SCST - Store, see Using the Supply Chain Security Tools - Store.

Note

If you are installing SCST - Scan in a cluster with restricted Kubernetes Pod Security Standards, you must update configurations for the Tekton Pipelines package. For more information, see Troubleshooting.

Configure properties

When you install the SCST - Scan (Scan controller), you can configure the following optional properties:

Key Default Type Description ScanTemplate Version
resources.limits.cpu 250m integer/string Limits describes the maximum amount of CPU resources allowed. n/a
resources.limits.memory 256Mi integer/string Limits describes the maximum amount of memory resources allowed. n/a
resources.requests.cpu 100m integer/string Requests describes the minimum amount of CPU resources required. n/a
resources.requests.memory 128Mi integer/string Requests describes the minimum amount of memory resources required. n/a
namespace scan-link-system string Deployment namespace for the Scan Controller n/a
retryScanJobsSecondsAfterError 60 integer Seconds to wait before retrying errored scans v1.3.1 and later
caCertData "" string The custom certificates trusted by the scans’ connections v1.4.0 and later
controller.pullSecret "controller-secret-ref" string Reference to the secret used for pulling the controller image from private registry. Set to empty if deploying from a public registry. v1.5.0 and later
docker.import true Boolean Import controller.pullSecret from another namespace (requires secretgen-controller). Set to false if the secret is present. v1.5.0 and later
deployedThroughTmc false Boolean Flag to configure multicluter property collectors to configure Insight Metadata Store credentials v1.7.0 and later
insertUserAndGroupID true Boolean Flag to add default pod security context runAsUser and runAsGroup to the scan job v1.7.0 and later
metadataStore.exports.namespace metadata-store-secrets string Namespace for metadata store secrets and exports v1.7.0 and later
metadataStore.exports.toNamespace "*" string Destination namespace for exported secrets, or \"*\" to allow any namespace to import v1.7.0 and later
metadataStore.exports.toNamespaces - "" array of strings List of destination namespaces for exported secrets v1.7.0 and later
metadataStore.exports.ca.secretName store-ca-cert string Name to use for created CA Cert secret of the Insight Metadata Store v1.7.0 and later
metadataStore.exports.ca.pem "" string PEM-encoded CA certificate of the Insight Metadata Store v1.7.0 and later
metadataStore.exports.auth.secretName store-auth-token string Name to use for created auth secret for the Insight Metadata Store v1.7.0 and later
metadataStore.exports.auth.token "" string Service account auth token with read-write access to the Insight Metadata Store v1.7.0 and later

When you install SCST - Scan (Grype scanner), you can configure the following optional properties:

Key Default Type Description ScanTemplate Version
resources.requests.cpu 250m integer/string Requests describes the minimum amount of CPU resources required.
resources.requests.memory 128Mi integer/string Requests describes the minimum amount of memory resources required.
scanner.serviceAccount grype-scanner string Name of scan pod’s service ServiceAccount
scanner.serviceAccountAnnotations nil object Annotations added to ServiceAccount
targetImagePullSecret n/a string Reference to the secret used for pulling images from private registry
targetSourceSshSecret n/a string Reference to the secret containing SSH credentials for cloning private repositories
namespace default string Deployment namespace for the Scan Templates n/a
metadataStore.url https://metadata-store-app.metadata-store.svc.cluster.local:8443 string URL of the Insight Metadata Store v1.2.0 and earlier
metadataStore.authSecret.name n/a string Name of deployed secret with key auth_token v1.2.0 and earlier
metadataStore.authSecret.importFromNamespace n/a string Namespace from which to import the Insight Metadata Store auth_token v1.2.0 and earlier
metadataStore.caSecret.importFromNamespace metadata-store string Namespace from which to import the Insight Metadata Store CA Cert v1.2.0 and earlier
metadataStore.caSecret.name app-tls-cert string Name of deployed secret with key ca.crt holding the CA Cert of the Insight Metadata Store v1.2.0 and earlier
metadataStore.clusterRole metadata-store-read-write string Name of the deployed ClusterRole for read/write access to the Insight Metadata Store deployed in the same cluster v1.2.0

Install

There are two options for installing SCST – Scan: You can install to multiple namespaces with Namespace Provisioner or you can install manually to each individual namespace.

Option 1: Install to multiple namespaces with Namespace Provisioner

The Namespace Provisioner enables operators to securely automate the provisioning of multiple developer namespaces in a shared cluster. To install Supply Chain Security Tools – Scan by using Namespace Provisioner, see the Namespace Provisioner documentation.

Namespace Provisioner can also create scan policies across multiple developer namespaces. For more information, see Customize installation in the Namespace Provisioner documentation for configuration steps.

Option 2: Install manually to each individual namespace

The installation for Supply Chain Security Tools – Scan involves installing two packages:

  • Scan controller
  • Grype scanner

The Scan controller enables you to use a scanner. In this case, it is the Grype scanner. Ensure that both the Grype scanner and the Scan controller are installed.

Install SCST - Scan (Scan controller)

To install SCST - Scan (Scan controller):

  1. List version information for the package by running:

    tanzu package available list scanning.apps.tanzu.vmware.com --namespace tap-install
    

    For example:

    $ tanzu package available list scanning.apps.tanzu.vmware.com --namespace tap-install
    / Retrieving package versions for scanning.apps.tanzu.vmware.com...
     NAME                             VERSION       RELEASED-AT
     scanning.apps.tanzu.vmware.com   1.1.0
    
  2. (Optional) Change the default installation settings.

    If you are using Grype Scanner v1.5.1 or later or other supported scanners included with Tanzu Application Platform v1.5.1 or later, and do not want to use the default SCST - Store integration, deactivate the integration by appending the following field in the values.yaml file:

    ---
    metadataStore:
      url: "" # Deactivate Supply Chain Security Tools - Store integration
    

    If you are using Grype Scanner v1.5.0 or other supported scanners included with Tanzu Application Platform v1.5.0, and do not want to use the default SCST - Store integration, deactivate the integration by appending the following field in the values.yaml file:

    ---
    metadataStore: {} # Deactivate Supply Chain Security Tools - Store integration
    

    If you are using Grype Scanner v1.2.0 or earlier, or the Snyk Scanner, the following scanning configuration deactivates the embedded SCST - Store integration with a scan-values.yaml file.

    ---
    metadataStore:
      url: "" # Deactivate Supply Chain Security Tools - Store integration
    

    If your Grype Scanner version is earlier than v1.2.0, the scanning configuration must configure the store parameters. For more information, see Install Supply Chain Security Tools - Scan v1.1.

    Retrieve other configurable settings and append the key-value pair to the previous scan-values.yaml file by running:

    tanzu package available get scanning.apps.tanzu.vmware.com/VERSION --values-schema -n tap-install
    

    Where VERSION is your package version number. For example, 1.1.0.

  3. Install the package by running:

    tanzu package install scan-controller \
     --package scanning.apps.tanzu.vmware.com \
     --version VERSION \
     --namespace tap-install \
     --values-file scan-values.yaml
    

    Where VERSION is your package version number. For example, 1.1.0.

Install SCST - Scan (Grype Scanner)

To install SCST - Scan (Grype Scanner):

  1. List version information for the package by running:

    tanzu package available list grype.scanning.apps.tanzu.vmware.com --namespace tap-install
    

    For example:

    $ tanzu package available list grype.scanning.apps.tanzu.vmware.com --namespace tap-install
    / Retrieving package versions for grype.scanning.apps.tanzu.vmware.com...
     NAME                                  VERSION       RELEASED-AT
     grype.scanning.apps.tanzu.vmware.com  1.1.0
    
  2. (Optional) Change the default installation settings.

    1. Define the configuration for the SCST - Store integration in the grype-values.yaml file for the Grype Scanner with this content:

      ---
      namespace: "DEV-NAMESPACE" # The developer namespace where the ScanTemplates are going to be deployed
      metadataStore:
      url: "METADATA-STORE-URL" # The base URL where the Store deployment can be reached
      caSecret:
        name: "CA-SECRET-NAME" # The name of the secret containing the ca.crt
        importFromNamespace: "SECRET-NAMESPACE" # The namespace where Store is deployed (if single cluster) or where the connection secrets were created (if multi-cluster)
      authSecret:
        name: "TOKEN-SECRET-NAME" # The name of the secret containing the auth token to connect to Store
        importFromNamespace: "SECRET-NAMESPACE" # The namespace where the connection secrets were created (if multi-cluster)
      

      In a single cluster, the connection between the scanning pod and the metadata store happens inside the cluster and does not pass through ingress. This is automatically configured. You do not need to provide an ingress connection to the store. For information about troubleshooting issues with scanner to metadata store connection configuration, see Troubleshooting Scanner to MetadataStore Configuration.

      Important

      Because METADATA-STORE-URL and CA-SECRET-NAME depend on each other, you must define both them or you must define neither of them.

      Where:

      • DEV-NAMESPACE is the namespace where you want to deploy the ScanTemplates. This is the namespace where the scanning feature runs.
      • METADATA-STORE-URL is the base URL where the SCST - Store deployment is reached. For example, https://metadata-store-app.metadata-store.svc.cluster.local:8443.
      • CA-SECRET-NAME is the name of the secret containing the ca.crt to connect to the SCST - Store deployment.
      • SECRET-NAMESPACE is the namespace where SCST - Store is deployed if you are using a single cluster. If you are using multicluster, it is where the connection secrets were created.
      • TOKEN-SECRET-NAME is the name of the secret containing the authentication token to connect to the SCST - Store deployment when installed in a different cluster if you are using multicluster. If built images are pushed to the same registry as the Tanzu Application Platform images, this can reuse the tap-registry secret created in the Add the Tanzu Application Platform package repository procedure.
    2. Retrieve other configurable settings and append the key-value pair to the previous grype-values.yaml file by running:

      tanzu package available get grype.scanning.apps.tanzu.vmware.com/VERSION --values-schema -n tap-install
      

      Where VERSION is your package version number. For example, 1.1.0.

      For example:

      $ tanzu package available get grype.scanning.apps.tanzu.vmware.com/1.1.0 --values-schema -n tap-install
      | Retrieving package details for grype.scanning.apps.tanzu.vmware.com/1.1.0...
      KEY                        DEFAULT  TYPE    DESCRIPTION
      namespace                  default  string  Deployment namespace for the Scan Templates
      resources.limits.cpu       1000m    <nil>   Limits describes the maximum amount of cpu resources allowed.
      resources.requests.cpu     250m     <nil>   Requests describes the minimum amount of cpu resources required.
      resources.requests.memory  128Mi    <nil>   Requests describes the minimum amount of memory resources required.
      targetImagePullSecret      <EMPTY>  string  Reference to the secret used for pulling images from private registry.
      targetSourceSshSecret      <EMPTY>  string  Reference to the secret containing SSH credentials for cloning private repositories.
      
      Important

      If targetSourceSshSecret is not set, the private source scan template is not installed.

  3. Install the package by running:

    tanzu package install grype-scanner \
     --package grype.scanning.apps.tanzu.vmware.com \
     --version VERSION \
     --namespace tap-install \
     --values-file grype-values.yaml
    

    Where VERSION is your package version number. For example, 1.1.0.

    For example:

    $ tanzu package install grype-scanner \
     --package grype.scanning.apps.tanzu.vmware.com \
     --version 1.1.0 \
     --namespace tap-install \
     --values-file grype-values.yaml
    / Installing package 'grype.scanning.apps.tanzu.vmware.com'
    | Getting namespace 'tap-install'
    | Getting package metadata for 'grype.scanning.apps.tanzu.vmware.com'
    | Creating service account 'grype-scanner-tap-install-sa'
    | Creating cluster admin role 'grype-scanner-tap-install-cluster-role'
    | Creating cluster role binding 'grype-scanner-tap-install-cluster-rolebinding'
    / Creating package resource
    - Package install status: Reconciling
    
    Added installed package 'grype-scanner' in namespace 'tap-install'
    
check-circle-line exclamation-circle-line close-line
Scroll to top icon