Enable SCST - Scan 2.0 for default Test and Scan supply chains
This topic tells you how to enable Supply Chain Security Tools (SCST) - Scan 2.0 and an included container image scanner for Out of the Box Supply Chain with Testing and Scanning. The default configuration for Out of the Box Supply Chain with Testing and Scanning is SCST - Scan 1.0.
Overview
SCST - Scan 2.0 includes two integrations for container image scanners:
| Container Image Scanner | Documentation | Cluster Image Template Name | Status |
|---|---|---|---|
| Aqua Trivy | Link | image-vulnerability-scan-trivy |
Recommended scanner for SCST - Scan 2.0 |
| Anchore Grype | Link | image-vulnerability-scan-grype |
Alternative to Trivy that is used in SCST - Scan 1.0 |
VMware recommends using Aqua Trivy scanner with Tanzu Application Platform for container image scanning. If you want to remain consistent with the default scanner in SCST - Scan 1.0, Anchore Grype is included as an open-source alternative. Additionally, you can build an integration for additional scanners. For more information, see Bring your own scanner with Supply Chain Security Tools - Scan 2.0.
Enable with OOTB supply chain
To enable SCST - Scan 2.0 with an OOTB supply chain using the Trivy scanner:
-
Update your
tap-values.yamlfile to specify the TrivyClusterImageTemplate. For example:ootb_supply_chain_testing_scanning: image_scanner_template_name: image-vulnerability-scan-trivy -
Update your Tanzu Application Platform installation by running:
tanzu package installed update tap -p tap.tanzu.vmware.com -v TAP-VERSION --values-file tap-values.yaml -n tap-installWhere
TAP-VERSIONis the version of Tanzu Application Platform installed. -
Verify the scan capability is working as expected by creating a workload. See Verify scanning with Supply Chain integration.
