Configure an ImageVulnerabilityScan for Carbon Black

This topic gives you an example of how to configure a secret and ImageVulnerabilityScan (IVS) for Carbon Black.

Example secret

This section contains a sample secret that holds the Carbon Black credentials from the ~/.cbctl/cbctl.yaml config file. These credentials are used to authenticate your Carbon Black account. You can find them in the Carbon Black console. See the Carbon Black documentation. You must apply this secret once to your developer namespace.

apiVersion: v1
kind: Secret
metadata:
  name: cbctl-creds
stringData:
  cbctl: |
    cb_api_id: CB-API-ID
    cb_api_key: CB-API-KEY
    org_key: ORG-KEY
    saas_url: SAAS-URL

Where:

  • CB-API-ID is the API ID obtained from Carbon Black Cloud.
  • CB-API-KEY is the API Key obtained from Carbon Black.
  • ORG-KEY is the Org Key for your Carbon Black organization.
  • SAAS-URL is the Carbon Black Backend URL.

Example ImageVulnerabilityScan

This section contains a sample IVS that uses Carbon Black to scan a targeted image and push the results to the specified registry location. For information about the IVS specification, see Configuration Options.

In the tekton-pipelines feature-flags ConfigMap, set enable-api-fields to alpha. This enables stdoutConfig, which is needed to write the scan report to a file.

apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
  name: carbon-black-ivs
  annotations:
    app-scanning.apps.tanzu.vmware.com/scanner-name: Carbon-Black
spec:
  image: nginx@sha256:... # The image to be scanned. Digest must be specified.
  scanResults:
    location: registry/project/scan-results
  serviceAccountNames:
    publisher: publisher
    scanner: scanner
  workspace:
    bindings:
    - name: cbctl
      secret:
        secretName: cbctl-creds
        items:
          - key: cbctl
            path: .cbctl.yaml
  steps:
  - name: carbon-black
    image: CARBON-BLACK-SCANNER-IMAGE
    imagePullPolicy: IfNotPresent
    command:
    - cbctl
    - image
    - scan
    - --force=true
    - $(params.image)
    - --config
    - /cbctl/.cbctl.yaml
    - -ocyclonedx
    stdoutConfig:
      path: /workspace/scan-results/scan-results.cdx.xml

Where CARBON-BLACK-SCANNER-IMAGE is the Carbon Black scanner image. For example, cbartifactory/cbctl:latest.

For information about publicly available Carbon Black images, see DockerHub. For more information about using the Carbon Black Scanner CLI, see the Carbon Black documentation.

The Carbon Black cbctl-creds secret is mounted as a workspace binding, and the credentials are written to the .cbctl.yaml config file that the Carbon Black CLI reads through the --config flag.

stdoutConfig.path redirects the output stream of the step to a file so that it can be published to the registry. For more information, see the Tekton documentation.
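
A pre-apply check for the two manifests above, added here as an example and not part of the Carbon Black or Tanzu documentation: it rejects image references that are not pinned by a sha256 digest and flags cbctl settings that are missing or still hold the placeholders from the sample secret. The function names and all sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-apply checks for the Secret and ImageVulnerabilityScan above.
# Function names and all sample values are constructed for illustration.

# Succeeds only when the image reference ends in a full sha256 digest,
# which spec.image requires. Tags and the literal "sha256:..." are rejected.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Reads a cbctl config (or the whole Secret manifest) on stdin and reports
# every required key that is missing, empty, or still the doc placeholder.
# Only key names are printed, never credential values.
check_cbctl_config() {
  _cfg=$(cat)
  _problems=0
  for _key in cb_api_id cb_api_key org_key saas_url; do
    _value=$(printf '%s\n' "$_cfg" |
      sed -n "s/^[[:space:]]*${_key}:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" |
      head -n 1)
    _placeholder=$(printf '%s' "$_key" | tr 'a-z_' 'A-Z-')  # cb_api_id -> CB-API-ID
    if [ -z "$_value" ]; then
      echo "${_key}: missing or empty"; _problems=1
    elif [ "$_value" = "$_placeholder" ]; then
      echo "${_key}: still set to placeholder ${_placeholder}"; _problems=1
    fi
  done
  return "$_problems"
}

# Constructed sample run (the digest and credential values are not real).
sample_digest=$(printf '%064d' 0)
is_digest_pinned "nginx@sha256:${sample_digest}" && echo "digest reference: ok"
is_digest_pinned "nginx:latest" || echo "nginx:latest: not pinned by digest"
printf 'cb_api_id: CB-API-ID\ncb_api_key: k3y\norg_key: ABCD1234\n' |
  check_cbctl_config || echo "fix the secret before applying it"
```

Because leading whitespace is ignored, the Secret manifest itself can be piped into check_cbctl_config before it is applied.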

Disclaimer

For the publicly available Carbon Black scanner CLI image, CLI commands and parameters used are accurate at the time of documentation.
