This topic gives you sample ImageVulnerabilityScans for various scanners, and any associated secrets.
ImageVulnerabilityScan samples

This section includes ImageVulnerabilityScans (IVS) for various scanners. To use one, copy the YAML content for the scanner you want from the scanner-specific topics that follow.

To use a custom ImageVulnerabilityScan sample:

1. Save the sample YAML to a file, for example custom-ivs.yaml. Some scanners, such as Carbon Black, Snyk, and Prisma Scanner, require specific credentials that you must specify in the secret.

2. Edit these fields of your ImageVulnerabilityScan:

   - spec.image is the image that you are scanning. It must be given in digest form; for more information, see Retrieving an image digest.
   - scanResults.location is the registry URL where the publisher service account uploads the scan results. For example, my.registry/scan-results.
   - serviceAccountNames includes:
     - scanner, which is the service account that runs the scan. It must have read access to spec.image.
     - publisher, which is the service account that uploads results. It must have write access to scanResults.location.

   Keep the two service accounts separate: the scanner only needs to pull the image, and the publisher only needs to push to the results location, so neither account needs both permissions.

3. Complete any scanner-specific changes specified on the sample ImageVulnerabilityScan page.

4. Incorporate your custom ImageVulnerabilityScan into a ClusterImageTemplate, or run a standalone scan by running:

   kubectl apply -f custom-ivs.yaml -n DEV-NAMESPACE

   Where DEV-NAMESPACE is the name of the developer namespace where scanning occurs.
Retrieving an image digest

SCST - Scan 2.0 custom resources require the digest form of the image reference, for example nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2. A tag such as nginx:latest is mutable and can point at different content later, whereas the digest identifies exactly the image content that was scanned, so the scan results stay tied to that content.

Use the Docker documentation to pull and inspect an image digest. For example, by running:

docker pull nginx:latest
docker inspect --format='{{index .RepoDigests 0}}' nginx:latest

This prints the full reference (repository@sha256:...). Note that RepoDigests is only populated for images that were pulled from or pushed to a registry; a locally built image that has never been pushed has no digest to report.

Alternatively, you can install krane to retrieve the digest without pulling the image by running:

krane digest nginx:latest

krane prints only the sha256:... digest, so prefix it with the repository yourself to form the reference used in spec.image.
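The following added example (not part of the TAP documentation or the SCST - Scan 2.0 project) ties the two procedures above together: it checks that an image reference is in the digest form the custom resources require, resolves a tag to that form with krane or docker, and renders the ImageVulnerabilityScan fields named in the steps above into a manifest. The apiVersion and kind are assumed from the SCST - Scan 2.0 API, the function names are mine, and the scanner-specific steps are left as a placeholder to be copied from the sample for your scanner.

```shell
#!/bin/sh
# Added example, not from the TAP documentation: validate the digest-form
# requirement and render the ImageVulnerabilityScan fields discussed above.
# Assumptions: apiVersion/kind taken from the SCST - Scan 2.0 API; the
# scanner-specific `steps` block is a placeholder to be copied from the sample.

# is_digest_ref REF: succeed only for <repo>@sha256:<64 hex digits>.
# A tag like nginx:latest is mutable; the digest pins exactly what was scanned.
is_digest_ref() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# digest_ref_for TAGGED: resolve repo:tag to repo@sha256:... using krane if it
# is installed, otherwise docker pull + inspect. Needs registry access, so it
# is not exercised by the offline checks. Strips the last ":tag" component;
# a reference with a registry port but no tag is not handled here.
digest_ref_for() {
  if command -v krane >/dev/null 2>&1; then
    # krane prints only "sha256:...", so re-attach the repository
    printf '%s@%s\n' "${1%:*}" "$(krane digest "$1")"
  else
    docker pull "$1" >/dev/null
    docker inspect --format='{{index .RepoDigests 0}}' "$1"
  fi
}

# render_ivs NAME IMAGE RESULTS_LOCATION SCANNER_SA PUBLISHER_SA
# Prints the manifest to stdout. Returns 2 and prints nothing if IMAGE is not
# in digest form, so a tagged reference never reaches kubectl apply.
render_ivs() {
  name=$1 image=$2 location=$3 scanner_sa=$4 publisher_sa=$5
  if ! is_digest_ref "$image"; then
    echo "render_ivs: image must be in digest form (repo@sha256:...), got: $image" >&2
    return 2
  fi
  cat <<EOF
apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
  name: $name
spec:
  image: $image
  scanResults:
    location: $location
  serviceAccountNames:
    scanner: $scanner_sa      # needs read access to spec.image
    publisher: $publisher_sa  # needs write access to scanResults.location
  # steps: copy the scanner-specific steps from the sample IVS for your scanner
EOF
}

# Example usage (constructed values; the digest is the one quoted on this page):
#   render_ivs nginx-scan \
#     nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2 \
#     my.registry/scan-results scanner publisher > custom-ivs.yaml
#   kubectl apply -f custom-ivs.yaml -n DEV-NAMESPACE
```

Sourcing this file and piping render_ivs into custom-ivs.yaml gives you a manifest whose spec.image cannot silently be a tag; if you start from a tag, pass it through digest_ref_for first.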