Sample public source scan of a blob for Supply Chain Security Tools - Scan

You can do a public source scan of a blob for Supply Chain Security Tools (SCST) - Scan. This example performs a scan against source code in a .tar.gz file. This is helpful in a supply chain, where there is a GitRepository step that handles cloning a repository and exporting the source code as a compressed archive.

Note

This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.

Define the resources

Create public-blob-source-example.yaml with this content:

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: public-blob-source-example
spec:
  blob:
    url: "https://gitlab.com/nina-data/ckan/-/archive/master/ckan-master.tar.gz"
  scanTemplate: blob-source-scan-template

(Optional) Set up a watch

Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression by running:

watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

For more information, see Observing and Troubleshooting.

Deploy the resources

Deploy the resources by running:

kubectl apply -f public-blob-source-example.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View the scan results

After the scan finishes, view the results:

  1. Print the scan results by running:

     kubectl describe sourcescan public-blob-source-example -n DEV-NAMESPACE

     Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

  2. Verify that Status.Conditions includes a Reason: JobFinished and Message: The scan job finished. For more information, see Viewing and Understanding Scan Status Conditions.

Clean up

Clean up by running:

kubectl delete -f public-blob-source-example.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
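The deploy, describe, verify and clean-up steps above are normally typed one at a time. The script below is an added example, not part of the Tanzu Application Platform documentation, that strings them together: it applies the manifest, polls kubectl describe until Status.Conditions shows Reason: JobFinished with the message "The scan job finished" (or a timeout elapses), and then deletes the resources. It assumes kubectl is already pointed at the cluster; DEV_NAMESPACE, the timeout and the poll interval are placeholders, and the two describe-output samples at the bottom are constructed so the condition check can be exercised without cluster access.

```shell
#!/bin/sh
# Added example (not from the Tanzu docs): apply the SourceScan from this page,
# poll it until its conditions report JobFinished, then clean up.
# Assumes kubectl is configured for the cluster. DEV_NAMESPACE, TIMEOUT_SECS
# and POLL_SECS are placeholders to adjust.

DEV_NAMESPACE="${DEV_NAMESPACE:-dev-namespace-placeholder}"
MANIFEST="${MANIFEST:-public-blob-source-example.yaml}"
SCAN_NAME="${SCAN_NAME:-public-blob-source-example}"
TIMEOUT_SECS="${TIMEOUT_SECS:-600}"
POLL_SECS="${POLL_SECS:-10}"

# scan_finished DESCRIBE_TEXT
# Returns 0 when the `kubectl describe sourcescan` output carries both the
# Reason: JobFinished line and the "The scan job finished" message that the
# docs say to look for under Status.Conditions; returns 1 otherwise.
scan_finished() {
  printf '%s\n' "$1" | grep -q 'Reason:[[:space:]]*JobFinished' &&
  printf '%s\n' "$1" | grep -q 'Message:[[:space:]]*The scan job finished'
}

# describe_scan: the "Print the scan results" step, captured so that it can be
# checked by scan_finished instead of read by eye.
describe_scan() {
  kubectl describe sourcescan "$SCAN_NAME" -n "$DEV_NAMESPACE"
}

# wait_for_scan: poll describe_scan until scan_finished succeeds or the
# timeout elapses. Returns 0 when the scan finished, 1 on timeout.
wait_for_scan() {
  elapsed=0
  while [ "$elapsed" -lt "$TIMEOUT_SECS" ]; do
    out="$(describe_scan 2>/dev/null || true)"
    if scan_finished "$out"; then
      return 0
    fi
    sleep "$POLL_SECS"
    elapsed=$((elapsed + POLL_SECS))
  done
  return 1
}

# run_scan: deploy, wait, print the final conditions, clean up. The return
# code says whether the scan reached JobFinished within the timeout.
run_scan() {
  kubectl apply -f "$MANIFEST" -n "$DEV_NAMESPACE"
  if wait_for_scan; then
    echo "scan $SCAN_NAME finished"
    describe_scan
    rc=0
  else
    echo "scan $SCAN_NAME did not finish within ${TIMEOUT_SECS}s" >&2
    rc=1
  fi
  kubectl delete -f "$MANIFEST" -n "$DEV_NAMESPACE"
  return "$rc"
}

# Constructed samples of the describe output shape (the real output has many
# more fields); the second uses a made-up Reason purely as a negative case.
SAMPLE_FINISHED='Status:
  Conditions:
    Message:  The scan job finished
    Reason:   JobFinished
    Status:   True'

SAMPLE_RUNNING='Status:
  Conditions:
    Message:  constructed sample, scan still in progress
    Reason:   JobRunning
    Status:   False'

# check_samples: offline self-check of the condition test on the samples.
check_samples() {
  scan_finished "$SAMPLE_FINISHED" && ! scan_finished "$SAMPLE_RUNNING"
}

# Only talk to a cluster when explicitly asked, so the helper functions can be
# sourced or exercised without kubectl access.
if [ "${RUN_SCAN:-0}" = "1" ]; then
  run_scan
fi
```

Run it with `RUN_SCAN=1 DEV_NAMESPACE=<your namespace> sh scan-blob.sh` from the directory containing public-blob-source-example.yaml. Because the check requires both the Reason and the Message lines, a condition block that carries only one of them (for example while the scanner is still transitioning) is not treated as finished.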

View vulnerability reports

After completing the scans, query the Supply Chain Security Tools - Store to view your vulnerability results.
