Sample public image scan with compliance check for Supply Chain Security Tools - Scan

This topic includes an example public image scan with a compliance check for Supply Chain Security Tools (SCST) - Scan.

Note

This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.

Public image scan

The following example performs an image scan on an image in a public registry. When this example was written, this image revision had 223 known vulnerabilities (CVEs), spanning a number of severities; the counts you see depend on the scanner's vulnerability database, which is updated continuously. ImageScan uses the ScanPolicy to run a compliance check against the CVEs.

The policy in this example is set to consider only Critical severity CVEs as a violation, which reports 21 Critical severity vulnerabilities as policy violations.

Caution

This example ScanPolicy is deliberately constructed to showcase the features available and must not be considered an acceptable base policy. In particular, its first isSafe rule succeeds as soon as any one rating of a vulnerability falls outside notAllowedSeverities, so a vulnerability rated Critical by one source and High by another is not reported, and an ID placed in ignoreCves is suppressed for every image evaluated against the policy, whatever its severity.

In this example, the scan:

  • Finds all 223 of the CVEs
  • Ignores any CVEs with severities that are not critical
  • Indicates in Status.Conditions that 21 CVEs have violated policy compliance

Define the ScanPolicy and ImageScan

Create sample-public-image-scan-with-compliance-check.yaml with the following content. The ImageScan references the image by a mutable tag; to tie the scan result to one specific image revision, reference the image by digest (an @sha256: reference) instead:

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
  name: sample-scan-policy
  labels:
    'app.kubernetes.io/part-of': 'enable-in-gui'
spec:
  regoFile: |
    package main

    # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
    notAllowedSeverities := ["Critical"]
    # Vulnerability IDs listed here are never reported, whatever their severity.
    ignoreCves := []

    # True when elem is an element of array, false otherwise.
    contains(array, elem) = true {
      array[_] = elem
    } else = false { true }

    # A vulnerability is safe when some rating of it is outside notAllowedSeverities.
    # The union of the two comprehensions accepts ratings.rating given either as a
    # single object or as an array. Because of `some i`, the rule succeeds as soon
    # as one rating is allowed, even if another rating of the same vulnerability
    # is not; a vulnerability with no rating at all binds no i and fails closed.
    isSafe(match) {
      severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
      some i
      fails := contains(notAllowedSeverities, severities[i])
      not fails
    }

    # A vulnerability is also safe when its ID is on the ignore list.
    isSafe(match) {
      ignore := contains(ignoreCves, match.id)
      ignore
    }

    # One deny message per vulnerability that neither isSafe rule accepts.
    # components.component and vulnerabilities.vulnerability may each be a single
    # object or an array, hence the same union idiom as above.
    deny[msg] {
      comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
      some i
      comp := comps[i]
      vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
      some j
      vuln := vulns[j]
      ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
      not isSafe(vuln)
      msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
    }

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
  name: sample-public-image-scan-with-compliance-check
spec:
  registry:
    image: "nginx:1.16"
  scanTemplate: public-image-scan-template
  scanPolicy: sample-scan-policy

(Optional) Set up a watch

Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression by running:

watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

For more information about setting up a watch, see Observing and Troubleshooting.

Deploy the resources

Deploy the resources by running:

kubectl apply -f sample-public-image-scan-with-compliance-check.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View the scan results

To view the scan status:

  1. After the scan has finished, run:

    kubectl describe imagescan sample-public-image-scan-with-compliance-check -n DEV-NAMESPACE
    

    Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

  2. Verify that Status.Conditions includes Reason: EvaluationFailed and Message: Policy violated because of 21 CVEs.

    For more information about scan status conditions, see Viewing and Understanding Scan Status Conditions.

Edit ScanPolicy

To ignore specific CVEs, edit the ScanPolicy and add their IDs to the ignoreCves array, for example:

...
spec:
  regoFile: |
    package main

    # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
    notAllowedSeverities := ["Critical"]
    # Adding the failing CVEs to the ignore array
    ignoreCves := ["CVE-2018-14643", "GHSA-f2jv-r9rf-7988", "GHSA-w457-6q6x-cgp9", "CVE-2021-23369", "CVE-2021-23383", "CVE-2020-15256", "CVE-2021-29940"]
...

The IDs shown are illustrative; take the IDs to ignore from the deny messages in your own scan output. Each entry is an accepted-risk decision, so record who accepted it and when it is reviewed, and remember that an ignored ID is suppressed for every image evaluated against this policy, whatever its severity. To check the image against the updated policy, delete and re-apply the ImageScan.
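The policy above and the ignore-list edit are easiest to reason about with the decision logic isolated from the cluster. The following Python is an added example for this page, not code from SCST - Scan or from the ScanPolicy itself: it re-implements the Rego rules so they can be exercised against a constructed BOM without running a scan. The input shape (bom.components.component[].vulnerabilities.vulnerability[].id and .ratings.rating[].severity) is the one the policy's own field paths reference; the sample BOM, its EXAMPLE-* vulnerability IDs, and the stricter is_safe_strict variant are assumptions of this example, not part of the page's policy.

```python
"""Offline model of the sample ScanPolicy.

Added example for this page, not code from SCST - Scan or from the policy
itself: the Rego rules are re-implemented in Python so the decision logic can
be exercised against a constructed BOM without running a scan. The input shape
(bom.components.component[].vulnerabilities.vulnerability[].id and
.ratings.rating[].severity) is the one the policy's field paths reference; the
BOM below and its EXAMPLE-* vulnerability IDs are constructed for this example.
"""
from typing import Any, Callable

NOT_ALLOWED_SEVERITIES = ["Critical"]   # notAllowedSeverities in the policy
IGNORE_CVES = []                        # ignoreCves in the policy

# Constructed BOM in the shape the policy reads: a mix of single-object and
# array forms, a component without vulnerabilities, and an unrated vulnerability.
SAMPLE_BOM = {
    "components": {
        "component": [
            {"name": "libssl1.1",
             "vulnerabilities": {"vulnerability": [
                 {"id": "EXAMPLE-0001", "ratings": {"rating": {"severity": "Critical"}}},
                 {"id": "EXAMPLE-0002", "ratings": {"rating": [{"severity": "High"}]}},
             ]}},
            {"name": "zlib1g",
             "vulnerabilities": {"vulnerability":
                 {"id": "EXAMPLE-0003",
                  "ratings": {"rating": [{"severity": "Critical"}, {"severity": "High"}]}}}},
            {"name": "bash"},
            {"name": "curl",
             "vulnerabilities": {"vulnerability": [{"id": "EXAMPLE-0004"}]}},
        ]
    }
}


def as_list(node: Any) -> list:
    """Mirror the Rego idiom `{e | e := x.y} | {e | e := x.y[_]}`: a missing
    node yields nothing, a single object one element, an array its elements."""
    if node is None:
        return []
    return node if isinstance(node, list) else [node]


def severities_of(vuln: dict) -> set:
    return {r["severity"] for r in as_list(vuln.get("ratings", {}).get("rating"))}


def is_safe_as_written(vuln: dict, not_allowed: list, ignore: list) -> bool:
    """Faithful to the page's two isSafe rules. Rule 1 is existential (`some i`):
    it succeeds as soon as SOME rating is outside notAllowedSeverities, so a
    vulnerability rated Critical by one source and High by another is safe.
    A vulnerability with no rating at all has no i to bind and fails closed."""
    if vuln["id"] in ignore:                                        # rule 2
        return True
    return any(s not in not_allowed for s in severities_of(vuln))   # rule 1


def is_safe_strict(vuln: dict, not_allowed: list, ignore: list) -> bool:
    """Hardened variant (an assumption of this example, not the page's policy):
    EVERY rating must be outside notAllowedSeverities; unrated still fails closed."""
    if vuln["id"] in ignore:
        return True
    sevs = severities_of(vuln)
    return bool(sevs) and all(s not in not_allowed for s in sevs)


def evaluate(bom: dict, not_allowed: list, ignore: list,
             is_safe: Callable = is_safe_as_written) -> list:
    """One deny message per vulnerability the chosen isSafe rejects, in the same
    "CVE <component> <id> <severities>" order as the policy's sprintf."""
    deny = []
    for comp in as_list(bom.get("components", {}).get("component")):
        for vuln in as_list(comp.get("vulnerabilities", {}).get("vulnerability")):
            if not is_safe(vuln, not_allowed, ignore):
                deny.append(f"CVE {comp['name']} {vuln['id']} {sorted(severities_of(vuln))}")
    return deny


if __name__ == "__main__":
    for msg in evaluate(SAMPLE_BOM, NOT_ALLOWED_SEVERITIES, IGNORE_CVES):
        print(msg)
    strict = evaluate(SAMPLE_BOM, NOT_ALLOWED_SEVERITIES, IGNORE_CVES, is_safe_strict)
    print("strict variant reports", len(strict), "violations")
```

Run as written, the model reports EXAMPLE-0001 (Critical) and EXAMPLE-0004 (unrated) but not EXAMPLE-0003, whose High rating satisfies the existential first isSafe rule even though it is also rated Critical; the strict variant reports all three. Adding an ID to the ignore list removes it from the output for the as-written and strict variants alike, which is the behaviour to keep in mind when extending ignoreCves.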

Clean up

Clean up by running:

kubectl delete -f sample-public-image-scan-with-compliance-check.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
