This topic includes an example public source code scan with a compliance check for Supply Chain Security Tools (SCST) - Scan.
Note: This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.
This example performs a source scan on a public repository. The source revision has 192 known Common Vulnerabilities and Exposures (CVEs), spanning several severities. SourceScan uses the ScanPolicy to run a compliance check against the CVEs. The example policy is set to only consider Critical severity CVEs as violations, which returns 7 CVEs.
Caution: This example ScanPolicy is deliberately constructed to showcase the features available and must not be considered an acceptable base policy. In particular, its isSafe rule accepts a vulnerability as soon as any one of its ratings falls outside notAllowedSeverities, so a finding that carries both a Critical and a High rating is not reported as a violation.
For this example, the scan reports in Status.Conditions that 7 CVEs have violated policy compliance.
To perform an example source scan on a public repository:
Create sample-public-source-scan-with-compliance-check.yaml with the following content to define ScanPolicy and SourceScan:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
  name: sample-scan-policy
  labels:
    'app.kubernetes.io/part-of': 'enable-in-gui'
spec:
  regoFile: |
    package main

    # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
    notAllowedSeverities := ["Critical"]
    # IDs listed here are exempted from the policy even if their severity is not allowed
    ignoreCves := []

    contains(array, elem) = true {
      array[_] = elem
    } else = false { true }

    # A vulnerability is safe when at least one of its ratings is not a disallowed severity ...
    isSafe(match) {
      severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
      some i
      fails := contains(notAllowedSeverities, severities[i])
      not fails
    }

    # ... or when its ID is explicitly ignored
    isSafe(match) {
      ignore := contains(ignoreCves, match.id)
      ignore
    }

    # Each set comprehension pair accepts both a single object and a list of objects
    deny[msg] {
      comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
      some i
      comp := comps[i]
      vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
      some j
      vuln := vulns[j]
      ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
      not isSafe(vuln)
      msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
    }
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: sample-public-source-scan-with-compliance-check
spec:
  git:
    url: "https://github.com/houndci/hound.git"
    revision: "5805c650"
  scanTemplate: public-source-scan-template
  scanPolicy: sample-scan-policy
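To trace what the ScanPolicy above actually decides before pushing it to a cluster, the following is an added example (not part of the SCST - Scan product or of this page's manifests) that ports the Rego rules to Python and runs them over a constructed BOM. The component names and vulnerability IDs in SAMPLE_BOM are made up; is_safe_any_rating mirrors the page's isSafe, and is_safe_all_ratings is an assumed stricter variant included to show the mixed-rating gap the Caution describes.

```python
"""Python port of the sample ScanPolicy (added example, not product code).

Assumptions: the BOM is modelled as the nested dicts below, shaped like the
`input.bom` the Rego walks; all IDs and component names are constructed.
"""

NOT_ALLOWED_SEVERITIES = ["Critical"]

# Constructed BOM: components.component[] -> vulnerabilities.vulnerability[] -> ratings.rating[]
SAMPLE_BOM = {
    "components": {
        "component": [
            {
                "name": "lib-a",
                "vulnerabilities": {
                    "vulnerability": [
                        {"id": "CVE-0000-0001",
                         "ratings": {"rating": [{"severity": "Critical"}]}},
                        {"id": "CVE-0000-0002",
                         "ratings": {"rating": [{"severity": "High"}]}},
                    ]
                },
            },
            {
                "name": "lib-b",
                "vulnerabilities": {
                    # single objects instead of lists: the Rego's paired set
                    # comprehensions accept both shapes, so the port must too
                    "vulnerability": {"id": "GHSA-aaaa-bbbb-cccc",
                                      "ratings": {"rating": {"severity": "Critical"}}}
                },
            },
            {
                "name": "lib-c",
                "vulnerabilities": {
                    "vulnerability": [
                        # mixed ratings: Critical from one source, High from another
                        {"id": "CVE-0000-0003",
                         "ratings": {"rating": [{"severity": "Critical"},
                                                {"severity": "High"}]}},
                    ]
                },
            },
        ]
    }
}


def as_list(value):
    """Mirror `{e | e := x.y} | {e | e := x.y[_]}`: single object or list -> list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def severities_of(vuln):
    return {r["severity"] for r in as_list(vuln.get("ratings", {}).get("rating"))}


def is_safe_any_rating(vuln, not_allowed, ignore_cves):
    """Faithful port of the page's isSafe: safe if the ID is ignored OR if
    *any one* rating lies outside not_allowed (the `some i ... not fails` body)."""
    if vuln["id"] in ignore_cves:
        return True
    return any(sev not in not_allowed for sev in severities_of(vuln))


def is_safe_all_ratings(vuln, not_allowed, ignore_cves):
    """Assumed stricter variant (not the page's policy): safe only if ignored
    or if *no* rating lies in not_allowed."""
    if vuln["id"] in ignore_cves:
        return True
    return all(sev not in not_allowed for sev in severities_of(vuln))


def evaluate(bom, not_allowed=NOT_ALLOWED_SEVERITIES, ignore_cves=(),
             is_safe=is_safe_any_rating):
    """Port of the deny rule: one "CVE <component> <id> <severities>" message
    per vulnerability that is not safe."""
    denials = []
    for comp in as_list(bom["components"].get("component")):
        for vuln in as_list(comp.get("vulnerabilities", {}).get("vulnerability")):
            if not is_safe(vuln, not_allowed, ignore_cves):
                sevs = sorted(severities_of(vuln))
                denials.append(f"CVE {comp['name']} {vuln['id']} {sevs}")
    return denials


def violated_ids(bom, **kw):
    """Sorted vulnerability IDs that the policy reports as violations."""
    return sorted(msg.split()[2] for msg in evaluate(bom, **kw))


if __name__ == "__main__":
    print("page policy:   ", evaluate(SAMPLE_BOM))
    print("strict variant:", evaluate(SAMPLE_BOM, is_safe=is_safe_all_ratings))
    print("with ignores:  ", evaluate(SAMPLE_BOM,
                                      ignore_cves=["CVE-0000-0001", "GHSA-aaaa-bbbb-cccc"]))
```

With the page's rule, only CVE-0000-0001 and GHSA-aaaa-bbbb-cccc are denied; CVE-0000-0003 slips through because its High rating satisfies `not fails`. The strict variant also denies CVE-0000-0003, and adding the two IDs to the ignore list clears the page-rule result, which is the same effect as populating ignoreCves in the ScanPolicy.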
(Optional) Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression by running:
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed. For more information, see Observing and Troubleshooting.
Deploy the resources by running:
kubectl apply -f sample-public-source-scan-with-compliance-check.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
When the scan completes, view the results by running:
kubectl describe sourcescan sample-public-source-scan-with-compliance-check -n DEV-NAMESPACE
The Status.Conditions includes a Reason: EvaluationFailed and Message: Policy violated because of 7 CVEs. For more information, see Viewing and Understanding Scan Status Conditions.
If the failing CVEs are acceptable, or the build must be deployed regardless of these CVEs, update the ignoreCves array in the ScanPolicy to include the CVEs to ignore. Ignoring a CVE only suppresses the policy violation; it does not remove the vulnerability, so the durable fix is still to patch the application. Each entry must match the id reported by the scanner exactly, including GHSA identifiers:
...
spec:
  regoFile: |
    package main

    # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
    notAllowedSeverities := ["Critical"]
    # Adding the failing CVEs to the ignore array
    ignoreCves := ["CVE-2018-14643", "GHSA-f2jv-r9rf-7988", "GHSA-w457-6q6x-cgp9", "CVE-2021-23369", "CVE-2021-23383", "CVE-2020-15256", "CVE-2021-29940"]
...
Applying the updated ScanPolicy triggers the scan to run again. Reapply the resources by running:
kubectl apply -f sample-public-source-scan-with-compliance-check.yaml -n DEV-NAMESPACE
Re-describe the SourceScan CR by running:
kubectl describe sourcescan sample-public-source-scan-with-compliance-check -n DEV-NAMESPACE
Ensure that Status.Conditions now includes Reason: EvaluationPassed and the message No CVEs were found that violated the policy. To widen or narrow what counts as a violation, update the notAllowedSeverities array in the ScanPolicy instead. The example Grype scan returns the following severity spread of vulnerabilities:
Clean up by running:
kubectl delete -f sample-public-source-scan-with-compliance-check.yaml -n DEV-NAMESPACE