This topic tells you what scan types you can use with Scan Types for Supply Chain Security Tools (SCST) - Scan. The out-of-box test and scan supply chain supports the source and container image scan types.
The source scan step in the test and scan supply chain performs a Software Composition Analysis (SCA) scan to inspect the open-source dependencies of an application for vulnerabilities.
NoteThis topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions. You scan by inspecting the file that the language uses for dependency declaration. This table has examples:
Language | Dependency File |
---|---|
Spring | pom.xml |
.Net | deps.json |
Node.JS | packages.json |
Python | requirements.txt |
Rather than declare specific dependency versions, some languages such as Spring, Java, and .Net resolve dependency versions at build time. For these languages, performing a SCA scan on the declaration file stored in the source code does not produce meaningful results. Instead the SCA scan often creates false positives or false negatives.
Because of this, in Tanzu Application Platform v1.6 and later the source scan step is moved to an opt-in step in the supply chain.
To add source scanning to the out-of-the-box test and scan supply chain, you can apply an overlay in the tap-values.yaml
file used for installation. This overlay adds the required resources to the supply chain in the correct location to opt in to source scanning.
For information about how overlays work with Tanzu Application Platform, see Customize your package installation.
To add source scanning to the default out-of-the-box test and scan supply chain:
Create a secret.yml
file with a Secret
that contains your ytt overlay. For example:
apiVersion: v1
kind: Secret
metadata:
name: ootb-supply-chain-testing-scanning-add-source-scanner
namespace: tap-install
annotations:
kapp.k14s.io/change-group: "tap-overlays"
type: Opaque
stringData:
ootb-supply-chain-testing-scanning-add-source-scanner.yaml: |
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"name":"source-test-scan-to-url"}, "kind": "ClusterSupplyChain"})
---
spec:
resources:
#@overlay/match by=overlay.index(2)
#@overlay/insert before=True
- name: source-scanner
params:
- default: scan-policy
name: scanning_source_policy
- default: blob-source-scan-template
name: scanning_source_template
sources:
- name: source
resource: source-tester
templateRef:
kind: ClusterSourceTemplate
name: source-scanner-template
#@overlay/match by="name"
- name: image-provider
sources:
#@overlay/match by="name"
- name: source
resource: source-scanner
For information about ytt overlays, see the Carvel documentation.
Apply the Secret
to your cluster by running:
kubectl apply -f secret.yml
Update your values file to include a package_overlays
field by running:
package_overlays:
- name: ootb-supply-chain-testing-scanning
secrets:
- name: ootb-supply-chain-testing-scanning-add-source-scanner
Update Tanzu Application Platform by running:
tanzu package installed update tap -p tap.tanzu.vmware.com -v 1.10.1 \
--values-file tap-values.yaml -n tap-install
For a multicluster installation, you must apply this to the build profile because that is where the scan components run. For information about Tanzu Application Platform profiles, see Installing Tanzu Application Platform package and profiles.
A container image scan inspects the contents of a built container image for vulnerabilities. This scan is performed on the container image after it is uploaded to the container image registry and at periodic intervals after the initial upload. Many container registries, such as Harbor and Docker Hub, include this capability.
Tanzu Application Platform enables scanning container images for vulnerabilities as part of your supply chain, allowing you to prevent deployment of a container image if vulnerabilities are discovered that exceed your security policy.