Add testing and scanning to your application
This topic guides you through installing the optional OOTB Supply Chain with Testing and the optional OOTB Supply Chain with Testing and Scanning.
For more information about available supply chains, see Supply chains on Tanzu Application Platform.
What you will do
- Install OOTB Supply Chain with Testing.
- Add a Tekton pipeline to the cluster and update the workload to point to the pipeline and resolve errors.
- Install OOTB Supply Chain with Testing and Scanning.
- Update the workload to point to the Tekton pipeline and resolve errors.
- (Optional) Enable recurring scanning for post-build scans.
Overview
The default Out of the Box (OOTB) Supply Chain Basic and its dependencies were installed on your cluster during the Tanzu Application Platform install. As demonstrated in this guide, you can add testing and security scanning to your application. When you activate OOTB Supply Chain with Testing, it deactivates OOTB Supply Chain Basic.
The following installations also provide a sample Tekton pipeline that tests your sample application. The pipeline is configurable. Therefore, you can customize the steps to perform either additional testing or other tasks with Tekton Pipelines.
Install OOTB Supply Chain with Testing
To install OOTB Supply Chain with Testing:
-
You can activate the OOTB Supply Chain with Testing by updating your profile to use
testingrather thanbasicas the selected supply chain for workloads in this cluster. Thetap-values.yamlis the file used to customize the profile inTanzu package install tap --values-file=.... Updatetap-values.yamlwith the following changes:- supply_chain: basic + supply_chain: testing - ootb_supply_chain_basic: + ootb_supply_chain_testing: registry: server: "SERVER-NAME" repository: "REPO-NAME"Where:
SERVER-NAMEis the name of your server.REPO-NAMEis the name of the image repository that hosts the container images.
-
Update the installed profile by running:
tanzu package installed update tap -p tap.tanzu.vmware.com -v VERSION-NUMBER --values-file tap-values.yaml -n tap-installWhere
VERSION-NUMBERis your Tanzu Application Platform version. For example,1.11.0.
Tekton pipeline config example
In this section, a Tekton pipeline is added to the cluster. In the next section, the workload is updated to point to the pipeline and resolve any current errors.
NoteDevelopers can perform this step because they know how their application must be tested. The operator can also add the Tekton pipeline to a cluster before the developer gets access.
To add the Tekton pipeline to the cluster, apply the following YAML to the cluster:
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: developer-defined-tekton-pipeline
namespace: DEVELOPER-NAMESPACE
labels:
apps.tanzu.vmware.com/pipeline: test # (!) required
spec:
params:
- name: source-url # (!) required
- name: source-revision # (!) required
tasks:
- name: test
params:
- name: source-url
value: $(params.source-url)
- name: source-revision
value: $(params.source-revision)
taskSpec:
params:
- name: source-url
- name: source-revision
steps:
- name: test
image: gradle
script: |-
cd `mktemp -d`
wget -qO- $(params.source-url) | tar xvz -m
./mvnw test
Where DEVELOPER-NAMESPACE is the name of your developer namespace.
The preceding YAML puts a Tekton pipeline in the developer namespace you specify. It defines the Tekton pipeline with a single step. The step contained in the steps pulls the code from the repository indicated in the developers workload and runs the tests within the repository. The steps of the Tekton pipeline are configurable and allow the developer to add additional items needed to test their code.
There are many steps in the supply chain. In this case, the next step is an image build. Any additional steps the developer adds to the Tekton pipeline to test their code are independent of the image being built and of any subsequent steps executed in the supply chain. This independence gives the developer freedom to focus on testing their code.
The params are templated by Supply Chain Choreographer. Additionally, Tekton pipelines require a Tekton pipelineRun to execute on the cluster. Supply Chain Choreographer handles creating the pipelineRun dynamically each time that step of the supply chain requires execution.
Workload update
To connect the new supply chain to the workload, the workload must be updated to point at your Tekton pipeline.
-
Update the workload by running the following with the Tanzu CLI:
tanzu apps workload apply tanzu-java-web-app \ --git-repo https://github.com/vmware-tanzu/application-accelerator-samples \ --sub-path tanzu-java-web-app \ --git-branch main \ --type web \ --label apps.tanzu.vmware.com/has-tests=true \ --label app.kubernetes.io/part-of=tanzu-java-web-app \ --yes -
After accepting the workload creation, monitor the creation of new resources by the workload by running:
kubectl get workload,gitrepository,pipelinerun,images.kpack,podintent,app,services.servingThe result is output similar to the following example that shows the objects created by Supply Chain Choreographer:
NAME AGE workload.carto.run/tanzu-java-web-app 109s NAME URL READY STATUS AGE gitrepository.source.toolkit.fluxcd.io/tanzu-java-web-app https://github.com/vmware-tanzu/application-accelerator-samples True Fetched revision: main/872ff44c8866b7805fb2425130edb69a9853bfdf 109s NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME pipelinerun.tekton.dev/tanzu-java-web-app-4ftlb True Succeeded 104s 77s NAME LATESTIMAGE READY image.kpack.io/tanzu-java-web-app 10.188.0.3:5000/foo/tanzu-java-web-app@sha256:1d5bc4d3d1ffeb8629fbb721fcd1c4d28b896546e005f1efd98fbc4e79b7552c True NAME READY REASON AGE podintent.conventions.carto.run/tanzu-java-web-app True 7s NAME DESCRIPTION SINCE-DEPLOY AGE app.kappctrl.k14s.io/tanzu-java-web-app Reconcile succeeded 1s 2s NAME URL LATESTCREATED LATESTREADY READY REASON service.serving.knative.dev/tanzu-java-web-app http://tanzu-java-web-app.developer.example.com tanzu-java-web-app-00001 tanzu-java-web-app-00001 Unknown IngressNotConfigured
Install OOTB Supply Chain with Testing and Scanning
To install OOTB Supply Chain with Testing and Scanning, you must install the Scan Controller and the Grype scanner.
NoteThis topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions. Leveraging both Grype and Tanzu Build Service in your Tanzu Application Platform supply chain enables enhanced scanning coverage for languages and frameworks. For the languages and frameworks supported, see the Extended Scanning Coverage using Anchore Grype column in the Language and Framework Support Table.
The source-code scanning capability in the OOTB Supply Chain with Testing and Scanning has been changed to opt-in and is skipped by default in Tanzu Application Platform v1.6 and later. For more information, see Scan Types.
To install OOTB Supply Chain with Testing and Scanning:
-
Supply Chain Security Tools (SCST) - Scan is installed as part of the Tanzu Application Platform profiles. Verify that Scan Controller is installed by running:
tanzu package installed get scanning -n tap-installIf the package is not already installed, follow the steps in Supply Chain Security Tools - Scan to install the required scanning components.
-
Apply a ScanPolicy in the required namespace. The sample ScanPolicy provided in this step is configured with
notAllowedSeverities := ["Critical","High","UnknownSeverity"]. This blocks a supply chain when the scanner finds CVEs with critical, high, and unknown ratings.You can also configure the supply chain to use your own custom policies and apply exceptions when you want to ignore certain CVEs. See Out of the Box Supply Chain with Testing and Scanning. To apply the sample ScanPolicy, you can either add the namespace flag to the kubectl command or add the namespace field to the template by running:
kubectl apply -f - -o yaml << EOF --- apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: ScanPolicy metadata: name: scan-policy labels: 'app.kubernetes.io/part-of': 'enable-in-gui' spec: regoFile: | package main # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity" notAllowedSeverities := ["Critical", "High", "UnknownSeverity"] ignoreCves := [] contains(array, elem) = true { array[_] = elem } else = false { true } isSafe(match) { severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity } some i fails := contains(notAllowedSeverities, severities[i]) not fails } isSafe(match) { ignore := contains(ignoreCves, match.id) ignore } deny[msg] { comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] } some i comp := comps[i] vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] } some j vuln := vulns[j] ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity } not isSafe(vuln) msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings]) } EOF -
(optional) The Tanzu Application Platform profiles install the Supply Chain Security Tools - Store package by default. To persist and query the vulnerability results post-scan, confirm it is installed by running:
tanzu package installed get metadata-store -n tap-installIf the package is not installed, follow the installation instructions at Install Supply Chain Security Tools - Store independent from Tanzu Application Platform profiles.
-
Update the profile to use the supply chain with testing and scanning by updating
tap-values.yaml(the file used to customize the profile intanzu package install tap --values-file=...) with the following changes:- supply_chain: testing + supply_chain: testing_scanning - ootb_supply_chain_testing: + ootb_supply_chain_testing_scanning: registry: server: "<SERVER-NAME>" repository: "<REPO-NAME>" -
Update the
tappackage:tanzu package installed update tap -p tap.tanzu.vmware.com -v VERSION-NUMBER --values-file tap-values.yaml -n tap-installWhere
VERSION-NUMBERis your Tanzu Application Platform version. For example,1.11.0. -
Because you set
supply_chain: testing_scanningin yourtap-values.yamlearlier, Grype Scanner for SCST - Scan is installed through Namespace Provisioner. Verify that Grype Scanner is present on your workload namespace:tanzu package installed get grype-scanner-YOUR-DEV-NAMESPACE -n tap-installTo install Grype Scanner to multiple namespaces, VMware recommends using Namespace Provisioner. ScanTemplates with Grype scanner are automatically installed into namespaces created by Namespace Provisioner.
Grype scanner must be present in the namespace that the workload is deployed to for scanning.
Workload update
To connect the new supply chain to the workload, update the workload to point to your Tekton pipeline:
-
Update the workload by running the following using the Tanzu CLI:
tanzu apps workload apply tanzu-java-web-app \ --git-repo https://github.com/vmware-tanzu/application-accelerator-samples \ --sub-path tanzu-java-web-app \ --git-branch main \ --type web \ --label apps.tanzu.vmware.com/has-tests=true \ --label app.kubernetes.io/part-of=tanzu-java-web-app \ --yes -
After accepting the workload creation, view the new resources that the workload created by running:
kubectl get workload,gitrepository,sourcescan,pipelinerun,images.kpack,imagescan,podintent,app,services.servingThe following is an example output, which shows the objects that Supply Chain Choreographer created:
NAME AGE workload.carto.run/tanzu-java-web-app 109s NAME URL READY STATUS AGE gitrepository.source.toolkit.fluxcd.io/tanzu-java-web-app https://github.com/vmware-tanzu/application-accelerator-samples True Fetched revision: main/872ff44c8866b7805fb2425130edb69a9853bfdf 109s NAME PHASE SCANNEDREVISION SCANNEDREPOSITORY AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL sourcescan.scanning.apps.tanzu.vmware.com/tanzu-java-web-app Completed 187850b39b754e425621340787932759a0838795 https://github.com/vmware-tanzu/application-accelerator-samples 90s NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME pipelinerun.tekton.dev/tanzu-java-web-app-4ftlb True Succeeded 104s 77s NAME LATESTIMAGE READY image.kpack.io/tanzu-java-web-app 10.188.0.3:5000/foo/tanzu-java-web-app@sha256:1d5bc4d3d1ffeb8629fbb721fcd1c4d28b896546e005f1efd98fbc4e79b7552c True NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL imagescan.scanning.apps.tanzu.vmware.com/tanzu-java-web-app Completed 10.188.0.3:5000/foo/tanzu-java-web-app@sha256:1d5bc4d3d1ffeb8629fbb721fcd1c4d28b896546e005f1efd98fbc4e79b7552c 14s NAME READY REASON AGE podintent.conventions.carto.run/tanzu-java-web-app True 7s NAME DESCRIPTION SINCE-DEPLOY AGE app.kappctrl.k14s.io/tanzu-java-web-app Reconcile succeeded 1s 2s NAME URL LATESTCREATED LATESTREADY READY REASON service.serving.knative.dev/tanzu-java-web-app http://tanzu-java-web-app.developer.example.com tanzu-java-web-app-00001 tanzu-java-web-app-00001 Unknown IngressNotConfiguredImportant
If the source or image scan has a “Failed” phase this means that the scan failed due to a scan policy violation and the supply chain stops. For information about the CVE triage workflow, see Out of the Box Supply Chain with Testing and Scanning.
Congratulations! You have successfully added testing and security scanning to your application on the Tanzu Application Platform.
Take the next steps to learn about recommended supply chain security best practices and gain a powerful services journey experience on the Tanzu Application Platform by enabling several advanced use cases.
(Optional) Scan for vulnerabilities after build time
When you add the capability to scan image containers to your supply chain, you can detect vulnerabilities at build time. However, as new vulnerabilities are discovered and reported daily, it is important to frequently scan the container images to detect newly reported vulnerabilities.
You can enable recurring scanning to schedule periodic scans of images built by workloads and containers running in Tanzu Application Platform clusters. When you enable recurring scanning, an option to View Latest Scan Results becomes available on the Supply Chain Choreographer plug-in. For how to enable recurring scanning, see Set up recurring scanning.
Next steps
