This topic describes the specifications and custom resources you can use with Supply Chain Security Tools (SCST) - Scan.
Note: This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application. VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.

With the Scan Controller and Grype Scanner installed, the following Custom Resource Definitions (CRDs) are available:
$ kubectl get crds | grep scanning.apps.tanzu.vmware.com
imagescans.scanning.apps.tanzu.vmware.com 2021-09-09T15:22:07Z
scanpolicies.scanning.apps.tanzu.vmware.com 2021-09-09T15:22:07Z
scantemplates.scanning.apps.tanzu.vmware.com 2021-09-09T15:22:07Z
sourcescans.scanning.apps.tanzu.vmware.com 2021-09-09T15:22:07Z
For more information about installing SCST - Scan, see Installing Individual Packages.
SourceScan (sourcescans.scanning.apps.tanzu.vmware.com) and ImageScan (imagescans.scanning.apps.tanzu.vmware.com) define what is scanned. ScanTemplate (scantemplates.scanning.apps.tanzu.vmware.com) defines how to run a scan. VMware provides five custom resources (CRs) preinstalled for use. You can either use them as they are or as samples for creating your own CRs.
To view the pre-installed ScanTemplate CRs, run:
kubectl get scantemplates
You see the following scan templates:
CR Name | Use Case
---|---
public-source-scan-template | Clones and scans source code from a public repository.
private-source-scan-template | Connects with SSH credentials to clone and scan source code from a private repository.
public-image-scan-template | Pulls and scans images from a public registry.
private-image-scan-template | Connects with the registry credentials to pull and scan images from a private registry.
blob-source-scan-template | For use in a supply chain. Fetches an available .tar.gz file with wget, uncompresses it, and scans the source code inside it.
By default, three scan templates are deployed:
public-source-scan-template
public-image-scan-template
blob-source-scan-template
If targetImagePullSecret is set in tap-values.yaml, private-image-scan-template is also deployed. If targetSourceSshSecret is set in tap-values.yaml, private-source-scan-template is also deployed.
The private scan templates reference secrets created using the Docker server and credentials you provided, which means they are ready to use immediately.
For more information about the SourceScan and ImageScan CRDs and how to customize your own, see Configuring Code Repositories and Image Artifacts to be Scanned.
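The following manifests are an added example, not taken from this page or from the SCST - Scan project itself. They show a SourceScan that uses public-source-scan-template and an ImageScan that uses private-image-scan-template (which only exists when targetImagePullSecret is set). The field names are those of the SCST - Scan 1.0 v1beta1 API (spec.git, spec.registry.image, spec.scanTemplate, spec.scanPolicy); the resource names, repository URL, image reference and the referenced ScanPolicy called scan-policy are placeholders.

```yaml
# Added example; names, URLs and the image reference are placeholders.
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: example-public-source-scan        # placeholder name
spec:
  git:
    url: https://github.com/example-org/example-app.git   # placeholder public repo
    revision: main                        # branch, tag or commit to clone
  # Preinstalled template: clones over HTTPS without credentials.
  scanTemplate: public-source-scan-template
  # Optional: name of a ScanPolicy CR in the same namespace. Without it the
  # scan only reports findings; with it the scan fails when the policy denies.
  scanPolicy: scan-policy
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
  name: example-private-image-scan        # placeholder name
spec:
  registry:
    # Pin by digest so the scanned image is exactly the one that is deployed;
    # a floating tag can be re-pushed between the scan and the rollout.
    image: registry.example.com/team/app:1.2.3@sha256:<DIGEST-PLACEHOLDER>
  # Preinstalled only when targetImagePullSecret is set in tap-values.yaml;
  # it references the registry secret created from those credentials.
  scanTemplate: private-image-scan-template
  scanPolicy: scan-policy
```

Apply both with kubectl apply into the namespace where the scan templates and the registry secret live; the private template does not work from a namespace that lacks the secret it references.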
The Scan Controller supports policy enforcement by using an Open Policy Agent (OPA) engine. ScanPolicy (scanpolicies.scanning.apps.tanzu.vmware.com) allows scan results to be validated for company policy compliance and can prevent source code from being built or images from being deployed.
For more information, see Enforce compliance policy by using Open Policy Agent.
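The following ScanPolicy is an added example, not from this page or the SCST - Scan project: it fails a scan when any finding is rated Critical or High unless the finding's ID is on an explicit allow list. The CR shape (spec.regoFile holding a Rego policy whose deny rule fails the scan) follows SCST - Scan 1.0; the report paths the Rego reads (input.bom.components.component and its vulnerabilities and ratings children) are an assumption about the CycloneDX report the Grype scanner produces, so confirm them against a report from your own template. The policy name and the CVE ID are placeholders.

```yaml
# Added example; policy name and CVE ID are placeholders, and the input
# document paths assume the scanner's converted CycloneDX report.
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
  name: scan-policy                      # referenced from a scan's spec.scanPolicy
spec:
  regoFile: |
    package main

    # Ratings that fail the policy. Scanner values include "Critical",
    # "High", "Medium", "Low", "Negligible" and "UnknownSeverity".
    notAllowedSeverities := ["Critical", "High"]

    # Findings accepted as a known, reviewed risk. Placeholder ID only;
    # keep this list short and tie each entry to a ticket.
    ignoreCves := ["CVE-0000-00000"]

    # The report is converted from CycloneDX XML: a node with one child
    # arrives as an object, with several children as an array.
    # as_set normalises both shapes so the deny rule iterates uniformly.
    as_set(x) := {x} { is_object(x) }
    as_set(x) := {e | e := x[_]} { is_array(x) }

    blocked(severity) { notAllowedSeverities[_] == severity }
    ignored(id) { ignoreCves[_] == id }

    # Any message in deny marks the scan as failed, which stops the build
    # (SourceScan) or the deployment (ImageScan) in the supply chain.
    deny[msg] {
      comp := as_set(input.bom.components.component)[_]
      vuln := as_set(comp.vulnerabilities.vulnerability)[_]
      rating := as_set(vuln.ratings.rating)[_]
      blocked(rating.severity)
      not ignored(vuln.id)
      msg := sprintf("%s in component %s is rated %s", [vuln.id, comp.name, rating.severity])
    }
```

Reference the policy from a SourceScan or ImageScan through spec.scanPolicy. Because every violation contributes its own message, the deny output is the first place to look when a build or deployment is blocked: it names the component, the finding and the rating that tripped the policy, without requiring a reader to open the full report.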