This topic describes the prerequisites you must complete to install Supply Chain Security Tools (SCST) - Scan (Snyk Scanner) from the Tanzu Application Platform package repository.
ImportantSnyk’s image scanning capability is in beta. Snyk might only return a partial list of CVEs when scanning Buildpack images.
NoteThis topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions. To prepare the Snyk Scanner configuration, follow these steps.
Obtain a Snyk API Token from the Snyk documentation.
Create a Snyk secret YAML file and insert the base64-encoded Snyk API token into the snyk_token
:
apiVersion: v1
kind: Secret
metadata:
name: snyk-token-secret
namespace: my-apps
data:
snyk_token: BASE64-SNYK-API-TOKEN
Where BASE64-SNYK-API-TOKEN
is the Snyk API Token obtained earlier.
Apply the Snyk secret YAML file by running:
kubectl apply -f YAML-FILE
Where YAML-FILE
is the name of the Snyk secret YAML file you created.
Define the --values-file
flag to customize the default configuration. You must define the following fields in the values.yaml
file for the Snyk Scanner configuration. You can add fields as needed to activate or deactivate behaviors. You can append the values in this file as shown later in this topic. Create a values.yaml
file by using the following configuration:
---
namespace: DEV-NAMESPACE
targetImagePullSecret: TARGET-REGISTRY-CREDENTIALS-SECRET
snyk:
tokenSecret:
name: SNYK-TOKEN-SECRET
Where:
DEV-NAMESPACE
is your developer namespace. To use a namespace other than the default namespace, ensure that the namespace exists before you install. If the namespace does not exist, the scanner installation fails.
TARGET-REGISTRY-CREDENTIALS-SECRET
is the name of the secret that contains the credentials to pull an image from a private registry for scanning.
SNYK-TOKEN-SECRET
is the name of the secret you created that contains the snyk_token
to connect to the Snyk API. This field is required.
The Snyk Scanner integration can work with or without the SCST - Store integration. The values.yaml
file is slightly different for each configuration.
The SCST - Store integration is enabled by default. You can use the integration or deactivate it.
values.yaml
file.
The Grype and Snyk Scanner integrations both enable the Metadata Store. To prevent conflicts, the configuration values are slightly different based on whether the Grype Scanner integration is installed or not. If Tanzu Application Platform is installed by using the Full Profile, the Grype Scanner integration is installed unless it is explicitly excluded.
If the Grype Scanner integration is installed in the dev-namespace
that Snyk Scanner is installed in, apply this YAML:
#! ...
metadataStore:
#! The URL where the Store deployment is accessible.
#! Default value is: "https://metadata-store-app.metadata-store.svc.cluster.local:8443"
url: "STORE-URL"
caSecret:
#! The name of the secret that contains the ca.crt to connect to the Store Deployment.
#! Default value is: "app-tls-cert"
name: "CA-SECRET-NAME"
importFromNamespace: "" #! Because both Snyk and Grype both enable store, one must leave importFromNamespace blank
#! authSecret is for multicluster configurations.
authSecret:
#! The name of the secret that contains the auth token to authenticate to the Store Deployment.
name: "AUTH-SECRET-NAME"
importFromNamespace: "" #! Because both Snyk and Grype both enable store, one must leave importFromNamespace blank
If the Grype Scanner integration is not installed in the dev-namespace
that Snyk Scanner is installed in, apply this YAML:
#! ...
metadataStore:
#! The URL where the Store deployment is accessible.
#! Default value is: "https://metadata-store-app.metadata-store.svc.cluster.local:8443"
url: "STORE-URL"
caSecret:
#! The name of the secret that contains the ca.crt to connect to the Store Deployment.
#! Default value is: "app-tls-cert"
name: "CA-SECRET-NAME"
#! The namespace where the secrets for the Store Deployment live.
#! Default value is: "metadata-store"
importFromNamespace: "STORE-SECRETS-NAMESPACE"
#! authSecret is for multicluster configurations.
authSecret:
#! The name of the secret that contains the auth token to authenticate to the Store Deployment.
name: "AUTH-SECRET-NAME"
#! The namespace where the secrets for the Store Deployment live.
importFromNamespace: "STORE-SECRETS-NAMESPACE"
values.yaml
file:
# ...
metadataStore:
url: "" # Configuration is moved, so set this string to empty.
To make and apply ScanPolicy
for Snyk in SPDX JSON format:
Create ScanPolicy
YAML with a Rego file for scanner output in the SPDX JSON format. Here is a sample scan policy resource:
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
name: snyk-scan-policy
labels:
'app.kubernetes.io/part-of': 'enable-in-gui'
spec:
regoFile: |
package main
# Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
notAllowedSeverities := ["Critical", "High", "UnknownSeverity"]
ignoreCves := []
contains(array, elem) = true {
array[_] = elem
} else = false { true }
isSafe(match) {
fails := contains(notAllowedSeverities, match.relationships[_].ratedBy.rating[_].severity)
not fails
}
isSafe(match) {
ignore := contains(ignoreCves, match.id)
ignore
}
deny[msg] {
vuln := input.vulnerabilities[_]
ratings := vuln.relationships[_].ratedBy.rating[_].severity
comp := vuln.relationships[_].affect.to[_]
not isSafe(vuln)
msg = sprintf("CVE %s %s %s", [comp, vuln.id, ratings])
}
Apply the YAML file by running:
kubectl apply -n $DEV_NAMESPACE -f SCAN-POLICY-YAML
NoteThe Snyk Scanner integration is only available for an image scan, not a source scan.
After all prerequisites are fulfilled, follow the steps in Install another scanner for SCST - Scan to install the Snyk Scanner.