You can run a public source scan of a blob with SCST - Scan. This example performs a scan against source code packaged in a .tar.gz file. This is useful in a Supply Chain where a GitRepository step clones a repository and outputs the source code as a compressed archive.

Note: This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.
Create public-blob-source-example.yaml:

    ---
    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: SourceScan
    metadata:
      name: public-blob-source-example
    spec:
      blob:
        url: "https://gitlab.com/nina-data/ckan/-/archive/master/ckan-master.tar.gz"
      scanTemplate: blob-source-scan-template
Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression:

    watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

For more information, see Observing and Troubleshooting.

Deploy the resources:

    kubectl apply -f public-blob-source-example.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
When the scan completes, run:

    kubectl describe sourcescan public-blob-source-example -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

Notice that Status.Conditions includes a Reason: JobFinished and Message: The scan job finished.

For more information, see Viewing and Understanding Scan Status Conditions.
Clean up the resources:

    kubectl delete -f public-blob-source-example.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

After completing the scans, view the vulnerability results in the Tanzu Developer Portal.
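The manual watch-and-describe loop above can be automated in a pipeline step. The following is an added example, not code from the Tanzu documentation or the SCST - Scan project: it polls the SourceScan with kubectl and treats the scan as complete when a condition carries the Reason: JobFinished described above. The condition layout is taken from the page; the sample objects, the wait_for_scan helper and its default timeout are constructed for this example.

```python
"""Poll a SourceScan until Status.Conditions reports Reason: JobFinished."""
import json
import subprocess
import time


def scan_state(obj):
    """Return (finished, reason, message) from a SourceScan object.

    finished is True when any condition in status.conditions has the
    reason JobFinished; otherwise the most recent condition is reported
    so a caller can log why the scan is still pending or has errored.
    """
    conditions = obj.get("status", {}).get("conditions") or []
    for cond in conditions:
        if cond.get("reason") == "JobFinished":
            return True, "JobFinished", cond.get("message", "")
    if conditions:
        last = conditions[-1]
        return False, last.get("reason", ""), last.get("message", "")
    return False, "", ""


def wait_for_scan(name, namespace, timeout=600, interval=10):
    """Block until the named SourceScan finishes or the timeout expires.

    Uses `kubectl get sourcescan <name> -o json`, the same resource the
    describe step above inspects, so it needs cluster access to run.
    """
    deadline = time.time() + timeout
    while time.time() < deadline:
        out = subprocess.run(
            ["kubectl", "get", "sourcescan", name, "-n", namespace, "-o", "json"],
            capture_output=True, text=True, check=True,
        ).stdout
        finished, reason, message = scan_state(json.loads(out))
        if finished:
            return reason, message
        time.sleep(interval)
    raise TimeoutError(f"SourceScan {namespace}/{name} did not finish in {timeout}s")


# Constructed sample objects (not real cluster output) modelled on the
# Reason/Message values the page tells you to look for.
SAMPLE_DONE = {"kind": "SourceScan", "status": {"conditions": [
    {"reason": "JobFinished", "message": "The scan job finished"}]}}
SAMPLE_RUNNING = {"kind": "SourceScan", "status": {"conditions": [
    {"reason": "JobStarted", "message": "The scan job is running"}]}}
SAMPLE_NEW = {"kind": "SourceScan", "status": {}}
```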