You can use Supply Chain Security Tools (SCST) - Scan to run a public source scan of a blob. This example scans source code packaged in a .tar.gz file. This is useful in a supply chain where a GitRepository step clones a repository and exports the source code as a compressed archive.
Note: This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.
Create public-blob-source-example.yaml with this content:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: public-blob-source-example
spec:
  blob:
    url: "https://gitlab.com/nina-data/ckan/-/archive/master/ckan-master.tar.gz"
  scanTemplate: blob-source-scan-template
Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression by running:
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
For more information, see Observing and Troubleshooting.
Deploy the resources by running:
kubectl apply -f public-blob-source-example.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
After the scan finishes, view the results:
kubectl describe sourcescan public-blob-source-example -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
Status.Conditions includes Reason: JobFinished and Message: The scan job finished. For more information, see Viewing and Understanding Scan Status Conditions.
Clean up by running:
kubectl delete -f public-blob-source-example.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
After completing the scans, view the vulnerability results by using the Security Analysis plug-in.
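The procedure above, collected into one script, as an added example that is not part of the original page or of the Tanzu Application Platform product. It renders the SourceScan manifest, applies it, polls the resource until a condition with Reason: JobFinished appears, prints the describe output, and deletes the resource. The DEV_NAMESPACE default of dev, the 10-second polling interval and 10-minute timeout, the RUN_SCAN guard, and the jsonpath expression used to read the condition reasons are assumptions made here, not values from the page.

```shell
#!/bin/sh
# Added example: run a public blob SourceScan (SCST - Scan 1.0) end to end.
# Assumed: a cluster with SCST - Scan installed in $DEV_NAMESPACE and kubectl
# configured for it. Nothing below talks to a cluster unless RUN_SCAN=1.
set -eu

DEV_NAMESPACE="${DEV_NAMESPACE:-dev}"   # assumed default; override per environment
SCAN_NAME="public-blob-source-example"
BLOB_URL="https://gitlab.com/nina-data/ckan/-/archive/master/ckan-master.tar.gz"
MANIFEST="${SCAN_NAME}.yaml"
POLL_SECONDS=10                          # assumed polling interval
MAX_POLLS=60                             # assumed timeout: 60 x 10 s = 10 min

# Render the SourceScan manifest from the page to stdout.
render_manifest() {
  cat <<EOF
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: ${SCAN_NAME}
spec:
  blob:
    url: "${BLOB_URL}"
  scanTemplate: blob-source-scan-template
EOF
}

# Succeed when the given newline-separated list of condition reasons
# contains exactly "JobFinished". Takes the list as an argument so the
# check can be exercised without a cluster.
has_job_finished() {
  printf '%s\n' "$1" | grep -qx 'JobFinished'
}

# Read the reasons of all status.conditions of the SourceScan, one per line.
scan_condition_reasons() {
  kubectl get sourcescan "$SCAN_NAME" -n "$DEV_NAMESPACE" \
    -o jsonpath='{range .status.conditions[*]}{.reason}{"\n"}{end}' 2>/dev/null || true
}

# Poll until the scan job reports JobFinished or the timeout expires.
wait_for_scan() {
  i=0
  while [ "$i" -lt "$MAX_POLLS" ]; do
    if has_job_finished "$(scan_condition_reasons)"; then
      return 0
    fi
    i=$((i + 1))
    sleep "$POLL_SECONDS"
  done
  return 1
}

run_scan() {
  render_manifest > "$MANIFEST"
  kubectl apply -f "$MANIFEST" -n "$DEV_NAMESPACE"
  if ! wait_for_scan; then
    echo "scan ${SCAN_NAME} did not reach JobFinished within the timeout" >&2
    kubectl describe sourcescan "$SCAN_NAME" -n "$DEV_NAMESPACE" >&2 || true
    exit 1
  fi
  kubectl describe sourcescan "$SCAN_NAME" -n "$DEV_NAMESPACE"
  kubectl delete -f "$MANIFEST" -n "$DEV_NAMESPACE"
}

# Only touch the cluster when explicitly asked: RUN_SCAN=1 ./scan-blob.sh
if [ "${RUN_SCAN:-0}" = "1" ]; then
  run_scan
fi
```

Run it with RUN_SCAN=1 DEV_NAMESPACE=your-namespace. The scanner downloads whatever the blob URL serves at scan time, so for anything beyond this demonstration point url at an archive pinned to a tag or commit rather than a branch such as master, so that the scanned source matches what you later build. On a timeout the script leaves the SourceScan in place so the conditions and pods can be inspected with the watch command above.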