Sample public source scan of a blob for Supply Chain Security Tools - Scan

You can run a public source scan of a blob with SCST - Scan. This example scans source code packaged in a .tar.gz file. This is useful in a Supply Chain, where a GitRepository step clones a repository and outputs the source code as a compressed archive.

Note

This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.

Define the resources

Create public-blob-source-example.yaml:

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: public-blob-source-example
spec:
  blob:
    url: "https://gitlab.com/nina-data/ckan/-/archive/master/ckan-master.tar.gz"
  scanTemplate: blob-source-scan-template

(Optional) Set up a watch

Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progress:

watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

For more information, see Observing and Troubleshooting.

Deploy the resources

kubectl apply -f public-blob-source-example.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View the scan results

When the scan completes, perform:

kubectl describe sourcescan public-blob-source-example -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

Notice that Status.Conditions includes Reason: JobFinished and Message: The scan job finished.

For more information, see Viewing and Understanding Scan Status Conditions.
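In a pipeline you usually want to wait for the scan to settle and gate on the result rather than read kubectl describe output by hand. The following script is an added example, not code from the Tanzu Application Platform documentation or product: it reads the same Status.Conditions field the steps above point you to, classifies the SourceScan as finished, failed or still pending, and wraps that check in a polling loop over kubectl get sourcescan -o json. The shape of the sample object (condition fields type/status/reason/message, and the constructed failure reason ScanFailed) is an assumption modelled on the JobFinished condition described on this page.

```python
import json
import subprocess
import time
from typing import Any

# Constructed sample: the relevant fields of `kubectl get sourcescan -o json`
# for the resource in public-blob-source-example.yaml, after a successful run.
# The condition shape (type/status/reason/message) is an assumption modelled
# on the JobFinished condition this page tells you to look for.
SAMPLE_SCAN: dict[str, Any] = {
    "apiVersion": "scanning.apps.tanzu.vmware.com/v1beta1",
    "kind": "SourceScan",
    "metadata": {"name": "public-blob-source-example", "namespace": "dev-namespace"},
    "spec": {
        "blob": {"url": "https://gitlab.com/nina-data/ckan/-/archive/master/ckan-master.tar.gz"},
        "scanTemplate": "blob-source-scan-template",
    },
    "status": {
        "conditions": [
            {
                "type": "Succeeded",
                "status": "True",
                "reason": "JobFinished",
                "message": "The scan job finished",
            }
        ]
    },
}


def scan_state(scan: dict[str, Any]) -> str:
    """Classify a SourceScan object from Status.Conditions.

    Returns "finished" when a condition reports Reason: JobFinished with
    status True, "failed" when any condition has settled to status False
    with a reason, and "pending" while no condition has settled yet.
    """
    conditions = scan.get("status", {}).get("conditions") or []
    for cond in conditions:
        if cond.get("reason") == "JobFinished" and cond.get("status") == "True":
            return "finished"
        if cond.get("status") == "False" and cond.get("reason"):
            return "failed"
    return "pending"


def scan_message(scan: dict[str, Any]) -> str:
    """Return the message of the first settled condition, or "" if none."""
    for cond in scan.get("status", {}).get("conditions") or []:
        if cond.get("status") in ("True", "False"):
            return cond.get("message", "")
    return ""


def wait_for_scan(name: str, namespace: str,
                  timeout_s: int = 600, interval_s: int = 10) -> str:
    """Poll `kubectl get sourcescan NAME -n NAMESPACE -o json` until the scan
    leaves the pending state. Returns the final state; raises TimeoutError
    if the scan has not settled before the timeout. Requires kubectl and a
    kubeconfig for the cluster (not exercised offline)."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        out = subprocess.run(
            ["kubectl", "get", "sourcescan", name, "-n", namespace, "-o", "json"],
            check=True, capture_output=True, text=True,
        ).stdout
        state = scan_state(json.loads(out))
        if state != "pending":
            return state
        time.sleep(interval_s)
    raise TimeoutError(f"sourcescan {name} in {namespace} did not finish within {timeout_s}s")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; in a pipeline you would
    # call wait_for_scan("public-blob-source-example", "DEV-NAMESPACE") instead
    # and exit non-zero on anything but "finished".
    print(scan_state(SAMPLE_SCAN), "-", scan_message(SAMPLE_SCAN))
```

A pipeline step would exit non-zero whenever wait_for_scan returns anything but "finished", so a scan that never ran, or whose job settled with a failure condition, blocks the build instead of being silently skipped.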

Clean up

kubectl delete -f public-blob-source-example.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View vulnerability reports

After completing the scans, view the vulnerability results in the Tanzu Developer Portal.
