Sample private image scan for Supply Chain Security Tools - Scan

This example describes how you can perform a scan against an image in a private registry for Supply Chain Security Tools (SCST) - Scan.

Note

This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.

Define the resources

Defining resources consists of setting up a target image pull secret and then creating a private image scan.

Set up target image pull secret

To set up the target image pull secret:

  1. See if the target image secret already exists. Typically, the target image secret is created when Tanzu Application Platform is installed. If the target image secret exists, skip to Create the private image scan later in this topic. Otherwise, proceed to the next step.

  2. Create a secret containing the credentials used to pull the target image that you want to scan by running:

    kubectl create secret docker-registry TARGET-REGISTRY-CREDENTIALS-SECRET \
     --docker-server=YOUR-REGISTRY-SERVER \
     --docker-username=YOUR-NAME \
     --docker-password=YOUR-PASSWORD \
     --docker-email=YOUR-EMAIL-ADDRESS \
     -n DEV-NAMESPACE
    

    Where:

    • TARGET-REGISTRY-CREDENTIALS-SECRET is the name of the secret that is created.
    • DEV-NAMESPACE is the developer namespace where the scanner is installed.
    • YOUR-REGISTRY-SERVER is the registry server that hosts the image you want to scan.
    • YOUR-NAME is the registry user name stored in the secret.
    • YOUR-PASSWORD is the registry password stored in the secret.
    • YOUR-EMAIL-ADDRESS is the email address associated with the secret.

    For more information about creating a secret, see the Kubernetes documentation.

  3. Edit tap-values.yaml to include the name of the secret. For example:

    grype:
      targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"
    
  4. Upgrade Tanzu Application Platform with the modified tap-values.yaml file by running:

    tanzu package installed update tap -p tap.tanzu.vmware.com -v TAP-VERSION \
    --values-file tap-values.yaml -n tap-install
    

    Where TAP-VERSION is the Tanzu Application Platform version.

Create the private image scan

Create sample-private-image-scan.yaml with the following content:

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
  name: sample-private-image-scan
spec:
  registry:
    image: IMAGE-URL
  scanTemplate: private-image-scan-template

Where IMAGE-URL is the URL of an image in a private registry.
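The most common reason a private image scan never produces results is that the pull secret referenced by targetImagePullSecret holds credentials for a different registry than the one in IMAGE-URL. The following added example (not part of the product documentation or its code) checks that before anything is applied: it reads the secret as printed by `kubectl get secret NAME -n NAMESPACE -o json`, works out which registry the image reference resolves to using the standard Docker reference rules, confirms the secret carries an entry for that host, and then renders the ImageScan manifest from this topic. The registry, image and credential values in the sample are constructed; the helper and secret names are assumptions.

```python
"""Pre-flight check before applying sample-private-image-scan.yaml.

Added example, not part of the product docs: confirms that the target image
pull secret carries credentials for the registry that hosts IMAGE-URL, then
renders the ImageScan manifest. The secret object has the shape printed by
`kubectl get secret NAME -n NAMESPACE -o json`; the sample secret, registry
and image names below are constructed for illustration.
"""
import base64
import json
import sys


def registry_host(image_ref: str) -> str:
    """Return the registry host an image reference will be pulled from.

    Docker reference rules: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise Docker Hub is implied.
    """
    name = image_ref.split("@", 1)[0]          # drop a trailing digest
    first, sep, _ = name.partition("/")
    if not sep or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first


def registries_in_secret(secret: dict) -> set:
    """Decode a kubernetes.io/dockerconfigjson secret and return the hosts it
    holds credentials for (normalising the Docker Hub URL form)."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("expected a docker-registry secret, got type %r"
                         % secret.get("type"))
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    hosts = set()
    for key in config.get("auths", {}):
        host = key.split("://", 1)[-1].split("/", 1)[0]   # strip scheme and path
        hosts.add("docker.io" if host == "index.docker.io" else host)
    return hosts


def secret_covers_image(secret: dict, image_ref: str) -> bool:
    """True when the secret can authenticate to the registry hosting image_ref."""
    return registry_host(image_ref) in registries_in_secret(secret)


def image_scan_manifest(name: str, image_ref: str,
                        template: str = "private-image-scan-template") -> str:
    """Render the ImageScan resource from this topic with IMAGE-URL filled in."""
    return (
        "---\n"
        "apiVersion: scanning.apps.tanzu.vmware.com/v1beta1\n"
        "kind: ImageScan\n"
        "metadata:\n"
        f"  name: {name}\n"
        "spec:\n"
        "  registry:\n"
        f"    image: {image_ref}\n"
        f"  scanTemplate: {template}\n"
    )


def _b64(obj) -> str:
    data = obj if isinstance(obj, bytes) else json.dumps(obj).encode()
    return base64.b64encode(data).decode()


# Constructed sample: the shape `kubectl create secret docker-registry` produces.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "target-registry-credentials", "namespace": "dev"},
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": _b64({"auths": {
        "registry.example.com": {"auth": _b64(b"scanner:not-a-real-password")}
    }})},
}
SAMPLE_IMAGE = "registry.example.com/team/app@sha256:" + "0" * 64


if __name__ == "__main__":
    # Usage: kubectl get secret NAME -n NS -o json | python3 preflight.py IMAGE-URL
    image = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_IMAGE
    secret = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SECRET
    if not secret_covers_image(secret, image):
        sys.exit("secret %s has no credentials for %s; the scanner cannot pull the image"
                 % (secret["metadata"]["name"], registry_host(image)))
    print(image_scan_manifest("sample-private-image-scan", image), end="")
```

Passing a digest-pinned reference (as the sample does) rather than a tag ties the scan result to one exact set of image bytes, so the report cannot silently drift when the tag is re-pushed.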

(Optional) Set up a watch

Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression by running:

watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

For more information, see Observing and Troubleshooting.

Deploy the resources

Deploy the resources by running:

kubectl apply -f sample-private-image-scan.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View the scan results

To view the scan results:

  1. When the scan finishes, run:

    kubectl describe imagescan sample-private-image-scan -n DEV-NAMESPACE
    

    Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

  2. Verify that Status.Conditions includes Reason: JobFinished and Message: The scan job finished. For more information, see Viewing and Understanding Scan Status Conditions.
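In a pipeline the manual `kubectl describe` check above is usually replaced by a poll that waits for the documented condition. The following added example (not part of the product documentation or its code) does that: the pure functions take the object printed by `kubectl get imagescan NAME -n NAMESPACE -o json` and report whether a condition with Reason JobFinished and Message "The scan job finished" is present; `wait_for_scan` polls kubectl until it is or a timeout expires. The sample status objects are constructed, and only the JobFinished reason and message pair is taken from this topic.

```python
"""Gate a pipeline on an ImageScan reaching the JobFinished condition.

Added example, not part of the product docs. The pure functions take the
object printed by `kubectl get imagescan NAME -n NAMESPACE -o json`; only the
`Reason: JobFinished` / `Message: The scan job finished` pair documented in
this topic is relied on, and the sample status objects are constructed.
"""
import json
import subprocess
import sys
import time

FINISHED_REASON = "JobFinished"
FINISHED_MESSAGE = "The scan job finished"


def conditions(imagescan: dict) -> list:
    """Return the status conditions as (type, status, reason, message) tuples."""
    return [(c.get("type"), c.get("status"), c.get("reason"), c.get("message"))
            for c in imagescan.get("status", {}).get("conditions", [])]


def scan_finished(imagescan: dict) -> bool:
    """True once a condition carries the documented finished reason and message."""
    return any(reason == FINISHED_REASON and message == FINISHED_MESSAGE
               for _, _, reason, message in conditions(imagescan))


def condition_summary(imagescan: dict) -> str:
    """One line per condition, readable in a CI log."""
    return "\n".join("%s=%s (%s: %s)" % tup for tup in conditions(imagescan))


def wait_for_scan(name: str, namespace: str,
                  timeout: float = 600, interval: float = 10) -> dict:
    """Poll kubectl until the scan finishes; raise TimeoutError otherwise."""
    deadline = time.monotonic() + timeout
    while True:
        out = subprocess.run(
            ["kubectl", "get", "imagescan", name, "-n", namespace, "-o", "json"],
            check=True, capture_output=True, text=True).stdout
        obj = json.loads(out)
        if scan_finished(obj):
            return obj
        if time.monotonic() >= deadline:
            raise TimeoutError("scan %s/%s did not finish within %ss:\n%s"
                               % (namespace, name, timeout, condition_summary(obj)))
        time.sleep(interval)


# Constructed samples: a scan still running and a scan that has finished.
SAMPLE_RUNNING = {"status": {"conditions": [
    {"type": "Scanning", "status": "True",
     "reason": "JobStarted", "message": "The scan job is running"},
]}}
SAMPLE_DONE = {"status": {"conditions": [
    {"type": "Scanning", "status": "False",
     "reason": FINISHED_REASON, "message": FINISHED_MESSAGE},
]}}


if __name__ == "__main__":
    # Usage: python3 scan_gate.py sample-private-image-scan DEV-NAMESPACE
    scan_name, scan_namespace = sys.argv[1:3]
    print(condition_summary(wait_for_scan(scan_name, scan_namespace)))
```

The non-zero exit on timeout is what makes this a gate: a scan that never reaches JobFinished (for example because the pull secret does not match the registry) fails the pipeline step instead of being mistaken for a clean result.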

Clean up

Clean up by running:

kubectl delete -f sample-private-image-scan.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View vulnerability reports

After finishing the scans, view the vulnerability results by using the Security Analysis plug-in.
