This example describes how you can perform a scan against an image located in a private registry for SCST - Scan.
Note: This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.
Confirm that the target image secret is configured. This is completed during Tanzu Application Platform installation. If the target image secret already exists, skip ahead to Create the private image scan.
If the target image secret was not configured, create a secret in the developer namespace containing the credentials used to pull the target image you want to scan. The scan pod reads this secret, so it must be in the same namespace as the ImageScan. For information about secret creation, see the Kubernetes documentation. Passing the password on the command line leaves it in your shell history; to avoid that, you can instead build the secret from an existing Docker config file with --from-file=.dockerconfigjson=PATH.
kubectl create secret docker-registry TARGET-REGISTRY-CREDENTIALS-SECRET \
--docker-server=YOUR-REGISTRY-SERVER \
--docker-username=YOUR-NAME \
--docker-password=YOUR-PASSWORD \
--docker-email=YOUR-EMAIL \
-n DEV-NAMESPACE
Where:

TARGET-REGISTRY-CREDENTIALS-SECRET is the name of the secret that is created.
DEV-NAMESPACE is the developer namespace where the scanner is installed.
YOUR-REGISTRY-SERVER is the registry server that hosts the image, for example the host and port you would pass to docker login.
YOUR-NAME is the user name used to authenticate to that registry.
YOUR-PASSWORD is the password or token for that user.
YOUR-EMAIL is the email associated with the registry account.

Update the tap-values.yaml file to include the name of the secret created earlier:

grype:
  targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"
Upgrade Tanzu Application Platform with the modified tap-values.yaml file:

tanzu package installed update tap -p tap.tanzu.vmware.com -v ${TAP-VERSION} --values-file tap-values.yaml -n tap-install

Where TAP-VERSION is the Tanzu Application Platform version.
Create sample-private-image-scan.yaml:

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
  name: sample-private-image-scan
spec:
  registry:
    image: IMAGE-URL
  scanTemplate: private-image-scan-template

Where IMAGE-URL is the URL of an image in a private registry.
Before deploying the resources to a user specified namespace, set up a watch in another terminal to view the progression:
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
For more information, see Observing and Troubleshooting.
kubectl apply -f sample-private-image-scan.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
When the scan completes, run:
kubectl describe imagescan sample-private-image-scan -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
Note: When the scan has completed, Status.Conditions includes a Reason: JobFinished and Message: The scan job finished. See Viewing and Understanding Scan Status Conditions.
kubectl delete -f sample-private-image-scan.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
After completing the scans, view the vulnerability results in the Tanzu Developer Portal.
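The following shell helpers are an added example; they are not part of the Tanzu Application Platform documentation or product. They cover the two things that most often go wrong in the procedure above: the pull secret's .dockerconfigjson not actually containing an entry for the registry that hosts IMAGE-URL (a secret created for registry.example.com covers neither harbor.example.com nor Docker Hub, and the scan pod then fails to pull), and reading the ImageScan's Succeeded condition in a form a pipeline can gate on instead of eyeballing kubectl describe. The sample .dockerconfigjson, the registry hosts and the PRECHECK_* environment variables are constructed for this example; registry_host, secret_covers_registry and scan_outcome run offline, while the two kubectl wrappers need a cluster with SCST - Scan 1.0 installed.

```shell
#!/bin/sh
# Added example (not part of the TAP documentation): pre-flight and outcome
# checks for an ImageScan of a private image. The pure-shell functions run
# offline; the two kubectl wrappers need a cluster with SCST - Scan 1.0.

# Registry host of an image reference, using Docker's normalisation rule:
# the first path component is a registry only if it contains '.' or ':' or
# is "localhost"; a reference without one lives on Docker Hub (docker.io).
registry_host() {
  case "$1" in
    */*)
      first=${1%%/*}
      case "$first" in
        *.*|*:*|localhost) printf '%s\n' "$first" ;;
        *) printf 'docker.io\n' ;;
      esac ;;
    *) printf 'docker.io\n' ;;
  esac
}

# Read a decoded .dockerconfigjson on stdin and succeed only if its "auths"
# map has a key for HOST, either bare or with an https:// prefix and path
# (Docker Hub's key is usually written "https://index.docker.io/v1/").
secret_covers_registry() {
  case "$1" in
    docker.io|index.docker.io) pat='(index\.)?docker\.io' ;;
    *) pat=$(printf '%s' "$1" | sed 's/[.]/\\./g') ;;
  esac
  grep -Eq "\"(https?://)?${pat}(/[^\"]*)?\""
}

# Read ImageScan conditions as TYPE=STATUS:REASON lines (the format that
# imagescan_conditions prints), print finished|failed|running, and return
# 0 only for Succeeded=True with reason JobFinished, for use in CI gates.
scan_outcome() {
  outcome=running
  while IFS= read -r line; do
    case "$line" in
      Succeeded=True:JobFinished) outcome=finished ;;
      Succeeded=False:*) outcome=failed ;;
    esac
  done
  printf '%s\n' "$outcome"
  [ "$outcome" = finished ]
}

# Live helpers: decoded pull secret and ImageScan conditions from the cluster.
pull_secret_json() {   # SECRET NAMESPACE
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d
}
imagescan_conditions() {   # IMAGESCAN NAMESPACE
  kubectl get imagescan "$1" -n "$2" \
    -o jsonpath='{range .status.conditions[*]}{.type}={.status}:{.reason}{"\n"}{end}'
}

# Constructed sample: what kubectl create secret docker-registry produces,
# once decoded, for --docker-server=registry.example.com:5000 (dev:s3cret).
SAMPLE_DOCKERCONFIG='{"auths":{"registry.example.com:5000":{"username":"dev","password":"s3cret","auth":"ZGV2OnMzY3JldA=="}}}'

# End-to-end run against a cluster only when PRECHECK_IMAGE is set, e.g.
#   PRECHECK_IMAGE=registry.example.com:5000/team/app:1.0 \
#   PRECHECK_SECRET=TARGET-REGISTRY-CREDENTIALS-SECRET PRECHECK_NS=DEV-NAMESPACE sh precheck.sh
if [ -n "${PRECHECK_IMAGE:-}" ]; then
  host=$(registry_host "$PRECHECK_IMAGE")
  if pull_secret_json "$PRECHECK_SECRET" "$PRECHECK_NS" | secret_covers_registry "$host"; then
    echo "secret $PRECHECK_SECRET has credentials for $host"
  else
    echo "secret $PRECHECK_SECRET has no entry for $host; the scan pod cannot pull the image" >&2
    exit 1
  fi
  imagescan_conditions sample-private-image-scan "$PRECHECK_NS" | scan_outcome
fi
```

Run the script with the three PRECHECK_* variables set after the kubectl apply step; a non-zero exit means either the credentials do not match the image's registry or the scan has not reached Succeeded=True with reason JobFinished, which is the same condition the Note above tells you to look for in kubectl describe.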