Sample private source scan for Supply Chain Security Tools - Scan

This example shows how you can perform a private source scan for SCST - Scan.

Note

This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.

Define the resources

  1. Create a Kubernetes secret with an SSH key for cloning a Git repository. See the Kubernetes documentation.

    cat <<EOF | kubectl create -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: SECRET-SSH-AUTH
      namespace: DEV-NAMESPACE
      annotations:
        tekton.dev/git-0: https://github.com
        tekton.dev/git-1: https://gitlab.com
    type: kubernetes.io/ssh-auth
    stringData:
      ssh-privatekey: |
        -----BEGIN OPENSSH PRIVATE KEY-----
        ....
        ....
        -----END OPENSSH PRIVATE KEY-----
    EOF
    

    Where:

    • SECRET-SSH-AUTH is the name of the secret being created.
    • DEV-NAMESPACE is the developer namespace where the scanner is installed.
    • .stringData.ssh-privatekey is the private key. Use a key that has only pull (read) permission on the repository; the scanner only needs to clone, and a read-only deploy key limits what an attacker who obtains the secret can do.
  2. Update the tap-values.yaml file to include the name of the secret created above.

    grype:
      targetSourceSshSecret: "SECRET-SSH-AUTH"
    
  3. Upgrade Tanzu Application Platform with the modified tap-values.yaml file.

    tanzu package installed update tap -p tap.tanzu.vmware.com -v TAP-VERSION --values-file tap-values.yaml -n tap-install
    

    Where TAP-VERSION is the Tanzu Application Platform version.

  4. Create sample-private-source-scan.yaml:

    ---
    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: SourceScan
    metadata:
      name: sample-private-source-scan
    spec:
      git:
        url: URL
        revision: REVISION
        knownHosts: |
          KNOWN-HOSTS
      scanTemplate: private-source-scan-template
    

    Where:

    • URL is the SSH clone URL of the private repository. It must be an SSH URL so that the key in SECRET-SSH-AUTH is used for the clone.
    • REVISION is the Git revision to scan, for example a commit SHA.
    • KNOWN-HOSTS is the contents of a known_hosts file for the Git server: one line per host key, in the format that ssh-keyscan outputs. The scanner uses it to verify the server's identity during the clone, so it must contain a key for the host named in URL; a host mismatch makes the clone fail rather than fall back to trusting the server. Because ssh-keyscan fetches keys over an unauthenticated connection, verify the fingerprints against the provider's published values before pinning them (for GitHub, https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints), and update KNOWN-HOSTS when the provider rotates a key.

    For example, ssh-keyscan github.com produced the following when this topic was written:

    github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
    

    The ssh-rsa line above is GitHub's original RSA host key, which GitHub replaced in March 2023; do not pin it. Take the current keys from a fresh scan of your own Git server and check their fingerprints as described above.
    ---
    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: SourceScan
    metadata:
      name: sample-private-source-scan
    spec:
      git:
        url: git@10.254.171.53:acme/website.git
        revision: 25as5e7df56c6401111be514a2f3666179ba04d0
        knownHosts: |
          10.254.171.53 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItb....POVVQF/CzuAeQNv4fZVf2pLxpGHle15zkpxOosckequUDxoq
      scanTemplate: private-source-scan-template
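
The manifest above pins the Git server's host key, which only helps if the pinned key is really the server's. The following is an added example, not code from this topic or from Tanzu Application Platform: it takes ssh-keyscan output, computes each key's SHA256 fingerprint the way ssh-keygen -lf does, keeps only keys for the host in the clone URL whose fingerprint is on an allowlist, and renders the SourceScan with that knownHosts block, refusing to render if nothing was accepted. The sample input is the ssh-keyscan output shown on this page; the allowlist holds GitHub's published fingerprints at the time of writing, which you must re-check against GitHub's documentation; the repository URL git@github.com:acme/website.git is assumed.

```python
"""Build a SourceScan knownHosts block from ssh-keyscan output, keeping only
host keys whose SHA256 fingerprint is on a pinned allowlist.

ssh-keyscan fetches keys over an unauthenticated connection, so its output on
its own proves nothing about who answered. Pinning fingerprints you have
checked against the provider's published list turns knownHosts into a real
identity check for the clone. Standard library only.
"""
import base64
import hashlib
from urllib.parse import urlparse

# Constructed sample input: the `ssh-keyscan github.com` output shown on this
# page. The ssh-rsa line is GitHub's pre-March-2023 RSA key, since replaced.
KEYSCAN_OUTPUT = """\
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
"""

# GitHub's published host key fingerprints (RSA, ECDSA, Ed25519) at the time of
# writing. Re-check them before use at
# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
PINNED = {
    "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s",
    "SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM",
    "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU",
}


def fingerprint(known_hosts_line: str) -> str:
    """SHA256 fingerprint in OpenSSH notation: base64 of sha256(key blob), no padding."""
    _host, _keytype, blob = known_hosts_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def git_ssh_host(url: str) -> str:
    """Host of an SSH Git URL, scp-style (git@host:path) or ssh://, lower-cased."""
    if "://" in url:
        host = urlparse(url).hostname
        if not host:
            raise ValueError(f"no host in {url!r}")
        return host.lower()
    userhost, sep, _path = url.partition(":")
    if not sep:
        raise ValueError(f"not an SSH Git URL: {url!r}")
    return userhost.rsplit("@", 1)[-1].lower()


def pinned_known_hosts(keyscan_output: str, pinned: set, git_url: str):
    """Return (accepted, rejected) known_hosts lines. A line is accepted only if
    it names the URL's host and its fingerprint is pinned."""
    host = git_ssh_host(git_url)
    accepted, rejected = [], []
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Hashed entries (|1|...) cannot be matched to the URL's host; reject.
        if len(fields) < 3 or fields[0].startswith("|"):
            rejected.append(line)
            continue
        hosts = {h.lower() for h in fields[0].split(",")}
        if host in hosts and fingerprint(line) in pinned:
            accepted.append(line)
        else:
            rejected.append(line)
    return accepted, rejected


def render_source_scan(name, git_url, revision, known_hosts,
                       template="private-source-scan-template"):
    """Render the SourceScan manifest; fail closed when no host key was accepted."""
    if not known_hosts:
        raise ValueError("no pinned host key for the Git server; refusing to render")
    block = "\n".join("      " + line for line in known_hosts)
    return (
        "apiVersion: scanning.apps.tanzu.vmware.com/v1beta1\n"
        "kind: SourceScan\n"
        f"metadata:\n  name: {name}\n"
        "spec:\n  git:\n"
        f"    url: {git_url}\n"
        f"    revision: {revision}\n"
        "    knownHosts: |\n"
        f"{block}\n"
        f"  scanTemplate: {template}\n"
    )


if __name__ == "__main__":
    url = "git@github.com:acme/website.git"  # assumed repository
    ok, bad = pinned_known_hosts(KEYSCAN_OUTPUT, PINNED, url)
    for line in bad:
        print("REJECTED (fingerprint not pinned or host mismatch):", " ".join(line.split()[:2]))
    print(render_source_scan("sample-private-source-scan", url, "main", ok))
```

Run against the page's sample, the stale ssh-rsa line is rejected and only the ECDSA and Ed25519 keys reach the manifest; pointing the same scan output at a different host (for example a gitlab.com URL) accepts nothing and the render refuses, which is the fail-closed behaviour you want in a pipeline step.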
    

(Optional) Set up a watch

Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression:

watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

See Observing and Troubleshooting.

Deploy the resources

kubectl apply -f sample-private-source-scan.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View the scan status

After the scan has completed, run:

kubectl describe sourcescan sample-private-source-scan -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

Notice that Status.Conditions includes Reason: JobFinished with Message: The scan job finished. See Viewing and Understanding Scan Status Conditions.

Clean up

kubectl delete -f sample-private-source-scan.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View vulnerability reports

After completing the scans, view the vulnerability results in the Tanzu Developer Portal.
