This topic includes an example public image scan with compliance check for SCST - Scan.
NoteThis topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.
The following example performs an image scan on an image in a public registry. This image revision has 223 known vulnerabilities (CVEs), spanning a number of severities. ImageScan uses the ScanPolicy to run a compliance check against the CVEs.
The policy in this example is set to only consider Critical
severity CVEs as a violation, which returns 21 Critical Severity Vulnerabilities.
NoteThis example ScanPolicy is deliberately constructed to showcase the features available and must not be considered an acceptable base policy.
In this example, the scan does the following:
Status.Conditions
that 21 CVEs have violated policy complianceCreate sample-public-image-scan-with-compliance-check.yaml
:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
name: sample-scan-policy
labels:
'app.kubernetes.io/part-of': 'enable-in-gui'
spec:
regoFile: |
package main
# Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
notAllowedSeverities := ["Critical"]
ignoreCves := []
contains(array, elem) = true {
array[_] = elem
} else = false { true }
isSafe(match) {
severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
some i
fails := contains(notAllowedSeverities, severities[i])
not fails
}
isSafe(match) {
ignore := contains(ignoreCves, match.id)
ignore
}
deny[msg] {
comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
some i
comp := comps[i]
vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
some j
vuln := vulns[j]
ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
not isSafe(vuln)
msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
}
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
name: sample-public-image-scan-with-compliance-check
spec:
registry:
image: "nginx:1.16"
scanTemplate: public-image-scan-template
scanPolicy: sample-scan-policy
Before deploying the resources to a user specified namespace, set up a watch in another terminal to view the progression:
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.
For more information about setting up a watch, see Observing and Troubleshooting.
kubectl apply -f sample-public-image-scan-with-compliance-check.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.
kubectl describe imagescan sample-public-image-scan-with-compliance-check -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.
NoteThe
Status.Conditions
includes aReason: EvaluationFailed
andMessage: Policy violated because of 21 CVEs
.
For more information about scan status conditions, see Viewing and Understanding Scan Status Conditions.
To edit the Scan Policy, see Step 5: Sample Public Source Code Scan with Compliance Check.
To clean up, run:
kubectl delete -f sample-public-image-scan-with-compliance-check.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.