Sample public image scan with compliance check for Supply Chain Security Tools - Scan
This topic includes an example public image scan with compliance check for SCST - Scan.
NoteThis topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.
Public image scan
The following example performs an image scan on an image in a public registry. This image revision has 223 known vulnerabilities (CVEs), spanning a number of severities. ImageScan uses the ScanPolicy to run a compliance check against the CVEs.
The policy in this example is set to only consider Critical severity CVEs as a violation, which returns 21 Critical Severity Vulnerabilities.
NoteThis example ScanPolicy is deliberately constructed to showcase the features available and must not be considered an acceptable base policy.
In this example, the scan does the following:
- Finds all 223 of the CVEs
- Ignores any CVEs with severities that are not critical
- Indicates in the
Status.Conditionsthat 21 CVEs have violated policy compliance
Define the ScanPolicy and ImageScan
Create sample-public-image-scan-with-compliance-check.yaml:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
name: sample-scan-policy
labels:
'app.kubernetes.io/part-of': 'enable-in-gui'
spec:
regoFile: |
package main
# Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
notAllowedSeverities := ["Critical"]
ignoreCves := []
contains(array, elem) = true {
array[_] = elem
} else = false { true }
isSafe(match) {
severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
some i
fails := contains(notAllowedSeverities, severities[i])
not fails
}
isSafe(match) {
ignore := contains(ignoreCves, match.id)
ignore
}
deny[msg] {
comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
some i
comp := comps[i]
vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
some j
vuln := vulns[j]
ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
not isSafe(vuln)
msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
}
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
name: sample-public-image-scan-with-compliance-check
spec:
registry:
image: "nginx:1.16"
scanTemplate: public-image-scan-template
scanPolicy: sample-scan-policy
(Optional) Set up a watch
Before deploying the resources to a user specified namespace, set up a watch in another terminal to view the progression:
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
For more information about setting up a watch, see Observing and Troubleshooting.
Deploy the resources
kubectl apply -f sample-public-image-scan-with-compliance-check.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
View the scan results
kubectl describe imagescan sample-public-image-scan-with-compliance-check -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
NoteThe
Status.Conditionsincludes aReason: EvaluationFailedandMessage: Policy violated because of 21 CVEs.
For more information about scan status conditions, see Viewing and Understanding Scan Status Conditions.
Edit the ScanPolicy
To edit the Scan Policy, see Step 5: Sample Public Source Code Scan with Compliance Check.
Clean up
To clean up, run:
kubectl delete -f sample-public-image-scan-with-compliance-check.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
