Scan Types for Supply Chain Security Tools - Scan

This topic tells you what scan types you can use with Scan Types for Supply Chain Security Tools (SCST) - Scan. The out-of-box test and scan supply chain supports the source and container image scan types.

Source scan

The source scan step in the test and scan supply chain performs a Software Composition Analysis (SCA) scan to inspect the open-source dependencies of an application for vulnerabilities.

Note

This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions. You scan by inspecting the file that the language uses for dependency declaration. This table has examples:

Language Dependency File
Spring pom.xml
.Net deps.json
Node.JS packages.json
Python requirements.txt

Rather than declare specific dependency versions, some languages such as Spring, Java, and .Net resolve dependency versions at build time. For these languages, performing a SCA scan on the declaration file stored in the source code does not produce meaningful results. Instead the SCA scan often creates false positives or false negatives.

Because of this, in Tanzu Application Platform v1.6 and later the source scan step is moved to an opt-in step in the supply chain.

Adding Source Scan to the Test and Scan Supply Chain

To add source scanning to the out-of-the-box test and scan supply chain, you can apply an overlay in the tap-values.yaml file used for installation. This overlay adds the required resources to the supply chain in the correct location to opt in to source scanning.

For information about how overlays work with Tanzu Application Platform, see Customize your package installation.

To add source scanning to the default out-of-the-box test and scan supply chain:

  1. Create a secret.yml file with a Secret that contains your ytt overlay. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: ootb-supply-chain-testing-scanning-add-source-scanner
      namespace: tap-install
      annotations:
        kapp.k14s.io/change-group: "tap-overlays"
    type: Opaque
    stringData:
      ootb-supply-chain-testing-scanning-add-source-scanner.yaml: |
        #@ load("@ytt:overlay", "overlay")
        #@overlay/match by=overlay.subset({"metadata":{"name":"source-test-scan-to-url"}, "kind": "ClusterSupplyChain"})
        ---
        spec:
          resources:
            #@overlay/match by=overlay.index(2)
            #@overlay/insert before=True
                - name: source-scanner
                  params:
                  - default: scan-policy
                    name: scanning_source_policy
                  - default: blob-source-scan-template
                    name: scanning_source_template
                  sources:
                  - name: source
                    resource: source-tester
                  templateRef:
                    kind: ClusterSourceTemplate
                    name: source-scanner-template
                #@overlay/match by="name"
                - name: image-provider
                  sources:
                  #@overlay/match by="name"
                  - name: source
                    resource: source-scanner
    

    For information about ytt overlays, see the Carvel documentation.

  2. Apply the Secret to your cluster by running:

    kubectl apply -f secret.yml
    
  3. Update your values file to include a package_overlays field by running:

    package_overlays:
    - name: ootb-supply-chain-testing-scanning
      secrets:
      - name: ootb-supply-chain-testing-scanning-add-source-scanner
    
  4. Update Tanzu Application Platform by running:

    tanzu package installed update tap -p tap.tanzu.vmware.com -v 1.11.0  \
    --values-file tap-values.yaml -n tap-install
    

For a multicluster installation, you must apply this to the build profile because that is where the scan components run. For information about Tanzu Application Platform profiles, see Installing Tanzu Application Platform package and profiles.

Container image scan

A container image scan inspects the contents of a built container image for vulnerabilities. This scan is performed on the container image after it is uploaded to the container image registry and at periodic intervals after the initial upload. Many container registries, such as Harbor and Docker Hub, include this capability.

Tanzu Application Platform enables scanning container images for vulnerabilities as part of your supply chain, allowing you to prevent deployment of a container image if vulnerabilities are discovered that exceed your security policy.

check-circle-line exclamation-circle-line close-line
Scroll to top icon