Install another scanner for Supply Chain Security Tools - Scan

This topic describes how you can install scanners to work with Supply Chain Security Tools (SCST) - Scan from the Tanzu Application Platform package repository.

Note

This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions. Follow the instructions in this topic to install a scanner other than the out-of-the-box Grype Scanner with SCST - Scan.

Prerequisites

Before installing a new scanner, install SCST - Scan on the same cluster. The prerequisites for SCST - Scan are also required.

Install

To install a new scanner, follow these steps:

  1. Fulfil scanner-specific prerequisites for the scanner that you’re trying to install, such as creating an API token to connect to the scanner.

    Snyk Scanner (Beta) is available for image scanning.

  2. List the available packages to discover what scanners you can use by running:

    tanzu package available list --namespace tap-install
    

    For example:

    $ tanzu package available list --namespace tap-install
    / Retrieving available packages...
     NAME                                                 DISPLAY-NAME                                                              SHORT-DESCRIPTION
     grype.scanning.apps.tanzu.vmware.com                 Grype Scanner for Supply Chain Security Tools - Scan                      Default scan templates using Anchore Grype
     snyk.scanning.apps.tanzu.vmware.com                  Snyk for Supply Chain Security Tools - Scan                               Default scan templates using Snyk
    
  3. List version information for the scanner package by running:

    tanzu package available list SCANNER-NAME --namespace tap-install
    

    For example:

    $ tanzu package available list snyk.scanning.apps.tanzu.vmware.com --namespace tap-install
    / Retrieving package versions for snyk.scanning.apps.tanzu.vmware.com...
     NAME                                  VERSION           RELEASED-AT
     snyk.scanning.apps.tanzu.vmware.com   1.0.0-beta.2
    
  4. (Optional) Verify that the secret you created earlier for the scanner-specific prerequisites exists.

  5. Create a values.yaml file to apply custom configurations to the scanner. This step is required for some scanners but optional for others. To list the values you can configure for any scanner, run:

    tanzu package available get SCANNER-NAME/VERSION --values-schema -n tap-install
    

    Where:

    • SCANNER-NAME is the name of the scanner package you retrieved earlier.
    • VERSION is your package version number. For example, snyk.scanning.apps.tanzu.vmware.com/1.0.0-beta.2.

    For example:

    $ tanzu package available get snyk.scanning.apps.tanzu.vmware.com/1.0.0-beta.2 --values-schema -n tap-install
    
    KEY                                           DEFAULT                                                           TYPE    DESCRIPTION
    metadataStore.authSecret.name                                                                                   string  Name of deployed Secret with key auth_token
    metadataStore.authSecret.importFromNamespace                                                                    string  Namespace from which to import the Insight Metadata Store auth_token
    metadataStore.caSecret.importFromNamespace    metadata-store                                                    string  Namespace from which to import the Insight Metadata Store CA Cert
    metadataStore.caSecret.name                   app-tls-cert                                                      string  Name of deployed Secret with key ca.crt holding the CA Cert of the Insight Metadata Store
    metadataStore.clusterRole                     metadata-store-read-write                                         string  Name of the deployed ClusterRole for read/write access to the Insight Metadata Store deployed in the same cluster
    metadataStore.url                             https://metadata-store-app.metadata-store.svc.cluster.local:8443  string  Url of the Insight Metadata Store
    namespace                                     default                                                           string  Deployment namespace for the Scan Templates
    resources.requests.cpu                        250m                                                              <nil>   Requests describes the minimum amount of cpu resources required.
    resources.requests.memory                     128Mi                                                             <nil>   Requests describes the minimum amount of memory resources required.
    resources.limits.cpu                          1000m                                                             <nil>   Limits describes the maximum amount of cpu resources allowed.
    snyk.tokenSecret.name                                                                                           string  Reference to the secret containing a Snyk API Token as snyk_token.
    targetImagePullSecret                                                                                           string  Reference to the secret used for pulling images from private registry.
    
  6. Install the scanner with the tanzu package install command, passing the values.yaml file you created earlier through the --values-file flag to customize the default configuration:

    tanzu package install REFERENCE-NAME \
     --package SCANNER-NAME \
     --version VERSION \
     --namespace tap-install \
     --values-file PATH-TO-VALUES-YAML
    

    Where:

    • REFERENCE-NAME is the name the installed package is referenced by, such as grype-scanner or snyk-scanner.
    • SCANNER-NAME is the name of the scanner package you retrieved earlier. For example, snyk.scanning.apps.tanzu.vmware.com.
    • VERSION is your package version number, such as 1.0.0-beta.2.
    • PATH-TO-VALUES-YAML is the path that points to the values.yaml file created earlier.

    For example:

    $ tanzu package install snyk-scanner \
     --package snyk.scanning.apps.tanzu.vmware.com \
     --version 1.1.0 \
     --namespace tap-install \
     --values-file values.yaml
    / Installing package 'snyk.scanning.apps.tanzu.vmware.com'
    | Getting namespace 'tap-install'
    | Getting package metadata for 'snyk.scanning.apps.tanzu.vmware.com'
    | Creating service account 'snyk-scanner-tap-install-sa'
    | Creating cluster admin role 'snyk-scanner-tap-install-cluster-role'
    | Creating cluster role binding 'snyk-scanner-tap-install-cluster-rolebinding'
    / Creating package resource
    - Package install status: Reconciling
    
    Added installed package 'snyk-scanner' in namespace 'tap-install'
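
The procedure above never shows what the values.yaml looks like. The following script is an added example, not code from the Tanzu documentation or from the scanner package: it renders a values.yaml for the Snyk scanner from the keys listed by --values-schema (namespace, snyk.tokenSecret.name, targetImagePullSecret), checks that the Secrets it references exist (step 4), and runs the tanzu package install command from step 6. The namespace my-apps, the Secret names snyk-token and registry-credentials, the placement of those Secrets in the developer namespace, and the mapping of the dotted schema keys onto nested YAML are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the Tanzu documentation: build the values.yaml for the
# Snyk scanner package from the keys that `--values-schema` lists, check that the
# Secrets it references exist (step 4), and run the install from step 6.
# Assumptions (placeholders, not values from the docs): the dotted schema keys
# map to nested YAML, the Secrets live in the developer namespace, and the
# namespace and Secret names below.
set -eu

SCANNER_PACKAGE=snyk.scanning.apps.tanzu.vmware.com
SCANNER_VERSION=1.0.0-beta.2
REFERENCE_NAME=snyk-scanner
DEV_NAMESPACE=${DEV_NAMESPACE:-my-apps}               # where the ScanTemplates are deployed
SNYK_TOKEN_SECRET=${SNYK_TOKEN_SECRET:-snyk-token}    # Secret holding key snyk_token
PULL_SECRET=${PULL_SECRET:-registry-credentials}      # Secret for pulling from a private registry

# render_scanner_values NAMESPACE TOKEN-SECRET PULL-SECRET
# Prints the values.yaml body. snyk.tokenSecret.name has no default in the
# schema, so an empty token Secret name is rejected here rather than producing
# a values file that installs cleanly and then fails at scan time.
render_scanner_values() {
  if [ -z "$2" ]; then
    echo "render_scanner_values: snyk.tokenSecret.name must not be empty" >&2
    return 1
  fi
  cat <<EOF
namespace: $1
snyk:
  tokenSecret:
    name: $2
targetImagePullSecret: $3
EOF
}

# secret_exists NAME NAMESPACE: true if the Secret is present (step 4 of the procedure)
secret_exists() {
  kubectl get secret "$1" -n "$2" >/dev/null 2>&1
}

# install_scanner: verify the Secrets, write the values file and install the package (step 6)
install_scanner() {
  for s in "$SNYK_TOKEN_SECRET" "$PULL_SECRET"; do
    secret_exists "$s" "$DEV_NAMESPACE" || {
      echo "Secret $s not found in namespace $DEV_NAMESPACE; create it first" >&2
      return 1
    }
  done
  values_file=$(mktemp)
  render_scanner_values "$DEV_NAMESPACE" "$SNYK_TOKEN_SECRET" "$PULL_SECRET" > "$values_file"
  tanzu package install "$REFERENCE_NAME" \
    --package "$SCANNER_PACKAGE" \
    --version "$SCANNER_VERSION" \
    --namespace tap-install \
    --values-file "$values_file"
}

# Run with --install to perform the installation; without arguments the script
# only prints the values.yaml that would be used.
if [ "${1:-}" = "--install" ]; then
  install_scanner
else
  render_scanner_values "$DEV_NAMESPACE" "$SNYK_TOKEN_SECRET" "$PULL_SECRET"
fi
```

Override DEV_NAMESPACE, SNYK_TOKEN_SECRET and PULL_SECRET in the environment to match your cluster; the Secret check runs before the package is installed, so a missing snyk_token Secret is reported up front instead of surfacing later as a failed scan.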
    

Verify the installation

To verify the installation, create an ImageScan or SourceScan resource that references one of the ScanTemplates newly added by the scanner.

Note

Some scanners do not support both ImageScan and SourceScan.

  1. (Optional) Create a ScanPolicy, formatted for the output specific to the scanner you are installing, to reference in the ImageScan or SourceScan by running:

    kubectl apply -n $DEV_NAMESPACE -f SCAN-POLICY-YAML
    
    Note

    As vulnerability scanners output different formats, the ScanPolicies can vary. For information about policies and samples, see Enforce compliance policy by using Open Policy Agent.

  2. Retrieve available ScanTemplates from the namespace where the scanner is installed by running:

    kubectl get scantemplates -n DEV-NAMESPACE
    

    Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

    For example:

    $ kubectl get scantemplates
    NAME                               AGE
    blob-source-scan-template          10d
    private-image-scan-template        10d
    public-image-scan-template         10d
    public-source-scan-template        10d
    snyk-private-image-scan-template   10d
    snyk-public-image-scan-template    10d
    
ImageScan

Follow these steps to create and apply an ImageScan. Some scanners do not support both ImageScan and SourceScan.

  1. Create the following ImageScan YAML:

    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: ImageScan
    metadata:
     name: sample-scanner-public-image-scan
    spec:
     registry:
       image: "nginx:1.16"
     scanTemplate: SCAN-TEMPLATE
     scanPolicy: SCAN-POLICY # Optional
    

    Where:

    • SCAN-TEMPLATE is the name of the installed ScanTemplate in the DEV-NAMESPACE you retrieved earlier.
    • SCAN-POLICY is an optional reference to an existing ScanPolicy in the same DEV-NAMESPACE.

    For example:

    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: ImageScan
    metadata:
     name: sample-snyk-public-image-scan
    spec:
     registry:
       image: "nginx:1.16"
     scanTemplate: snyk-public-image-scan-template
     scanPolicy: snyk-scan-policy
    
  2. Apply the ImageScan YAML to the cluster by running:

    kubectl apply -f PATH-TO-IMAGE-SCAN-YAML -n DEV-NAMESPACE
    

    Where PATH-TO-IMAGE-SCAN-YAML is the path to the YAML file created earlier.

  3. To verify the integration, check whether the scan has completed by running:

    kubectl get imagescan IMAGE-SCAN-NAME -n DEV-NAMESPACE
    

    Where IMAGE-SCAN-NAME is the name of the ImageScan as defined in the YAML file created earlier.

  4. Clean up by running:

    kubectl delete -f PATH-TO-SCAN-YAML -n DEV-NAMESPACE
    

    Where PATH-TO-SCAN-YAML is the path to the YAML file created earlier.

SourceScan

Follow these steps to create and apply a SourceScan. Some scanners do not support both ImageScan and SourceScan.

  1. Create the following SourceScan YAML:

    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: SourceScan
    metadata:
     name: sample-scanner-public-source-scan
    spec:
     git:
       url: "https://github.com/houndci/hound.git"
       revision: "5805c650"
     scanTemplate: SCAN-TEMPLATE
     scanPolicy: SCAN-POLICY # Optional
    

    Where:

    • SCAN-TEMPLATE is the name of the installed ScanTemplate in the DEV-NAMESPACE you retrieved earlier.
    • SCAN-POLICY is an optional reference to an existing ScanPolicy in the same DEV-NAMESPACE.

    For example:

    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: SourceScan
    metadata:
     name: sample-grype-public-source-scan
    spec:
     git:
       url: "https://github.com/houndci/hound.git"
       revision: "5805c650"
     scanTemplate: public-source-scan-template
     scanPolicy: scan-policy
    
  2. Apply the SourceScan YAML to the cluster by running:

    kubectl apply -f PATH-TO-SOURCE-SCAN-YAML -n DEV-NAMESPACE
    

    Where PATH-TO-SOURCE-SCAN-YAML is the path to the YAML file created earlier.

    For example:

    $ kubectl apply -f imagescan.yaml -n my-apps
    imagescan.scanning.apps.tanzu.vmware.com/sample-snyk-public-image-scan created
    
    $ kubectl apply -f sourcescan.yaml -n my-apps
    sourcescan.scanning.apps.tanzu.vmware.com/sample-grype-public-source-scan created
    
  3. To verify the integration, check whether the scan has completed by running:

    kubectl get sourcescan SOURCE-SCAN-NAME -n DEV-NAMESPACE
    

    Where SOURCE-SCAN-NAME is the name of the SourceScan as defined in the YAML file created earlier.

    For example:

    $ kubectl get imagescan sample-snyk-public-image-scan -n my-apps
    NAME                            PHASE       SCANNEDIMAGE   AGE   CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN   CVETOTAL
    sample-snyk-public-image-scan   Completed   nginx:1.16     26h   0          114    58       314   0         486
    
    $ kubectl get sourcescan sample-grype-public-source-scan -n my-apps
    NAME                                                                      PHASE       SCANNEDREVISION   SCANNEDREPOSITORY                      AGE     CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN   CVETOTAL
    sourcescan.scanning.apps.tanzu.vmware.com/grypesourcescan-sample-public   Completed   5805c650          https://github.com/houndci/hound.git   8m34s   21         121    112      9     0         263
    
    Note

    If you define a ScanPolicy for the scans and the evaluation finds a violation, the Phase is Failed instead of Completed. In both cases the scan finished.

  4. Clean up by running:

    kubectl delete -f PATH-TO-SCAN-YAML -n DEV-NAMESPACE
    

    Where PATH-TO-SCAN-YAML is the path to the YAML file created earlier.
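
The verification steps above, for both ImageScan and SourceScan, come down to reading the PHASE column and remembering the note that Failed also means the scan finished (with a ScanPolicy violation). The following script is an added example, not code from the Tanzu documentation: it parses the table that kubectl get imagescan or kubectl get sourcescan prints, classifies the scan as still running, passed, or in policy violation, summarizes the severity counts, and offers a polling helper that a pipeline step can call. The sample tables are constructed from the output shown earlier on this page; the Failed and in-progress variants, the Scanning phase value, and the wait_for_scan helper with its exit codes are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the Tanzu documentation: read the table that
# `kubectl get imagescan` / `kubectl get sourcescan` prints and decide whether
# the scan is still running, finished with the ScanPolicy satisfied (PHASE
# Completed) or finished with a policy violation (PHASE Failed). The sample
# tables below are constructed from the output shown on this page.

# scan_column HEADER: print the value under HEADER from a kubectl table
# (header line plus one resource line) read on stdin. Columns are split on
# whitespace, so this is reliable only for columns that are never empty;
# PHASE, which comes before the columns that fill in later, always is.
scan_column() {
  awk -v want="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == want) col = i; next }
    NR == 2 { if (col) print $col; exit }
  '
}

# classify_scan_phase: map PHASE to passed | violated | pending
classify_scan_phase() {
  case "$(scan_column PHASE)" in
    Completed) echo passed ;;    # scan finished, no policy violation
    Failed)    echo violated ;;  # scan finished, ScanPolicy found a violation
    *)         echo pending ;;   # any other phase: not finished yet
  esac
}

# scan_summary: one line with the phase and the severity counts of a finished scan
scan_summary() {
  table=$(cat)
  for c in PHASE CRITICAL HIGH MEDIUM LOW CVETOTAL; do
    printf '%s=%s ' "$c" "$(printf '%s\n' "$table" | scan_column "$c")"
  done
  printf '\n'
}

# wait_for_scan KIND NAME NAMESPACE [TIMEOUT-SECONDS]   (assumed helper)
# Polls kubectl until the scan finishes. Exit status: 0 passed, 1 policy
# violation, 2 kubectl error, 3 timeout. KIND is imagescan or sourcescan.
wait_for_scan() {
  kind=$1; name=$2; ns=$3; timeout=${4:-600}; elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    table=$(kubectl get "$kind" "$name" -n "$ns") || return 2
    verdict=$(printf '%s\n' "$table" | classify_scan_phase)
    if [ "$verdict" != pending ]; then
      printf '%s\n' "$table" | scan_summary
      if [ "$verdict" = passed ]; then return 0; else return 1; fi
    fi
    sleep 10; elapsed=$((elapsed + 10))
  done
  echo "timed out after ${timeout}s waiting for $kind/$name" >&2
  return 3
}

# Constructed samples: the first two are the tables shown earlier on this page;
# the Failed and in-progress variants (and the Scanning phase) are assumed.
SAMPLE_IMAGE_SCAN='NAME                            PHASE       SCANNEDIMAGE   AGE   CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN   CVETOTAL
sample-snyk-public-image-scan   Completed   nginx:1.16     26h   0          114    58       314   0         486'
SAMPLE_SOURCE_SCAN='NAME                                                                      PHASE       SCANNEDREVISION   SCANNEDREPOSITORY                      AGE     CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN   CVETOTAL
sourcescan.scanning.apps.tanzu.vmware.com/grypesourcescan-sample-public   Completed   5805c650          https://github.com/houndci/hound.git   8m34s   21         121    112      9     0         263'
SAMPLE_VIOLATION='NAME                            PHASE    SCANNEDIMAGE   AGE   CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN   CVETOTAL
sample-snyk-public-image-scan   Failed   nginx:1.16     26h   0          114    58       314   0         486'
SAMPLE_PENDING='NAME                            PHASE      SCANNEDIMAGE   AGE
sample-snyk-public-image-scan   Scanning   nginx:1.16     5s'

for t in "$SAMPLE_IMAGE_SCAN" "$SAMPLE_SOURCE_SCAN" "$SAMPLE_VIOLATION" "$SAMPLE_PENDING"; do
  printf '%s -> ' "$(printf '%s\n' "$t" | classify_scan_phase)"
  printf '%s\n' "$t" | scan_summary
done
# Against a live cluster: wait_for_scan imagescan sample-snyk-public-image-scan my-apps
```

The distinction between the exit codes matters for automation: a violated scan (exit 1) is a policy decision worth surfacing to the developer, while a kubectl error or a timeout (exit 2 or 3) means the scanner integration itself needs attention.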

Install the scanner on multiple namespaces

To install a Scanner on multiple namespaces, VMware recommends using Namespace Provisioner.

Configure Tanzu Application Platform Supply Chain to use the new scanner

To scan your images with the new scanner installed in the Out of the Box Supply Chain with Testing and Scanning, you must update your Tanzu Application Platform installation.

Add the ootb_supply_chain_testing_scanning.scanning section to tap-values.yaml and then update Tanzu Application Platform.

You can define which ScanTemplate is used for both SourceScan and ImageScan. The default values are the Grype Scanner ScanTemplate, but they are overwritten by any other ScanTemplate present in your DEV-NAMESPACE. The same applies to the ScanPolicies applied to each kind of scan. For example:

ootb_supply_chain_testing_scanning:
  scanning:
    image:
      template: IMAGE-SCAN-TEMPLATE
      policy: IMAGE-SCAN-POLICY
    source:
      template: SOURCE-SCAN-TEMPLATE
      policy: SOURCE-SCAN-POLICY

Note

For the supply chain to work properly, the SOURCE-SCAN-TEMPLATE must support blob files and the IMAGE-SCAN-TEMPLATE must support private images.

For example:

ootb_supply_chain_testing_scanning:
  scanning:
    image:
      template: snyk-private-image-scan-template
      policy: snyk-scan-policy
    source:
      template: blob-source-scan-template
      policy: scan-policy

Uninstall the scanner

To replace the scanner used by the supply chain, follow the steps in Configure Tanzu Application Platform Supply Chain to use the new scanner. After the supply chain no longer requires the scanner, you can remove the package by running:

tanzu package installed delete REFERENCE-NAME \
    --namespace tap-install

Where REFERENCE-NAME is the name you gave the package when installing it in the Install section, such as grype-scanner or snyk-scanner.

For example:

$ tanzu package installed delete snyk-scanner \
    --namespace tap-install

Other Available Scanner Integrations

In addition to providing the supported integrations above, VMware encourages the broader community to support VMware in its goal of integrating with customers’ preferred CVE scanners.

Additional integrations:
