Prerequisites for Snyk Scanner for Supply Chain Security Tools - Scan (Beta)

This topic describes the prerequisites you must complete to install Supply Chain Security Tools (SCST) - Scan (Snyk Scanner) from the Tanzu Application Platform package repository.

Important

Snyk’s image scanning capability is in beta. Snyk might only return a partial list of CVEs when scanning Buildpack images.

Prepare the Snyk Scanner configuration

Note

This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.

To prepare the Snyk Scanner configuration, follow these steps.

  1. Obtain a Snyk API Token from the Snyk documentation.

  2. Create a Snyk secret YAML file and insert the base64-encoded Snyk API token into the snyk_token:

    apiVersion: v1
    kind: Secret
    metadata:
      name: snyk-token-secret
      namespace: my-apps
    data:
      snyk_token: BASE64-SNYK-API-TOKEN
    

    Where BASE64-SNYK-API-TOKEN is the base64-encoded form of the Snyk API Token obtained earlier.

  3. Apply the Snyk secret YAML file by running:

    kubectl apply -f YAML-FILE
    

    Where YAML-FILE is the name of the Snyk secret YAML file you created.

  4. Create a values.yaml file and pass it to the installer with the --values-file flag to customize the default configuration. The following fields are required for the Snyk Scanner configuration; you can add further fields to activate or deactivate behaviors, and you can append the SCST - Store values shown later in this topic. Start from this configuration:

    ---
    namespace: DEV-NAMESPACE
    targetImagePullSecret: TARGET-REGISTRY-CREDENTIALS-SECRET
    snyk:
      tokenSecret:
        name: SNYK-TOKEN-SECRET
    

    Where:

    • DEV-NAMESPACE is your developer namespace. To use a namespace other than the default namespace, ensure that the namespace exists before you install. If the namespace does not exist, the scanner installation fails.

    • TARGET-REGISTRY-CREDENTIALS-SECRET is the name of the secret that contains the credentials to pull an image from a private registry for scanning.

    • SNYK-TOKEN-SECRET is the name of the secret you created that contains the snyk_token to connect to the Snyk API. This field is required.

    The Snyk Scanner integration can work with or without the SCST - Store integration. The values.yaml file is slightly different for each configuration.
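    The following script is an added example and is not code from the Tanzu documentation or the Snyk scanner. It renders the Secret from steps 2 and 3 and the values.yaml from step 4 as plain strings, then decodes the rendered token again so that a stray newline or a non-base64 character is caught before you run kubectl apply. The namespace, secret names and the sample token are placeholders, and the YAML is built with string formatting so only the Python standard library is needed.

```python
"""Added example (not from the Tanzu docs or the Snyk scanner): render the
Snyk token Secret and the scanner values.yaml, and round-trip the encoded
token so encoding mistakes surface before `kubectl apply`.
All names and the sample token below are placeholders."""
import base64
import binascii
import re
from typing import Optional


def encode_token(token: str) -> str:
    """Base64 value for the Secret's data.snyk_token field.

    Surrounding whitespace is stripped first: `echo TOKEN | base64` appends a
    newline to the input, that newline ends up inside the decoded value, and
    the scanner then presents a token Snyk does not recognise."""
    token = token.strip()
    if not token:
        raise ValueError("empty Snyk token")
    return base64.b64encode(token.encode("utf-8")).decode("ascii")


def snyk_secret_manifest(namespace: str, token: str,
                         name: str = "snyk-token-secret") -> str:
    """Secret manifest in the shape the docs show (step 2).

    Base64 is an encoding, not encryption: anyone allowed to read Secrets in
    this namespace recovers the token, so keep the rendered file out of
    source control and rely on RBAC around the namespace."""
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "data:\n"
        f"  snyk_token: {encode_token(token)}\n"
    )


def scanner_values(dev_namespace: str, pull_secret: str,
                   token_secret_name: str) -> str:
    """values.yaml for the Snyk Scanner package (step 4), without the
    optional SCST - Store fields."""
    return (
        "---\n"
        f"namespace: {dev_namespace}\n"
        f"targetImagePullSecret: {pull_secret}\n"
        "snyk:\n"
        "  tokenSecret:\n"
        f"    name: {token_secret_name}\n"
    )


def decode_secret_token(manifest: str) -> str:
    """Read data.snyk_token back out of a rendered manifest and decode it
    strictly: validate=True makes b64decode reject characters outside the
    base64 alphabet instead of silently skipping them."""
    match: Optional[re.Match] = re.search(
        r"^\s*snyk_token:\s*(\S+)\s*$", manifest, re.MULTILINE)
    if not match:
        raise ValueError("manifest has no snyk_token field")
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"snyk_token is not valid base64: {exc}") from exc
    return raw.decode("utf-8")


if __name__ == "__main__":
    # Placeholder token; a real one comes from your Snyk account settings.
    manifest = snyk_secret_manifest("my-apps", "PLACEHOLDER-SNYK-API-TOKEN")
    assert decode_secret_token(manifest) == "PLACEHOLDER-SNYK-API-TOKEN"
    print(manifest)
    print(scanner_values("my-apps", "registry-credentials", "snyk-token-secret"))
    # Next step from the docs: kubectl apply -f snyk-secret.yaml
```

    Write the two strings to files and apply the Secret with kubectl as in step 3; the values file is the one you pass with --values-file when installing the scanner package.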

Use or deactivate SCST - Store integration

The SCST - Store integration is enabled by default. You can use the integration or deactivate it.

Use the integration

To persist the results found by the Snyk Scanner, you can enable the SCST - Store integration by appending fields in the values.yaml file.

The Grype and Snyk Scanner integrations both enable the Metadata Store. To prevent conflicts, the configuration values are slightly different based on whether the Grype Scanner integration is installed or not. If Tanzu Application Platform is installed by using the Full Profile, the Grype Scanner integration is installed unless it is explicitly excluded.

  • If the Grype Scanner integration is installed in the dev-namespace that Snyk Scanner is installed in, apply this YAML:

    #! ...
    metadataStore:
      #! The URL where the Store deployment is accessible.
      #! Default value is: "https://metadata-store-app.metadata-store.svc.cluster.local:8443"
      url: "STORE-URL"
      caSecret:
        #! The name of the secret that contains the ca.crt to connect to the Store Deployment.
        #! Default value is: "app-tls-cert"
        name: "CA-SECRET-NAME"
        importFromNamespace: "" #! Because both Snyk and Grype enable the Store, leave importFromNamespace blank.
      #! authSecret is for multicluster configurations.
      authSecret:
        #! The name of the secret that contains the auth token to authenticate to the Store Deployment.
        name: "AUTH-SECRET-NAME"
        importFromNamespace: "" #! Because both Snyk and Grype enable the Store, leave importFromNamespace blank.
    
  • If the Grype Scanner integration is not installed in the dev-namespace that Snyk Scanner is installed in, apply this YAML:

    #! ...
    metadataStore:
      #! The URL where the Store deployment is accessible.
      #! Default value is: "https://metadata-store-app.metadata-store.svc.cluster.local:8443"
      url: "STORE-URL"
      caSecret:
        #! The name of the secret that contains the ca.crt to connect to the Store Deployment.
        #! Default value is: "app-tls-cert"
        name: "CA-SECRET-NAME"
        #! The namespace where the secrets for the Store Deployment live.
        #! Default value is: "metadata-store"
        importFromNamespace: "STORE-SECRETS-NAMESPACE"
      #! authSecret is for multicluster configurations.
      authSecret:
        #! The name of the secret that contains the auth token to authenticate to the Store Deployment.
        name: "AUTH-SECRET-NAME"
        #! The namespace where the secrets for the Store Deployment live.
        importFromNamespace: "STORE-SECRETS-NAMESPACE"
    
Deactivate the integration

The SCST - Store integration is enabled by default. If you do not want to use this integration, deactivate the integration by appending the following field in the values.yaml file:

    # ...
    metadataStore:
      url: "" # Configuration is moved, so set this string to empty.

Sample ScanPolicy for Snyk in SPDX JSON format

To make and apply ScanPolicy for Snyk in SPDX JSON format:

  1. Create ScanPolicy YAML with a Rego file for scanner output in the SPDX JSON format. Here is a sample scan policy resource:

    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: ScanPolicy
    metadata:
      name: snyk-scan-policy
      labels:
        'app.kubernetes.io/part-of': 'enable-in-gui'
    spec:
      regoFile: |
        package main
    
        # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
        notAllowedSeverities := ["Critical", "High", "UnknownSeverity"]
        ignoreCves := []
    
        contains(array, elem) = true {
          array[_] = elem
        } else = false { true }
    
        isSafe(match) {
          fails := contains(notAllowedSeverities, match.relationships[_].ratedBy.rating[_].severity)
          not fails
        }
    
        isSafe(match) {
          ignore := contains(ignoreCves, match.id)
          ignore
        }
    
        deny[msg] {
          vuln := input.vulnerabilities[_]
          ratings := vuln.relationships[_].ratedBy.rating[_].severity
          comp := vuln.relationships[_].affect.to[_]
          not isSafe(vuln)
          msg = sprintf("CVE %s %s %s", [comp, vuln.id, ratings])
        }
    
  2. Apply the YAML file by running:

    kubectl apply -n $DEV_NAMESPACE -f SCAN-POLICY-YAML

    Where SCAN-POLICY-YAML is the name of the ScanPolicy YAML file you created, and $DEV_NAMESPACE is your developer namespace.
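The following Python script is an added example, not code from the Tanzu documentation or the Snyk scanner. It models the decision the sample ScanPolicy's Rego expresses (deny a vulnerability whose rated severity is in notAllowedSeverities unless its id is in ignoreCves, with one message per affected component and rating) and runs it over a constructed SPDX-style JSON document shaped like the fields the Rego reads: vulnerabilities[].id, relationships[].ratedBy.rating[].severity and relationships[].affect.to[]. OPA inside the scanner evaluates the real policy; this model only lets you check what a given severity list and ignore list would do to sample scan data before you apply the policy. The CVE ids and package references are placeholders.

```python
"""Added example (not from the Tanzu docs or the Snyk scanner): a Python
model of the sample ScanPolicy decision, run over constructed SPDX-style
scan data. The real policy is Rego evaluated by OPA inside SCST - Scan;
this only reproduces the deny/allow outcome for reasoning about inputs.
All CVE ids and package references below are placeholders."""
import json
from typing import FrozenSet, Iterable, List

# Mirrors notAllowedSeverities in the sample Rego.
NOT_ALLOWED_SEVERITIES: FrozenSet[str] = frozenset(
    {"Critical", "High", "UnknownSeverity"})

# Constructed scan output with the three field paths the Rego reads.
SAMPLE_SPDX = json.dumps({
    "vulnerabilities": [
        {"id": "CVE-0000-0001",
         "relationships": [
             {"ratedBy": {"rating": [{"severity": "High"}]},
              "affect": {"to": ["pkg:example/libfoo@1.0.0"]}}]},
        {"id": "CVE-0000-0002",
         "relationships": [
             {"ratedBy": {"rating": [{"severity": "Low"}]},
              "affect": {"to": ["pkg:example/libbar@2.3.4"]}}]},
        {"id": "CVE-0000-0003",
         "relationships": [
             {"ratedBy": {"rating": [{"severity": "Critical"}]},
              "affect": {"to": ["pkg:example/libbaz@0.1.0"]}}]},
    ]
})


def deny(document: str,
         not_allowed: Iterable[str] = NOT_ALLOWED_SEVERITIES,
         ignore_cves: Iterable[str] = ()) -> List[str]:
    """Return deny messages in the Rego's "CVE <component> <id> <severity>"
    form, one per (component, rated severity) pair of each unsafe
    vulnerability, in document order.

    A vulnerability is safe when its id is in ignore_cves or when none of
    its rated severities fall in not_allowed; everything else is denied."""
    blocked = set(not_allowed)
    ignored = set(ignore_cves)
    messages: List[str] = []
    for vuln in json.loads(document).get("vulnerabilities", []):
        rels = vuln.get("relationships", [])
        severities = [r["severity"] for rel in rels
                      for r in rel["ratedBy"]["rating"]]
        if vuln["id"] in ignored or not (set(severities) & blocked):
            continue
        # Like the Rego's two independent [_] wildcards, every component is
        # paired with every rating of the vulnerability.
        components = [c for rel in rels for c in rel["affect"]["to"]]
        for comp in components:
            for sev in severities:
                messages.append(f"CVE {comp} {vuln['id']} {sev}")
    return messages


def policy_passes(document: str, **policy) -> bool:
    """The scan passes only when the deny set is empty."""
    return not deny(document, **policy)


if __name__ == "__main__":
    for msg in deny(SAMPLE_SPDX):
        print(msg)
    print("passes:", policy_passes(SAMPLE_SPDX))
    # Ignoring one CVE still leaves the other blocked one in the deny set.
    print("passes with CVE-0000-0001 ignored:",
          policy_passes(SAMPLE_SPDX, ignore_cves={"CVE-0000-0001"}))
```

Changing notAllowedSeverities in the ScanPolicy corresponds to passing a different not_allowed set here; adding an id to ignoreCves corresponds to ignore_cves. Keep in mind that an ignored id is skipped regardless of its severity, so ignore lists deserve the same review as the policy itself.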
    
Note

The Snyk Scanner integration is only available for an image scan, not a source scan.

After all prerequisites are fulfilled, follow the steps in Install another scanner for SCST - Scan to install the Snyk Scanner.
