Configure code repositories and image artifacts for Supply Chain Security Tools - Scan

This topic describes how you can configure code repositories and image artifacts for Supply Chain Security Tools (SCST) - Scan.

Note

This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.

VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.

Before you begin

Both the source and image scans require you to define a ScanTemplate. Run kubectl get scantemplates for the ScanTemplates provided with the scanner installation. For information about how to reference these ScanTemplates, see How to create a ScanTemplate.

Deploy scan custom resources

The scan controller defines two custom resources to create scans:

  • SourceScan
  • ImageScan

Create and deploy a SourceScan custom resource

The SourceScan custom resource helps you define and trigger a scan for a given repository. You can deploy SourceScan with source code existing in a public repository or a private one:

  1. Create the SourceScan custom resource as in this example:

    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: SourceScan
    metadata:
      # set the name of the source scan CR
      name: sample-source-scan
    spec:
      # At least one of these fields (blob or git) must be defined.
      blob:
        # location to a file with the source code compressed (supported files: .tar.gz)
        url:
      git:
        # A multiline string defining the known hosts that are going to be used for the SSH client on the container
        knownHosts:
        # Branch, tag, or commit digest
        revision:
        # The name of the kubernetes secret containing the private SSH key information.
        sshKeySecret:
        # A string containing the repository URL.
        url:
        # The user name used for the SSH connection. Default value is "git"
        username:
    
      # A string defining the name of an existing ScanTemplate custom resource.
      scanTemplate: my-scan-template
    
      # A string defining the name of an existing ScanPolicy custom resource. See the "Enforcement Policies (OPA)" section.
      scanPolicy: my-scan-policy
    
  2. Deploy the SourceScan custom resource to the desired namespace on the cluster by running:

    kubectl apply -f <path_to_the_cr>/<custom_resource_filename>.yaml -n <desired_namespace>
    

    After the scanning finishes, the following fields appear in the custom resource and are filled by the scanner:

    # These fields are populated from the source scan results
    status:
      # The source code information as provided in the CycloneDX bom>metadata>component>* fields
      artifact:
        blob:
          url:
        git:
          url:
          revision:
    
      # An array populated with information about the scanning status
      # and the policy validation. These conditions might change in the lifecycle
      # of the scan, refer to the "View Scan Status and Understanding Conditions" section to learn more.
      conditions: []
    
      # The URL of the vulnerability scan results in the Metadata Store integration.
      # Only available when the integration is configured.
      metadataUrl:
    
      # When the CRD is updated to point at new revisions, this lets you know
      # whether the status reflects the latest one
      observedGeneration: 1
      observedPolicyGeneration: 1
      observedTemplateGeneration: 1
    
      # The latest datetime when the scanning was successfully finished.
      scannedAt:
      # Information about the scanner that was used for the latest source scan.
      # This information reflects what's in the CycloneDX bom>metadata>tools>tool>* fields.
      scannedBy:
        scanner:
          # The name of the scanner that was used.
          name: my-image-scanner
    
          # The name of the scanner's development company or team
          vendor: my-image-scanner-provider
    
          # The version of the scanner used.
          version: 1.0.0
    

Create and deploy an ImageScan custom resource

The ImageScan custom resource helps you define and trigger a scan for a given image. You can deploy ImageScan with an image in a public registry or a private registry:

  1. Create the ImageScan custom resource as in this example:

    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: ImageScan
    metadata:
      # set the name of the image scan CR
      name: sample-image-scan
    spec:
      registry:
        # Required. A string containing the image name, optionally followed by its tag or its digest
        image: nginx:1.16
    
        # A string containing the secret needed to pull the image from a private registry.
        # The secret needs to be deployed in the same namespace as the ImageScan
        imagePullSecret: my-image-pull-secret
    
      # A string defining the name of an existing ScanTemplate custom resource. See the "How To Create a ScanTemplate" section.
      scanTemplate: my-scan-template
    
      # A string defining the name of an existing ScanPolicy custom resource. See the "Enforcement Policies (OPA)" section.
      scanPolicy: my-scan-policy
    
  2. Deploy the ImageScan custom resource to the desired namespace on the cluster by running:

    kubectl apply -f <path_to_the_cr>/<custom_resource_filename>.yaml -n <desired_namespace>
    

    After the scanning finishes, the following fields appear in the custom resource and are filled by the scanner:

    # These fields are populated from the image scan results
    status:
      artifact:
        registry:
          # The image name with its digest as provided in the CycloneDX bom>metadata>component>* fields
          image:
          imagePullSecret:
    
      # An array that is populated with information about the scanning status
      # and the policy validation. These conditions might change in the lifecycle
      # of the scan, refer to the "View Scan Status and Understanding Conditions" section to learn more.
      conditions: []
    
      # The URL of the vulnerability scan results in the Metadata Store integration.
      # Only available when the integration is configured.
      metadataUrl:
    
      # When the CRD is updated to point at new revisions, this lets you know
      # whether the status reflects the latest one
      observedGeneration: 1
      observedPolicyGeneration: 1
      observedTemplateGeneration: 1
    
      # The latest datetime when the scanning was successfully finished.
      scannedAt:
      # Information about the scanner used for the latest image scan.
      # This information reflects what's in the CycloneDX bom>metadata>tools>tool>* fields.
      scannedBy:
        scanner:
          # The name of the scanner that was used.
          name: my-image-scanner
    
          # The name of the scanner's development company or team
          vendor: my-image-scanner-provider
    
          # The version of the scanner used.
          version: 1.0.0
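The following Python is an added example and is not part of this documentation or of the scan controller. It builds SourceScan and ImageScan manifests of the shape shown in the two procedures above, checks the rules this topic states before you run kubectl apply (a SourceScan needs at least one of blob or git, an ImageScan needs registry.image, and both need an existing ScanTemplate), and reads the status fields back to decide whether the reported result belongs to the spec that is currently on the cluster. The repository URL, image reference, commit digest, timestamp and condition type in the sample status are constructed values; the rule that a blob or git block must carry a url is this example's own assumption.

```python
"""Build and sanity-check SCST - Scan 1.0 SourceScan and ImageScan manifests.
Added example, not part of the Tanzu Application Platform docs or the scan
controller; field names follow this page, required-field rules are this
example's reading of it, and all sample values are constructed."""
import json

API_VERSION = "scanning.apps.tanzu.vmware.com/v1beta1"


def source_scan(name, scan_template, git_url=None, revision=None, ssh_key_secret=None,
                known_hosts=None, username=None, blob_url=None, scan_policy=None):
    """SourceScan manifest as a dict; emit with json.dumps (kubectl accepts JSON)."""
    spec = {"scanTemplate": scan_template}
    if git_url:
        git = {"url": git_url}
        for key, value in (("revision", revision), ("sshKeySecret", ssh_key_secret),
                           ("knownHosts", known_hosts), ("username", username)):
            if value:                       # optional git fields, emitted only when given
                git[key] = value
        spec["git"] = git
    if blob_url:
        spec["blob"] = {"url": blob_url}    # compressed source (.tar.gz)
    if scan_policy:
        spec["scanPolicy"] = scan_policy
    return {"apiVersion": API_VERSION, "kind": "SourceScan",
            "metadata": {"name": name}, "spec": spec}


def image_scan(name, image, scan_template, image_pull_secret=None, scan_policy=None):
    """ImageScan manifest as a dict."""
    registry = {"image": image}
    if image_pull_secret:                   # must live in the ImageScan's namespace
        registry["imagePullSecret"] = image_pull_secret
    spec = {"registry": registry, "scanTemplate": scan_template}
    if scan_policy:
        spec["scanPolicy"] = scan_policy
    return {"apiVersion": API_VERSION, "kind": "ImageScan",
            "metadata": {"name": name}, "spec": spec}


def validate(manifest):
    """List of problems; an empty list means the manifest can be applied."""
    problems = []
    if manifest.get("apiVersion") != API_VERSION:
        problems.append("apiVersion must be " + API_VERSION)
    if not manifest.get("metadata", {}).get("name"):
        problems.append("metadata.name is required")
    spec = manifest.get("spec") or {}
    if not spec.get("scanTemplate"):
        problems.append("spec.scanTemplate must name an existing ScanTemplate")
    kind = manifest.get("kind")
    if kind == "SourceScan":
        blob, git = spec.get("blob"), spec.get("git")
        if not blob and not git:
            problems.append("SourceScan needs at least one of spec.blob or spec.git")
        # Assumption: a blob or git block without a url cannot be fetched.
        if blob and not blob.get("url"):
            problems.append("spec.blob.url is required when spec.blob is set")
        if git and not git.get("url"):
            problems.append("spec.git.url is required when spec.git is set")
    elif kind == "ImageScan":
        if not (spec.get("registry") or {}).get("image"):
            problems.append("spec.registry.image is required")
    else:
        problems.append("kind must be SourceScan or ImageScan")
    return problems


def status_is_current(obj):
    """True when status.observedGeneration equals metadata.generation, i.e. the
    results belong to the spec on the cluster now, not to an earlier revision."""
    generation = obj.get("metadata", {}).get("generation")
    return generation is not None and generation == obj.get("status", {}).get("observedGeneration")


# Constructed: a SourceScan after the scanner has run. The condition type
# "Succeeded" is a sample value; the real types are documented under
# "View Scan Status and Understanding Conditions".
SCANNED_SOURCE_SCAN = source_scan("sample-source-scan", "my-scan-template",
                                  git_url="https://example.invalid/app.git",
                                  revision="main", scan_policy="my-scan-policy")
SCANNED_SOURCE_SCAN["metadata"]["generation"] = 1
SCANNED_SOURCE_SCAN["status"] = {
    "artifact": {"git": {"url": "https://example.invalid/app.git",
                         "revision": "0123456789abcdef0123456789abcdef01234567"}},
    "conditions": [{"type": "Succeeded", "status": "True"}],
    "observedGeneration": 1, "observedPolicyGeneration": 1, "observedTemplateGeneration": 1,
    "scannedAt": "2024-01-01T00:00:00Z",
    "scannedBy": {"scanner": {"name": "my-image-scanner",
                              "vendor": "my-image-scanner-provider", "version": "1.0.0"}},
}

if __name__ == "__main__":
    manifest = image_scan("sample-image-scan", "nginx:1.16", "my-scan-template",
                          image_pull_secret="my-image-pull-secret")
    print(json.dumps(manifest, indent=2))   # save to a file, then kubectl apply -f it
    print("problems:", validate(manifest))
    print("status current:", status_is_current(SCANNED_SOURCE_SCAN))
```

Write the dict out with json.dumps and apply the file with the kubectl apply command from step 2; kubectl accepts JSON manifests as well as YAML. The status_is_current check is the one to run before trusting a status block after you have edited the revision or image field, because until the controller reconciles the change the conditions and scannedBy fields still describe the previous revision.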
    