Verify scanning with a Supply Chain integration

This topic tells you how to verify scanning with Supply Chains.

Create a workload

Create a sample workload with a pre-built image by running:

tanzu apps workload create WORKLOAD-NAME \
  --app APP-NAME \
  --git-repo GIT-REPO \
  --git-branch GIT-BRANCH \
  --type TYPE \
  --namespace DEV-NAMESPACE

Where:

  • WORKLOAD-NAME is the name you choose for your workload.
  • APP-NAME is the name of your app.
  • GIT-REPO is the Git repository from which the workload is created.
  • GIT-BRANCH is the branch in a Git repository from where the workload is created.
  • TYPE is the type of your app.
  • DEV-NAMESPACE is the name of the developer namespace where scanning occurs.
Note

For information about how to use the Tanzu CLI workload creation, see Create a Workload.

Retrieve scan results

Scan results are uploaded to the container image registry as an imgpkg bundle. To retrieve a vulnerability report:

  1. Retrieve the result location from the ImageVulnerabilityScan CR status by running:

    SCAN_RESULT_URL=$(kubectl get imagevulnerabilityscan my-scan -n DEV-NAMESPACE -o jsonpath='{.status.scanResult}')
    
  2. Download the bundle to a local directory and list the content by running:

    imgpkg pull -b $SCAN_RESULT_URL -o scan-results/
    ls scan-results/
    
check-circle-line exclamation-circle-line close-line
Scroll to top icon