Cluster-specific scanner configurations

This topic tells you how to configure clusters for specific scanners. It covers connecting vulnerability scanning to the store, single-cluster configuration, and multicluster configuration.

Connecting vulnerability scanning to Supply Chain Security Tools (SCST) - Store

You can use the scanner configuration to connect the Grype scanner or another supported scanner to SCST - Store.

For single-cluster configurations, scanners use app-tls-cert to communicate with SCST - Store. For more information, see Install your Tanzu Application Platform profile.

For multicluster configurations, scanners use the ingress-cert of SCST - Store in the View cluster. For more information, see Multicluster setup for SCST - Scan 1.0.

Single-cluster configuration

In a single-cluster configuration, the connection between the scanning pod and SCST - Store exists inside the cluster and does not pass through ingress. An ingress connection to SCST - Store is not needed.

The default values automatically configure the connection between a supported scanner, such as Grype, and SCST - Store. By default, scanners use app-tls-cert from SCST - Store.

You do not need to change the grype section of tap-values.yaml provided in the Full profile installation. For more information, see Install your Tanzu Application Platform profile.

To view the default values, see Install SCST - Scan.

Multicluster configuration

In a multicluster configuration, you must provide the scanner configured on the Build cluster with the ingress URL of SCST - Store, which is deployed in the View cluster. Scanners must use ingress-cert to communicate with SCST - Store.

To view a sample Build profile YAML file, see Build profile.

For information about how Build profile uses the configuration, see How to configure Grype in the Build profile values file.
