Supply Chain Security Tools - Store saves software bills of materials (SBoMs) to a database and allows you to query for image, source code, package, and vulnerability relationships. It integrates with Supply Chain Security Tools - Scan to automatically store the resulting source code and image vulnerability reports. It accepts CycloneDX input and outputs in both human-readable and machine-readable formats, including JSON, text, and CycloneDX.
The following is a quick demo of configuring the tanzu insight plug-in and querying the metadata store for CVEs and scan results.
the Tanzu Insight CLI plug-in is the primary way to view results from the Supply Chain Security Tools - Scan of source code and image files. Use it to query by source code commit, image digest, and CVE identifier to understand security risks.
See Tanzu Insight plug-in overview to install, configure, and use
See Multicluster setup for information about how to set up SCST - Store in a multicluster setup.
Using the Supply Chain Choreographer in Tanzu Application Platform GUI, you can visualize your supply chain. It uses to SCST - Store to show the packages and vulnerabilities in your source code and images.
To enable this feature, see Supply Chain Choreographer in Tanzu Application Platform GUI - Enable CVE scan results.
Additional documentation includes information about the API, deployment details and configuration, AWS RDS configuration, other database backup recommendations, known issues, and other topics.