Sample private source scan

Define the resources

  1. Create a Kubernetes Secret named secret-ssh-auth with an SSH key for cloning a git repository.

  2. Create sample-private-source-scan.yaml:

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: sample-private-source-scan
spec:
  git:
    url: URL
    revision: REVISION
    knownHosts: |
      KNOWN-HOSTS
  scanTemplate: private-source-scan-template

Where:

  • URL is the SSH clone URL of the git repository.
  • REVISION is the commit hash to scan.
  • KNOWN-HOSTS is the SSH client's stored host keys (known_hosts entries) for the git host, as generated by ssh-keyscan.
    • For example, ssh-keyscan github.com produces:
      github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
      github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
      github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl

For example:

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: sample-private-source-scan
spec:
  git:
    url: git@github.com:acme/website.git
    revision: 25as5e7df56c6401111be514a2f3666179ba04d0
    knownHosts: |
      10.254.171.53 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbPOVVQF/CzuAeQNv4fZVf2pLxpGHle15zkpxOosckequUDxoq
  scanTemplate: private-source-scan-template
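The two steps above can be scripted so that the known_hosts entries always land correctly indented inside the knownHosts block scalar and the revision is pinned to a full commit hash. This is an added example, not code from the Tanzu documentation; the secret name secret-ssh-auth and the scan template name come from the page, while the Secret type/key layout (kubernetes.io/ssh-auth with ssh-privatekey), the file paths and the sample host-key line are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Tanzu docs): create the SSH Secret and render a
# SourceScan manifest for a private repository from a known_hosts file.
set -eu

# Fetch host keys for a git host into a file. Run this from a trusted network
# and compare the fingerprints (ssh-keygen -lf "$2") with the ones the git
# provider publishes before trusting the file.
fetch_known_hosts() {  # usage: fetch_known_hosts <host> <outfile>
  ssh-keyscan "$1" > "$2"
}

# Assumption: the scan template reads a kubernetes.io/ssh-auth Secret whose
# ssh-privatekey entry holds the clone key. Uses a read-only deploy key.
create_ssh_secret() {  # usage: create_ssh_secret <private-key-file>
  kubectl create secret generic secret-ssh-auth \
    --type=kubernetes.io/ssh-auth \
    --from-file=ssh-privatekey="$1"
}

# Accept only a full 40-hex-digit commit hash so the scan is pinned to an
# exact revision rather than a moving branch or tag name.
valid_revision() {  # usage: valid_revision <revision>
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Print the SourceScan manifest to stdout; fails on a non-hash revision.
render_sourcescan() {  # usage: render_sourcescan <name> <ssh-url> <revision> <known_hosts_file>
  name=$1 url=$2 revision=$3 hosts_file=$4
  valid_revision "$revision" || { echo "bad revision: $revision" >&2; return 1; }
  cat <<EOF
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: $name
spec:
  git:
    url: $url
    revision: $revision
    knownHosts: |
EOF
  # A six-space indent keeps every host-key line inside the block scalar.
  sed 's/^/      /' "$hosts_file"
  printf '  scanTemplate: private-source-scan-template\n'
}
```

Typical use: fetch_known_hosts github.com hosts.txt, verify the fingerprints, then render_sourcescan sample-private-source-scan git@github.com:acme/website.git <commit-hash> hosts.txt > sample-private-source-scan.yaml.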

(Optional) Set up a watch

Before deploying, set up a watch in another terminal so you can see the resources being processed; the scan completes quickly:

watch kubectl get scantemplates,scanpolicies,sourcescans,imagescans,pods,jobs

For more information, see Observing and Troubleshooting.

Deploy the resources

kubectl apply -f sample-private-source-scan.yaml

View the scan status

Once the scan has completed, run:

kubectl describe sourcescan sample-private-source-scan

Notice that Status.Conditions includes Reason: JobFinished and Message: The scan job finished.

For more information, see Viewing and Understanding Scan Status Conditions.

Clean up

kubectl delete -f sample-private-source-scan.yaml

View vulnerability reports

After completing the scans, query the Supply Chain Security Tools - Store to view your vulnerability results.
