This example describes how you can perform a scan against an image located in a private registry for SCST - Scan.
If the target image pull secret is not configured yet, create a secret containing the credentials used to pull the target image you want to scan. For information about secret creation, see the Kubernetes documentation.
kubectl create secret docker-registry TARGET-REGISTRY-CREDENTIALS-SECRET \
  --docker-server=<your-registry-server> \
  --docker-username=<your-name> \
  --docker-password=<your-password> \
  --docker-email=<your-email> \
  -n DEV-NAMESPACE
Where:
- TARGET-REGISTRY-CREDENTIALS-SECRET is the name of the secret that is created.
- DEV-NAMESPACE is the developer namespace where the scanner is installed.
Update the tap-values.yaml file to include the name of the secret created earlier.
grype:
  namespace: "MY-DEV-NAMESPACE"
  targetImagePullSecret: "TARGET-REGISTRY-CREDENTIALS-SECRET"
Upgrade Tanzu Application Platform with the modified tap-values.yaml file.
tanzu package installed update tap -p tap.tanzu.vmware.com -v ${TAP-VERSION} --values-file tap-values.yaml -n tap-install
Where TAP-VERSION is the Tanzu Application Platform version.
Create sample-private-image-scan.yaml:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
  name: sample-private-image-scan
spec:
  registry:
    image: IMAGE-URL
  scanTemplate: private-image-scan-template
Where IMAGE-URL is the URL of an image in a private registry.
Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progress:
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
For more information, see Observing and Troubleshooting.
Deploy the resources:
kubectl apply -f sample-private-image-scan.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
When the scan completes, run:
kubectl describe imagescan sample-private-image-scan -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
Note: The Status.Conditions includes a Reason: JobFinished and Message: The scan job finished. See Viewing and Understanding Scan Status Conditions.
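As an added example, not code from the Tanzu Application Platform documentation, the following Python helper evaluates the status conditions of an ImageScan object as returned by `kubectl get imagescan sample-private-image-scan -n DEV-NAMESPACE -o json`, and reports whether the scan job finished, is still running, or failed. The Reason value JobFinished and the message "The scan job finished" come from the note above; the condition type name `Succeeded`, the non-finished reasons, and the sample status documents are constructed assumptions for illustration. The `kubectl` call is only made by `wait_for_scan`; everything at module level runs offline.

```python
import json
import subprocess
import time

# Values documented on the page for a completed scan.
FINISHED_REASON = "JobFinished"
FINISHED_MESSAGE = "The scan job finished"

# Constructed sample of a finished ImageScan as `kubectl get ... -o json` would return it.
# The condition type "Succeeded" is an assumption; reason and message are from the docs.
SAMPLE_FINISHED_JSON = json.dumps({
    "metadata": {"name": "sample-private-image-scan"},
    "status": {
        "conditions": [
            {"type": "Succeeded", "status": "True",
             "reason": FINISHED_REASON, "message": FINISHED_MESSAGE}
        ]
    },
})

# Constructed sample of a scan that is still running (reason/message are assumptions).
SAMPLE_PENDING_JSON = json.dumps({
    "metadata": {"name": "sample-private-image-scan"},
    "status": {
        "conditions": [
            {"type": "Succeeded", "status": "Unknown",
             "reason": "JobRunning", "message": "The scan job is running"}
        ]
    },
})


def parse_kubectl_json(text: str) -> dict:
    """Parse the JSON document printed by `kubectl get ... -o json`."""
    return json.loads(text)


def scan_state(resource: dict) -> dict:
    """Classify an ImageScan object from its status conditions.

    Returns a dict with keys finished, failed, reason, message.
    A condition whose reason is JobFinished means the scan completed;
    a condition with status "False" is treated as a failure;
    anything else is reported as still in progress.
    """
    conditions = (resource.get("status") or {}).get("conditions") or []
    for cond in conditions:
        if cond.get("reason") == FINISHED_REASON:
            return {"finished": True, "failed": False,
                    "reason": cond["reason"], "message": cond.get("message", "")}
    for cond in conditions:
        if cond.get("status") == "False":
            return {"finished": False, "failed": True,
                    "reason": cond.get("reason", ""), "message": cond.get("message", "")}
    first = conditions[0] if conditions else {}
    return {"finished": False, "failed": False,
            "reason": first.get("reason", ""), "message": first.get("message", "")}


def wait_for_scan(name: str, namespace: str, timeout_s: int = 600, interval_s: int = 10) -> dict:
    """Poll `kubectl get imagescan NAME -n NAMESPACE -o json` until the scan finishes or fails.

    Raises TimeoutError if neither happens within timeout_s. Requires kubectl on PATH
    and cluster access; not exercised by the offline samples above.
    """
    deadline = time.monotonic() + timeout_s
    while True:
        out = subprocess.run(
            ["kubectl", "get", "imagescan", name, "-n", namespace, "-o", "json"],
            check=True, capture_output=True, text=True,
        ).stdout
        state = scan_state(parse_kubectl_json(out))
        if state["finished"] or state["failed"]:
            return state
        if time.monotonic() >= deadline:
            raise TimeoutError(f"imagescan {namespace}/{name} did not finish: {state}")
        time.sleep(interval_s)


if __name__ == "__main__":
    for label, doc in (("finished", SAMPLE_FINISHED_JSON), ("pending", SAMPLE_PENDING_JSON)):
        print(label, scan_state(parse_kubectl_json(doc)))
```

In a pipeline, replace the module-level demo with `wait_for_scan("sample-private-image-scan", "DEV-NAMESPACE")` and gate the next step on `state["finished"]`; a `failed` result should surface the reason and message from the condition rather than being silently retried.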
When you have finished reviewing the scan, delete the resources:
kubectl delete -f sample-private-image-scan.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
After completing the scans, query the Supply Chain Security Tools - Store to view your vulnerability results.