Sample public source scan of a blob for Supply Chain Security Tools - Scan

You can do a public source scan of a blob for SCST - Scan. This example performs a scan against source code in a .tar.gz file. This is helpful in a Supply Chain, where there is a GitRepository step that handles cloning a repository and outputting the source code as a compressed archive.

Define the resources

Create public-blob-source-example.yaml:

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: public-blob-source-example
spec:
  blob:
    url: "https://gitlab.com/nina-data/ckan/-/archive/master/ckan-master.tar.gz"
  scanTemplate: blob-source-scan-template

(Optional) Set up a watch

Before deploying the resources to a user specified namespace, set up a watch in another terminal to view the progression:

watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

For more information, see Observing and Troubleshooting.

Deploy the resources

kubectl apply -f public-blob-source-example.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View the scan results

When the scan completes, perform:

kubectl describe sourcescan public-blob-source-example -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

Notice the Status.Conditions includes a Reason: JobFinished and Message: The scan job finished.

For more information, see Viewing and Understanding Scan Status Conditions.

Clean up

kubectl delete -f public-blob-source-example.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View vulnerability reports

After completing the scans, query the Supply Chain Security Tools - Store to view your vulnerability results.

check-circle-line exclamation-circle-line close-line
Scroll to top icon