This topic gives you an overview of Supply Chain Security Tools (SCST) - Store.
Supply Chain Security Tools - Store saves software bills of materials (SBoMs) to a database and lets you query the relationships between images, source code, packages, and vulnerabilities. It integrates with Supply Chain Security Tools - Scan to automatically store the resulting source code and image vulnerability reports. It accepts CycloneDX input and produces output in both human-readable and machine-readable formats, including JSON, text, and CycloneDX.
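To make the data model concrete, the following is an added illustration (not code from SCST - Store or the Tanzu project) of what such a store does: it ingests a CycloneDX JSON report, records the image-to-package-to-vulnerability relationships, and answers the two queries the CLI is built around (findings for an image digest, and images affected by a CVE identifier), rendering the result as JSON or text. The SBOM document, image name, digest, package versions, and CVE identifiers are all constructed placeholders; the class and method names are this example's own.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.4 JSON document standing in for a scanner's output.
# Image name, digest, package versions and CVE identifiers are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {
            "type": "container",
            "name": "registry.example/demo/app",
            "version": "sha256:0123abcd",
        }
    },
    "components": [
        {"bom-ref": "comp-1", "type": "library", "name": "openssl",
         "version": "1.1.1n", "purl": "pkg:deb/debian/openssl@1.1.1n"},
        {"bom-ref": "comp-2", "type": "library", "name": "zlib",
         "version": "1.2.11", "purl": "pkg:deb/debian/zlib@1.2.11"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "comp-1"}]},
        {"id": "CVE-0000-0002", "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "comp-2"}]},
    ],
})


class MetadataStore:
    """In-memory stand-in for a metadata store: images -> packages -> vulnerabilities."""

    def __init__(self):
        self.images = {}                        # digest -> image name
        self.image_packages = defaultdict(set)  # digest -> {purl}
        self.packages = {}                      # purl -> (name, version)
        self.package_vulns = defaultdict(set)   # purl -> {cve id}
        self.vulns = {}                         # cve id -> severity

    def ingest_cyclonedx(self, text):
        """Parse one CycloneDX JSON report and record its relationships; returns the image digest."""
        bom = json.loads(text)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError("not a CycloneDX document")
        root = bom["metadata"]["component"]
        digest = root["version"]
        self.images[digest] = root["name"]
        ref_to_purl = {}  # CycloneDX 'affects' entries point at bom-refs, not purls
        for comp in bom.get("components", []):
            purl = comp.get("purl") or comp["bom-ref"]
            ref_to_purl[comp.get("bom-ref", purl)] = purl
            self.packages[purl] = (comp["name"], comp["version"])
            self.image_packages[digest].add(purl)
        for vuln in bom.get("vulnerabilities", []):
            ratings = vuln.get("ratings") or [{}]
            self.vulns[vuln["id"]] = ratings[0].get("severity", "unknown")
            for affected in vuln.get("affects", []):
                purl = ref_to_purl.get(affected["ref"])
                if purl:  # ignore references to components not present in this BOM
                    self.package_vulns[purl].add(vuln["id"])
        return digest

    def vulnerabilities_for_image(self, digest):
        """Query by image digest: every CVE reachable through the image's packages."""
        rows = []
        for purl in sorted(self.image_packages.get(digest, ())):
            name, version = self.packages[purl]
            for cve in sorted(self.package_vulns.get(purl, ())):
                rows.append({"cve": cve, "severity": self.vulns[cve],
                             "package": name, "version": version})
        return sorted(rows, key=lambda r: r["cve"])

    def images_for_cve(self, cve):
        """Query by CVE identifier: which image digests carry an affected package."""
        return sorted(digest for digest, purls in self.image_packages.items()
                      if any(cve in self.package_vulns.get(p, ()) for p in purls))

    def report(self, digest, fmt="text"):
        """Render an image's findings as machine-readable JSON or a human-readable table."""
        rows = self.vulnerabilities_for_image(digest)
        if fmt == "json":
            return json.dumps({"image": self.images[digest], "digest": digest,
                               "vulnerabilities": rows}, indent=2)
        lines = [f"{self.images[digest]}@{digest}"]
        lines += [f"  {r['cve']:<16} {r['severity']:<9} {r['package']}@{r['version']}"
                  for r in rows]
        return "\n".join(lines)


if __name__ == "__main__":
    store = MetadataStore()
    digest = store.ingest_cyclonedx(SAMPLE_SBOM)
    print(store.report(digest))
    print(store.images_for_cve("CVE-0000-0001"))
```

The point worth noticing is the join in `images_for_cve`: because the store keeps package-to-vulnerability edges separately from image-to-package edges, a newly published CVE against a package immediately answers "which images do I ship that contain it" across every report ever ingested, which is the query that matters during incident response.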
The following is a quick demo of configuring the tanzu insight plug-in and querying the metadata store for CVEs and scan results.
The Tanzu Insight CLI plug-in is the primary way to view results from the Supply Chain Security Tools - Scan of source code and image files. Use it to query by source code commit, image digest, and CVE identifier to understand security risks.
See Tanzu Insight plug-in overview to install, configure, and use tanzu insight.
See Multicluster setup for information about how to set up SCST - Store in a multicluster setup.
Using the Supply Chain Choreographer in Tanzu Developer Portal (formerly named Tanzu Application Platform GUI), you can visualize your supply chain. It uses SCST - Store to show the packages and vulnerabilities in your source code and images.
Additional documentation includes information about the API, deployment details and configuration, AWS RDS configuration, other database backup recommendations, known issues, and other topics.