Bring your own scanner with Supply Chain Security Tools - Scan 2.0
This topic tells you how to bring your own scanner to use with Supply Chain Security Tools (SCST) - Scan 2.0.
Overview
Supply Chain Security Tools (SCST) - Scan 2.0 includes integrations with Trivy and Grype and examples for the following container image scanning tools:
You might already have invested in a scan solution for which VMware does not publish an integration. Scan 2.0 makes it straightforward to build that integration yourself. To bring your own scanner to the Tanzu Application Platform:
- Create an ImageVulnerabilityScan: Create an ImageVulnerabilityScan template that tells the Tanzu Application Platform how to run your scanner.
- Verify your ImageVulnerabilityScan: Verify that your ImageVulnerabilityScan is working correctly so that downstream Tanzu Application Platform services work correctly.
- Wrap your ImageVulnerabilityScan in a ClusterImageTemplate: The ClusterImageTemplate wraps the ImageVulnerabilityScan and allows the Tanzu Application Platform supply chain to run the scan job.
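As an added illustration of the first step, and not a manifest from this topic, here is a constructed ImageVulnerabilityScan that runs the Trivy CLI from a public image and writes a CycloneDX report to the results location that Scan 2.0 publishes. The field names follow the Scan 2.0 ImageVulnerabilityScan API as I understand it and should be checked against the CRD installed in your cluster; the namespace, image digest, registry path and service account names are placeholders.

```yaml
# Constructed example: ImageVulnerabilityScan that wraps the Trivy CLI.
# Placeholders (DEV-NAMESPACE, the digest, the registry path, the service
# account names) must be replaced with values from your environment.
apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
  name: byo-trivy-scan
  namespace: DEV-NAMESPACE
spec:
  # Always scan by digest so the result is bound to an immutable artifact,
  # not to a tag that can be repointed after the scan ran.
  image: nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000
  scanResults:
    # OCI location where Scan 2.0 pushes the report after the steps finish.
    location: registry.example.com/project/scan-results
  serviceAccountNames:
    # Least privilege: one identity that only needs to pull the target image,
    # another that only needs to push to the results location.
    scanner: scanner
    publisher: publisher
  steps:
  - name: trivy-generate-report
    # Public scanner CLI image; pin a version rather than using :latest.
    image: aquasec/trivy:0.45.1
    command: ["trivy"]
    args:
    - image
    - --format
    - cyclonedx
    - --output
    # $(params.scan-results-path) is the directory Scan 2.0 collects
    # and publishes; the report must land here to reach downstream services.
    - $(params.scan-results-path)/scan.cdx.json
    - nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000
```

The same shape applies to any other scanner CLI: change the image, command and args, and keep the report inside `$(params.scan-results-path)`.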
Prerequisites
Tanzu Application Platform users must have the following prerequisites:
- Provide a vulnerability scanner image, either by:
  - Using a publicly available image that contains the scanner CLI.
    - For example, the official Aqua image for Trivy from Docker Hub.
  - Building your own image with the scanner CLI, which allows for:
    - A more customizable scanning experience.
      - For example, you can create an image that bundles the scanner CLI with any dependencies required to run it.
    - Managing your image to meet the Tanzu Application Platform user's compliance standards.
- Know how your preferred scanner works, for example, the commands used to run a scan and retrieve its results.