This topic tells you how to enable Supply Chain Security Tools (SCST) - Scan 2.0 and an included container image scanner with the out-of-the-box test and scan supply chain. The default out-of-the-box configuration for the Testing and Scanning supply chain uses SCST - Scan 1.0, but you can switch to SCST - Scan 2.0 by following this topic.
SCST - Scan 2.0 includes two integrations for container image scanners:

| Container Image Scanner | Documentation | Template Name | Status |
|---|---|---|---|
| Aqua Trivy | Link | image-vulnerability-scan-trivy | Recommended out-of-box scanner for Scan 2.0 |
| Anchore Grype | Link | image-vulnerability-scan-grype | Alternative to Trivy that is used in Scan 1.0 |

VMware recommends using the Aqua Trivy scanner with Tanzu Application Platform for container image scanning. Anchore Grype is included as an open source alternative and for users who want to remain consistent with the default scanner in SCST - Scan 1.0. You can also build an integration for other scanners by following the Bring Your Own Scanner guide.
Before you can integrate SCST - Scan 2.0 with the out of the box supply chain:
To integrate Scan 2.0 with an OOTB supply chain using the Trivy scanner:

1. After completing the prerequisites, update your tap-values.yaml file to specify the Trivy ClusterImageTemplate. For example:

   ```yaml
   ootb_supply_chain_testing_scanning:
     image_scanner_template_name: image-vulnerability-scan-trivy
   ```

   Note: In Tanzu Application Platform v1.7 there is a known issue that causes the default Trivy scanner image to point to an inaccessible location. You can resolve this by setting ootb_supply_chain_testing_scanning.image_scanner_cli to the correct image, for example:

   ```yaml
   ootb_supply_chain_testing_scanning:
     image_scanner_template_name: image-vulnerability-scan-trivy
     image_scanner_cli:
       image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
   ```

   Because the override references the image by sha256 digest rather than by tag, the scanner image the supply chain runs is exactly the one named here and cannot be swapped underneath you by a tag update. For more information, see v1.7.0 Known issues: Supply Chain Security Tools (SCST) - Scan 2.0.

2. Update your Tanzu Application Platform installation by running:

   ```shell
   tanzu package installed update tap -p tap.tanzu.vmware.com -v TAP-VERSION --values-file tap-values.yaml -n tap-install
   ```

   Where TAP-VERSION is the version of Tanzu Application Platform installed.

3. Enable AMR and AMR Observer. Downstream Tanzu Application Platform services, such as Tanzu Developer Portal and the Tanzu CLI, depend on scan results stored in SCST - Store to display correctly. For more information, see Artifact Metadata Repository Observer for Supply Chain Security Tools - Store.

4. Verify that scanning works as expected by creating a workload. See Verify.
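As an added pre-flight check (example code written for this page, not part of Tanzu Application Platform or its documentation), the following Python lints the ootb_supply_chain_testing_scanning fragment before you run the package update: it confirms the template name is one of the two Scan 2.0 templates listed above, flags a Trivy configuration that has no image_scanner_cli override (the v1.7 known issue), and flags an image_scanner_cli.image that is not pinned by a sha256 digest. The minimal YAML parser, the sample fragments and the finding texts are constructed for this example; on a real tap-values.yaml, load the file with yaml.safe_load() instead of the stand-in parser.

```python
import re
from typing import Any, Dict, List

# Template names of the two Scan 2.0 scanner integrations listed on this page.
KNOWN_TEMPLATES = {
    "image-vulnerability-scan-trivy": "Aqua Trivy (recommended for Scan 2.0)",
    "image-vulnerability-scan-grype": "Anchore Grype (the Scan 1.0 default)",
}

# An image reference counts as pinned only if it ends in a full sha256 digest;
# a tag such as :latest can be re-pointed at a different image at any time.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse the nested `key: value` subset of YAML used by the tap-values
    fragments above (maps only, indentation-based, no lists or quoting).

    Constructed stand-in so this example runs without PyYAML; on a real
    tap-values.yaml use yaml.safe_load() instead.
    """
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Split on the first colon only: image references contain more colons.
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def check_scan2_values(values: Dict[str, Any]) -> List[str]:
    """Return findings for the Scan 2.0 settings; an empty list means OK."""
    findings: List[str] = []
    section = values.get("ootb_supply_chain_testing_scanning")
    if not isinstance(section, dict):
        return ["ootb_supply_chain_testing_scanning is missing: "
                "the supply chain stays on SCST - Scan 1.0"]

    template = section.get("image_scanner_template_name")
    if template not in KNOWN_TEMPLATES:
        findings.append(
            f"image_scanner_template_name={template!r} is not a Scan 2.0 "
            f"template (expected one of {sorted(KNOWN_TEMPLATES)})")

    cli = section.get("image_scanner_cli")
    image = cli.get("image") if isinstance(cli, dict) else None
    if image is None:
        if template == "image-vulnerability-scan-trivy":
            findings.append(
                "image_scanner_cli.image is not set: on TAP v1.7 the default "
                "Trivy image points to an inaccessible location (known issue)")
    elif not DIGEST_RE.search(image):
        findings.append(
            f"image_scanner_cli.image is not pinned by sha256 digest: {image}")
    return findings


# Constructed sample fragments; the first mirrors the known-issue workaround above.
GOOD_VALUES = """\
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanner_cli:
    image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
"""

# Mis-spelled template name and a mutable :latest tag (constructed).
BAD_VALUES = """\
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivvy
  image_scanner_cli:
    image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages:latest
"""

# Trivy selected with no image override: hits the v1.7 known issue (constructed).
NO_OVERRIDE_VALUES = """\
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
"""

if __name__ == "__main__":
    samples = [("good", GOOD_VALUES), ("bad", BAD_VALUES),
               ("no-override", NO_OVERRIDE_VALUES)]
    for name, text in samples:
        for finding in check_scan2_values(parse_simple_yaml(text)) or ["OK"]:
            print(f"{name}: {finding}")
```

Run it against your own file with check_scan2_values(yaml.safe_load(open("tap-values.yaml"))) and treat any finding as a reason to stop before step 2; a template typo silently leaves the supply chain without a scan step, and an unpinned scanner image means the tool that produces your vulnerability results is not itself under change control.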