Enable App Scanning for default Test and Scan supply chains

This topic tells you how to enable Supply Chain Security Tools (SCST) - Scan 2.0 and an included container image scanner for Out of the Box Supply Chain with Testing and Scanning. The default configuration for Out of the Box Supply Chain with Testing and Scanning is SCST - Scan 1.0.

Overview

SCST - Scan 2.0 includes two integrations for container image scanners:

Container Image Scanner   Documentation   Cluster Image Template Name       Description
Aqua Trivy                Link            image-vulnerability-scan-trivy    Recommended scanner for SCST - Scan 2.0
Anchore Grype             Link            image-vulnerability-scan-grype    Alternative to Trivy; the scanner used in SCST - Scan 1.0

VMware recommends using the Aqua Trivy scanner with Tanzu Application Platform for container image scanning. If you want to remain consistent with the default scanner in SCST - Scan 1.0, Anchore Grype is included as an open-source alternative. You can also build an integration for other scanners. For more information, see Bring your own scanner with SCST - Scan 2.0.

Prerequisites

Before you can integrate SCST - Scan 2.0 with the out-of-the-box supply chain, install the Scan 2.0 component because this component is not included in any of the installation profiles.

Integrate with OOTB supply chain

To integrate Scan 2.0 with an out-of-the-box supply chain using the Trivy scanner:

  1. After completing the prerequisites, update your tap-values.yaml file to specify the Trivy ClusterImageTemplate. For example:

    ootb_supply_chain_testing_scanning:
      image_scanner_template_name: image-vulnerability-scan-trivy
    

    In Tanzu Application Platform v1.7 there is a known issue that causes the default Trivy scanner image to point to an inaccessible location. You can resolve this by setting ootb_supply_chain_testing_scanning.image_scanner_cli.image to the correct image. Note that image_scanner_cli is a sibling of image_scanner_template_name, not nested under it. For example:

    ootb_supply_chain_testing_scanning:
      image_scanner_template_name: image-vulnerability-scan-trivy
      image_scanner_cli:
        image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
    
  2. Update your Tanzu Application Platform installation by running:

    tanzu package installed update tap -p tap.tanzu.vmware.com -v TAP-VERSION --values-file \
      tap-values.yaml -n tap-install
    

    Where TAP-VERSION is the version of Tanzu Application Platform installed.

  3. Enable AMR and AMR Observer. Downstream Tanzu Application Platform services, such as Tanzu Developer Portal and Tanzu CLI, depend on scan results stored in SCST - Store to display correctly. For more information, see Artifact Metadata Repository Observer for SCST - Store.

  4. Verify scanning with the Supply Chain integration.
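Before running the package update in step 2, it is worth checking that the scanning block of tap-values.yaml is well formed: a nesting mistake in the image_scanner_cli override is easy to make and a digest-pinned scanner image is what you want for supply-chain integrity. The following is an added example, not part of this topic or of Tanzu Application Platform; it assumes the fragment only contains nested mappings with scalar values, and it treats digest pinning as a recommendation rather than a product requirement.

```python
import re

# ClusterImageTemplate names shipped with SCST - Scan 2.0 (from the table in this topic).
KNOWN_TEMPLATES = {"image-vulnerability-scan-trivy", "image-vulnerability-scan-grype"}
# Assumption: an image_scanner_cli override should be pinned by digest, not a mutable tag.
DIGEST_REF = re.compile(r"^\S+@sha256:[0-9a-f]{64}$")

def parse_mappings(text):
    # Minimal parser for nested YAML mappings with scalar leaves; like a real YAML parser it rejects a key nested under a scalar.
    stack = [(None, {})]  # (indent of this mapping's keys, mapping)
    last_key, last_indent, last_scalar = None, -1, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = (s.strip() for s in raw.partition(":"))
        if last_key is not None and indent > last_indent:  # opening a child mapping
            if last_scalar:
                raise ValueError(f"line {lineno}: key nested under scalar {last_key!r}")
            stack[-1][1][last_key] = child = {}
            stack.append((indent, child))
        else:  # same level or dedent: back out to the mapping keyed at this indent
            while len(stack) > 1 and indent < stack[-1][0]:
                stack.pop()
            if stack[-1][0] is None:
                stack[-1] = (indent, stack[-1][1])
        stack[-1][1][key] = value or None
        last_key, last_indent, last_scalar = key, indent, bool(value)
    return stack[0][1]

def check_scanner_values(text):
    try:
        block = parse_mappings(text).get("ootb_supply_chain_testing_scanning")
    except ValueError as exc:
        return [f"invalid YAML structure: {exc}"]
    block = block if isinstance(block, dict) else {}
    template = block.get("image_scanner_template_name")
    problems = [] if template in KNOWN_TEMPLATES else [f"{template!r} is not a Scan 2.0 template"]
    cli = block.get("image_scanner_cli")
    if cli is not None and not DIGEST_REF.match(str(cli.get("image") if isinstance(cli, dict) else "")):
        problems.append("image_scanner_cli.image is not a digest-pinned reference (<image>@sha256:<64 hex>)")
    return problems

GOOD = """ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanner_cli:
    image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
"""  # constructed: the corrected v1.7 fragment from this topic
BAD_INDENT = GOOD.replace("\n  image_scanner_cli:", "\n    image_scanner_cli:")  # constructed: override nested under the template key
UNPINNED = GOOD.split("@sha256:")[0] + ":latest\n"  # constructed: mutable tag instead of a digest
```

Running check_scanner_values over each fragment returns an empty list for GOOD, a structure error naming line 3 for BAD_INDENT, and the digest-pinning problem for UNPINNED.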
