Enable App Scanning for default Test and Scan supply chains

This topic tells you how to enable Supply Chain Security Tools (SCST) - Scan 2.0, with one of its included container image scanners, in the out-of-the-box (OOTB) Testing and Scanning supply chain. By default that supply chain uses SCST - Scan 1.0; follow the steps in this topic to switch it to SCST - Scan 2.0.

Overview

SCST - Scan 2.0 includes two integrations for container image scanners:

  • Anchore Grype
  • Aqua Trivy

VMware recommends the Aqua Trivy scanner for container image scanning with Tanzu Application Platform. Anchore Grype is included as an open source alternative and for users who want to stay consistent with the default scanner in SCST - Scan 1.0. You can also integrate other scanners by following the Bring Your Own Scanner guide.

Container image scanner   Documentation   Template name                     Status
Aqua Trivy                Link            image-vulnerability-scan-trivy    Recommended out-of-box scanner for Scan 2.0
Anchore Grype             Link            image-vulnerability-scan-grype    Alternative to Trivy; the scanner used in Scan 1.0

Prerequisites

Before you can integrate SCST - Scan 2.0 with the out-of-the-box supply chain:

Integrate with OOTB supply chain

To integrate Scan 2.0 with an OOTB supply chain using the Trivy scanner:

  1. After completing the prerequisites, update your tap-values.yaml file to specify the Trivy ClusterImageTemplate. For example:

    ootb_supply_chain_testing_scanning:
      image_scanner_template_name: image-vulnerability-scan-trivy
    
    Note

    In Tanzu Application Platform v1.7 there is a known issue that causes the default Trivy scanner image to point to an inaccessible location. You can resolve this by setting ootb_supply_chain_testing_scanning.image_scanner_cli.image to the correct image, pinned by digest, for example:

    ootb_supply_chain_testing_scanning:
      image_scanner_template_name: image-vulnerability-scan-trivy
      image_scanner_cli:
        image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
    

    For more information, see v1.7.0 Known issues: Supply Chain Security Tools (SCST) - Scan 2.0.

  2. Update your Tanzu Application Platform installation by running:

    tanzu package installed update tap -p tap.tanzu.vmware.com -v TAP-VERSION --values-file tap-values.yaml -n tap-install
    

    Where TAP-VERSION is the version of Tanzu Application Platform installed.

  3. Enable AMR and AMR Observer.

    Scan 2.0 results reach SCST - Store through AMR Observer, and downstream Tanzu Application Platform services, such as Tanzu Developer Portal and the Tanzu CLI, depend on scan results stored in SCST - Store to display correctly. For more information, see Artifact Metadata Repository Observer for Supply Chain Security Tools - Store.

  4. Verify the scan capability is working as expected by creating a workload. See Verify.
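The following script is an added example, not part of the Tanzu Application Platform documentation or of the tap package. It sanity-checks the ootb_supply_chain_testing_scanning block of a tap-values.yaml before you run the package update in step 2: it confirms that image_scanner_template_name is one of the two Scan 2.0 templates listed above and, if an image_scanner_cli.image override is present (as in the v1.7 workaround), that the reference is pinned by sha256 digest rather than a mutable tag. It assumes only POSIX sh, awk and grep (no yq), and the sample values file it writes is constructed inline from the page's own fragment; the function names are the example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Scan 2.0 settings in tap-values.yaml.
# Not from the TAP docs; assumes POSIX sh + awk + grep only.

# Constructed sample values file (same content as the page's v1.7 workaround).
write_sample_values() {
  cat > "$1" <<'EOF'
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanner_cli:
    image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
EOF
}

# Print the value of an indented "key:" line that sits under the
# ootb_supply_chain_testing_scanning top-level key; prints nothing if absent.
# Top-level keys start in column 1, so any such line starts or ends the section.
ootb_value() {
  awk -v key="$2" '
    /^[^ ]/ { in_section = ($0 ~ /^ootb_supply_chain_testing_scanning:/) }
    in_section && $1 == (key ":") { print $2; exit }
  ' "$1"
}

# Return 0 if the template is one of the two Scan 2.0 templates documented above.
# A Bring Your Own Scanner template would need to be added to this list.
check_template() {
  case "$1" in
    image-vulnerability-scan-trivy|image-vulnerability-scan-grype) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the image reference is digest-pinned: <repo>@sha256:<64 hex chars>.
# A tag (":latest", ":1.7.0") is mutable and does not satisfy this check.
check_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Run all checks on a values file; print findings and return 0 only if all pass.
check_values_file() {
  f="$1"; rc=0
  tmpl=$(ootb_value "$f" image_scanner_template_name)
  if check_template "$tmpl"; then
    echo "OK   image_scanner_template_name=$tmpl"
  else
    echo "FAIL image_scanner_template_name='$tmpl' is not a Scan 2.0 template"; rc=1
  fi
  img=$(ootb_value "$f" image)
  if [ -z "$img" ]; then
    echo "INFO no image_scanner_cli.image override; the package default will be used"
  elif check_digest_pinned "$img"; then
    echo "OK   image_scanner_cli.image is pinned by sha256 digest"
  else
    echo "FAIL image_scanner_cli.image is not digest-pinned: $img"; rc=1
  fi
  return $rc
}

# Stand-alone demo: write the constructed sample and check it.
demo() {
  tmp=$(mktemp)
  write_sample_values "$tmp"
  check_values_file "$tmp"; rc=$?
  rm -f "$tmp"
  return $rc
}
```

Run `check_values_file tap-values.yaml` before step 2; a non-zero exit means the file should be corrected first. The digest check is deliberately strict because the scanner image is part of the supply chain's trusted computing base: a tag can be re-pointed after the fact, a digest cannot.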
