You can do a public source scan of a blob for SCST - Scan. This example performs a scan against source code in a .tar.gz
file. This is helpful in a Supply Chain, where there is a GitRepository
step that handles cloning a repository and outputting the source code as a compressed archive.
Create public-blob-source-example.yaml
:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
name: public-blob-source-example
spec:
blob:
url: "https://gitlab.com/nina-data/ckan/-/archive/master/ckan-master.tar.gz"
scanTemplate: blob-source-scan-template
Before deploying the resources to a user specified namespace, set up a watch in another terminal to view the progression:
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.
For more information, see Observing and Troubleshooting.
kubectl apply -f public-blob-source-example.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.
When the scan completes, perform:
kubectl describe sourcescan public-blob-source-example -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.
Notice the Status.Conditions
includes a Reason: JobFinished
and Message: The scan job finished
.
For more information, see Viewing and Understanding Scan Status Conditions.
kubectl delete -f public-blob-source-example.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.
After completing the scans, query the Supply Chain Security Tools - Store to view your vulnerability results.