Sample public source scan of a blob for Supply Chain Security Tools - Scan
You can do a public source scan of a blob for Supply Chain Security Tools (SCST) - Scan. This example performs a scan against source code in a .tar.gz file. This is helpful in a supply chain, where there is a GitRepository step that handles cloning a repository and exporting the source code as a compressed archive.
Define the resources
Create public-blob-source-example.yaml with this content:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
name: public-blob-source-example
spec:
blob:
url: "https://gitlab.com/nina-data/ckan/-/archive/master/ckan-master.tar.gz"
scanTemplate: blob-source-scan-template
(Optional) Set up a watch
Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression by running:
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
For more information, see Observing and Troubleshooting.
Deploy the resources
Deploy the resources by running:
kubectl apply -f public-blob-source-example.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
View the scan results
After the scan finishes, view the results:
- Print the scan results by running:
kubectl describe sourcescan public-blob-source-example -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
- Verify that
Status.Conditionsincludes aReason: JobFinishedandMessage: The scan job finished. For more information, see Viewing and Understanding Scan Status Conditions.
Clean up
Clean up by running:
kubectl delete -f public-blob-source-example.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
View vulnerability reports
After completing the scans, query the Supply Chain Security Tools - Store to view your vulnerability results.
