Sample private source scan for Supply Chain Security Tools - Scan
This example shows how you can perform a private source scan for Supply Chain Security Tools (SCST) - Scan.
Define the resources
To define resources:
-
Create a Kubernetes secret with an SSH key for cloning a Git repository. See the Kubernetes documentation.
cat <<EOF | kubectl create -f - apiVersion: v1 kind: Secret metadata: name: SECRET-SSH-AUTH namespace: DEV-NAMESPACE annotations: tekton.dev/git-0: https://github.com tekton.dev/git-1: https://gitlab.com type: kubernetes.io/ssh-auth stringData: ssh-privatekey: | -----BEGIN OPENSSH PRIVATE KEY----- .... .... -----END OPENSSH PRIVATE KEY----- EOFWhere:
SECRET-SSH-AUTHis the name of the secret that is created.DEV-NAMESPACEis the developer namespace where the scanner is installed..stringData.ssh-privatekeycontains the private key with pull permissions.
-
Update the
tap-values.yamlfile to include the name of secret created.grype: targetSourceSshSecret: "SECRET-SSH-AUTH" -
Upgrade Tanzu Application Platform with the modified
tap-values.yamlfile.tanzu package installed update tap -p tap.tanzu.vmware.com -v ${TAP-VERSION} --values-file \ tap-values.yaml -n tap-installWhere
TAP-VERSIONis the Tanzu Application Platform version. -
Create
sample-private-source-scan.yaml:--- apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: SourceScan metadata: name: sample-private-source-scan spec: git: url: URL revision: REVISION knownHosts: | KNOWN-HOSTS scanTemplate: private-source-scan-templateWhere:
URLis the Git clone repository using SSH.REVISIONis the commit hash.KNOWN-HOSTSare the SSH client stored host keys generated by ssh-keyscan.
For example,
ssh-keyscan github.comproduces:github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl--- apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: SourceScan metadata: name: sample-private-source-scan spec: git: url: [email protected]:acme/website.git revision: 25as5e7df56c6401111be514a2f3666179ba04d0 knownHosts: | 10.254.171.53 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItb POVVQF/CzuAeQNv4fZVf2pLxpGHle15zkpxOosckequUDxoq scanTemplate: private-source-scan-template
(Optional) Set up a watch
Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression by running:
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
See Observing and Troubleshooting.
Deploy the resources
Deploy the resources by running:
kubectl apply -f sample-private-source-scan.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
View the scan status
To view the scan status:
-
After the scan has finished, run:
kubectl describe sourcescan sample-private-source-scan -n DEV-NAMESPACEWhere
DEV-NAMESPACEis the developer namespace where the scanner is installed. -
Verify that
Status.ConditionsincludesReason: JobFinishedandMessage: The scan job finished. For more information, see Viewing and Understanding Scan Status Conditions.
Clean up
Clean up by running:
kubectl delete -f sample-private-source-scan.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
View vulnerability reports
After completing the scans, query the Supply Chain Security Tools - Store to view your vulnerability results.
