This topic includes an example public image scan with compliance check for SCST - Scan.
The following example performs an image scan on an image in a public registry. This image revision has 223 known vulnerabilities (CVEs), spanning a number of severities. ImageScan uses the ScanPolicy to run a compliance check against the CVEs.
The policy in this example is set to only consider Critical
severity CVEs as a violation, which returns 21 Critical Severity Vulnerabilities.
NoteThis example ScanPolicy is deliberately constructed to showcase the features available and must not be considered an acceptable base policy.
In this example, the scan does the following:
Status.Conditions
that 21 CVEs have violated policy complianceCreate sample-public-image-scan-with-compliance-check.yaml
:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
name: sample-scan-policy
labels:
'app.kubernetes.io/part-of': 'enable-in-gui'
spec:
regoFile: |
package main
# Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
notAllowedSeverities := ["Critical"]
ignoreCves := []
contains(array, elem) = true {
array[_] = elem
} else = false { true }
isSafe(match) {
severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
some i
fails := contains(notAllowedSeverities, severities[i])
not fails
}
isSafe(match) {
ignore := contains(ignoreCves, match.id)
ignore
}
deny[msg] {
comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
some i
comp := comps[i]
vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
some j
vuln := vulns[j]
ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
not isSafe(vuln)
msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
}
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
name: sample-public-image-scan-with-compliance-check
spec:
registry:
image: "nginx:1.16"
scanTemplate: public-image-scan-template
scanPolicy: sample-scan-policy
Before deploying the resources to a user specified namespace, set up a watch in another terminal to view the progression:
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.
For more information about setting up a watch, see Observing and Troubleshooting.
kubectl apply -f sample-public-image-scan-with-compliance-check.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.
kubectl describe imagescan sample-public-image-scan-with-compliance-check -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.
NoteThe
Status.Conditions
includes aReason: EvaluationFailed
andMessage: Policy violated because of 21 CVEs
.
For more information about scan status conditions, see Viewing and Understanding Scan Status Conditions.
To edit the Scan Policy, see Step 5: Sample Public Source Code Scan with Compliance Check.
To clean up, run:
kubectl delete -f sample-public-image-scan-with-compliance-check.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE
is the developer namespace where the scanner is installed.