This topic tells you how to verify an ImageVulnerabilityScan without a Supply Chain integration.

After you build an ImageVulnerabilityScan to bring your own scanner, you can validate its capabilities to verify the integration. Ensure that the scan integration is working correctly so that downstream services such as AMR Observer, Tanzu Developer Portal, and the insight CLI can use the scan results.
To verify that you can scan an image by using your ImageVulnerabilityScan:

1. Deploy your ImageVulnerabilityScan to the cluster by running:

   ```
   kubectl apply -f image-vulnerability-scan.yaml -n DEV-NAMESPACE
   ```

   Where DEV-NAMESPACE is the name of the developer namespace you want to use.

2. Child resources are created. View the child PipelineRun, TaskRuns, and pods by running:

   ```
   kubectl get -l imagevulnerabilityscan pipelinerun,taskrun,pod -n DEV-NAMESPACE
   ```

3. When the scan finishes, its status is shown. Specify -o wide to see the digest of the scanned image and the location of the published results by running:

   ```
   kubectl get imagevulnerabilityscans -n DEV-NAMESPACE -o wide
   ```

   The following is an example of the expected output:

   ```
   NAME                 SCANRESULT                                  SCANNEDIMAGE            SUCCEEDED   REASON
   generic-image-scan   registry/project/scan-results@digest        nginx:latest@digest     True        Succeeded
   ```
Scan results are uploaded to the container image registry as an imgpkg bundle. To retrieve a vulnerability report:

1. Retrieve the result location from the ImageVulnerabilityScan CR status:

   ```
   SCAN_RESULT_URL=$(kubectl get imagevulnerabilityscan my-scan -n DEV-NAMESPACE -o \
   jsonpath='{.status.scanResult}')
   ```

2. Download the bundle to a local directory and list its content by running:

   ```
   imgpkg pull -b $SCAN_RESULT_URL -o scan-results/
   ls scan-results/
   ```
After retrieving the scan results, you must verify that they are in a format that downstream Tanzu Application Platform services such as AMR Observer support. AMR Observer supports the following SBOM formats and versions:

| SBOM Formats | Versions      |
|--------------|---------------|
| CycloneDX    | 1.2, 1.3, 1.4 |
| SPDX         | 2.2           |

VMware recommends validating the scan results by using the CycloneDX tool sbom-utility. This tool validates CycloneDX and SPDX BOMs against versioned schemas.

Caution: The output of the scan must be valid according to the SPDX or CycloneDX specification. If it is not, it might still be parsed correctly, but VMware cannot guarantee that it is. If the output is not parsed correctly, results might not appear accurately in Tanzu Developer Portal and the Tanzu Application CLI.
To validate a scan format with sbom-utility:

1. Run the sbom-utility CLI with the validate subcommand to validate the scan report against its declared format (SPDX or CycloneDX) and version, by running:

   ```
   ./sbom-utility validate -i SCAN-REPORT-FILE-NAME
   ```

   Where SCAN-REPORT-FILE-NAME is the name of the scan report.

   For example:
   ```
   sbom-utility-v0.11.0-darwin-amd64 % ./sbom-utility validate -i scan-results/scan.json
   Welcome to the sbom-utility! Version `v0.11.0` (sbom-utility) (darwin/amd64)
   ============================================================================
   [INFO] Loading license policy config file: `license.json`...
   [WARN] Invalid flag for command: `output-file` (`o`). Ignoring...
   [INFO] Attempting to load and unmarshal file `/Users/lrobin/go/src/gitlab/app-scanning/scan-results-grype-cyclonedx-json/scan.json`...
   [INFO] Successfully unmarshalled data from: `/Users/lrobin/go/src/gitlab/app-scanning/scan-results-grype-cyclonedx-json/scan.json`
   [INFO] Determining file's SBOM format and version...
   [INFO] Determined SBOM format, version (variant): `CycloneDX`, `1.4` (latest)
   [INFO] Matching SBOM schema (for validation): schema/cyclonedx/1.4/bom-1.4.schema.json
   [INFO] Loading schema `schema/cyclonedx/1.4/bom-1.4.schema.json`...
   [INFO] Schema `schema/cyclonedx/1.4/bom-1.4.schema.json` loaded.
   [INFO] Validating `/Users/lrobin/go/src/gitlab/app-scanning/scan-results-grype-cyclonedx-json/scan.json`...
   [INFO] SBOM valid against JSON schema: `true`
   ```
Important: The sbom-utility only accepts JSON as input. Your scan report must be a JSON file to use this tool.
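The schema check above tells you whether a report is well-formed, but not whether its declared format and version are ones AMR Observer accepts. The following shell script is an added example, not part of the Tanzu documentation or the sbom-utility project: it inspects a scan report with only grep and sed (no jq), confirms the file is JSON (which sbom-utility requires), reads the declared format and version, and reports whether the pair is in the supported table (CycloneDX 1.2, 1.3, 1.4 or SPDX 2.2). The sample reports it writes to a temporary directory are constructed for the example and are not real scanner output; the function names sbom_format_version and sbom_supported are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the Tanzu docs): a pre-check to run on a downloaded
# scan report before invoking sbom-utility validate. It relies only on grep,
# sed, tr and cut, so it works without jq.

# Print "<format> <version>", e.g. "CycloneDX 1.4" or "SPDX 2.2".
# Prints "not-json" or "unknown" and returns 1 when the report cannot be used.
sbom_format_version() {
  file="$1"
  # sbom-utility only accepts JSON: reject anything whose first non-blank
  # byte is not '{' (for example SPDX tag-value or XML CycloneDX).
  first=$(tr -d ' \n\r\t' < "$file" | cut -c1)
  if [ "$first" != "{" ]; then
    echo "not-json"
    return 1
  fi
  # CycloneDX JSON declares "bomFormat": "CycloneDX" and "specVersion": "x.y".
  if grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file"; then
    ver=$(grep -o '"specVersion"[[:space:]]*:[[:space:]]*"[^"]*"' "$file" \
      | head -n1 | sed 's/.*"\([^"]*\)"$/\1/')
    echo "CycloneDX ${ver:-?}"
    return 0
  fi
  # SPDX JSON declares "spdxVersion": "SPDX-x.y".
  if grep -q '"spdxVersion"' "$file"; then
    ver=$(grep -o '"spdxVersion"[[:space:]]*:[[:space:]]*"SPDX-[^"]*"' "$file" \
      | head -n1 | sed 's/.*"SPDX-\([^"]*\)"$/\1/')
    echo "SPDX ${ver:-?}"
    return 0
  fi
  echo "unknown"
  return 1
}

# Return 0 when the declared format/version pair is one AMR Observer supports.
sbom_supported() {
  case "$(sbom_format_version "$1")" in
    "CycloneDX 1.2"|"CycloneDX 1.3"|"CycloneDX 1.4"|"SPDX 2.2") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample reports (minimal stand-ins, not real scanner output).
tmpdir=$(mktemp -d)
cat > "$tmpdir/cdx14.json" <<'EOF'
{ "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [] }
EOF
cat > "$tmpdir/cdx15.json" <<'EOF'
{ "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [] }
EOF
cat > "$tmpdir/spdx22.json" <<'EOF'
{ "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "scan" }
EOF
cat > "$tmpdir/spdx.tv" <<'EOF'
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
EOF

# Walk the samples: supported reports are the ones worth passing to sbom-utility.
for f in cdx14.json cdx15.json spdx22.json spdx.tv; do
  if sbom_supported "$tmpdir/$f"; then
    echo "$f: $(sbom_format_version "$tmpdir/$f") -> supported; next: ./sbom-utility validate -i $f"
  else
    echo "$f: $(sbom_format_version "$tmpdir/$f") -> not supported by AMR Observer"
  fi
done
```

To use this on a real report, call sbom_supported on the file pulled with imgpkg (for example scan-results/scan.json) and only then run sbom-utility validate; a CycloneDX 1.5 report passes the schema check but still fails this pre-check because 1.5 is not in the supported table.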