This topic tells you how to bring your own scanner to use with Supply Chain Security Tools (SCST) - Scan 2.0.
SCST - Scan 2.0 includes integrations with Trivy and Grype, and examples for the following container image-scanning tools:
You might have a scan solution that VMware does not have a published integration with. You can integrate this scan solution with SCST - Scan 2.0. To use your own scanner:

1. Create an ImageVulnerabilityScan template that tells Tanzu Application Platform how to run your scanner. For more information, see Customize an ImageVulnerabilityScan.
2. Verify that the ImageVulnerabilityScan is working correctly so that downstream Tanzu Application Platform services work correctly. For more information, see Verify an ImageVulnerabilityScan.
3. Wrap the ImageVulnerabilityScan in a ClusterImageTemplate. The ClusterImageTemplate wraps the ImageVulnerabilityScan and allows the Tanzu Application Platform supply chain to run the scan job. For more information, see Author a ClusterImageTemplate for Supply Chain integration.

Before you begin, you must know how your preferred scanner works, for example, which commands run a scan and return its results. You must also use one of these methods to provide a vulnerability scanner image: