Enable App Scanning for default Test and Scan supply chains
This topic tells you how to enable Supply Chain Security Tools (SCST) - Scan 2.0 and an included container image scanner for Out of the Box Supply Chain with Testing and Scanning. The default configuration for Out of the Box Supply Chain with Testing and Scanning is SCST - Scan 1.0.
Overview
SCST - Scan 2.0 includes two integrations for container image scanners:
| Container Image Scanner | Documentation | Cluster Image Template Name | Status |
|---|---|---|---|
| Aqua Trivy | Link | image-vulnerability-scan-trivy |
Recommended scanner for SCST - Scan 2.0 |
| Anchore Grype | Link | image-vulnerability-scan-grype |
Alternative to Trivy that is used in SCST - Scan 1.0 |
VMware recommends using Aqua Trivy scanner with Tanzu Application Platform for container image scanning. If you want to remain consistent with the default scanner in SCST - Scan 1.0, Anchore Grype is included as an open-source alternative. Additionally, you can build an integration for additional scanners. For more information, see Bring your own scanner with Supply Chain Security Tools - Scan 2.0.
Enable with OOTB supply chain
To enable SCST - Scan 2.0 with an OOTB supply chain using the Trivy scanner:
-
Update your
tap-values.yamlfile to specify the TrivyClusterImageTemplate. For example:ootb_supply_chain_testing_scanning: image_scanner_template_name: image-vulnerability-scan-trivy -
(Optional) In Tanzu Application Platform v1.8 if you are using a vulnerability scanner other than Trivy, you must specify the registry location of the container image to use for scanning. For example, if you are using the Grype template, set
ootb_supply_chain_testing_scanning.image_scanning_clito the Grype image, for example,ootb_supply_chain_testing_scanning: image_scanner_template_name: image-vulnerability-scan-grype image_scanning_cli: image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages@sha256:feb1cdbd5c918aae7a89bdb2aa39d486bf6ffc81000764b522842e5934578497This example uses the packaged Grype image, but you can also use images from public repositories such as
anchore/grype:latest. -
Update your Tanzu Application Platform installation by running:
tanzu package installed update tap -p tap.tanzu.vmware.com -v TAP-VERSION --values-file tap-values.yaml -n tap-installWhere
TAP-VERSIONis the version of Tanzu Application Platform installed. -
Verify the scan capability is working as expected by creating a workload. See Verify scanning with Supply Chain integration.
