This topic gives you an example of how to configure a secret and an ImageVulnerabilityScan (IVS) for Carbon Black.

This section contains a sample secret that holds the Carbon Black credentials normally kept in the ~/.cbctl/cbctl.yaml configuration file. These credentials are used to authenticate to your Carbon Black account. You can find them in the Carbon Black console. For more information, see the Carbon Black documentation. You must apply this secret once to your developer namespace.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cbctl-creds
stringData:
  cbctl: |
    cb_api_id: CB-API-ID
    cb_api_key: CB-API-KEY
    org_key: ORG-KEY
    saas_url: SAAS-URL
```
Where:

- CB-API-ID is the API ID obtained from Carbon Black Cloud.
- CB-API-KEY is the API Key obtained from Carbon Black.
- ORG-KEY is the Org Key for your Carbon Black organization.
- SAAS-URL is the Carbon Black Backend URL.

This section contains a sample IVS that uses Carbon Black to scan a targeted image and push the results to the specified registry location. For information about the IVS specification, see Configuration options.
Set enable-api-fields to alpha in the feature-flags configmap of the tekton-pipelines namespace. This lets you use stdoutConfig, which is needed to export the scan report as a file.
```yaml
apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
  name: carbon-black-ivs
  annotations:
    app-scanning.apps.tanzu.vmware.com/scanner-name: Carbon-Black
spec:
  image: nginx@sha256:... # The image to be scanned. Digest must be specified.
  scanResults:
    location: registry/project/scan-results
  serviceAccountNames:
    publisher: publisher
    scanner: scanner
  workspace:
    bindings:
    - name: cbctl
      secret:
        secretName: cbctl-creds
        items:
        - key: cbctl
          path: .cbctl.yaml
  steps:
  - name: carbon-black
    image: CARBON-BLACK-SCANNER-IMAGE
    imagePullPolicy: IfNotPresent
    command:
    - cbctl
    - image
    - scan
    - --force=true
    - $(params.image)
    - --config
    - /cbctl/.cbctl.yaml
    - -ocyclonedx
    stdoutConfig:
      path: /workspace/scan-results/scan-results.cdx.xml
```
Where CARBON-BLACK-SCANNER-IMAGE is the Carbon Black scanner image, for example cbartifactory/cbctl:latest.

For information about publicly available Carbon Black images, see DockerHub. For more information about using the Carbon Black Scanner CLI, see the Carbon Black documentation.
The Carbon Black cbctl-creds secret is mounted as a workspace binding, and the credentials are written into the .cbctl.yaml configuration file that the Carbon Black CLI reads through its --config flag.

stdoutConfig.path directs the standard output of the step into a file under the scan-results workspace, from where the publisher can push it to the registry. For more information, see the Tekton documentation.
For the publicly available Carbon Black scanner CLI image, the CLI commands and parameters used are accurate at the time of documentation.
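The secret and the IVS above have to agree with each other in several places: the secret item's mount path must match the --config argument, the image must be digest-pinned, and stdoutConfig.path must land in the scan-results workspace. The following script is an added example (not code from the TAP documentation or from the Carbon Black project) that checks those invariants before the manifests are applied. It embeds constructed copies of the two manifests as Python dicts, in the shape yaml.safe_load would return; the function names, the `/<binding-name>/<item-path>` mount convention and the `/workspace/scan-results/` prefix are assumptions taken from the sample, not a documented API.

```python
"""Added example: consistency checks for a Carbon Black IVS and its secret."""
import copy
import re

# Digest-pinned reference: <name>@sha256:<64 hex digits>
DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")
# Heuristic for doc placeholders such as CB-API-ID left unreplaced
PLACEHOLDER_RE = re.compile(r"^[A-Z][A-Z-]*$")
REQUIRED_CBCTL_KEYS = ("cb_api_id", "cb_api_key", "org_key", "saas_url")

# Constructed secret mirroring the page's sample (placeholders kept on purpose)
SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "cbctl-creds"},
    "stringData": {
        "cbctl": "cb_api_id: CB-API-ID\ncb_api_key: CB-API-KEY\n"
                 "org_key: ORG-KEY\nsaas_url: SAAS-URL\n"
    },
}

# Constructed IVS mirroring the page's sample; the digest is a dummy value
IVS = {
    "apiVersion": "app-scanning.apps.tanzu.vmware.com/v1alpha1",
    "kind": "ImageVulnerabilityScan",
    "metadata": {"name": "carbon-black-ivs"},
    "spec": {
        "image": "nginx@sha256:" + "0" * 64,
        "scanResults": {"location": "registry/project/scan-results"},
        "serviceAccountNames": {"publisher": "publisher", "scanner": "scanner"},
        "workspace": {"bindings": [
            {"name": "cbctl",
             "secret": {"secretName": "cbctl-creds",
                        "items": [{"key": "cbctl", "path": ".cbctl.yaml"}]}}]},
        "steps": [{
            "name": "carbon-black",
            "image": "CARBON-BLACK-SCANNER-IMAGE",
            "command": ["cbctl", "image", "scan", "--force=true", "$(params.image)",
                        "--config", "/cbctl/.cbctl.yaml", "-ocyclonedx"],
            "stdoutConfig": {"path": "/workspace/scan-results/scan-results.cdx.xml"},
        }],
    },
}


def parse_cbctl_config(text):
    """Parse the flat 'key: value' lines of the embedded cbctl.yaml block scalar."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_secret(secret):
    """Report missing keys and unreplaced placeholders in stringData.cbctl."""
    text = secret.get("stringData", {}).get("cbctl")
    if text is None:
        return ["Secret has no stringData.cbctl entry"]
    cfg = parse_cbctl_config(text)
    problems = []
    missing = [k for k in REQUIRED_CBCTL_KEYS if k not in cfg]
    if missing:
        problems.append("cbctl.yaml missing keys: " + ", ".join(missing))
    unreplaced = [k for k in REQUIRED_CBCTL_KEYS if PLACEHOLDER_RE.match(cfg.get(k, ""))]
    if unreplaced:
        problems.append("cbctl.yaml still holds placeholders: " + ", ".join(unreplaced))
    return problems


def mounted_config_paths(ivs, secret):
    """Container paths where the secret's items land (assumed /<binding>/<item path>)."""
    paths = []
    for binding in ivs["spec"].get("workspace", {}).get("bindings", []):
        sec = binding.get("secret")
        if not sec or sec.get("secretName") != secret["metadata"]["name"]:
            continue
        for item in sec.get("items", []):
            if item["key"] in secret.get("stringData", {}):
                paths.append("/%s/%s" % (binding["name"], item["path"]))
    return paths


def check_ivs(ivs, secret):
    """Digest pinning, result location, service accounts, --config and stdout paths."""
    spec = ivs["spec"]
    problems = []
    if not DIGEST_RE.match(spec.get("image", "")):
        problems.append("spec.image must be pinned by sha256 digest, got %r" % spec.get("image"))
    if not spec.get("scanResults", {}).get("location"):
        problems.append("spec.scanResults.location is not set")
    for role in ("publisher", "scanner"):
        if not spec.get("serviceAccountNames", {}).get(role):
            problems.append("spec.serviceAccountNames.%s is not set" % role)
    mounts = mounted_config_paths(ivs, secret)
    for step in spec.get("steps", []):
        cmd = step.get("command", [])
        if "--config" in cmd:
            idx = cmd.index("--config") + 1
            cfg_path = cmd[idx] if idx < len(cmd) else None
            if cfg_path not in mounts:
                problems.append("step %s: --config %s does not match a mounted secret item %s"
                                % (step["name"], cfg_path, mounts))
        out = step.get("stdoutConfig", {}).get("path", "")
        if not out.startswith("/workspace/scan-results/"):
            problems.append("step %s: stdoutConfig.path should be under /workspace/scan-results/"
                            % step["name"])
    return problems


def check_manifests(secret, ivs):
    return check_secret(secret) + check_ivs(ivs, secret)


def broken_ivs():
    """Constructed negative case: tag instead of digest, --config path typo."""
    bad = copy.deepcopy(IVS)
    bad["spec"]["image"] = "nginx:latest"
    bad["spec"]["steps"][0]["command"][6] = "/cbctl/cbctl.yaml"
    return bad


if __name__ == "__main__":
    for msg in check_manifests(SECRET, IVS) or ["no problems found"]:
        print(msg)
```

Run against the page's sample as-is, the only finding is that the four credential placeholders were never replaced; the `broken_ivs` case shows how an unpinned tag and a mistyped --config path are caught before the scan pod fails at runtime.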