Configure your custom ImageVulnerabilityScan samples for Supply Chain Security Tools - Scan
This topic gives you sample ImageVulnerabilityScans for various scanners, and any associated secrets.
ImageVulnerabilityScan samples
This section includes ImageVulnerabilityScans (IVS) for various scanners. To use them, copy the YAML content for the scanner you want to use in the following topics:
Use custom ImageVulnerabilityScan samples
To use a custom ImageVulnerabilityScan sample:
- Copy the sample YAML into a file named
custom-ivs.yaml. Some scanners, such as Carbon Black, Snyk, and Prisma Scanner, require specific credentials that you must specify in the secret. - Obtain the one or more necessary images. For example, an image containing the scanner.
-
Edit these fields of your ImageVulnerabilityScan:
spec.imageis the image that you are scanning. See Retrieving an image digest.scanResults.locationis the registry URL where thepublisherservice account uploads the scan results. For example,my.registry/scan-results.serviceAccountNamesincludes:scanneris the service account that runs the scan. It must have read access toimage.publisheris the service account that uploads results. It must have write access toscanResults.location.
- Complete any scanner specific changes specified on the sample ImageVulnerabilityScan page.
-
You can either incorporate your custom ImageVulnerabilityScan into a ClusterImageTemplate or run a standalone scan using:
kubectl apply -f custom-ivs.yaml -n DEV-NAMESPACEWhere
DEV-NAMESPACEis the name of the developer namespace where scanning occurs.
Retrieving an image digest
SCST - Scan 2.0 custom resources require the digest form of the URL. For example, nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2.
Use the Docker documentation to pull and inspect an image digest:
docker pull nginx:latest
docker inspect --format='{{index .RepoDigests 0}}' nginx:latest
Alternatively, you can install krane to retrieve the digest without pulling the image:
krane digest nginx:latest
