Configure your custom ImageVulnerabilityScan samples for Supply Chain Security Tools - Scan

This topic gives you sample ImageVulnerabilityScans for various scanners, and any associated secrets.

ImageVulnerabilityScan samples

This section includes ImageVulnerabilityScans (IVS) for various scanners. To use them, copy the YAML content for the scanner you want to use in the following topics:

Use custom ImageVulnerabilityScan samples

To use a custom ImageVulnerabilityScan sample:

  1. Copy the sample YAML into a file named custom-ivs.yaml. Some scanners, such as Carbon Black, Snyk, and Prisma Scanner, require specific credentials that you must specify in the secret.
  2. Obtain the one or more necessary images. For example, an image containing the scanner.

  3. Edit these fields of your ImageVulnerabilityScan:

    • spec.image is the image that you are scanning. For more information, see Retrieving an image digest.
    • scanResults.location is the registry URL where the publisher service account uploads the scan results. For example, my.registry/scan-results.
    • serviceAccountNames includes:
      • scanner, which is the service account that runs the scan. It must have read access to image.
      • publisher, which is the service account that uploads results. It must have write access to scanResults.location.

  4. Complete any scanner-specific changes specified on the sample ImageVulnerabilityScan page.

  5. Incorporate your custom ImageVulnerabilityScan into a ClusterImageTemplate or run a standalone scan by running:

    kubectl apply -f custom-ivs.yaml -n DEV-NAMESPACE

    Where DEV-NAMESPACE is the name of the developer namespace where scanning occurs.

Retrieving an image digest

SCST - Scan 2.0 custom resources require the digest form of the URL. For example, nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2.

Use the Docker documentation to pull and inspect an image digest. For example, by running:

docker pull nginx:latest
docker inspect --format='{{index .RepoDigests 0}}' nginx:latest

Alternatively, you can install krane to retrieve the digest without pulling the image by running:

krane digest nginx:latest
check-circle-line exclamation-circle-line close-line
Scroll to top icon