Sample public source scan of a blob for Supply Chain Security Tools - Scan

You can do a public source scan of a blob for Supply Chain Security Tools (SCST) - Scan. This example performs a scan against source code in a .tar.gz file. This is helpful in a supply chain, where there is a GitRepository step that handles cloning a repository and exporting the source code as a compressed archive.

Define the resources

Create public-blob-source-example.yaml with this content:

---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: public-blob-source-example
spec:
  blob:
    url: "https://gitlab.com/nina-data/ckan/-/archive/master/ckan-master.tar.gz"
  scanTemplate: blob-source-scan-template

(Optional) Set up a watch

Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression by running:

watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

For more information, see Observing and Troubleshooting.

Deploy the resources

Deploy the resources by running:

kubectl apply -f public-blob-source-example.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View the scan results

After the scan finishes, view the results:

  1. Print the scan results by running:
kubectl describe sourcescan public-blob-source-example -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

  1. Verify that Status.Conditions includes a Reason: JobFinished and Message: The scan job finished. For more information, see Viewing and Understanding Scan Status Conditions.

Clean up

Clean up by running:

kubectl delete -f public-blob-source-example.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View vulnerability reports

After completing the scans, query the Supply Chain Security Tools - Store to view your vulnerability results.

check-circle-line exclamation-circle-line close-line
Scroll to top icon