Sample private source scan for Supply Chain Security Tools - Scan

This example shows how you can perform a private source scan for Supply Chain Security Tools (SCST) - Scan.

Define the resources

To define resources:

  1. Create a Kubernetes secret with an SSH key for cloning a Git repository. See the Kubernetes documentation.

    cat <<EOF | kubectl create -f -
    apiVersion: v1
    kind: Secret
    metadata:
     name: SECRET-SSH-AUTH
     namespace: DEV-NAMESPACE
     annotations:
       tekton.dev/git-0: https://github.com
       tekton.dev/git-1: https://gitlab.com
    type: kubernetes.io/ssh-auth
    stringData:
     ssh-privatekey: |
       -----BEGIN OPENSSH PRIVATE KEY-----
       ....
       ....
       -----END OPENSSH PRIVATE KEY-----
    EOF
    

    Where:

    • SECRET-SSH-AUTH is the name of the secret that is created.
    • DEV-NAMESPACE is the developer namespace where the scanner is installed.
    • .stringData.ssh-privatekey contains the private key with pull permissions.
  2. Update the tap-values.yaml file to include the name of the secret you created:

    grype:
      targetSourceSshSecret: "SECRET-SSH-AUTH"
    
  3. Upgrade Tanzu Application Platform with the modified tap-values.yaml file.

    tanzu package installed update tap -p tap.tanzu.vmware.com -v ${TAP-VERSION}  --values-file \
    tap-values.yaml -n tap-install
    

    Where TAP-VERSION is the Tanzu Application Platform version.

  4. Create sample-private-source-scan.yaml:

    ---
    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: SourceScan
    metadata:
      name: sample-private-source-scan
    spec:
      git:
        url: URL
        revision: REVISION
        knownHosts: |
          KNOWN-HOSTS
      scanTemplate: private-source-scan-template
    

    Where:

    • URL is the SSH URL of the private Git repository, for example git@github.com:acme/website.git. The host in this URL must match a host listed in KNOWN-HOSTS, otherwise the clone fails host-key verification.
    • REVISION is the Git revision to scan (a branch, tag, or commit SHA).
    • KNOWN-HOSTS is one or more known_hosts entries for the Git host, in the format that ssh-keyscan prints. Obtain them out of band and compare their fingerprints (ssh-keygen -lf) with the fingerprints your provider publishes rather than trusting the first scan; providers rotate host keys, as GitHub did for its RSA key in March 2023.

    For example, ssh-keyscan github.com produces:

    github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
    
    ---
    apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
    kind: SourceScan
    metadata:
      name: sample-private-source-scan
    spec:
      git:
        url: [email protected]:acme/website.git
        revision: 25as5e7df56c6401111be514a2f3666179ba04d0
        knownHosts: |
          10.254.171.53 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbPOVVQF/CzuAeQNv4fZVf2pLxpGHle15zkpxOosckequUDxoq
      scanTemplate: private-source-scan-template
    
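The knownHosts block is the part of this procedure that most often goes wrong: a wrapped key line, a key labelled with the wrong type, or an entry for a different host than the one in the URL all lead to a failed clone, and an entry copied from an untrusted source defeats host verification entirely. The following script is an added example, not code from the Tanzu Application Platform documentation or the SCST - Scan project. It parses ssh-keyscan style known_hosts lines, checks that the declared key type matches the type embedded in the key blob, checks that the Git URL's host has an entry, computes the OpenSSH SHA256 fingerprint of each key so you can compare it with the provider's published fingerprints, and renders the SourceScan manifest with the block scalar correctly indented. The sample known_hosts input is constructed from the github.com entries shown above; the repository URL and revision are hypothetical.

```python
"""Validate known_hosts entries and render a SourceScan manifest.

Added example, not code from the Tanzu Application Platform docs.
"""
import base64
import hashlib
import struct

# Constructed sample input: the github.com ed25519 and ecdsa entries as printed by
# ssh-keyscan github.com. Compare their fingerprints with GitHub's published values
# before trusting them; hashed entries (ssh-keyscan -H) are not handled here.
SAMPLE_KNOWN_HOSTS = """\
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
"""


def url_host(url):
    """Host part of an SSH Git URL: git@host:path or ssh://git@host[:port]/path."""
    if url.startswith("ssh://"):
        authority = url[len("ssh://"):].split("/", 1)[0]
        return authority.rsplit("@", 1)[-1].split(":", 1)[0]
    if "@" in url and ":" in url:
        return url.split("@", 1)[1].split(":", 1)[0]
    raise ValueError(f"not an SSH Git URL: {url!r}")


def parse_known_hosts(text):
    """Return a list of {host, keytype, b64, blob} dicts, rejecting malformed entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'host type key'")
        host, keytype, b64 = fields[:3]
        try:
            blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
        except ValueError as exc:
            raise ValueError(f"line {lineno}: key is not valid base64") from exc
        # An SSH public key blob begins with a length-prefixed string naming its
        # type, so an entry whose label does not match its contents is detectable.
        if len(blob) < 4:
            raise ValueError(f"line {lineno}: key blob too short")
        (n,) = struct.unpack(">I", blob[:4])
        embedded = blob[4:4 + n].decode("ascii", "replace")
        if n > len(blob) - 4 or embedded != keytype:
            raise ValueError(f"line {lineno}: declared {keytype}, blob says {embedded!r}")
        entries.append({"host": host, "keytype": keytype, "b64": b64, "blob": blob})
    return entries


def fingerprint(blob):
    """OpenSSH SHA256 fingerprint: unpadded base64 of sha256(blob), as ssh-keygen -lf prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def render_sourcescan(name, url, revision, known_hosts_text,
                      template="private-source-scan-template"):
    """Emit SourceScan YAML with knownHosts as a correctly indented block scalar."""
    entries = parse_known_hosts(known_hosts_text)
    host = url_host(url)
    # known_hosts host fields may be comma-separated aliases (e.g. "github.com,140.82.121.4").
    known = {h for e in entries for h in e["host"].split(",")}
    if host not in known:
        raise ValueError(f"no knownHosts entry for {host}; clone would fail host-key verification")
    lines = [
        "---",
        "apiVersion: scanning.apps.tanzu.vmware.com/v1beta1",
        "kind: SourceScan",
        "metadata:",
        f"  name: {name}",
        "spec:",
        "  git:",
        f"    url: {url}",
        f"    revision: {revision}",
        "    knownHosts: |",
    ]
    # Every line of the block scalar must be indented deeper than the knownHosts key;
    # a wrapped or flush-left key line makes the manifest invalid YAML.
    lines += [f"      {e['host']} {e['keytype']} {e['b64']}" for e in entries]
    lines.append(f"  scanTemplate: {template}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for e in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(e["host"], e["keytype"], fingerprint(e["blob"]))
    print(render_sourcescan("sample-private-source-scan",
                            "git@github.com:acme/website.git",  # hypothetical repository
                            "25as5e7df56c6401111be514a2f3666179ba04d0",
                            SAMPLE_KNOWN_HOSTS))
```

Pipe the rendered manifest to kubectl apply -n DEV-NAMESPACE only after the printed fingerprints match the provider's published ones; a mismatch means the keyscan output was tampered with or the provider rotated its key, and in either case the entry should not go into the SourceScan.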

(Optional) Set up a watch

Before deploying the resources to a user-specified namespace, set up a watch in another terminal to follow their progress by running:

watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

See Observing and Troubleshooting.

Deploy the resources

Deploy the resources by running:

kubectl apply -f sample-private-source-scan.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View the scan status

To view the scan status:

  1. After the scan has finished, run:

    kubectl describe sourcescan sample-private-source-scan -n DEV-NAMESPACE
    

    Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

  2. Verify that Status.Conditions includes Reason: JobFinished and Message: The scan job finished. For more information, see Viewing and Understanding Scan Status Conditions.

Clean up

Clean up by running:

kubectl delete -f sample-private-source-scan.yaml -n DEV-NAMESPACE

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View vulnerability reports

After completing the scans, query the Supply Chain Security Tools - Store to view your vulnerability results.
