This topic describes how you can configure code repositories and image artifacts for Supply Chain Security Tools (SCST) - Scan.
Both the source and image scans require you to define a ScanTemplate
. Run kubectl get scantemplates
for the ScanTemplates provided with the scanner installation. For information about how to reference these ScanTemplates, see How to create a ScanTemplate.
The scan controller defines two custom resources to create scans:
SourceScan
ImageScan
The SourceScan
custom resource helps you define and trigger a scan for a given repository. You can deploy SourceScan
with source code existing in a public repository or a private one:
Create the SourceScan
custom resource as in this example:
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
# set the name of the source scan CR
name: sample-source-scan
spec:
# At least one of these fields (blob or git) must be defined.
blob:
# location to a file with the source code compressed (supported files: .tar.gz)
url:
git:
# A multiline string defining the known hosts that are going to be used for the SSH client on the container
knownHosts:
# Branch, tag, or commit digest
revision:
# The name of the kubernetes secret containing the private SSH key information.
sshKeySecret:
# A string containing the repository URL.
url:
# The user name needed to SSH connection. Default value is “git”
username:
# A string defining the name of an existing ScanTemplate custom resource.
scanTemplate: my-scan-template
# A string defining the name of an existing ScanPolicy custom resource. See the "Enforcement Policies (OPA)" section.
scanPolicy: my-scan-policy
Deploy the SourceScan
custom resource to the desired namespace on the cluster by running:
kubectl apply -f <path_to_the_cr>/<custom_resource_filename>.yaml -n <desired_namespace>
After the scanning finishes, the following fields appear in the custom resource and are filled by the scanner:
# These fields are populated from the source scan results
status:
# The source code information as provided in the CycloneDX bom>metadata>component>* fields
artifact:
blob:
url:
git:
url:
revision:
# An array populated with information about the scanning status
# and the policy validation. These conditions might change in the lifecycle
# of the scan, refer to the "View Scan Status and Understanding Conditions" section to learn more.
conditions: []
# The URL of the vulnerability scan results in the Metadata Store integration.
# Only available when the integration is configured.
metadataUrl:
# When the CRD is updated to point at new revisions, this lets you know
# if the status reflects the latest one or not
observedGeneration: 1
observedPolicyGeneration: 1
observedTemplateGeneration: 1
# The latest datetime when the scanning was successfully finished.
scannedAt:
# Information about the scanner that was used for the latest image scan.
# This information reflects what's in the CycloneDX bom>metadata>tools>tool>* fields.
scannedBy:
scanner:
# The name of the scanner that was used.
name: my-image-scanner
# The name of the scanner's development company or team
vendor: my-image-scanner-provider
# The version of the scanner used.
version: 1.0.0
The ImageScan
custom resource helps you define and trigger a scan for a given image. You can deploy ImageScan
with an image in a public registry or a private registry:
Create the ImageScan
custom resource as in this example:
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
# set the name of the image scan CR
name: sample-image-scan
spec:
registry:
# Required. A string containing the image name can additionally add its tag or its digest
image: nginx:1.16
# A string containing the secret needed to pull the image from a private registry.
# The secret needs to be deployed in the same namespace as the ImageScan
imagePullSecret: my-image-pull-secret
# A string defining the name of an existing ScanTemplate custom resource. See the "How To Create a ScanTemplate" section.
scanTemplate: my-scan-template
# A string defining the name of an existing ScanPolicy custom resource. See the "Enforcement Policies (OPA)" section.
scanPolicy: my-scan-policy
Deploy the ImageScan
custom resource to the desired namespace on the cluster by running:
kubectl apply -f <path_to_the_cr>/<custom_resource_filename>.yaml -n <desired_namespace>
After the scanning finishes, the following fields appear in the custom resource and are filled by the scanner:
# These fields are populated from the image scan results
status:
artifact:
registry:
# The image name with its digest as provided in the CycloneDX bom>metadata>component>* fields
image:
imagePullSecret:
# An array that is populated with information about the scanning status
# and the policy validation. These conditions might change in the lifecycle
# of the scan, refer to the "View Scan Status and Understanding Conditions" section to learn more.
conditions: []
# The URL of the vulnerability scan results in the Metadata Store integration.
# Only available when the integration is configured.
metadataUrl:
# When the CRD is updated to point at new revisions, this lets you know
# whether the status reflects the latest one
observedGeneration: 1
observedPolicyGeneration: 1
observedTemplateGeneration: 1
# The latest datetime when the scanning was successfully finished.
scannedAt:
# Information about the scanner used for the latest image scan.
# This information reflects what's in the CycloneDX bom>metadata>tools>tool>* fields.
scannedBy:
scanner:
# The name of the scanner that was used.
name: my-image-scanner
# The name of the scanner's development company or team
vendor: my-image-scanner-provider
# The version of the scanner used.
version: 1.0.0