Configure code repositories and image artifacts for Supply Chain Security Tools - Scan
This topic describes how you can configure code repositories and image artifacts for SCST - Scan.
Prerequisite
Both the source and image scans require you to define a ScanTemplate. Run kubectl get scantemplates for the ScanTemplates provided with the scanner installation. For information about how to reference these ScanTemplates, see How to create a ScanTemplate.
Deploy scan custom resources
The scan controller defines two custom resources to create scans:
- SourceScan
- ImageScan
SourceScan
The SourceScan custom resource helps you define and trigger a scan for a given repository. You can deploy SourceScan with source code existing in a public repository or a private one:
-
Create the
SourceScancustom resource.Example:
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: SourceScan metadata: # set the name of the source scan CR name: sample-source-scan spec: # At least one of these fields (blob or git) must be defined. blob: # location to a file with the source code compressed (supported files: .tar.gz) url: git: # A multiline string defining the known hosts that are going to be used for the SSH client on the container knownHosts: # Branch, tag, or commit digest revision: # The name of the kubernetes secret containing the private SSH key information. sshKeySecret: # A string containing the repository URL. url: # The username needed to SSH connection. Default value is “git” username: # A string defining the name of an existing ScanTemplate custom resource. scanTemplate: my-scan-template # A string defining the name of an existing ScanPolicy custom resource. See "Enforcement Policies (OPA)" section. scanPolicy: my-scan-policy -
Deploy the
SourceScancustom resource to the desired namespace on cluster by running:kubectl apply -f <path_to_the_cr>/<custom_resource_filename>.yaml -n <desired_namespace>After the scanning completes, the following fields appear in the custom resource and are filled by the scanner:
# These fields are populated from the source scan results status: # The source code information as provided in the CycloneDX `bom>metadata>component>*` fields artifact: blob: url: git: url: revision: # An array populated with information about the scanning status # and the policy validation. These conditions might change in the lifecycle # of the scan, refer to the "View Scan Status and Understanding Conditions" section to learn more. conditions: [] # The URL of the vulnerability scan results in the Metadata Store integration. # Only available when the integration is configured. metadataUrl: # When the CRD is updated to point at new revisions, this lets you know # if the status reflects the latest one or not observedGeneration: 1 observedPolicyGeneration: 1 observedTemplateGeneration: 1 # The latest datetime when the scanning was successfully finished. scannedAt: # Information about the scanner that was used for the latest image scan. # This information reflects what's in the CycloneDX `bom>metadata>tools>tool>*` fields. scannedBy: scanner: # The name of the scanner that was used. name: my-image-scanner # The name of the scanner's development company or team vendor: my-image-scanner-provider # The version of the scanner used. version: 1.0.0
ImageScan
The ImageScan custom resource helps you define and trigger a scan for a given image. You can deploy ImageScan with an image existing in a public or private registry:
-
Create the
ImageScancustom resource.Example:
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: ImageScan metadata: # set the name of the image scan CR name: sample-image-scan spec: registry: # Required. A string containing the image name can additionally add its tag or its digest image: nginx:1.16 # A string containing the secret needed to pull the image from a private registry. # The secret needs to be deployed in the same namespace as the ImageScan imagePullSecret: my-image-pull-secret # A string defining the name of an existing ScanTemplate custom resource. See "How To Create a ScanTemplate" section. scanTemplate: my-scan-template # A string defining the name of an existing ScanPolicy custom resource. See "Enforcement Policies (OPA)" section. scanPolicy: my-scan-policy -
Deploy the
ImageScancustom resource to the desired namespace on cluster by running:kubectl apply -f <path_to_the_cr>/<custom_resource_filename>.yaml -n <desired_namespace>After the scanning completes, the following fields appear in the custom resource and are filled by the scanner:
# These fields are populated from the image scan results status: artifact: registry: # The image name with its digest as provided in the CycloneDX `bom>metadata>component>*` fields image: imagePullSecret: # An array that is populated with information about the scanning status # and the policy validation. These conditions might change in the lifecycle # of the scan, refer to the "View Scan Status and Understanding Conditions" section to learn more. conditions: [] # The URL of the vulnerability scan results in the Metadata Store integration. # Only available when the integration is configured. metadataUrl: # When the CRD is updated to point at new revisions, this lets you know # whether the status reflects the latest one observedGeneration: 1 observedPolicyGeneration: 1 observedTemplateGeneration: 1 # The latest datetime when the scanning was successfully finished. scannedAt: # Information about the scanner used for the latest image scan. # This information reflects what's in the CycloneDX `bom>metadata>tools>tool>*` fields. scannedBy: scanner: # The name of the scanner that was used. name: my-image-scanner # The name of the scanner's development company or team vendor: my-image-scanner-provider # The version of the scanner used. version: 1.0.0
