Scan Types for Supply Chain Security Tools - Scan
This topic tells you what scan types you can use with Scan Types for Supply Chain Security Tools (SCST) - Scan. The out-of-box test and scan supply chain supports the source and container image scan types.
Source scan
The source scan step in the test and scan supply chain performs a Software Composition Analysis (SCA) scan to inspect the open-source dependencies of an application for vulnerabilities.
You scan by inspecting the file that the language uses for dependency declaration. This table has examples:
| Language | Dependency File |
|---|---|
| Spring | pom.xml |
| .Net | deps.json |
| Node.JS | packages.json |
| Python | requirements.txt |
Rather than declare specific dependency versions, some languages such as Spring, Java, and .Net resolve dependency versions at build time. For these languages, performing a SCA scan on the declaration file stored in the source code does not produce meaningful results. Instead the SCA scan often creates false positives or false negatives.
Because of this, in Tanzu Application Platform v1.6 and later the source scan step is moved to an opt-in step in the supply chain.
Adding Source Scan to the Test and Scan Supply Chain
To add source scanning to the out-of-the-box test and scan supply chain, you can apply an overlay in the tap-values.yaml file used for installation. This overlay adds the required resources to the supply chain in the correct location to opt in to source scanning.
For information about how overlays work with Tanzu Application Platform, see Customize your package installation.
To add source scanning to the default out-of-the-box test and scan supply chain:
-
Create a
secret.ymlfile with aSecretthat contains your ytt overlay. For example:apiVersion: v1 kind: Secret metadata: name: ootb-supply-chain-testing-scanning-add-source-scanner namespace: tap-install annotations: kapp.k14s.io/change-group: "tap-overlays" type: Opaque stringData: ootb-supply-chain-testing-scanning-add-source-scanner.yaml: | #@ load("@ytt:overlay", "overlay") #@overlay/match by=overlay.subset({"metadata":{"name":"source-test-scan-to-url"}, "kind": "ClusterSupplyChain"}) --- spec: resources: #@overlay/match by=overlay.index(2) #@overlay/insert before=True - name: source-scanner params: - default: scan-policy name: scanning_source_policy - default: blob-source-scan-template name: scanning_source_template sources: - name: source resource: source-tester templateRef: kind: ClusterSourceTemplate name: source-scanner-template #@overlay/match by="name" - name: image-provider sources: #@overlay/match by="name" - name: source resource: source-scannerFor information about ytt overlays, see the Carvel documentation.
-
Apply the
Secretto your cluster by running:kubectl apply -f secret.yml -
Update your values file to include a
package_overlaysfield by running:package_overlays: - name: ootb-supply-chain-testing-scanning secrets: - name: ootb-supply-chain-testing-scanning-add-source-scanner -
Update Tanzu Application Platform by running:
tanzu package installed update tap -p tap.tanzu.vmware.com -v 1.8.7 \ --values-file tap-values.yaml -n tap-install
For a multicluster installation, you must apply this to the build profile because that is where the scan components run. For information about Tanzu Application Platform profiles, see Installing Tanzu Application Platform package and profiles.
Container image scan
A container image scan inspects the contents of a built container image for vulnerabilities. This scan is performed on the container image after it is uploaded to the container image registry and at periodic intervals after the initial upload. Many container registries, such as Harbor and Docker Hub, include this capability.
Tanzu Application Platform enables scanning container images for vulnerabilities as part of your supply chain, allowing you to prevent deployment of a container image if vulnerabilities are discovered that exceed your security policy.
