This topic describes how you can upgrade Supply Chain Security Tools (SCST) - Scan from the Tanzu Application Platform package repository.
You can perform a fresh install of SCST - Scan by following the instructions in Install Supply Chain Security Tools - Scan.
Before you upgrade SCST - Scan, upgrade the Tanzu Application Platform by following the instructions in Upgrading Tanzu Application Platform.
Before upgrading to any version of SCST - Scan:
See the release notes for the version you want to upgrade to learn about any breaking changes for the upgrade.
Get the values schema for the package version you want to upgrade by running:
tanzu package available get scanning.apps.tanzu.vmware.com/$VERSION --values-schema -n tap-install
Where $VERSION
is the new version. This gives you insights on the values you can configure in your tap-values.yaml
for the new version.
This section describes how to upgrade a supported scanner in all namespaces. The procedure is different depending on whether you install manually or by using Namespace Provisioner.
If a scanner, such as Grype Scanner, was installed as part of Tanzu Application Platform by using the full profile, run to upgrade:
tanzu package installed update tap -p tap.tanzu.vmware.com -v VERSION --values-file tap-values.yaml -n tap-install
Where VERSION
is your Tanzu Application Platform version.
If a scanner, such as Grype Scanner, was installed by using component installation you must manually run:
tanzu package installed update grype -p grype.scanning.apps.tanzu.vmware.com -v GRYPE-VERSION \
--values-file grype-values.yaml -n NAMESPACE
Where:
GRYPE-VERSION
is the version of Grype that you are upgrading to.NAMESPACE
is the namespace in which Grype is installed in.To upgrade from a previous version of SCST - Scan to the version v1.2.0:
Change the SecretExports
from SCST - Store.
SCST - Scan needs information to connect to the SCST - Store deployment. You must change where these secrets are exported to enable the connection with SCST - Scan v1.2.0.
Edit the tap-values.yaml
file you used to deploy SCST - Store to export the CA certificate to your developer namespace.
metadata_store:
ns_for_export_app_cert: "DEV-NAMESPACE"
NoteThe
ns_for_export_app_cert
supports one namespace at a time. If you have multiple namespaces you can replace this value with a*
, but this exports the CA certificate to all namespaces. Consider whether this increased visibility presents a risk.
Update Tanzu Application Platform to apply the changes:
tanzu package installed update tap -f tap-values.yaml -n tap-install
SecretExport
by changing the
toNamespace: scan-link-system
to
toNamespace: DEV-NAMESPACE
. For example:
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
name: store-ca-cert
namespace: metadata-store-secrets
spec:
toNamespace: "DEV-NAMESPACE"
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
name: store-auth-token
namespace: metadata-store-secrets
spec:
toNamespace: "DEV-NAMESPACE"
Update your tap-values.yaml
file.
The installation of SCST - Scan and Grype Scanner has some changes. The connection to the SCST - Store component has moved to the Grype Scanner package. The connection from SCST - Scan still exists for backward compatibility, but is deprecated and is removed in v1.3.0.
To deactivate the connection, edit tap-values.yaml
as follows:
# Deactivate scan controller embedded SCST - Store integration
scanning:
metadataStore:
url: ""
# Install Grype Scanner v1.2.0
grype:
namespace: "DEV-NAMESPACE" # The developer namespace where the ScanTemplates are going to be deployed
metadataStore:
url: "METADATA-STORE-URL" # The base URL where the Store deployment can be reached
caSecret:
name: "CA-SECRET-NAME" # The name of the secret containing the ca.crt
importFromNamespace: "SECRET-NAMESPACE" # The namespace where Store is deployed (if single cluster) or where the connection secrets were created (if multi-cluster)
authSecret:
name: "TOKEN-SECRET-NAME" # The name of the secret containing the auth token to connect to Store
importFromNamespace: "SECRET-NAMESPACE" # The namespace where the connection secrets were created (if multi-cluster)
For more information about how to install Grype, see Install SCST - Scan (Grype Scanner).
NoteIf a mix of Grype templates is used, such as templates before and after v1.2.0 and v1.2.0, both
scanning
andgrype
must configure the parameters. The secret must also export to bothscan-link-system
and the developer namespace. Configure this by exporting to*
or by defining multiple secrets and exports. If Grype is installed in multiple namespaces there must be corresponding exports. For more information, see Install SCST - Scan (Grype Scanner).
Update Tanzu Application Platform to apply the changes by running:
tanzu package installed update tap -f tap-values.yaml -n tap-install
Update the ScanPolicy
to include the latest structure changes for v1.2.0.
To update to the latest valid Rego file in ScanPolicy
, enforce compliance policy by using Open Policy Agent. v1.2.0 introduced some breaking changes in the Rego file structure used for ScanPolicies
.
Create a verify-upgrade.yaml
file in your system with the following content:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
name: scan-policy
labels:
'app.kubernetes.io/part-of': 'enable-in-gui'
spec:
regoFile: |
package main
# Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity"
notAllowedSeverities := ["Critical", "High", "UnknownSeverity"]
ignoreCves := []
contains(array, elem) = true {
array[_] = elem
} else = false { true }
isSafe(match) {
severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
some i
fails := contains(notAllowedSeverities, severities[i])
not fails
}
isSafe(match) {
ignore := contains(ignoreCves, match.id)
ignore
}
deny[msg] {
comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
some i
comp := comps[i]
vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
some j
vuln := vulns[j]
ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
not isSafe(vuln)
msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings])
}
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
name: sample-public-image-scan
spec:
registry:
image: "nginx:1.16"
scanTemplate: public-image-scan-template
scanPolicy: scan-policy
Deploy the resources by running:
kubectl apply -f verify-upgrade.yaml -n DEV-NAMESPACE
View the scan results by running:
kubectl describe imagescan sample-public-image-scan -n DEV-NAMESPACE
If it is successful, the ImageScan
goes to the Failed
phase and shows the results of the scan in Status
. You can run any ImageScan
or SourceScan
in your DEV-NAMESPACE
where the Grype Scanner was installed, and it finishes.