This topic tells you how to verify scanning with Supply Chains.
Create a sample workload with a pre-built image by running:
tanzu apps workload create WORKLOAD-NAME \
--app APP-NAME \
--git-repo GIT-REPO \
--git-branch GIT-BRANCH \
--type TYPE \
--namespace DEV-NAMESPACE
Where:
WORKLOAD-NAME is the name you choose for your workload.
APP-NAME is the name of your app.
GIT-REPO is the Git repository from which the workload is created.
GIT-BRANCH is the branch of the Git repository from which the workload is created.
TYPE is the type of your app.
DEV-NAMESPACE is the name of the developer namespace where scanning occurs.
Note: For information about how to create workloads with the Tanzu CLI, see Create a Workload.
Scan results are uploaded to the container image registry as an imgpkg bundle. To retrieve a vulnerability report:
Retrieve the result location from the ImageVulnerabilityScan CR status by running:
SCAN_RESULT_URL=$(kubectl get imagevulnerabilityscan my-scan -n DEV-NAMESPACE -o jsonpath='{.status.scanResult}')
Download the bundle to a local directory and list the content by running:
imgpkg pull -b $SCAN_RESULT_URL -o scan-results/
ls scan-results/
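The two retrieval steps above fail silently if `.status.scanResult` is read before the scan has finished, because `imgpkg pull -b ""` has nothing to fetch. The following script is an added example, not part of the Tanzu documentation or product: it polls the CR until `scanResult` holds a digest-pinned bundle reference (the `repo@sha256:...` form is an assumption about what the scanner writes), then pulls and lists the bundle. It assumes `kubectl` and `imgpkg` are on PATH; `is_bundle_ref`, `wait_for_scan_result` and `fetch_scan_results` are names chosen here.

```shell
#!/usr/bin/env sh
# Added example (not from the Tanzu docs): wait for an ImageVulnerabilityScan
# to publish its result bundle, then pull it with imgpkg and list the files.
# Assumes kubectl and imgpkg on PATH; CR name and namespace come as arguments.

# Return 0 when VALUE looks like a published, digest-pinned imgpkg bundle
# reference (repo@sha256:<64 hex>). An empty or tag-only value means the
# scan has not finished (or the status is not in the assumed form), so we
# refuse to hand it to imgpkg pull.
is_bundle_ref() {
  printf '%s' "$1" | grep -Eq '^[^[:space:]@]+@sha256:[0-9a-f]{64}$'
}

# Poll .status.scanResult on the CR until it is populated or TIMEOUT seconds
# pass. Prints the reference on success; returns 1 on timeout.
wait_for_scan_result() {
  name=$1; ns=$2; timeout=${3:-300}; waited=0
  while [ "$waited" -lt "$timeout" ]; do
    ref=$(kubectl get imagevulnerabilityscan "$name" -n "$ns" \
            -o jsonpath='{.status.scanResult}' 2>/dev/null)
    if is_bundle_ref "$ref"; then
      printf '%s\n' "$ref"
      return 0
    fi
    sleep 10; waited=$((waited + 10))
  done
  echo "timed out after ${timeout}s waiting for $ns/$name scanResult" >&2
  return 1
}

# Pull the bundle into OUTDIR (default scan-results) and list what was uploaded.
fetch_scan_results() {
  ref=$(wait_for_scan_result "$1" "$2") || return 1
  outdir=${3:-scan-results}
  imgpkg pull -b "$ref" -o "$outdir" && ls "$outdir"
}

# Usage: ./verify-scan.sh my-scan DEV-NAMESPACE [OUTDIR]
if [ "$#" -ge 2 ]; then
  fetch_scan_results "$@"
fi
```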