This topic tells you how to use Namespace Provisioner to automate multiple scanner installations in the developer namespace in Tanzu Application Platform (commonly known as TAP).
Grype scanner is installed by default in all namespaces managed by Namespace Provisioner.
The following steps describe how to install Snyk scanner and Grype in the developer namespace and use both together in the supply chain. Grype is used for Source scans and Snyk is used for Image scans.
For information about, how to create a developer namespace, see Provision Developer Namespaces.
-
Create a secret in the
tap-installnamespace or any namespace of your preference that contains the Snyk token in YAML format. It must have .yaml or .yml in the key as shown here:cat << EOF | kubectl apply -f - apiVersion: v1 kind: Secret metadata: name: scanner-auth namespace: tap-install type: Opaque stringData: content.yaml: | scanners: snyk_api_token: "" # Paste your snyk API token here EOF
-
Add the following configuration to your
tap-values.yamlfile to create the supply-chain and scanners:
Using Namespace Provisioner Controller
: Add the following configuration to your tap-values.yaml file:
Using GitOps
: Add the following configuration to your tap-values.yaml file:
Additional source points to the location of the sample GitOps repo which has the following custom resources:
tekton-pipeline-java.yaml: Use this to create a Tekton pipeline for running tests on the Java workload.scanpolicy-grype.yaml and scanpolicy-snyk.yaml: Use to create Scan policies for Grype and Snyk scanners.snyk-token-secret.yaml: This is a Snyk token secret that must be created in the developer namespace. Instead of putting the actual Snyk token in the secret in the Git repository, put the reference to the values in the scanner-auth secret created in Step 1 by using thedata.values.importedkeys.snyk-scanner-install.yaml: This contains the PackageInstall for installing the Snyk package for the developer namespace. The namespacetap-installis mentioned in the PackageInstall resource. This causes Namespace Provisioner to create a PackageInstall resource for all provisioned namespaces in the same namespace and add-{namespace}as the suffix in the name to avoid name collisions.
Run the following command to apply a workload in your developer namespace that uses Grype for source scan and Snyk for Image scan:
Using Tanzu CLI : Create workload using tanzu apps CLI command
tanzu apps workload apply tanzu-java-web-app \
--git-repo https://github.com/sample-accelerators/tanzu-java-web-app \
--git-branch main \
--type web \
--app tanzu-java-web-app \
--label apps.tanzu.vmware.com/has-tests="true" \
--param scanning_image_policy=snyk-scan-policy \
--param scanning_image_template=snyk-private-image-scan-template \
--namespace YOUR-NEW-DEVELOPER-NAMESPACE \
--tail \
--yesUsing workload yaml
: Create a workload.yaml file:
---
apiVersion: carto.run/v1alpha1
kind: Workload
metadata:
labels:
app.kubernetes.io/part-of: tanzu-java-web-app
apps.tanzu.vmware.com/has-tests: "true"
apps.tanzu.vmware.com/workload-type: web
name: tanzu-java-web-app
namespace: YOUR-NEW-DEVELOPER-NAMESPACE
spec:
params:
- name: scanning_image_policy
value: snyk-scan-policy
- name: scanning_image_template
value: snyk-private-image-scan-template
source:
git:
ref:
branch: main
url: https://github.com/sample-accelerators/tanzu-java-web-app