This topic describes how you can install scanners to work with Supply Chain Security Tools - Scan from the Tanzu Application Platform package repository.
Follow the instructions in this topic to install a scanner other than the out of the box Grype Scanner with SCST - Scan.
Before installing a new scanner, install Supply Chain Security Tools - Scan. It must be present on the same cluster. The prerequisites for Scan are also required.
To install a new scanner, follow these steps:
-
Complete scanner specific prerequisites for the scanner you're trying to install. For example, creating an API token to connect to the scanner.
- Snyk Scanner (Beta) is available for image scanning.
- Carbon Black Scanner (Beta) is available for image scanning.
-
List the available packages to discover what scanners you can use by running:
tanzu package available list --namespace tap-installFor example:
$ tanzu package available list --namespace tap-install / Retrieving available packages... NAME DISPLAY-NAME SHORT-DESCRIPTION grype.scanning.apps.tanzu.vmware.com Grype Scanner for Supply Chain Security Tools - Scan Default scan templates using Anchore Grype snyk.scanning.apps.tanzu.vmware.com Snyk for Supply Chain Security Tools - Scan Default scan templates using Snyk carbonblack.scanning.apps.tanzu.vmware.com Carbon Black Scanner for Supply Chain Security Tools - Scan Default scan templates using Carbon Black
-
List version information for the scanner package by running:
tanzu package available list SCANNER-NAME --namespace tap-installFor example:
$ tanzu package available list snyk.scanning.apps.tanzu.vmware.com --namespace tap-install / Retrieving package versions for snyk.scanning.apps.tanzu.vmware.com... NAME VERSION RELEASED-AT snyk.scanning.apps.tanzu.vmware.com 1.0.0-beta.2
-
(Optional) Confirm that the secret created in Step 1 for scanner specific prerequisites is created.
-
Create a
values.yamlto apply custom configurations to the scanner:Note This step might be required for some scanners but optional for others.
To list the values you can configure for any scanner, run:
tanzu package available get SCANNER-NAME/VERSION --values-schema -n tap-installWhere:
SCANNER-NAMEis the name of the scanner package you retrieved earlier.VERSIONis your package version number. For example,snyk.scanning.apps.tanzu.vmware.com/1.0.0-beta.2.
For example:
$ tanzu package available get snyk.scanning.apps.tanzu.vmware.com/1.0.0-beta.2 --values-schema -n tap-install KEY DEFAULT TYPE DESCRIPTION metadataStore.authSecret.name string Name of deployed Secret with key auth_token metadataStore.authSecret.importFromNamespace string Namespace from which to import the Insight Metadata Store auth_token metadataStore.caSecret.importFromNamespace metadata-store string Namespace from which to import the Insight Metadata Store CA Cert metadataStore.caSecret.name app-tls-cert string Name of deployed Secret with key ca.crt holding the CA Cert of the Insight Metadata Store metadataStore.clusterRole metadata-store-read-write string Name of the deployed ClusterRole for read/write access to the Insight Metadata Store deployed in the same cluster metadataStore.url https://metadata-store-app.metadata-store.svc.cluster.local:8443 string Url of the Insight Metadata Store namespace default string Deployment namespace for the Scan Templates resources.requests.cpu 250m <nil> Requests describes the minimum amount of cpu resources required. resources.requests.memory 128Mi <nil> Requests describes the minimum amount of memory resources required. resources.limits.cpu 1000m <nil> Limits describes the maximum amount of cpu resources allowed. snyk.tokenSecret.name string Reference to the secret containing a Snyk API Token as snyk_token. targetImagePullSecret string Reference to the secret used for pulling images from private registry.
-
Define the
--values-fileflag to customize the default configuration:The
values.yamlfile you created earlier is referenced with the--values-fileflag when running your Tanzu install command:tanzu package install REFERENCE-NAME \ --package SCANNER-NAME \ --version VERSION \ --namespace tap-install \ --values-file PATH-TO-VALUES-YAML
Where:
REFERENCE-NAMEis the name referenced by the installed package. For example,grype-scanner,snyk-scanner.SCANNER-NAMEis the name of the scanner package you retrieved earlier. For example,snyk.scanning.apps.tanzu.vmware.com.VERSIONis your package version number. For example,1.0.0-beta.2.PATH-TO-VALUES-YAMLis the path that points to thevalues.yamlfile created earlier.
For example:
$ tanzu package install snyk-scanner \ --package snyk.scanning.apps.tanzu.vmware.com \ --version 1.1.0 \ --namespace tap-install \ --values-file values.yaml / Installing package 'snyk.scanning.apps.tanzu.vmware.com' | Getting namespace 'tap-install' | Getting package metadata for 'snyk.scanning.apps.tanzu.vmware.com' | Creating service account 'snyk-scanner-tap-install-sa' | Creating cluster admin role 'snyk-scanner-tap-install-cluster-role' | Creating cluster role binding 'snyk-scanner-tap-install-cluster-rolebinding' / Creating package resource - Package install status: Reconciling Added installed package 'snyk-scanner' in namespace 'tap-install'
To verify the installation create an ImageScan or SourceScan referencing one of the newly added ScanTemplates for the scanner.
-
(Optional) Create a
ScanPolicyformatted for the output specific to the scanner you are installing, to reference in theImageScanorSourceScan.kubectl apply -n $DEV_NAMESPACE -f SCAN-POLICY-YAMLNote As vulnerability scanners output different formats, the
ScanPoliciescan vary. For information about policies and samples, see Enforce compliance policy using Open Policy Agent. -
Retrieve available
ScanTemplatesfrom the namespace where the scanner is installed:kubectl get scantemplates -n DEV-NAMESPACEWhere
DEV-NAMESPACEis the developer namespace where the scanner is installed.For example:
$ kubectl get scantemplates NAME AGE blob-source-scan-template 10d private-image-scan-template 10d public-image-scan-template 10d public-source-scan-template 10d snyk-private-image-scan-template 10d snyk-public-image-scan-template 10d
-
Create the following ImageScan YAML:
Note Some scanners do not support both
ImageScanandSourceScan.apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: ImageScan metadata: name: sample-scanner-public-image-scan spec: registry: image: "nginx:1.16" scanTemplate: SCAN-TEMPLATE scanPolicy: SCAN-POLICY # Optional
Where:
SCAN-TEMPLATEis the name of the installedScanTemplatein theDEV-NAMESPACEyou retrieved earlier.SCAN-POLICYit's an optional reference to an existingScanPolicyin the sameDEV-NAMESPACE.
For example:
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: ImageScan metadata: name: sample-snyk-public-image-scan spec: registry: image: "nginx:1.16" scanTemplate: snyk-public-image-scan-template scanPolicy: snyk-scan-policy
-
Create the following SourceScan YAML:
Note Some scanners do not support both
ImageScanandSourceScan.apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: SourceScan metadata: name: sample-scanner-public-source-scan spec: git: url: "https://github.com/houndci/hound.git" revision: "5805c650" scanTemplate: SCAN-TEMPLATE scanPolicy: SCAN-POLICY # Optional
Where:
SCAN-TEMPLATEis the name of the installedScanTemplatein theDEV-NAMESPACEyou retrieved earlier.SCAN-POLICYis an optional reference to an existingScanPolicyin the sameDEV-NAMESPACE.
For example:
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: SourceScan metadata: name: sample-grype-public-source-scan spec: git: url: "https://github.com/houndci/hound.git" revision: "5805c650" scanTemplate: public-source-scan-template scanPolicy: scan-policy
-
Apply the ImageScan and SourceScan YAMLs:
To run the scans, apply them to the cluster by running these commands:
ImageScan:kubectl apply -f PATH-TO-IMAGE-SCAN-YAML -n DEV-NAMESPACEWhere
PATH-TO-IMAGE-SCAN-YAMLis the path to the YAML file created earlier.SourceScan:kubectl apply -f PATH-TO-SOURCE-SCAN-YAML -n DEV-NAMESPACEWhere
PATH-TO-SOURCE-SCAN-YAMLis the path to the YAML file created earlier.For example:
$ kubectl apply -f imagescan.yaml -n my-apps imagescan.scanning.apps.tanzu.vmware.com/sample-snyk-public-image-scan created $ kubectl apply -f sourcescan.yaml -n my-apps sourcescan.scanning.apps.tanzu.vmware.com/sample-grype-public-source-scan created
-
To verify the integration, get the scan to see if it completed by running:
For
ImageScan:kubectl get imagescan IMAGE-SCAN-NAME -n DEV-NAMESPACEWhere
IMAGE-SCAN-NAMEis the name of theImageScanas defined in the YAML file created earlier.For
SourceScan:kubectl get sourcescan SOURCE-SCAN-NAME -n DEV-NAMESPACEWhere
SOURCE-SCAN-NAMEis the name of theSourceScanas defined in the YAML file created earlier.For example:
$ kubectl get imagescan sample-snyk-public-image-scan -n my-apps NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL sample-snyk-public-image-scan Completed nginx:1.16 26h 0 114 58 314 0 486 $ kubectl get sourcescan sample-grype-public-source-scan -n my-apps NAME PHASE SCANNEDREVISION SCANNEDREPOSITORY AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL sourcescan.scanning.apps.tanzu.vmware.com/grypesourcescan-sample-public Completed 5805c650 https://github.com/houndci/hound.git 8m34s 21 121 112 9 0 263
Note If you define a
ScanPolicyfor the scans and the evaluation finds a violation, thePhaseisFailedinstead ofCompleted. In both cases the scan finished. -
Clean up:
kubectl delete -f PATH-TO-SCAN-YAML -n DEV-NAMESPACEWhere
PATH-TO-SCAN-YAMLis the path to the YAML file created earlier.
To install a Scanner to multiple namespaces, VMware recommends using a namespace provisioner. See Namespace Provisioner
In order to scan your images with the new scanner installed in the Out of the Box Supply Chain with Testing and Scanning, you must update your Tanzu Application Platform installation.
Add the ootb_supply_chain_testing_scanning.scanning section to your tap-values.yaml and perform a Tanzu Application Platform update.
You can define which ScanTemplates is used for both SourceScan and ImageScan. The default values are the Grype Scanner ScanTemplates, but they are overwritten by any other ScanTemplate present in your DEV-NAMESPACE. The same applies to the ScanPolicies applied to each kind of scan.
ootb_supply_chain_testing_scanning:
scanning:
image:
template: IMAGE-SCAN-TEMPLATE
policy: IMAGE-SCAN-POLICY
source:
template: SOURCE-SCAN-TEMPLATE
policy: SOURCE-SCAN-POLICYNote For the Supply Chain to work properly, the
SOURCE-SCAN-TEMPLATEmust support blob files and theIMAGE-SCAN-TEMPLATEmust support private images.
For example:
ootb_supply_chain_testing_scanning:
scanning:
image:
template: snyk-private-image-scan-template
policy: snyk-scan-policy
source:
template: blob-source-scan-template
policy: scan-policyTo replace the scanner in the Supply Chain, follow the steps mentioned in Configure TAP Supply Chain to Use New Scanner. After the scanner is no longer required by the Supply Chain, you can remove the package by running:
tanzu package installed delete REFERENCE-NAME \
--namespace tap-installWhere REFERENCE-NAME is the name you identified the package with, when installing in the Install section. For example, grype-scanner, snyk-scanner.
For example:
$ tanzu package installed delete snyk-scanner \
--namespace tap-installIn addition to providing the above supported integrations, VMware encourages the broader community to support VMware in our goal of integrating with customers' preferred CVE scanners.
Additional integrations:
- Prisma Scanner (Alpha) is available for source and image scanning.
- Trivy Scanner (Alpha) is available for source and image scanning.