This example shows how to perform a private source scan with Supply Chain Security Tools (SCST) - Scan, that is, a scan of source code that is cloned from a Git repository over SSH with a private key.
Note: This topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions.
To define resources:
Create a Kubernetes secret of type kubernetes.io/ssh-auth that holds the SSH private key used to clone the Git repository. See the Kubernetes documentation.
cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Secret
metadata:
  name: SECRET-SSH-AUTH
  namespace: DEV-NAMESPACE
  annotations:
    tekton.dev/git-0: https://github.com
    tekton.dev/git-1: https://gitlab.com
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ....
    ....
    -----END OPENSSH PRIVATE KEY-----
EOF
Where:
SECRET-SSH-AUTH is the name of the secret that is created.
DEV-NAMESPACE is the developer namespace where the scanner is installed. The secret must live in this namespace, because that is where the scan job runs.
.stringData.ssh-privatekey contains the private key that has pull permissions on the repository. Use a key dedicated to scanning with read-only access, such as a repository deploy key, rather than a personal key: anyone who can read secrets in DEV-NAMESPACE can read this key.
Update the tap-values.yaml file to include the name of the secret you created:
grype:
  targetSourceSshSecret: "SECRET-SSH-AUTH"
Upgrade Tanzu Application Platform with the modified tap-values.yaml file:
tanzu package installed update tap -p tap.tanzu.vmware.com -v TAP-VERSION --values-file tap-values.yaml -n tap-install
Where TAP-VERSION is the Tanzu Application Platform version, for example 1.5.0.
Create sample-private-source-scan.yaml:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: sample-private-source-scan
spec:
  git:
    url: URL
    revision: REVISION
    knownHosts: |
      KNOWN-HOSTS
  scanTemplate: private-source-scan-template
Where:
URL is the SSH clone URL of the Git repository, for example git@github.com:acme/website.git. The SSH secret is used only for SSH URLs; an https:// URL is not authenticated with it.
REVISION is the commit hash to scan.
KNOWN-HOSTS are the SSH host keys of the Git server in the known_hosts format produced by ssh-keyscan. The first field of each entry must match the host name in URL (or [HOST]:PORT when the server does not listen on port 22), otherwise host-key verification fails and the clone is rejected. Generate the entries yourself instead of copying them from documentation, and compare the fingerprints with the host keys your Git provider publishes, because providers rotate keys. For example, ssh-keyscan github.com produced the following when this topic was written; the ssh-rsa entry shown is GitHub's previous RSA host key, which GitHub replaced in March 2023, so treat the output only as an illustration of the format:
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
For example, with the placeholders filled in:
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: sample-private-source-scan
spec:
  git:
    url: git@github.com:acme/website.git
    revision: 25as5e7df56c6401111be514a2f3666179ba04d0
    knownHosts: |
      10.254.171.53 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItb
      POVVQF/CzuAeQNv4fZVf2pLxpGHle15zkpxOosckequUDxoq
  scanTemplate: private-source-scan-template
Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression by running:
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
See Observing and Troubleshooting.
Deploy the resources by running:
kubectl apply -f sample-private-source-scan.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
To view the scan status after the scan has finished, run:
kubectl describe sourcescan sample-private-source-scan -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
Verify that Status.Conditions includes Reason: JobFinished and Message: The scan job finished. For more information, see Viewing and Understanding Scan Status Conditions.
Clean up by running:
kubectl delete -f sample-private-source-scan.yaml -n DEV-NAMESPACE
Where DEV-NAMESPACE is the developer namespace where the scanner is installed.
After finishing the scans, view the vulnerability results by using the Security Analysis plug-in.
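The two things that most often stop a private source scan before Grype ever runs are a knownHosts block that does not name the host in spec.git.url (the clone fails host-key verification) and a URL the SSH secret cannot serve. The following preflight script is an added example written for this page, not code from Tanzu Application Platform or from the original topic; the manifests in it are constructed, and the function names ssh_host, known_hosts_problems and preflight are the example's own. The ssh-ed25519 entry it uses is the one printed by the ssh-keyscan output above; verify it against GitHub's published keys before relying on it. Parse your sample-private-source-scan.yaml with a YAML library of your choice and pass the resulting dict to preflight before you run kubectl apply.

```python
"""Preflight checks for a SourceScan that clones over SSH.

Added example for this page, not part of Tanzu Application Platform; the
manifests are constructed. It catches the two clone-time failures of a
private scan: knownHosts that does not name the host in spec.git.url, and
a URL that targetSourceSshSecret cannot authenticate.
"""
import re
from urllib.parse import urlparse

HOST_KEY_TYPES = {"ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                  "ecdsa-sha2-nistp521", "ssh-ed25519"}


def ssh_host(url):
    """Return (host, port) of an SSH clone URL, scp-like or ssh://.

    Raises ValueError for https:// and other schemes, which the SSH secret
    cannot authenticate.
    """
    scp = re.match(r"^(?:[\w.-]+@)?([\w.-]+):(?!//)", url)
    if scp:
        return scp.group(1).lower(), 22
    parsed = urlparse(url)
    if parsed.scheme == "ssh" and parsed.hostname:
        return parsed.hostname, parsed.port or 22
    raise ValueError(f"not an SSH clone URL: {url!r}")


def known_hosts_problems(url, known_hosts):
    """List why `known_hosts` (ssh-keyscan output) would not verify `url`.

    OpenSSH compares the first field of each line with the name it dials:
    the bare host on port 22, [host]:port otherwise. An entry for an IP
    address or a different name therefore never authenticates github.com.
    """
    host, port = ssh_host(url)
    wanted = host if port == 22 else f"[{host}]:{port}"
    problems, matched = [], 0
    for n, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) < 3:
            problems.append(f"line {n}: expected 'host type key', got {len(fields)} field(s)")
            continue
        if fields[0].startswith("|1|"):
            problems.append(f"line {n}: hashed host name; rerun ssh-keyscan without -H")
            continue
        if fields[1] not in HOST_KEY_TYPES:
            problems.append(f"line {n}: unknown key type {fields[1]!r}")
        if wanted in fields[0].lower().split(","):
            matched += 1
    if not matched:
        flag = f"-p {port} " if port != 22 else ""
        problems.append(f"no host key for {wanted}; run: ssh-keyscan {flag}{host}")
    return problems


def preflight(manifest):
    """Return the problems found in a SourceScan manifest given as a dict."""
    spec = manifest.get("spec", {})
    git = spec.get("git", {})
    problems = []
    try:
        problems += known_hosts_problems(git.get("url", ""), git.get("knownHosts", ""))
    except ValueError as exc:
        problems.append(str(exc))
    # The page defines REVISION as the commit hash; a branch name would let
    # the scanned tree drift away from the commit the report is filed under.
    if not re.fullmatch(r"[0-9a-f]{40}", git.get("revision", "")):
        problems.append("revision is not a full commit hash")
    if spec.get("scanTemplate") != "private-source-scan-template":
        problems.append("scanTemplate is not private-source-scan-template")
    return problems


# Constructed manifest; the ssh-ed25519 line is the one printed by the
# ssh-keyscan example on this page. Verify it yourself before relying on it.
GOOD_MANIFEST = {
    "apiVersion": "scanning.apps.tanzu.vmware.com/v1beta1",
    "kind": "SourceScan",
    "spec": {
        "git": {
            "url": "git@github.com:acme/website.git",
            "revision": "0123456789abcdef0123456789abcdef01234567",
            "knownHosts": "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\n",
        },
        "scanTemplate": "private-source-scan-template",
    },
}
# knownHosts names an internal IP instead of github.com (constructed key), so
# the clone is rejected at host-key verification and the scan never starts.
BAD_MANIFEST = {**GOOD_MANIFEST, "spec": {**GOOD_MANIFEST["spec"], "git": {
    **GOOD_MANIFEST["spec"]["git"],
    "knownHosts": "10.254.171.53 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY=\n"}}}

if __name__ == "__main__":
    for name, manifest in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(name, preflight(manifest) or "ok")
```

The check mirrors what the git client inside the scan job does: it dials the host named in the URL and looks for that exact name (with [host]:port for non-standard ports) in the first field of known_hosts. Run the script on the manifest you intend to apply; an empty list means the clone can at least authenticate the server, and the remaining failure modes show up in the scan job's pod logs, as described in Observing and Troubleshooting.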