This topic gives you sample ImageVulnerabilityScans (IVS) for various scanners, and any associated secrets. To use one, copy the YAML content for the scanner you want from the corresponding sample topic and adapt it as follows.

To use a custom ImageVulnerabilityScan sample:
- Copy the sample YAML into a file named `custom-ivs.yaml`. Some scanners, such as Carbon Black, Snyk, and Prisma Scanner, require specific credentials that you must specify in the secret.
- Obtain the one or more necessary images, for example, an image containing the scanner.
- Edit these fields of your ImageVulnerabilityScan:
  - `spec.image` is the image that you are scanning. See Retrieving an image digest.
  - `scanResults.location` is the registry URL where the `publisher` service account uploads the scan results. For example, `my.registry/scan-results`.
  - `serviceAccountNames` includes:
    - `scanner` is the service account that runs the scan. It must have read access to `image`.
    - `publisher` is the service account that uploads results. It must have write access to `scanResults.location`.
- Complete any scanner-specific changes specified on the sample ImageVulnerabilityScan page.
- You can either incorporate your custom ImageVulnerabilityScan into a ClusterImageTemplate or run a standalone scan using:

      kubectl apply -f custom-ivs.yaml -n DEV-NAMESPACE

  Where `DEV-NAMESPACE` is the name of the developer namespace where scanning occurs.
Retrieving an image digest

SCST - Scan 2.0 custom resources require the digest form of the image URL, for example `nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2`. A tag such as `nginx:latest` is not accepted, because a tag can be repointed at a different image after the scan.

Use the Docker documentation to pull and inspect an image digest:

    docker pull nginx:latest
    docker inspect --format='{{index .RepoDigests 0}}' nginx:latest

Alternatively, you can install krane to retrieve the digest without pulling the image:

    krane digest nginx:latest
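The following shell script is an added example, not part of this topic or of the SCST - Scan 2.0 product. It ties together the field-editing step above and the digest requirement: `validate_digest_ref` rejects any `spec.image` value that is not in `name@sha256:<64 hex>` form, and `render_ivs` writes only the four fields this topic describes (`spec.image`, `scanResults.location`, `serviceAccountNames.scanner`, `serviceAccountNames.publisher`) so that the scanner-specific content from the sample page can be merged in afterwards. The `apiVersion` and the `metadata.name` value `custom-ivs` are assumptions about the CRD, and the sample digest is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the documentation page or the product).
# Assumptions: the apiVersion/kind below match the SCST Scan 2.0 CRD, and the
# scanner-specific steps from the sample page are appended separately.

# Return 0 when REF is "name@sha256:<64 hex>", 1 otherwise. Tags are mutable,
# so "nginx:latest" is rejected even though it resolves to an image today.
validate_digest_ref() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._/:-]+@sha256:[0-9a-f]{64}$'
}

# Print the ImageVulnerabilityScan fields discussed above as YAML.
# Arguments: IMAGE LOCATION SCANNER_SA PUBLISHER_SA.
# Fails (and prints nothing on stdout) when IMAGE is not digest-pinned, so a
# mutable tag never reaches `kubectl apply`.
render_ivs() {
    image="$1"; location="$2"; scanner_sa="$3"; publisher_sa="$4"
    if ! validate_digest_ref "$image"; then
        echo "refusing: spec.image must use digest form, got '$image'" >&2
        return 1
    fi
    cat <<EOF
apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1   # assumed CRD version
kind: ImageVulnerabilityScan
metadata:
  name: custom-ivs
spec:
  image: $image
  scanResults:
    location: $location
  serviceAccountNames:
    scanner: $scanner_sa      # needs read access to spec.image
    publisher: $publisher_sa  # needs write access to scanResults.location
EOF
}

# Demonstration with the digest quoted in the topic (constructed input; the
# registry path and service account names are placeholders).
SAMPLE_IMAGE='nginx@sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2'
render_ivs "$SAMPLE_IMAGE" my.registry/scan-results scanner publisher
```

Redirect the output to `custom-ivs.yaml`, add the scanner-specific fields from the sample page, and apply it with the `kubectl apply` command shown above. Running `validate_digest_ref` against the output of `docker inspect` or `krane digest` before writing the file catches a reference that was copied with a tag instead of a digest.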