private-source.hbs.md

File metadata and controls

148 lines (111 loc) · 5.33 KB

Sample private source scan for Supply Chain Security Tools - Scan

This example shows how you can perform a private source scan for SCST - Scan.

Note This topic uses SCST - Scan 1.0. SCST - Scan 1.0 is deprecated in Tanzu Application Platform v1.9 and later. In Tanzu Application Platform v1.9, SCST - Scan 1.0 is still the default in Supply Chain with Testing. For more information, see Add testing and scanning to your application. VMware recommends using SCST - Scan 2.0 as SCST - Scan 1.0 will be removed in a future version and SCST - Scan 2.0 will be the default. For more information, see SCST - Scan versions.

Define the resources

1. Create a Kubernetes secret with an SSH key for cloning a Git repository. See the Kubernetes documentation.

   ```console
   cat <<EOF | kubectl create -f -
   apiVersion: v1
   kind: Secret
   metadata:
     name: SECRET-SSH-AUTH
     namespace: DEV-NAMESPACE
     annotations:
       tekton.dev/git-0: github.com
       tekton.dev/git-1: gitlab.com
   type: kubernetes.io/ssh-auth
   stringData:
     ssh-privatekey: |
       -----BEGIN OPENSSH PRIVATE KEY-----
       ....
       ....
       -----END OPENSSH PRIVATE KEY-----
   EOF
   ```

   Where:

   • SECRET-SSH-AUTH is the name of the secret that is being created.
   • DEV-NAMESPACE is the developer namespace where the scanner is installed.
   • .stringData.ssh-privatekey contains the private key with pull permissions. Use a key that has read-only access to the repositories being scanned (for example, a deploy key) and nothing more: anyone who can read secrets in DEV-NAMESPACE can read this key.
   • The tekton.dev/git-N annotations list the Git hosts the key is valid for. For a kubernetes.io/ssh-auth secret, Tekton expects bare host names such as github.com; the https://github.com form belongs to kubernetes.io/basic-auth secrets.

2. Update the tap-values.yaml file to include the name of the secret created above:

   ```yaml
   grype:
     targetSourceSshSecret: "SECRET-SSH-AUTH"
   ```

3. Upgrade Tanzu Application Platform with the modified tap-values.yaml file:

   ```console
   tanzu package installed update tap -p tap.tanzu.vmware.com -v TAP-VERSION --values-file tap-values.yaml -n tap-install
   ```

   Where TAP-VERSION is the Tanzu Application Platform version.

4. Create sample-private-source-scan.yaml:

   ```yaml
   ---
   apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
   kind: SourceScan
   metadata:
     name: sample-private-source-scan
   spec:
     git:
       url: URL
       revision: REVISION
       knownHosts: |
         KNOWN-HOSTS
     scanTemplate: private-source-scan-template
   ```

   Where:

   • URL is the SSH clone URL of the Git repository, for example git@github.com:acme/website.git. An https:// URL does not use the SSH key.
   • REVISION is the full commit hash. Pin to a commit rather than a branch or tag so the scan result stays tied to immutable content.
   • KNOWN-HOSTS are the SSH host keys of the Git server, in known_hosts format, as produced by ssh-keyscan. The host field of each entry must match the host name used in URL, and the output of ssh-keyscan is unauthenticated, so compare the fingerprints (ssh-keygen -lf on the saved output) with the fingerprints the Git provider publishes before you trust them. Host keys also change over time: GitHub replaced its RSA host key in March 2023, so generate the entries yourself rather than copying the ones shown here.
     • For example, ssh-keyscan github.com produced the following at the time this topic was written (the ssh-rsa line is the pre-2023 key and is no longer valid):

       ```console
       github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
       github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
       github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
       ```

   For example (the knownHosts value is truncated; in a real manifest the entry's host field must be the same name the clone URL uses, here github.com, not an IP address):

   ```yaml
   ---
   apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
   kind: SourceScan
   metadata:
     name: sample-private-source-scan
   spec:
     git:
       url: git@github.com:acme/website.git
       revision: 25a55e7df56c6401111be514a2f3666179ba04d0
       knownHosts: |
         10.254.171.53 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbPOVVQF/CzuAeQNv4fZVf2pLxpGHle15zkpxOosckequUDxoq
     scanTemplate: private-source-scan-template
   ```
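The steps above leave three things easy to get wrong: a non-SSH URL, a mutable revision, and a knownHosts block whose host field does not match the clone URL. The following script is an added example, not part of the Tanzu Application Platform documentation or of SCST - Scan, that validates those inputs and renders the SourceScan manifest. The namespace my-apps, the secret name git-ssh-auth and the sample known_hosts/revision values are constructed assumptions; the ed25519 line is the github.com key quoted in this topic and must be regenerated and fingerprint-checked before real use.

```shell
#!/bin/sh
# Added example (not from the TAP docs or SCST - Scan): validate the inputs of a
# private SourceScan and render the manifest. Assumed values: developer namespace
# "my-apps", SSH secret "git-ssh-auth".
set -eu

# Host name of an SSH clone URL, in either the scp-like form
# (git@github.com:acme/website.git) or ssh://git@host[:port]/path. Anything
# else (for example an https:// URL) is rejected because it bypasses the SSH key.
git_ssh_host() {
  local url
  url=$1
  case "$url" in
    ssh://*) url=${url#ssh://}; url=${url%%/*}; url=${url#*@}; url=${url%%:*} ;;
    *@*:*)   url=${url#*@}; url=${url%%:*} ;;
    *)       return 1 ;;
  esac
  printf '%s\n' "$url"
}

# The revision must be a full 40-hex commit hash so the scan is pinned to
# immutable content; a branch or tag can move after the scan ran.
is_commit_hash() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Succeeds only if some known_hosts entry names HOST in its host field. An entry
# keyed by an IP address does not cover a clone of git@github.com:... and the
# in-cluster clone then fails host-key verification.
known_hosts_cover_host() {
  local host known
  host=$1 known=$2
  printf '%s\n' "$known" | awk -v h="$host" '
    $1 !~ /^#/ { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Fingerprints of a known_hosts block, to compare against the fingerprints the
# Git provider publishes (ssh-keyscan output itself is unauthenticated).
known_hosts_fingerprints() {
  printf '%s\n' "$1" | ssh-keygen -lf /dev/stdin
}

# Render the SourceScan manifest after checking URL, revision and knownHosts.
render_sourcescan() {
  local name url rev known host
  name=$1 url=$2 rev=$3 known=$4
  host=$(git_ssh_host "$url") || { echo "not an SSH clone URL: $url" >&2; return 1; }
  is_commit_hash "$rev" || { echo "revision is not a 40-hex commit hash: $rev" >&2; return 1; }
  known_hosts_cover_host "$host" "$known" || { echo "knownHosts has no entry for $host" >&2; return 1; }
  cat <<EOF
---
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: SourceScan
metadata:
  name: $name
spec:
  git:
    url: $url
    revision: $rev
    knownHosts: |
$(printf '%s\n' "$known" | sed 's/^/      /')
  scanTemplate: private-source-scan-template
EOF
}

# Constructed sample inputs. In real use replace SAMPLE_KNOWN_HOSTS with the
# output of:  ssh-keyscan -t ed25519,ecdsa,rsa github.com
# and verify known_hosts_fingerprints against GitHub's published fingerprints.
SAMPLE_KNOWN_HOSTS='github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl'
SAMPLE_URL='git@github.com:acme/website.git'
SAMPLE_REV='25a55e7df56c6401111be514a2f3666179ba04d0'

# Stand-alone run: print the manifest. Pipe it to
#   kubectl apply -f - -n my-apps
# once the secret from step 1 exists in that namespace.
render_sourcescan sample-private-source-scan "$SAMPLE_URL" "$SAMPLE_REV" "$SAMPLE_KNOWN_HOSTS"
```

The validation runs before any kubectl call, so a wrong host entry is caught locally instead of surfacing as a failed clone inside the scan pod. The checks are deliberately strict: an https:// URL or a branch name is rejected rather than silently accepted.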

(Optional) Set up a watch

Before deploying the resources to a user-specified namespace, set up a watch in another terminal to view the progression:

```console
watch kubectl get sourcescans,imagescans,pods,taskruns,scantemplates,scanpolicies -n DEV-NAMESPACE
```

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

See Observing and Troubleshooting.

Deploy the resources

```console
kubectl apply -f sample-private-source-scan.yaml -n DEV-NAMESPACE
```

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View the scan status

After the scan has completed, run:

```console
kubectl describe sourcescan sample-private-source-scan -n DEV-NAMESPACE
```

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

Notice that Status.Conditions includes Reason: JobFinished and Message: The scan job finished. A finished job is not the same as a passing scan: the policy outcome is reported separately. See Viewing and Understanding Scan Status Conditions.

Clean up

```console
kubectl delete -f sample-private-source-scan.yaml -n DEV-NAMESPACE
```

Where DEV-NAMESPACE is the developer namespace where the scanner is installed.

View vulnerability reports

After completing the scans, query the Supply Chain Security Tools - Store to view your vulnerability results.