This topic tells you how to verify scanning with Supply Chains.
Create a sample workload with a pre-built image by using the tanzu apps workload create command:
tanzu apps workload create WORKLOAD-NAME \
  --app APP-NAME \
  --git-repo GIT-REPO \
  --git-branch GIT-BRANCH \
  --type TYPE \
  --namespace DEV-NAMESPACE
Where:
- WORKLOAD-NAME is the name you choose for your workload.
- APP-NAME is the name of your app.
- GIT-REPO is the Git repository from which the workload is created.
- GIT-BRANCH is the branch in a Git repository from where the workload is created.
- TYPE is the type of your app.
- DEV-NAMESPACE is the name of the developer namespace where scanning occurs.
Note: For information about how to create workloads with the Tanzu CLI, see Create a Workload.
Scan results are uploaded to the container image registry as an imgpkg bundle. To retrieve a vulnerability report:
- Retrieve the result location from the ImageVulnerabilityScan CR Status:
  SCAN_RESULT_URL=$(kubectl get imagevulnerabilityscan my-scan -n DEV-NAMESPACE -o jsonpath='{.status.scanResult}')
- Download the bundle to a local directory and list the content:
  imgpkg pull -b "$SCAN_RESULT_URL" -o scan-results/
  ls scan-results/
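The two retrieval steps above, combined into one function that stops when the scan has no result location recorded or when the pull leaves the output directory empty. This is an added example, not code from the product documentation; the function names scan_result_url and fetch_scan_results and their return codes are choices made for this sketch.

```shell
# Added example: wraps the kubectl and imgpkg steps from this topic.
# Function names and return codes are assumptions made for this sketch.

# Print the scan result location recorded on the ImageVulnerabilityScan CR.
scan_result_url() {
  kubectl get imagevulnerabilityscan "$1" -n "$2" \
    -o jsonpath='{.status.scanResult}'
}

# Usage: fetch_scan_results SCAN-NAME DEV-NAMESPACE OUTPUT-DIR
# Prints the files pulled into OUTPUT-DIR on stdout.
# Returns 1 if kubectl fails, 2 if no result location is recorded,
# 3 if the pull fails, 4 if the pull produced no files.
fetch_scan_results() {
  scan="$1"
  ns="$2"
  outdir="$3"

  url="$(scan_result_url "$scan" "$ns")" || return 1

  # An empty field means there is nothing to pull yet; passing an empty
  # reference to imgpkg would only produce a confusing error.
  if [ -z "$url" ]; then
    echo "no .status.scanResult recorded on $scan in $ns" >&2
    return 2
  fi

  # Send imgpkg progress to stderr so stdout carries only the file list.
  imgpkg pull -b "$url" -o "$outdir" >&2 || return 3

  # Treat an empty output directory as a failure instead of reporting
  # a successful retrieval with nothing to review.
  if [ -z "$(ls -A "$outdir" 2>/dev/null)" ]; then
    echo "bundle $url produced no files in $outdir" >&2
    return 4
  fi

  ls -A "$outdir"
}

# Example call, using the names from this topic:
#   fetch_scan_results my-scan DEV-NAMESPACE scan-results/
```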