This document describes how to install Supply Chain Security Tools - Scan from the Tanzu Application Platform package repository.
Note: Use the instructions on this page if you do not want to use a profile to install packages. The full profile includes Supply Chain Security Tools - Scan. For more information about profiles, see Installing the Tanzu Application Platform Package and Profiles.
Before installing Supply Chain Security Tools - Scan:
- Complete all prerequisites to install Tanzu Application Platform. For more information, see Installing the Tanzu CLI.
- Supply Chain Security Tools - Store must be installed on the cluster for scan results to persist. Supply Chain Security Tools - Scan can be installed without Supply Chain Security Tools - Store already installed; in that case, skip creating a values file. After Supply Chain Security Tools - Store is installed, update the Supply Chain Security Tools - Scan values file. For usage instructions, see Using the Supply Chain Security Tools - Store.
- Install Supply Chain Security Tools - Store CLI to query the Supply Chain Security Tools - Store for CVE results. See Installing the CLI.
| Out-Of-The-Box Scanner | Version |
|---|---|
| Anchore Grype | v0.27.2 |
Let us know if there's a scanner you'd like us to support.
The installation for Supply Chain Security Tools - Scan involves installing two packages:
- Scan controller
- Grype scanner
The Scan controller enables you to use a scanner, in this case, the Grype scanner. Ensure both the Grype scanner and the Scan controller are installed.
To install Supply Chain Security Tools - Scan (Scan controller):

1. List version information for the package by running:

   ```shell
   tanzu package available list scanning.apps.tanzu.vmware.com --namespace tap-install
   ```

   For example:

   ```
   $ tanzu package available list scanning.apps.tanzu.vmware.com --namespace tap-install
   / Retrieving package versions for scanning.apps.tanzu.vmware.com...
     NAME                            VERSION  RELEASED-AT
     scanning.apps.tanzu.vmware.com  1.0.0
   ```

2. (Optional) Make changes to the default installation settings by running:

   ```shell
   tanzu package available get scanning.apps.tanzu.vmware.com/1.0.0 --values-schema -n tap-install
   ```

3. Gather the values schema.

4. Install the package with default configuration by running:

   ```shell
   tanzu package install scan-controller \
     --package-name scanning.apps.tanzu.vmware.com \
     --version 1.0.0 \
     --namespace tap-install
   ```
To install Supply Chain Security Tools - Scan (Grype scanner):

1. List version information for the package by running:

   ```shell
   tanzu package available list grype.scanning.apps.tanzu.vmware.com --namespace tap-install
   ```

   For example:

   ```
   $ tanzu package available list grype.scanning.apps.tanzu.vmware.com --namespace tap-install
   / Retrieving package versions for grype.scanning.apps.tanzu.vmware.com...
     NAME                                  VERSION  RELEASED-AT
     grype.scanning.apps.tanzu.vmware.com  1.0.0
   ```

2. (Optional) Make changes to the default installation settings by running:

   ```shell
   tanzu package available get grype.scanning.apps.tanzu.vmware.com/1.0.0 --values-schema -n tap-install
   ```

   For example:

   ```
   $ tanzu package available get grype.scanning.apps.tanzu.vmware.com/1.0.0 --values-schema -n tap-install
   | Retrieving package details for grype.scanning.apps.tanzu.vmware.com/1.0.0...
     KEY                        DEFAULT  TYPE    DESCRIPTION
     namespace                  default  string  Deployment namespace for the Scan Templates
     resources.limits.cpu       1000m    <nil>   Limits describes the maximum amount of cpu resources allowed.
     resources.requests.cpu     250m     <nil>   Requests describes the minimum amount of cpu resources required.
     resources.requests.memory  128Mi    <nil>   Requests describes the minimum amount of memory resources required.
     targetImagePullSecret      <EMPTY>  string  Reference to the secret used for pulling images from private registry.
     targetSourceSshSecret      <EMPTY>  string  Reference to the secret containing SSH credentials for cloning private repositories.
   ```

   The `tap-values.yml` file to change the default installation settings looks like this:

   ```yaml
   grype:
     namespace: my-dev-namespace
     targetImagePullSecret: registry-credentials
   ```

   Note: If you want to use a namespace other than the default namespace, then ensure that the namespace exists before you install. If the namespace does not exist, then the Grype scanner installation fails.

3. The default values are appropriate for this package. If you want to change from the default values, use the Scan controller instructions as a guide.

4. Install the package by running:

   ```shell
   tanzu package install grype-scanner \
     --package-name grype.scanning.apps.tanzu.vmware.com \
     --version 1.0.0 \
     --namespace tap-install
   ```

   For example:

   ```
   $ tanzu package install grype-scanner \
     --package-name grype.scanning.apps.tanzu.vmware.com \
     --version 1.0.0 \
     --namespace tap-install
   / Installing package 'grype.scanning.apps.tanzu.vmware.com'
   | Getting namespace 'tap-install'
   | Getting package metadata for 'grype.scanning.apps.tanzu.vmware.com'
   | Creating service account 'grype-scanner-tap-install-sa'
   | Creating cluster admin role 'grype-scanner-tap-install-cluster-role'
   | Creating cluster role binding 'grype-scanner-tap-install-cluster-rolebinding'
   / Creating package resource
   - Package install status: Reconciling
    Added installed package 'grype-scanner' in namespace 'tap-install'
   ```
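As an added example (this script is not part of the Tanzu documentation or the product), the following POSIX shell script ties the Scan controller and Grype scanner procedures above together: it writes the `grype:` section of `tap-values.yml` from the schema keys shown in the values-schema output, reads the scan namespace back out of that file, checks with `kubectl` that the namespace exists (the failure mode the note above describes), and only then runs the two `tanzu package install` commands. The `--values-file` flag of `tanzu package install` is not shown on this page; it is the Tanzu CLI's standard way to pass a values file. The function names, the `INSTALL`, `SCAN_NS`, `PULL_SECRET`, `PKG_VERSION` and `INSTALL_NS` environment variables, and the sample namespace and secret names are this example's own assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the Tanzu docs): render the Grype values file,
# preflight the scan namespace, then install Scan controller and Grype scanner.
set -eu

PKG_VERSION="${PKG_VERSION:-1.0.0}"      # package version listed by `tanzu package available list`
INSTALL_NS="${INSTALL_NS:-tap-install}"  # namespace holding the package installs

# Emit the `grype:` section of tap-values.yml.
# Arguments: scan namespace, image pull secret name, optional SSH secret name
# (the namespace / targetImagePullSecret / targetSourceSshSecret schema keys).
render_grype_values() {
  ns="$1"; pull_secret="$2"; ssh_secret="${3:-}"
  printf 'grype:\n  namespace: %s\n  targetImagePullSecret: %s\n' "$ns" "$pull_secret"
  if [ -n "$ssh_secret" ]; then
    printf '  targetSourceSshSecret: %s\n' "$ssh_secret"
  fi
}

# Read the `namespace:` value back out of a values file. Falls back to "default",
# the schema default, when the key is absent. Assumes the file holds only the
# `grype:` section, so the first `namespace:` key is the scanner's.
values_namespace() {
  ns=$(sed -n 's/^[[:space:]]*namespace:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1)
  printf '%s\n' "${ns:-default}"
}

# Preflight: the Grype scanner install fails if the scan namespace is missing,
# so refuse to proceed rather than leave a half-reconciled PackageInstall.
ensure_namespace_exists() {
  if ! kubectl get namespace "$1" >/dev/null 2>&1; then
    echo "namespace '$1' does not exist; create it before installing grype-scanner" >&2
    return 1
  fi
}

# Install Scan controller first (it is required by the scanner), then the
# Grype scanner with the rendered values file.
install_scan_packages() {
  values_file="$1"
  ensure_namespace_exists "$(values_namespace "$values_file")"
  tanzu package install scan-controller \
    --package-name scanning.apps.tanzu.vmware.com \
    --version "$PKG_VERSION" \
    --namespace "$INSTALL_NS"
  tanzu package install grype-scanner \
    --package-name grype.scanning.apps.tanzu.vmware.com \
    --version "$PKG_VERSION" \
    --namespace "$INSTALL_NS" \
    --values-file "$values_file"
}

# Only touch the cluster when explicitly asked (INSTALL=1), so the file can be
# sourced for its functions without side effects.
if [ "${INSTALL:-0}" = "1" ]; then
  render_grype_values "${SCAN_NS:-my-dev-namespace}" "${PULL_SECRET:-registry-credentials}" > tap-values.yml
  install_scan_packages tap-values.yml
fi
```

Run it as `INSTALL=1 SCAN_NS=my-dev-namespace PULL_SECRET=registry-credentials sh install-sct-scan.sh` against a cluster where the Tanzu package repository is already added; the namespace check runs before either package is installed, so a typo in `SCAN_NS` surfaces as a clear error instead of a failed reconcile.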