Exploring Grype Scanner for Supply Chain Security Tools for VMware Tanzu – Scan in TAP

In this blog post series, I want to help you understand the different packages that are part of the TAP v0.3 beta release. In this post, I will talk specifically about the “Grype” package. Grype scans source code or container images for vulnerabilities. Before I get into how TAP uses Grype to scan a container image, let’s look at how it works without TAP.

Installing Grype on your local system

– Run the command below to install “Grype” on your local system.

$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

anchore/grype info checking GitHub for latest tag
anchore/grype info found version: 0.25.1 for v0.25.1/darwin/amd64
anchore/grype info installed /usr/local/bin/grype

You can also run “grype --help” to see the options available under grype.

Scanning nginx image using Grype

Now, let’s use “grype” to scan the nginx image from the Docker Hub registry.

The below command scans for vulnerabilities that are visible in the container (i.e., the squashed representation of the image).

$ grype docker:nginx:1.16@sha256:d20aa6d1cae56fd17cd458f4807e0de462caf2336f0b70b5eeb69fcaaf30dd9c                                                 
 ✔ Vulnerability DB        [no update available]
 ✔ Pulled image            
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [119 packages]
 ✔ Scanned image           [224 vulnerabilities]

NAME             INSTALLED                  FIXED-IN                   VULNERABILITY     SEVERITY   
apt              1.8.2                                                 CVE-2011-3374     Negligible  
apt              1.8.2                                CVE-2020-27350    Medium      
apt              1.8.2                                CVE-2020-3810     Medium      
bash             5.0-4                                                 CVE-2019-18276    Negligible  
bsdutils         1:2.33.1-0.1               (won't fix)                CVE-2021-37600    Low         
coreutils        8.30-3                     (won't fix)                CVE-2016-2781     Low         
coreutils        8.30-3                                                CVE-2017-18018    Negligible  
fdisk            2.33.1-0.1                 (won't fix)                CVE-2021-37600    Low         
gcc-8-base       8.3.0-6                    (won't fix)                CVE-2018-12886    High        
gcc-8-base       8.3.0-6                    (won't fix)                CVE-2019-15847    High        
gpgv             2.2.12-1+deb10u1           (won't fix)                CVE-2019-14855    Low         
libapt-pkg5.0    1.8.2                                                 CVE-2011-3374     Negligible  
libapt-pkg5.0    1.8.2                                CVE-2020-27350    Medium      
libapt-pkg5.0    1.8.2                                CVE-2020-3810     Medium      
libblkid1        2.33.1-0.1                 (won't fix)                CVE-2021-37600    Low         
libbsd0          0.9.1-2                    0.9.1-2+deb10u1            CVE-2019-20367    Critical    
libc-bin         2.28-10                                               CVE-2010-4756     Negligible  
libc-bin         2.28-10                    (won't fix)                CVE-2016-10228    Low         
libc-bin         2.28-10                                               CVE-2018-20796    Negligible  
libc-bin         2.28-10                                               CVE-2019-1010022  Negligible  
libc-bin         2.28-10                                               CVE-2019-1010023  Negligible  
libc-bin         2.28-10                                               CVE-2019-1010024  Negligible  
libc-bin         2.28-10                                               CVE-2019-1010025  Negligible  
libc-bin         2.28-10                    (won't fix)                CVE-2019-19126    Low         
libc-bin         2.28-10                    (won't fix)                CVE-2019-25013    Medium      
libc-bin         2.28-10                                               CVE-2019-9192     Negligible  
libc-bin         2.28-10                    (won't fix)                CVE-2020-10029    Medium      
libc-bin         2.28-10                    (won't fix)                CVE-2020-1751     High        
libc-bin         2.28-10                    (won't fix)                CVE-2020-1752     High        
libc-bin         2.28-10                    (won't fix)                CVE-2020-27618    Medium      
libc-bin         2.28-10                    (won't fix)                CVE-2020-6096     Low         
libc-bin         2.28-10                    (won't fix)                CVE-2021-27645    Low         
libc-bin         2.28-10                    (won't fix)                CVE-2021-3326     High        
libc-bin         2.28-10                    (won't fix)                CVE-2021-33574    Critical    
libc-bin         2.28-10                    (won't fix)                CVE-2021-35942    Critical    
libc6            2.28-10                                               CVE-2010-4756     Negligible  
libc6            2.28-10                    (won't fix)                CVE-2016-10228    Low         
libc6            2.28-10                                               CVE-2018-20796    Negligible  
libc6            2.28-10                                               CVE-2019-1010022  Negligible  
libc6            2.28-10                                               CVE-2019-1010023  Negligible  
libc6            2.28-10                                               CVE-2019-1010024  Negligible  
libc6            2.28-10                                               CVE-2019-1010025  Negligible  
libc6            2.28-10                    (won't fix)                CVE-2019-19126    Low         
libc6            2.28-10                    (won't fix)                CVE-2019-25013    Medium      
libc6            2.28-10                                               CVE-2019-9192     Negligible  
libc6            2.28-10                    (won't fix)                CVE-2020-10029    Medium      
libc6            2.28-10                    (won't fix)                CVE-2020-1751     High        
libc6            2.28-10                    (won't fix)                CVE-2020-1752     High        
libc6            2.28-10                    (won't fix)                CVE-2020-27618    Medium      
libc6            2.28-10                    (won't fix)                CVE-2020-6096     Low         
libc6            2.28-10                    (won't fix)                CVE-2021-27645    Low         
libc6            2.28-10                    (won't fix)                CVE-2021-3326     High        
libc6            2.28-10                    (won't fix)                CVE-2021-33574    Critical    
libc6            2.28-10                    (won't fix)                CVE-2021-35942    Critical    
libexpat1        2.2.6-2+deb10u1                                       CVE-2013-0340     Negligible  
libfdisk1        2.33.1-0.1                 (won't fix)                CVE-2021-37600    Low         
libfreetype6     2.9.1-3+deb10u1            2.9.1-3+deb10u2            CVE-2020-15999    Medium      
libgcc1          1:8.3.0-6                  (won't fix)                CVE-2018-12886    High        
libgcc1          1:8.3.0-6                  (won't fix)                CVE-2019-15847    High        
libgcrypt20      1.8.4-5                    (won't fix)                CVE-2019-13627    Medium      
libgcrypt20      1.8.4-5                    1.8.4-5+deb10u1            CVE-2021-33560    High        
libgcrypt20      1.8.4-5                    (won't fix)                CVE-2021-40528    Medium      
libgcrypt20      1.8.4-5                                               CVE-2018-6829     Negligible  
libgd3           2.2.5-5.2                  (won't fix)                CVE-2017-6363     High        
libgd3           2.2.5-5.2                  (won't fix)                CVE-2018-14553    Low         
libgd3           2.2.5-5.2                  (won't fix)                CVE-2021-38115    Medium      
libgd3           2.2.5-5.2                  (won't fix)                CVE-2021-40145    High        
libgd3           2.2.5-5.2                  (won't fix)                CVE-2021-40812    Medium      
libgmp10         2:6.1.2+dfsg-4                                        CVE-2021-43618    Unknown     
libgnutls30      3.6.7-4+deb10u3                                       CVE-2011-3389     Medium      
libgnutls30      3.6.7-4+deb10u3            3.6.7-4+deb10u4            CVE-2020-13777    High        
libgnutls30      3.6.7-4+deb10u3            3.6.7-4+deb10u7            CVE-2020-24659    High        
libgnutls30      3.6.7-4+deb10u3            3.6.7-4+deb10u7            CVE-2021-20231    Critical    
libgnutls30      3.6.7-4+deb10u3            3.6.7-4+deb10u7            CVE-2021-20232    Critical    
libhogweed4      3.4.1-1                    3.4.1-1+deb10u1            CVE-2021-20305    High        
libhogweed4      3.4.1-1                    3.4.1-1+deb10u1            CVE-2021-3580     High        
libicu63         63.1-6+deb10u1                                        CVE-2020-21913    Medium      
libicu63         63.1-6+deb10u1                                        CVE-2021-30535    High        
libidn2-0        2.0.5-1+deb10u1            (won't fix)                CVE-2019-12290    High        
libjbig0         2.1-3.1+b2                                            CVE-2017-9937     Negligible  
libjpeg62-turbo  1:1.5.2-2+b1                                          CVE-2017-15232    Negligible  
libjpeg62-turbo  1:1.5.2-2+b1               1:1.5.2-2+deb10u1          CVE-2018-1152     Medium      
libjpeg62-turbo  1:1.5.2-2+b1                                          CVE-2018-11813    Negligible  
libjpeg62-turbo  1:1.5.2-2+b1               1:1.5.2-2+deb10u1          CVE-2018-14498    Medium      
libjpeg62-turbo  1:1.5.2-2+b1               1:1.5.2-2+deb10u1          CVE-2019-2201     High        
libjpeg62-turbo  1:1.5.2-2+b1               1:1.5.2-2+deb10u1          CVE-2020-13790    High        
libjpeg62-turbo  1:1.5.2-2+b1                                          CVE-2020-17541    Negligible  
liblz4-1         1.8.3-1                    (won't fix)                CVE-2019-17543    Low         
liblz4-1         1.8.3-1                    1.8.3-1+deb10u1            CVE-2021-3520     Critical    
libmount1        2.33.1-0.1                 (won't fix)                CVE-2021-37600    Low         
libncursesw6     6.1+20181013-2+deb10u2                                CVE-2021-39537    Negligible  
libnettle6       3.4.1-1                    3.4.1-1+deb10u1            CVE-2021-20305    High        
libnettle6       3.4.1-1                    3.4.1-1+deb10u1            CVE-2021-3580     High        
libp11-kit0      0.23.15-2                  0.23.15-2+deb10u1          CVE-2020-29361    High        
libp11-kit0      0.23.15-2                  0.23.15-2+deb10u1          CVE-2020-29362    Medium      
libp11-kit0      0.23.15-2                  0.23.15-2+deb10u1          CVE-2020-29363    High        
libpcre3         2:8.39-12                                             CVE-2017-11164    Negligible  
libpcre3         2:8.39-12                                             CVE-2017-16231    Negligible  
libpcre3         2:8.39-12                                             CVE-2017-7245     Negligible  
libpcre3         2:8.39-12                                             CVE-2017-7246     Negligible  
libpcre3         2:8.39-12                                             CVE-2019-20838    Negligible  
libpcre3         2:8.39-12                  (won't fix)                CVE-2020-14155    Medium      
libpng16-16      1.6.36-6                                              CVE-2018-14048    Negligible  
libpng16-16      1.6.36-6                                              CVE-2018-14550    Negligible  
libpng16-16      1.6.36-6                                              CVE-2019-6129     Negligible  
libseccomp2      2.3.3-4                                               CVE-2019-9893     Negligible  
libsepol1        2.8-1                      (won't fix)                CVE-2021-36084    Low         
libsepol1        2.8-1                      (won't fix)                CVE-2021-36085    Low         
libsepol1        2.8-1                      (won't fix)                CVE-2021-36086    Low         
libsepol1        2.8-1                      (won't fix)                CVE-2021-36087    Low         
libsmartcols1    2.33.1-0.1                 (won't fix)                CVE-2021-37600    Low         
libssl1.1        1.1.1d-0+deb10u3                                      CVE-2007-6755     Negligible  
libssl1.1        1.1.1d-0+deb10u3                                      CVE-2010-0928     Negligible  
libssl1.1        1.1.1d-0+deb10u3           1.1.1d-0+deb10u5           CVE-2019-1551     Medium      
libssl1.1        1.1.1d-0+deb10u3           1.1.1d-0+deb10u4           CVE-2020-1971     Medium      
libssl1.1        1.1.1d-0+deb10u3           1.1.1d-0+deb10u5           CVE-2021-23840    High        
libssl1.1        1.1.1d-0+deb10u3           1.1.1d-0+deb10u5           CVE-2021-23841    Medium      
libssl1.1        1.1.1d-0+deb10u3           1.1.1d-0+deb10u6           CVE-2021-3449     Medium      
libssl1.1        1.1.1d-0+deb10u3           1.1.1d-0+deb10u7           CVE-2021-3711     Critical    
libssl1.1        1.1.1d-0+deb10u3           1.1.1d-0+deb10u7           CVE-2021-3712     High        
libstdc++6       8.3.0-6                    (won't fix)                CVE-2018-12886    High        
libstdc++6       8.3.0-6                    (won't fix)                CVE-2019-15847    High        
libsystemd0      241-7~deb10u3                                         CVE-2013-4392     Negligible  
libsystemd0      241-7~deb10u3                                         CVE-2019-20386    Negligible  
libsystemd0      241-7~deb10u3              (won't fix)                CVE-2019-3843     High        
libsystemd0      241-7~deb10u3              (won't fix)                CVE-2019-3844     High        
libsystemd0      241-7~deb10u3                                         CVE-2020-13529    Negligible  
libsystemd0      241-7~deb10u3                                         CVE-2020-13776    Negligible  
libsystemd0      241-7~deb10u3              241-7~deb10u4              CVE-2020-1712     High        
libsystemd0      241-7~deb10u3              241-7~deb10u8              CVE-2021-33910    Medium      
libtasn1-6       4.13-3                                                CVE-2018-1000654  Negligible  
libtiff5         4.1.0+git191117-2~deb10u1                             CVE-2014-8130     Negligible  
libtiff5         4.1.0+git191117-2~deb10u1                             CVE-2017-16232    Negligible  
libtiff5         4.1.0+git191117-2~deb10u1                             CVE-2017-17973    Negligible  
libtiff5         4.1.0+git191117-2~deb10u1                             CVE-2017-5563     Negligible  
libtiff5         4.1.0+git191117-2~deb10u1                             CVE-2017-9117     Negligible  
libtiff5         4.1.0+git191117-2~deb10u1                             CVE-2018-10126    Negligible  
libtiff5         4.1.0+git191117-2~deb10u1                             CVE-2020-35521    Negligible  
libtiff5         4.1.0+git191117-2~deb10u1                             CVE-2020-35522    Negligible  
libtiff5         4.1.0+git191117-2~deb10u1  4.1.0+git191117-2~deb10u2  CVE-2020-35523    High        
libtiff5         4.1.0+git191117-2~deb10u1  4.1.0+git191117-2~deb10u2  CVE-2020-35524    High        
libtiff5         4.1.0+git191117-2~deb10u1  4.1.0+git191117-2~deb10u3  CVE-2020-19143    Medium      
libtinfo6        6.1+20181013-2+deb10u2                                CVE-2021-39537    Negligible  
libudev1         241-7~deb10u3                                         CVE-2013-4392     Negligible  
libudev1         241-7~deb10u3                                         CVE-2019-20386    Negligible  
libudev1         241-7~deb10u3              (won't fix)                CVE-2019-3843     High        
libudev1         241-7~deb10u3              (won't fix)                CVE-2019-3844     High        
libudev1         241-7~deb10u3                                         CVE-2020-13529    Negligible  
libudev1         241-7~deb10u3                                         CVE-2020-13776    Negligible  
libudev1         241-7~deb10u3              241-7~deb10u4              CVE-2020-1712     High        
libudev1         241-7~deb10u3              241-7~deb10u8              CVE-2021-33910    Medium      
libuuid1         2.33.1-0.1                 (won't fix)                CVE-2021-37600    Low         
libwebp6         0.6.1-2                                               CVE-2016-9085     Negligible  
libwebp6         0.6.1-2                    0.6.1-2+deb10u1            CVE-2018-25009    Critical    
libwebp6         0.6.1-2                    0.6.1-2+deb10u1            CVE-2018-25010    Critical    
libwebp6         0.6.1-2                    0.6.1-2+deb10u1            CVE-2018-25011    Critical    
libwebp6         0.6.1-2                    0.6.1-2+deb10u1            CVE-2018-25012    Critical    
libwebp6         0.6.1-2                    0.6.1-2+deb10u1            CVE-2018-25013    Critical    
libwebp6         0.6.1-2                    0.6.1-2+deb10u1            CVE-2018-25014    Critical    
libwebp6         0.6.1-2                    0.6.1-2+deb10u1            CVE-2020-36328    Critical    
libwebp6         0.6.1-2                    0.6.1-2+deb10u1            CVE-2020-36329    Critical    
libwebp6         0.6.1-2                    0.6.1-2+deb10u1            CVE-2020-36330    Critical    
libwebp6         0.6.1-2                    0.6.1-2+deb10u1            CVE-2020-36331    Critical    
libwebp6         0.6.1-2                    0.6.1-2+deb10u1            CVE-2020-36332    High        
libx11-6         2:1.6.7-1                  2:1.6.7-1+deb10u1          CVE-2020-14344    Medium      
libx11-6         2:1.6.7-1                  2:1.6.7-1+deb10u1          CVE-2020-14363    High        
libx11-6         2:1.6.7-1                  2:1.6.7-1+deb10u2          CVE-2021-31535    Critical    
libx11-data      2:1.6.7-1                  2:1.6.7-1+deb10u1          CVE-2020-14344    Medium      
libx11-data      2:1.6.7-1                  2:1.6.7-1+deb10u1          CVE-2020-14363    High        
libx11-data      2:1.6.7-1                  2:1.6.7-1+deb10u2          CVE-2021-31535    Critical    
libxml2          2.9.4+dfsg1-7+b3           (won't fix)                CVE-2016-9318     Medium      
libxml2          2.9.4+dfsg1-7+b3           (won't fix)                CVE-2017-16932    High        
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u1      CVE-2017-18258    Medium      
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u1      CVE-2018-14404    High        
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u1      CVE-2018-14567    Medium      
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u1      CVE-2019-19956    High        
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u1      CVE-2019-20388    High        
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u2      CVE-2020-24977    Medium      
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u1      CVE-2020-7595     High        
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u2      CVE-2021-3516     High        
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u2      CVE-2021-3517     High        
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u2      CVE-2021-3518     High        
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u2      CVE-2021-3537     Medium      
libxml2          2.9.4+dfsg1-7+b3           2.9.4+dfsg1-7+deb10u2      CVE-2021-3541     Medium      
libxslt1.1       1.1.32-2.2~deb10u1                                    CVE-2015-9019     Negligible  
libzstd1         1.3.8+dfsg-3               1.3.8+dfsg-3+deb10u1       CVE-2021-24031    Medium      
libzstd1         1.3.8+dfsg-3               1.3.8+dfsg-3+deb10u2       CVE-2021-24032    Medium      
login            1:4.5-1.1                                             CVE-2007-5686     Negligible  
login            1:4.5-1.1                                             CVE-2013-4235     Negligible  
login            1:4.5-1.1                  (won't fix)                CVE-2018-7169     Low         
login            1:4.5-1.1                                             CVE-2019-19882    Negligible  
mount            2.33.1-0.1                 (won't fix)                CVE-2021-37600    Low         
ncurses-base     6.1+20181013-2+deb10u2                                CVE-2021-39537    Negligible  
ncurses-bin      6.1+20181013-2+deb10u2                                CVE-2021-39537    Negligible  
nginx            1.16.1-1~buster                                       CVE-2009-4487     Negligible  
nginx            1.16.1-1~buster            (won't fix)                CVE-2013-0337     Low         
nginx            1.16.1-1~buster            (won't fix)                CVE-2020-36309    Medium      
nginx            1.16.1-1~buster            (won't fix)                CVE-2021-3618     Unknown     
passwd           1:4.5-1.1                                             CVE-2007-5686     Negligible  
passwd           1:4.5-1.1                                             CVE-2013-4235     Negligible  
passwd           1:4.5-1.1                  (won't fix)                CVE-2018-7169     Low         
passwd           1:4.5-1.1                                             CVE-2019-19882    Negligible  
perl-base        5.28.1-6                                              CVE-2011-4116     Negligible  
perl-base        5.28.1-6                   5.28.1-6+deb10u1           CVE-2020-10543    High        
perl-base        5.28.1-6                   5.28.1-6+deb10u1           CVE-2020-10878    High        
perl-base        5.28.1-6                   5.28.1-6+deb10u1           CVE-2020-12723    High        
tar              1.30+dfsg-6                                           CVE-2005-2541     Negligible  
tar              1.30+dfsg-6                                           CVE-2019-9923     Negligible  
tar              1.30+dfsg-6                                           CVE-2021-20193    Negligible  
util-linux       2.33.1-0.1                 (won't fix)                CVE-2021-37600    Low         

As you can see in the above command output, a total of “224 vulnerabilities” were found in this nginx image.

Now, let’s use the same image and see how we can scan it using the Grype Tanzu package available with TAP.

How to use Grype scanner with TAP

I will not cover how to install TAP, but I will point out which packages you need to install before you can use the Grype resources. For details on installing TAP, refer to the official VMware documentation: https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/0.3/tap-0-3/GUID-install.html

– List the available packages in TAP after adding the repository.

$ tanzu package available list --namespace tap-install
| Retrieving available packages... 
  NAME                                                 DISPLAY-NAME                                                              SHORT-DESCRIPTION                                                                                                                                              LATEST-VERSION  
  accelerator.apps.tanzu.vmware.com                    Application Accelerator for VMware Tanzu                                  Used to create new projects and configurations.                                                                                                                0.4.0           
  api-portal.tanzu.vmware.com                          API portal                                                                A unified user interface to enable search, discovery and try-out of API endpoints at ease.                                                                     1.0.3           
  appliveview.tanzu.vmware.com                         Application Live View for VMware Tanzu                                    App for monitoring and troubleshooting running apps                                                                                                            0.3.0           
  buildservice.tanzu.vmware.com                        Tanzu Build Service                                                       Tanzu Build Service enables the building and automation of containerized software workflows securely and at scale.                                             1.3.1           
  cartographer.tanzu.vmware.com                        Cartographer                                                              Kubernetes native Supply Chain Choreographer.                                                                                                                  0.0.7           
  cnrs.tanzu.vmware.com                                Cloud Native Runtimes                                                     Cloud Native Runtimes is a serverless runtime based on Knative                                                                                                 1.0.3           
  controller.conventions.apps.tanzu.vmware.com         Convention Service for VMware Tanzu                                       Convention Service enables app operators to consistently apply desired runtime configurations to fleets of workloads.                                          0.4.2           
  controller.source.apps.tanzu.vmware.com              Tanzu Source Controller                                                   Tanzu Source Controller enables workload create/update from source code.                                                                                       0.1.2           
  developer-conventions.tanzu.vmware.com               Tanzu App Platform Developer Conventions                                  Developer Conventions                                                                                                                                          0.3.0           
  grype.scanning.apps.tanzu.vmware.com                 Grype Scanner for Supply Chain Security Tools for VMware Tanzu - Scan     Default scan templates using Anchore Grype                                                                                                                     1.0.0-beta.2    
  image-policy-webhook.signing.run.tanzu.vmware.com    Image Policy Webhook                                                      The Image Policy Webhook allows platform operators to define a policy that will use cosign to verify signatures of container images                            1.0.0-beta.1    
  learningcenter.tanzu.vmware.com                      Learning Center for Tanzu Application Platform                            Guided technical workshops                                                                                                                                     1.0.14-build.1  
  ootb-supply-chain-basic.tanzu.vmware.com             Tanzu App Platform Out of The Box Supply Chain Basic                      Out of The Box Supply Chain Basic.                                                                                                                             0.3.0-build.5   
  ootb-supply-chain-testing-scanning.tanzu.vmware.com  Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning  Out of The Box Supply Chain with Testing and Scanning.                                                                                                         0.3.0-build.5   
  ootb-supply-chain-testing.tanzu.vmware.com           Tanzu App Platform Out of The Box Supply Chain with Testing               Out of The Box Supply Chain with Testing.                                                                                                                      0.3.0-build.5   
  ootb-templates.tanzu.vmware.com                      Tanzu App Platform Out of The Box Templates                               Out of The Box Templates.                                                                                                                                      0.3.0-build.5   
  scanning.apps.tanzu.vmware.com                       Supply Chain Security Tools for VMware Tanzu - Scan                       Scan for vulnerabilities and enforce policies directly within Kubernetes native Supply Chains.                                                                 1.0.0-beta.2    
  scst-store.tanzu.vmware.com                          Tanzu Supply Chain Security Tools - Store                                 The Metadata Store enables saving and querying image, package, and vulnerability data.                                                                         1.0.0-beta.1    
  service-bindings.labs.vmware.com                     Service Bindings for Kubernetes                                           Service Bindings for Kubernetes implements the Service Binding Specification.                                                                                  0.5.0           
  services-toolkit.tanzu.vmware.com                    Services Toolkit                                                          The Services Toolkit enables the management, lifecycle, discoverability and connectivity of Service Resources (databases, message queues, DNS records, etc.).  0.4.0           
  spring-boot-conventions.tanzu.vmware.com             Tanzu Spring Boot Conventions Server                                      Default Spring Boot convention server.                                                                                                                         0.1.2           
  tap-gui.tanzu.vmware.com                             Tanzu Application Platform GUI                                            web app graphical user interface for Tanzu Application Platform                                                                                                0.3.0           
  tap.tanzu.vmware.com                                 Tanzu Application Platform                                                Package to install a set of TAP components to get you started based on your use case.                                                                          0.3.0           
  workshops.learningcenter.tanzu.vmware.com            Workshop Building Tutorial                                                Workshop Building Tutorial                                                                                                                                     1.0.7-build.1   

We need the following two packages installed to use Grype.

$ tanzu package installed list -n tap-install
- Retrieving installed packages... 
  NAME             PACKAGE-NAME                          PACKAGE-VERSION  STATUS                                                                
  scan-controller  scanning.apps.tanzu.vmware.com        1.0.0-beta.2     Reconcile succeeded                                                   
  tap              grype.scanning.apps.tanzu.vmware.com  1.0.0-beta.2     Reconcile succeeded                                                   

You can install the above packages by running a simple “tanzu package install” command. For example, to install the Grype package, run the command below:

$ tanzu package install tap -p grype.scanning.apps.tanzu.vmware.com -v 1.0.0-beta.2 -n tap-install

Since we are focused on the scanning functionality, let’s get back to it.

Scanning Image

– First, validate the CRDs created after installing the above-mentioned packages.

$ k get crd | grep -i scan                                                      
imagescans.scanning.apps.tanzu.vmware.com                          2021-11-19T15:40:26Z
scanpolicies.scanning.apps.tanzu.vmware.com                        2021-11-19T15:40:26Z
scantemplates.scanning.apps.tanzu.vmware.com                       2021-11-19T15:40:26Z
sourcescans.scanning.apps.tanzu.vmware.com                         2021-11-19T15:40:26Z

Now, we are going to use the above CRDs.

– Create a scan configuration file with the below content.

---
apiVersion: scanning.apps.tanzu.vmware.com/v1alpha1
kind: ScanPolicy
metadata:
  name: sample-scan-policy
spec:
  regoFile: |
    package policies

    # Fail closed: a vulnerability is non-compliant unless a rule below says otherwise.
    default isCompliant = false

    # Accepted Values: "UnknownSeverity", "Critical", "High", "Medium", "Low", "Negligible"
    violatingSeverities := ["Critical"]
    ignoreCVEs := []

    contains(array, elem) = true {
      array[_] = elem
    } else = false { true }

    # Safe when the severity is not in violatingSeverities.
    isSafe(match) {
      fails := contains(violatingSeverities, match.Ratings.Rating[_].Severity)
      not fails
    }

    # Safe when the CVE is explicitly listed in ignoreCVEs.
    isSafe(match) {
      ignore := contains(ignoreCVEs, match.Id)
      ignore
    }

    isCompliant = isSafe(input.currentVulnerability)

---
apiVersion: scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageScan
metadata:
  name: sample-public-image-scan-with-compliance-check
spec:
  registry:
    image: "nginx:1.16"
  scanTemplate: public-image-scan-template
  scanPolicy: sample-scan-policy

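– As you can see above, we are going to create two objects, ScanPolicy and ImageScan.

  • ScanPolicy: defines what needs to be scanned for, i.e. the Rego rules that decide which findings (here, “Critical” severity) count as violations
  • ImageScan: defines which image needs to be scanned, and which scan template and scan policy to apply to it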
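
To make the policy's logic concrete, here is a Python model of the decision the Rego rules above make for each vulnerability. It is an added example, not TAP's own code: the field names come from the policy text, while the function names and the sample records (with placeholder CVE ids) are constructed for illustration.

```python
# Python model of the ScanPolicy's Rego decision (added illustration, not TAP code).
# Field names (Id, Ratings.Rating[].Severity) come from the policy text above.

def is_safe(vuln, violating_severities, ignore_cves):
    """Mirror the two isSafe(match) rule bodies: either one succeeding is enough."""
    ratings = vuln.get("Ratings", {}).get("Rating", [])
    # Body 1: a rating whose severity is not in violatingSeverities.
    # With no ratings this body cannot succeed, so the default (false) applies.
    ok_by_severity = any(r["Severity"] not in violating_severities for r in ratings)
    # Body 2: the vulnerability id is listed in ignoreCVEs.
    ok_by_ignore = vuln["Id"] in ignore_cves
    return ok_by_severity or ok_by_ignore


def violations(vulns, violating_severities, ignore_cves=()):
    """Ids for which isCompliant would be false."""
    return [v["Id"] for v in vulns
            if not is_safe(v, violating_severities, ignore_cves)]


def make_vuln(cve_id, *severities):
    """Build a record in the shape the policy reads (constructed data)."""
    return {"Id": cve_id,
            "Ratings": {"Rating": [{"Severity": s} for s in severities]}}


# Constructed sample records; the CVE ids are placeholders.
SAMPLE_VULNS = [
    make_vuln("CVE-0000-0001", "Critical"),
    make_vuln("CVE-0000-0002", "High"),
    make_vuln("CVE-0000-0003", "Negligible"),
    make_vuln("CVE-0000-0004"),  # record with no rating
]

if __name__ == "__main__":
    # Policy as written on this page: only Critical violates.
    print(violations(SAMPLE_VULNS, ["Critical"]))
    # Tightened policy: High also violates.
    print(violations(SAMPLE_VULNS, ["Critical", "High"]))
    # Accepting one finding through ignoreCVEs.
    print(violations(SAMPLE_VULNS, ["Critical"], ["CVE-0000-0001"]))
```

Every entry added to ignoreCVEs is an accepted risk, so keep that list short and reviewed.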

– Apply the manifest file

$ k create -f sample-public-image-scan-with-compliance-check.yaml 
scanpolicy.scanning.apps.tanzu.vmware.com/sample-scan-policy created
imagescan.scanning.apps.tanzu.vmware.com/sample-public-image-scan-with-compliance-check created

– Notice the objects created: a job and a pod are created to run the image scan.

$ k get job,po
NAME                                                                 COMPLETIONS   DURATION   AGE
job.batch/scan-sample-public-image-scan-with-compliance-check4xmq5   0/1           33s        33s

NAME                                                                 READY   STATUS    RESTARTS   AGE
pod/scan-sample-public-image-scan-with-compliance-check4xmq5-v4gtw   1/1     Running   0          33s

– In a few minutes, you will notice that the job has completed.

$ k get job,po
NAME                                                                 COMPLETIONS   DURATION   AGE
job.batch/scan-sample-public-image-scan-with-compliance-check4xmq5   1/1           34s        85s

NAME                                                                 READY   STATUS      RESTARTS   AGE
pod/scan-sample-public-image-scan-with-compliance-check4xmq5-v4gtw   0/1     Completed   0          85s

Validate the Scan Result

Now that the scan is completed, we are ready to view the scan result. Run the below command to validate the scan result.

$ k describe imagescan sample-public-image-scan-with-compliance-check
Name:         sample-public-image-scan-with-compliance-check
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  scanning.apps.tanzu.vmware.com/v1alpha1
Kind:         ImageScan
  Creation Timestamp:  2021-11-20T06:17:41Z
  Generation:          1
  Managed Fields:
    API Version:  scanning.apps.tanzu.vmware.com/v1alpha1
    Fields Type:  FieldsV1
    Manager:      kubectl-create
    Operation:    Update
    Time:         2021-11-20T06:17:41Z
    API Version:  scanning.apps.tanzu.vmware.com/v1alpha1
    Fields Type:  FieldsV1
    Manager:         manager
    Operation:       Update
    Time:            2021-11-20T06:18:16Z
  Resource Version:  27503
  UID:               af0ea300-5ed8-4669-840b-2b9c7bc07f4a
    Image:        nginx:1.16
  Scan Policy:    sample-scan-policy
  Scan Template:  public-image-scan-template
      Image:  nginx:1.16@sha256:d20aa6d1cae56fd17cd458f4807e0de462caf2336f0b70b5eeb69fcaaf30dd9c
    Last Transition Time:  2021-11-20T06:18:16Z
    Message:               The scan job terminated
    Observed Generation:   1
    Reason:                JobFinished
    Status:                False
    Type:                  Scanning
    Last Transition Time:  2021-11-20T06:18:16Z
    Message:               Scan completed. Found 224 CVE(s): 21 Critical, 59 High, 45 Medium, 97 Low, 2 Unknown
    Observed Generation:   1
    Reason:                JobFinished
    Status:                True
    Type:                  Succeeded
    Last Transition Time:  2021-11-20T06:18:16Z
    Message:               Results successfully sent to metadata store
    Observed Generation:   1
    Reason:                ResultsSent
    Status:                True
    Type:                  SendingResults
    Last Transition Time:  2021-11-20T06:18:17Z
    Message:               Policy violated because of 18 CVEs
    Observed Generation:   1
    Reason:                EvaluationFailed
    Status:                False
    Type:                  PolicySucceeded
  Non Compliant Artifact:
      Image:            nginx:1.16@sha256:d20aa6d1cae56fd17cd458f4807e0de462caf2336f0b70b5eeb69fcaaf30dd9c
  Observed Generation:  1
  Phase:                Failed
  Scanned By:
      Name:     grype
      Vendor:   anchore
      Version:  v0.23.0
  Type    Reason                  Age                    From                 Message
  ----    ------                  ----                   ----                 -------
  Normal  ScanJobCreationSuccess  2m50s (x2 over 2m50s)  ImageScanReconciler  ImageScan job created successfully
  Normal  FetchScanReportSuccess  2m15s (x2 over 2m16s)  JobReconciler        Fetched scan report from the job
  Normal  SaveScanResultsSuccess  2m15s (x2 over 2m16s)  JobReconciler        Sent the report to the metadata store successfully!

Note the Message lines in the output above to understand the scan result.
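
The conditions above are what an automated deployment gate would key on. The following added example (not part of the original post or of TAP) reads them from a constructed JSON document shaped like the output of `k get imagescan <name> -o json`; the status.conditions key names are assumed to follow the standard Kubernetes layout, and the condition values are copied from the describe output above.

```python
import json
import re

# Constructed sample; key names under "status" are an assumption (standard
# Kubernetes conditions layout), values are taken from the describe output.
SAMPLE_IMAGESCAN = json.dumps({"status": {"conditions": [
    {"type": "Scanning", "status": "False", "reason": "JobFinished",
     "message": "The scan job terminated"},
    {"type": "Succeeded", "status": "True", "reason": "JobFinished",
     "message": "Scan completed. Found 224 CVE(s): 21 Critical, 59 High, "
                "45 Medium, 97 Low, 2 Unknown"},
    {"type": "SendingResults", "status": "True", "reason": "ResultsSent",
     "message": "Results successfully sent to metadata store"},
    {"type": "PolicySucceeded", "status": "False", "reason": "EvaluationFailed",
     "message": "Policy violated because of 18 CVEs"},
]}})


def severity_counts(message):
    """Turn the 'Found N CVE(s): ...' message into {'Critical': 21, ...}."""
    if ":" not in message:
        return {}
    tail = message.split(":", 1)[1]
    return {name: int(n) for n, name in re.findall(r"(\d+)\s+(\w+)", tail)}


def gate(imagescan_json):
    """Return (allowed, reason); anything short of an explicit pass blocks."""
    status = json.loads(imagescan_json).get("status", {})
    conds = {c["type"]: c for c in status.get("conditions", [])}
    scan = conds.get("Succeeded")
    if scan is None or scan["status"] != "True":
        return False, "scan has not completed successfully"
    policy = conds.get("PolicySucceeded")
    if policy is None:
        # A finished scan without a verdict must not be read as a pass.
        return False, "no policy verdict recorded"
    if policy["status"] != "True":
        return False, policy.get("message", "policy evaluation failed")
    return True, "policy satisfied"


if __name__ == "__main__":
    doc = json.loads(SAMPLE_IMAGESCAN)
    print(severity_counts(doc["status"]["conditions"][1]["message"]))
    print(gate(SAMPLE_IMAGESCAN))
```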

So, let’s conclude here:

We first explored Grype without TAP, using the grype CLI to scan the nginx image. Then I installed the Grype package that is part of the TAP repository and ran the image scan in a Kubernetes-native way.

