
In this blog post series, I want to help you understand the different packages that are part of the TAP v0.3 beta release. In this post, I will be talking about the “Grype” package specifically. Grype scans source code or container images for known vulnerabilities. Before I jump into how TAP uses Grype to scan a container image, let’s understand how it works without TAP.
Installing Grype on your local system
– Run the below command to install Grype on your local system (the installer queries GitHub for the latest release and drops the binary into /usr/local/bin).
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
anchore/grype info checking GitHub for latest tag
anchore/grype info found version: 0.25.1 for v0.25.1/darwin/amd64
anchore/grype info installed /usr/local/bin/grype
$
You can also run “grype --help” to see the available options.
Scanning nginx image using Grype
Now, let’s use grype to scan the nginx image from the Docker Hub registry.
The below command scans for vulnerabilities that are visible in the container (i.e., the squashed representation of the image). The image is referenced by digest, so the same layers are scanned every time.
$ grype docker:nginx:1.16@sha256:d20aa6d1cae56fd17cd458f4807e0de462caf2336f0b70b5eeb69fcaaf30dd9c
✔ Vulnerability DB [no update available]
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [119 packages]
✔ Scanned image [224 vulnerabilities]
NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY
apt 1.8.2 CVE-2011-3374 Negligible
apt 1.8.2 1.8.2.2 CVE-2020-27350 Medium
apt 1.8.2 1.8.2.1 CVE-2020-3810 Medium
bash 5.0-4 CVE-2019-18276 Negligible
bsdutils 1:2.33.1-0.1 (won't fix) CVE-2021-37600 Low
coreutils 8.30-3 (won't fix) CVE-2016-2781 Low
coreutils 8.30-3 CVE-2017-18018 Negligible
fdisk 2.33.1-0.1 (won't fix) CVE-2021-37600 Low
gcc-8-base 8.3.0-6 (won't fix) CVE-2018-12886 High
gcc-8-base 8.3.0-6 (won't fix) CVE-2019-15847 High
gpgv 2.2.12-1+deb10u1 (won't fix) CVE-2019-14855 Low
libapt-pkg5.0 1.8.2 CVE-2011-3374 Negligible
libapt-pkg5.0 1.8.2 1.8.2.2 CVE-2020-27350 Medium
libapt-pkg5.0 1.8.2 1.8.2.1 CVE-2020-3810 Medium
libblkid1 2.33.1-0.1 (won't fix) CVE-2021-37600 Low
libbsd0 0.9.1-2 0.9.1-2+deb10u1 CVE-2019-20367 Critical
libc-bin 2.28-10 CVE-2010-4756 Negligible
libc-bin 2.28-10 (won't fix) CVE-2016-10228 Low
libc-bin 2.28-10 CVE-2018-20796 Negligible
libc-bin 2.28-10 CVE-2019-1010022 Negligible
libc-bin 2.28-10 CVE-2019-1010023 Negligible
libc-bin 2.28-10 CVE-2019-1010024 Negligible
libc-bin 2.28-10 CVE-2019-1010025 Negligible
libc-bin 2.28-10 (won't fix) CVE-2019-19126 Low
libc-bin 2.28-10 (won't fix) CVE-2019-25013 Medium
libc-bin 2.28-10 CVE-2019-9192 Negligible
libc-bin 2.28-10 (won't fix) CVE-2020-10029 Medium
libc-bin 2.28-10 (won't fix) CVE-2020-1751 High
libc-bin 2.28-10 (won't fix) CVE-2020-1752 High
libc-bin 2.28-10 (won't fix) CVE-2020-27618 Medium
libc-bin 2.28-10 (won't fix) CVE-2020-6096 Low
libc-bin 2.28-10 (won't fix) CVE-2021-27645 Low
libc-bin 2.28-10 (won't fix) CVE-2021-3326 High
libc-bin 2.28-10 (won't fix) CVE-2021-33574 Critical
libc-bin 2.28-10 (won't fix) CVE-2021-35942 Critical
libc6 2.28-10 CVE-2010-4756 Negligible
libc6 2.28-10 (won't fix) CVE-2016-10228 Low
libc6 2.28-10 CVE-2018-20796 Negligible
libc6 2.28-10 CVE-2019-1010022 Negligible
libc6 2.28-10 CVE-2019-1010023 Negligible
libc6 2.28-10 CVE-2019-1010024 Negligible
libc6 2.28-10 CVE-2019-1010025 Negligible
libc6 2.28-10 (won't fix) CVE-2019-19126 Low
libc6 2.28-10 (won't fix) CVE-2019-25013 Medium
libc6 2.28-10 CVE-2019-9192 Negligible
libc6 2.28-10 (won't fix) CVE-2020-10029 Medium
libc6 2.28-10 (won't fix) CVE-2020-1751 High
libc6 2.28-10 (won't fix) CVE-2020-1752 High
libc6 2.28-10 (won't fix) CVE-2020-27618 Medium
libc6 2.28-10 (won't fix) CVE-2020-6096 Low
libc6 2.28-10 (won't fix) CVE-2021-27645 Low
libc6 2.28-10 (won't fix) CVE-2021-3326 High
libc6 2.28-10 (won't fix) CVE-2021-33574 Critical
libc6 2.28-10 (won't fix) CVE-2021-35942 Critical
libexpat1 2.2.6-2+deb10u1 CVE-2013-0340 Negligible
libfdisk1 2.33.1-0.1 (won't fix) CVE-2021-37600 Low
libfreetype6 2.9.1-3+deb10u1 2.9.1-3+deb10u2 CVE-2020-15999 Medium
libgcc1 1:8.3.0-6 (won't fix) CVE-2018-12886 High
libgcc1 1:8.3.0-6 (won't fix) CVE-2019-15847 High
libgcrypt20 1.8.4-5 (won't fix) CVE-2019-13627 Medium
libgcrypt20 1.8.4-5 1.8.4-5+deb10u1 CVE-2021-33560 High
libgcrypt20 1.8.4-5 (won't fix) CVE-2021-40528 Medium
libgcrypt20 1.8.4-5 CVE-2018-6829 Negligible
libgd3 2.2.5-5.2 (won't fix) CVE-2017-6363 High
libgd3 2.2.5-5.2 (won't fix) CVE-2018-14553 Low
libgd3 2.2.5-5.2 (won't fix) CVE-2021-38115 Medium
libgd3 2.2.5-5.2 (won't fix) CVE-2021-40145 High
libgd3 2.2.5-5.2 (won't fix) CVE-2021-40812 Medium
libgmp10 2:6.1.2+dfsg-4 CVE-2021-43618 Unknown
libgnutls30 3.6.7-4+deb10u3 CVE-2011-3389 Medium
libgnutls30 3.6.7-4+deb10u3 3.6.7-4+deb10u4 CVE-2020-13777 High
libgnutls30 3.6.7-4+deb10u3 3.6.7-4+deb10u7 CVE-2020-24659 High
libgnutls30 3.6.7-4+deb10u3 3.6.7-4+deb10u7 CVE-2021-20231 Critical
libgnutls30 3.6.7-4+deb10u3 3.6.7-4+deb10u7 CVE-2021-20232 Critical
libhogweed4 3.4.1-1 3.4.1-1+deb10u1 CVE-2021-20305 High
libhogweed4 3.4.1-1 3.4.1-1+deb10u1 CVE-2021-3580 High
libicu63 63.1-6+deb10u1 CVE-2020-21913 Medium
libicu63 63.1-6+deb10u1 CVE-2021-30535 High
libidn2-0 2.0.5-1+deb10u1 (won't fix) CVE-2019-12290 High
libjbig0 2.1-3.1+b2 CVE-2017-9937 Negligible
libjpeg62-turbo 1:1.5.2-2+b1 CVE-2017-15232 Negligible
libjpeg62-turbo 1:1.5.2-2+b1 1:1.5.2-2+deb10u1 CVE-2018-1152 Medium
libjpeg62-turbo 1:1.5.2-2+b1 CVE-2018-11813 Negligible
libjpeg62-turbo 1:1.5.2-2+b1 1:1.5.2-2+deb10u1 CVE-2018-14498 Medium
libjpeg62-turbo 1:1.5.2-2+b1 1:1.5.2-2+deb10u1 CVE-2019-2201 High
libjpeg62-turbo 1:1.5.2-2+b1 1:1.5.2-2+deb10u1 CVE-2020-13790 High
libjpeg62-turbo 1:1.5.2-2+b1 CVE-2020-17541 Negligible
liblz4-1 1.8.3-1 (won't fix) CVE-2019-17543 Low
liblz4-1 1.8.3-1 1.8.3-1+deb10u1 CVE-2021-3520 Critical
libmount1 2.33.1-0.1 (won't fix) CVE-2021-37600 Low
libncursesw6 6.1+20181013-2+deb10u2 CVE-2021-39537 Negligible
libnettle6 3.4.1-1 3.4.1-1+deb10u1 CVE-2021-20305 High
libnettle6 3.4.1-1 3.4.1-1+deb10u1 CVE-2021-3580 High
libp11-kit0 0.23.15-2 0.23.15-2+deb10u1 CVE-2020-29361 High
libp11-kit0 0.23.15-2 0.23.15-2+deb10u1 CVE-2020-29362 Medium
libp11-kit0 0.23.15-2 0.23.15-2+deb10u1 CVE-2020-29363 High
libpcre3 2:8.39-12 CVE-2017-11164 Negligible
libpcre3 2:8.39-12 CVE-2017-16231 Negligible
libpcre3 2:8.39-12 CVE-2017-7245 Negligible
libpcre3 2:8.39-12 CVE-2017-7246 Negligible
libpcre3 2:8.39-12 CVE-2019-20838 Negligible
libpcre3 2:8.39-12 (won't fix) CVE-2020-14155 Medium
libpng16-16 1.6.36-6 CVE-2018-14048 Negligible
libpng16-16 1.6.36-6 CVE-2018-14550 Negligible
libpng16-16 1.6.36-6 CVE-2019-6129 Negligible
libseccomp2 2.3.3-4 CVE-2019-9893 Negligible
libsepol1 2.8-1 (won't fix) CVE-2021-36084 Low
libsepol1 2.8-1 (won't fix) CVE-2021-36085 Low
libsepol1 2.8-1 (won't fix) CVE-2021-36086 Low
libsepol1 2.8-1 (won't fix) CVE-2021-36087 Low
libsmartcols1 2.33.1-0.1 (won't fix) CVE-2021-37600 Low
libssl1.1 1.1.1d-0+deb10u3 CVE-2007-6755 Negligible
libssl1.1 1.1.1d-0+deb10u3 CVE-2010-0928 Negligible
libssl1.1 1.1.1d-0+deb10u3 1.1.1d-0+deb10u5 CVE-2019-1551 Medium
libssl1.1 1.1.1d-0+deb10u3 1.1.1d-0+deb10u4 CVE-2020-1971 Medium
libssl1.1 1.1.1d-0+deb10u3 1.1.1d-0+deb10u5 CVE-2021-23840 High
libssl1.1 1.1.1d-0+deb10u3 1.1.1d-0+deb10u5 CVE-2021-23841 Medium
libssl1.1 1.1.1d-0+deb10u3 1.1.1d-0+deb10u6 CVE-2021-3449 Medium
libssl1.1 1.1.1d-0+deb10u3 1.1.1d-0+deb10u7 CVE-2021-3711 Critical
libssl1.1 1.1.1d-0+deb10u3 1.1.1d-0+deb10u7 CVE-2021-3712 High
libstdc++6 8.3.0-6 (won't fix) CVE-2018-12886 High
libstdc++6 8.3.0-6 (won't fix) CVE-2019-15847 High
libsystemd0 241-7~deb10u3 CVE-2013-4392 Negligible
libsystemd0 241-7~deb10u3 CVE-2019-20386 Negligible
libsystemd0 241-7~deb10u3 (won't fix) CVE-2019-3843 High
libsystemd0 241-7~deb10u3 (won't fix) CVE-2019-3844 High
libsystemd0 241-7~deb10u3 CVE-2020-13529 Negligible
libsystemd0 241-7~deb10u3 CVE-2020-13776 Negligible
libsystemd0 241-7~deb10u3 241-7~deb10u4 CVE-2020-1712 High
libsystemd0 241-7~deb10u3 241-7~deb10u8 CVE-2021-33910 Medium
libtasn1-6 4.13-3 CVE-2018-1000654 Negligible
libtiff5 4.1.0+git191117-2~deb10u1 CVE-2014-8130 Negligible
libtiff5 4.1.0+git191117-2~deb10u1 CVE-2017-16232 Negligible
libtiff5 4.1.0+git191117-2~deb10u1 CVE-2017-17973 Negligible
libtiff5 4.1.0+git191117-2~deb10u1 CVE-2017-5563 Negligible
libtiff5 4.1.0+git191117-2~deb10u1 CVE-2017-9117 Negligible
libtiff5 4.1.0+git191117-2~deb10u1 CVE-2018-10126 Negligible
libtiff5 4.1.0+git191117-2~deb10u1 CVE-2020-35521 Negligible
libtiff5 4.1.0+git191117-2~deb10u1 CVE-2020-35522 Negligible
libtiff5 4.1.0+git191117-2~deb10u1 4.1.0+git191117-2~deb10u2 CVE-2020-35523 High
libtiff5 4.1.0+git191117-2~deb10u1 4.1.0+git191117-2~deb10u2 CVE-2020-35524 High
libtiff5 4.1.0+git191117-2~deb10u1 4.1.0+git191117-2~deb10u3 CVE-2020-19143 Medium
libtinfo6 6.1+20181013-2+deb10u2 CVE-2021-39537 Negligible
libudev1 241-7~deb10u3 CVE-2013-4392 Negligible
libudev1 241-7~deb10u3 CVE-2019-20386 Negligible
libudev1 241-7~deb10u3 (won't fix) CVE-2019-3843 High
libudev1 241-7~deb10u3 (won't fix) CVE-2019-3844 High
libudev1 241-7~deb10u3 CVE-2020-13529 Negligible
libudev1 241-7~deb10u3 CVE-2020-13776 Negligible
libudev1 241-7~deb10u3 241-7~deb10u4 CVE-2020-1712 High
libudev1 241-7~deb10u3 241-7~deb10u8 CVE-2021-33910 Medium
libuuid1 2.33.1-0.1 (won't fix) CVE-2021-37600 Low
libwebp6 0.6.1-2 CVE-2016-9085 Negligible
libwebp6 0.6.1-2 0.6.1-2+deb10u1 CVE-2018-25009 Critical
libwebp6 0.6.1-2 0.6.1-2+deb10u1 CVE-2018-25010 Critical
libwebp6 0.6.1-2 0.6.1-2+deb10u1 CVE-2018-25011 Critical
libwebp6 0.6.1-2 0.6.1-2+deb10u1 CVE-2018-25012 Critical
libwebp6 0.6.1-2 0.6.1-2+deb10u1 CVE-2018-25013 Critical
libwebp6 0.6.1-2 0.6.1-2+deb10u1 CVE-2018-25014 Critical
libwebp6 0.6.1-2 0.6.1-2+deb10u1 CVE-2020-36328 Critical
libwebp6 0.6.1-2 0.6.1-2+deb10u1 CVE-2020-36329 Critical
libwebp6 0.6.1-2 0.6.1-2+deb10u1 CVE-2020-36330 Critical
libwebp6 0.6.1-2 0.6.1-2+deb10u1 CVE-2020-36331 Critical
libwebp6 0.6.1-2 0.6.1-2+deb10u1 CVE-2020-36332 High
libx11-6 2:1.6.7-1 2:1.6.7-1+deb10u1 CVE-2020-14344 Medium
libx11-6 2:1.6.7-1 2:1.6.7-1+deb10u1 CVE-2020-14363 High
libx11-6 2:1.6.7-1 2:1.6.7-1+deb10u2 CVE-2021-31535 Critical
libx11-data 2:1.6.7-1 2:1.6.7-1+deb10u1 CVE-2020-14344 Medium
libx11-data 2:1.6.7-1 2:1.6.7-1+deb10u1 CVE-2020-14363 High
libx11-data 2:1.6.7-1 2:1.6.7-1+deb10u2 CVE-2021-31535 Critical
libxml2 2.9.4+dfsg1-7+b3 (won't fix) CVE-2016-9318 Medium
libxml2 2.9.4+dfsg1-7+b3 (won't fix) CVE-2017-16932 High
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u1 CVE-2017-18258 Medium
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u1 CVE-2018-14404 High
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u1 CVE-2018-14567 Medium
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u1 CVE-2019-19956 High
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u1 CVE-2019-20388 High
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u2 CVE-2020-24977 Medium
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u1 CVE-2020-7595 High
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u2 CVE-2021-3516 High
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u2 CVE-2021-3517 High
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u2 CVE-2021-3518 High
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u2 CVE-2021-3537 Medium
libxml2 2.9.4+dfsg1-7+b3 2.9.4+dfsg1-7+deb10u2 CVE-2021-3541 Medium
libxslt1.1 1.1.32-2.2~deb10u1 CVE-2015-9019 Negligible
libzstd1 1.3.8+dfsg-3 1.3.8+dfsg-3+deb10u1 CVE-2021-24031 Medium
libzstd1 1.3.8+dfsg-3 1.3.8+dfsg-3+deb10u2 CVE-2021-24032 Medium
login 1:4.5-1.1 CVE-2007-5686 Negligible
login 1:4.5-1.1 CVE-2013-4235 Negligible
login 1:4.5-1.1 (won't fix) CVE-2018-7169 Low
login 1:4.5-1.1 CVE-2019-19882 Negligible
mount 2.33.1-0.1 (won't fix) CVE-2021-37600 Low
ncurses-base 6.1+20181013-2+deb10u2 CVE-2021-39537 Negligible
ncurses-bin 6.1+20181013-2+deb10u2 CVE-2021-39537 Negligible
nginx 1.16.1-1~buster CVE-2009-4487 Negligible
nginx 1.16.1-1~buster (won't fix) CVE-2013-0337 Low
nginx 1.16.1-1~buster (won't fix) CVE-2020-36309 Medium
nginx 1.16.1-1~buster (won't fix) CVE-2021-3618 Unknown
passwd 1:4.5-1.1 CVE-2007-5686 Negligible
passwd 1:4.5-1.1 CVE-2013-4235 Negligible
passwd 1:4.5-1.1 (won't fix) CVE-2018-7169 Low
passwd 1:4.5-1.1 CVE-2019-19882 Negligible
perl-base 5.28.1-6 CVE-2011-4116 Negligible
perl-base 5.28.1-6 5.28.1-6+deb10u1 CVE-2020-10543 High
perl-base 5.28.1-6 5.28.1-6+deb10u1 CVE-2020-10878 High
perl-base 5.28.1-6 5.28.1-6+deb10u1 CVE-2020-12723 High
tar 1.30+dfsg-6 CVE-2005-2541 Negligible
tar 1.30+dfsg-6 CVE-2019-9923 Negligible
tar 1.30+dfsg-6 CVE-2021-20193 Negligible
util-linux 2.33.1-0.1 (won't fix) CVE-2021-37600 Low
As you can see in the above command output, a total of 224 vulnerabilities were found in this nginx image.
Now, let’s scan the same image using the Grype Tanzu package that ships with TAP.
How to use Grype scanner with TAP
I will not be talking about how to install TAP, but I will let you know which packages you need to install before you can use the Grype resources. If you need details about installing TAP, refer to the official VMware documentation here: https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/0.3/tap-0-3/GUID-install.html
– List the available packages in TAP after adding the repository.
$ tanzu package available list --namespace tap-install
| Retrieving available packages...
NAME DISPLAY-NAME SHORT-DESCRIPTION LATEST-VERSION
accelerator.apps.tanzu.vmware.com Application Accelerator for VMware Tanzu Used to create new projects and configurations. 0.4.0
api-portal.tanzu.vmware.com API portal A unified user interface to enable search, discovery and try-out of API endpoints at ease. 1.0.3
appliveview.tanzu.vmware.com Application Live View for VMware Tanzu App for monitoring and troubleshooting running apps 0.3.0
buildservice.tanzu.vmware.com Tanzu Build Service Tanzu Build Service enables the building and automation of containerized software workflows securely and at scale. 1.3.1
cartographer.tanzu.vmware.com Cartographer Kubernetes native Supply Chain Choreographer. 0.0.7
cnrs.tanzu.vmware.com Cloud Native Runtimes Cloud Native Runtimes is a serverless runtime based on Knative 1.0.3
controller.conventions.apps.tanzu.vmware.com Convention Service for VMware Tanzu Convention Service enables app operators to consistently apply desired runtime configurations to fleets of workloads. 0.4.2
controller.source.apps.tanzu.vmware.com Tanzu Source Controller Tanzu Source Controller enables workload create/update from source code. 0.1.2
developer-conventions.tanzu.vmware.com Tanzu App Platform Developer Conventions Developer Conventions 0.3.0
grype.scanning.apps.tanzu.vmware.com Grype Scanner for Supply Chain Security Tools for VMware Tanzu - Scan Default scan templates using Anchore Grype 1.0.0-beta.2
image-policy-webhook.signing.run.tanzu.vmware.com Image Policy Webhook The Image Policy Webhook allows platform operators to define a policy that will use cosign to verify signatures of container images 1.0.0-beta.1
learningcenter.tanzu.vmware.com Learning Center for Tanzu Application Platform Guided technical workshops 1.0.14-build.1
ootb-supply-chain-basic.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain Basic Out of The Box Supply Chain Basic. 0.3.0-build.5
ootb-supply-chain-testing-scanning.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain with Testing and Scanning Out of The Box Supply Chain with Testing and Scanning. 0.3.0-build.5
ootb-supply-chain-testing.tanzu.vmware.com Tanzu App Platform Out of The Box Supply Chain with Testing Out of The Box Supply Chain with Testing. 0.3.0-build.5
ootb-templates.tanzu.vmware.com Tanzu App Platform Out of The Box Templates Out of The Box Templates. 0.3.0-build.5
scanning.apps.tanzu.vmware.com Supply Chain Security Tools for VMware Tanzu - Scan Scan for vulnerabilities and enforce policies directly within Kubernetes native Supply Chains. 1.0.0-beta.2
scst-store.tanzu.vmware.com Tanzu Supply Chain Security Tools - Store The Metadata Store enables saving and querying image, package, and vulnerability data. 1.0.0-beta.1
service-bindings.labs.vmware.com Service Bindings for Kubernetes Service Bindings for Kubernetes implements the Service Binding Specification. 0.5.0
services-toolkit.tanzu.vmware.com Services Toolkit The Services Toolkit enables the management, lifecycle, discoverability and connectivity of Service Resources (databases, message queues, DNS records, etc.). 0.4.0
spring-boot-conventions.tanzu.vmware.com Tanzu Spring Boot Conventions Server Default Spring Boot convention server. 0.1.2
tap-gui.tanzu.vmware.com Tanzu Application Platform GUI web app graphical user interface for Tanzu Application Platform 0.3.0
tap.tanzu.vmware.com Tanzu Application Platform Package to install a set of TAP components to get you started based on your use case. 0.3.0
workshops.learningcenter.tanzu.vmware.com Workshop Building Tutorial Workshop Building Tutorial 1.0.7-build.1
We need the following two packages installed to use Grype.
$ tanzu package installed list -n tap-install
- Retrieving installed packages...
NAME PACKAGE-NAME PACKAGE-VERSION STATUS
scan-controller scanning.apps.tanzu.vmware.com 1.0.0-beta.2 Reconcile succeeded
tap grype.scanning.apps.tanzu.vmware.com 1.0.0-beta.2 Reconcile succeeded
$
You can install the above packages with the “tanzu package install” command. For example, to install the Grype package, run:
$ tanzu package install tap -p grype.scanning.apps.tanzu.vmware.com -v 1.0.0-beta.2 -n tap-install
Since we are focused on the scanning functionality, let’s get back to it.
Scanning Image
– First, validate the CRDs created after installing the above packages (“k” is an alias for kubectl in the commands below).
$ k get crd | grep -i scan
imagescans.scanning.apps.tanzu.vmware.com 2021-11-19T15:40:26Z
scanpolicies.scanning.apps.tanzu.vmware.com 2021-11-19T15:40:26Z
scantemplates.scanning.apps.tanzu.vmware.com 2021-11-19T15:40:26Z
sourcescans.scanning.apps.tanzu.vmware.com 2021-11-19T15:40:26Z
$
Now we are going to use these CRDs.
– Create a scan configuration file (sample-public-image-scan-with-compliance-check.yaml) with the below content.
---
apiVersion: scanning.apps.tanzu.vmware.com/v1alpha1
kind: ScanPolicy
metadata:
  name: sample-scan-policy
spec:
  regoFile: |
    package policies

    default isCompliant = false

    # Accepted Values: "UnknownSeverity", "Critical", "High", "Medium", "Low", "Negligible"
    violatingSeverities := ["Critical"]
    ignoreCVEs := []

    contains(array, elem) = true {
      array[_] = elem
    } else = false { true }

    isSafe(match) {
      fails := contains(violatingSeverities, match.Ratings.Rating[_].Severity)
      not fails
    }

    isSafe(match) {
      ignore := contains(ignoreCVEs, match.Id)
      ignore
    }

    isCompliant = isSafe(input.currentVulnerability)
---
apiVersion: scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageScan
metadata:
  name: sample-public-image-scan-with-compliance-check
spec:
  registry:
    image: "nginx:1.16"
  scanTemplate: public-image-scan-template
  scanPolicy: sample-scan-policy
– As you can see above, we are going to create two objects, ScanPolicy and ImageScan.
- ScanPolicy: defines the compliance rules the scan results are checked against. Here the Rego policy treats a vulnerability as a violation when any of its ratings is “Critical”, and ignoreCVEs is empty, so no CVE is exempted.
- ImageScan: defines which image needs to be scanned, with which scan template and against which ScanPolicy.
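To make the policy semantics concrete, here is an added Python example (my own code, not part of the original post and not TAP’s or Grype’s code) that reads grype’s JSON output (grype -o json) and applies the same rule as the Rego above: a match is unsafe when its severity is in violatingSeverities, unless its id is listed in ignoreCVEs. It assumes grype’s JSON layout of matches[].vulnerability.{id,severity,fix.versions,fix.state} and matches[].artifact.{name,version}; verify that against the grype version you run. The TAP scan job hands the policy a report with Ratings.Rating[].Severity rather than raw grype JSON, so this is the closest stand-alone equivalent, not the exact input the Rego sees. The sample input is constructed from five rows of the scan table above. It also makes one detail of the output visible: grype and the “Found 224 CVE(s)” condition count one row per package (libc-bin and libc6 each carry CVE-2021-33574), whereas the verdict is about distinct CVE ids; in the table above, 21 Critical rows reduce to 18 distinct ids because CVE-2021-33574, CVE-2021-35942 and CVE-2021-31535 each appear under two packages, which is consistent with the “Policy violated because of 18 CVEs” message in the ImageScan status.

```python
"""Added example: apply the ScanPolicy severity rule to grype JSON output.

Assumed grype JSON layout (verify against your grype version):
  matches[].vulnerability.id / .severity / .fix.versions / .fix.state
  matches[].artifact.name / .version
"""
import json
from collections import Counter

# Severity names as grype reports them; the ScanPolicy comment lists the same
# set, spelling grype's "Unknown" as "UnknownSeverity".
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

# Constructed sample input: five rows copied from the nginx:1.16 scan table,
# including one CVE reported twice (libc-bin and libc6 share the same glibc build).
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2021-33574", "severity": "Critical",
                       "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "libc-bin", "version": "2.28-10"}},
    {"vulnerability": {"id": "CVE-2021-33574", "severity": "Critical",
                       "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "libc6", "version": "2.28-10"}},
    {"vulnerability": {"id": "CVE-2021-3712", "severity": "High",
                       "fix": {"versions": ["1.1.1d-0+deb10u7"], "state": "fixed"}},
     "artifact": {"name": "libssl1.1", "version": "1.1.1d-0+deb10u3"}},
    {"vulnerability": {"id": "CVE-2020-3810", "severity": "Medium",
                       "fix": {"versions": ["1.8.2.1"], "state": "fixed"}},
     "artifact": {"name": "apt", "version": "1.8.2"}},
    {"vulnerability": {"id": "CVE-2019-18276", "severity": "Negligible",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "bash", "version": "5.0-4"}},
]})


def load_matches(grype_json):
    """Flatten grype JSON into rows shaped like the CLI table
    (NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY)."""
    rows = []
    for m in json.loads(grype_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        fix = vuln.get("fix", {})
        # The CLI table prints "(won't fix)" for the wont-fix state and leaves
        # FIXED-IN empty when no fixed version is known.
        if fix.get("state") == "wont-fix":
            fixed_in = "(won't fix)"
        else:
            fixed_in = ", ".join(fix.get("versions", []))
        rows.append({"name": art["name"], "installed": art["version"],
                     "fixed_in": fixed_in, "id": vuln["id"],
                     "severity": vuln.get("severity", "Unknown")})
    return rows


def summarize(rows):
    """Per-row severity tally in the format of the ImageScan 'Succeeded'
    condition message ("Found N CVE(s): x Critical, y High, ...")."""
    counts = Counter(r["severity"] for r in rows)
    parts = [f"{counts[s]} {s}" for s in SEVERITY_ORDER if counts[s]]
    return f"Found {len(rows)} CVE(s): " + ", ".join(parts)


def is_safe(row, violating_severities, ignore_cves):
    """Both isSafe rules from the Rego: an explicitly ignored id passes;
    otherwise the severity must not be one of violatingSeverities."""
    if row["id"] in ignore_cves:
        return True
    return row["severity"] not in violating_severities


def evaluate_policy(rows, violating_severities=("Critical",), ignore_cves=()):
    """isCompliant for the whole scan: True only if every row is safe.
    Violations are returned as sorted distinct CVE ids, so a CVE present in
    two packages (libc-bin and libc6) counts once."""
    violations = sorted({r["id"] for r in rows
                         if not is_safe(r, violating_severities, ignore_cves)})
    return (not violations, violations)


if __name__ == "__main__":
    rows = load_matches(SAMPLE_GRYPE_JSON)
    for r in rows:
        print(f"{r['name']:<12} {r['installed']:<18} {r['fixed_in']:<18} "
              f"{r['id']:<16} {r['severity']}")
    print(summarize(rows))
    compliant, bad = evaluate_policy(rows)
    print("isCompliant:", compliant, "violating CVEs:", bad)
    # Same rows, but with the Critical CVE explicitly ignored: the scan passes.
    print("with ignoreCVEs:", evaluate_policy(rows, ignore_cves=("CVE-2021-33574",)))
```

Run it against a real report with `grype -o json nginx:1.16 > report.json` and `load_matches(open("report.json").read())`; widening `violating_severities` to ("Critical", "High") shows how quickly a default-policy change turns a passing image into a failing one, which is the knob the ScanPolicy’s violatingSeverities list exposes.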
– Apply the manifest file
$ k create -f sample-public-image-scan-with-compliance-check.yaml
scanpolicy.scanning.apps.tanzu.vmware.com/sample-scan-policy created
imagescan.scanning.apps.tanzu.vmware.com/sample-public-image-scan-with-compliance-check created
$
– Notice the objects created: a Job and a Pod are created to run the image scan.
$ k get job,po
NAME COMPLETIONS DURATION AGE
job.batch/scan-sample-public-image-scan-with-compliance-check4xmq5 0/1 33s 33s
NAME READY STATUS RESTARTS AGE
pod/scan-sample-public-image-scan-with-compliance-check4xmq5-v4gtw 1/1 Running 0 33s
– After a few minutes, you will notice that the job has completed.
$ k get job,po
NAME COMPLETIONS DURATION AGE
job.batch/scan-sample-public-image-scan-with-compliance-check4xmq5 1/1 34s 85s
NAME READY STATUS RESTARTS AGE
pod/scan-sample-public-image-scan-with-compliance-check4xmq5-v4gtw 0/1 Completed 0 85s
Validate the Scan Result
Now that the scan has completed, we can view the result. Run the below command to validate the scan result.
$ k describe imagescan sample-public-image-scan-with-compliance-check
Name:         sample-public-image-scan-with-compliance-check
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  scanning.apps.tanzu.vmware.com/v1alpha1
Kind:         ImageScan
Metadata:
  Creation Timestamp:  2021-11-20T06:17:41Z
  Generation:          1
  Managed Fields:
    API Version:  scanning.apps.tanzu.vmware.com/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        .:
        f:registry:
          .:
          f:image:
        f:scanPolicy:
        f:scanTemplate:
    Manager:      kubectl-create
    Operation:    Update
    Time:         2021-11-20T06:17:41Z
    API Version:  scanning.apps.tanzu.vmware.com/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:artifact:
          .:
          f:registry:
            .:
            f:image:
        f:conditions:
        f:nonCompliantArtifact:
          .:
          f:registry:
            .:
            f:image:
        f:observedGeneration:
        f:phase:
        f:scannedBy:
          .:
          f:scanner:
            .:
            f:name:
            f:vendor:
            f:version:
    Manager:         manager
    Operation:       Update
    Time:            2021-11-20T06:18:16Z
  Resource Version:  27503
  UID:               af0ea300-5ed8-4669-840b-2b9c7bc07f4a
Spec:
  Registry:
    Image:        nginx:1.16
  Scan Policy:    sample-scan-policy
  Scan Template:  public-image-scan-template
Status:
  Artifact:
    Registry:
      Image:  nginx:1.16@sha256:d20aa6d1cae56fd17cd458f4807e0de462caf2336f0b70b5eeb69fcaaf30dd9c
  Conditions:
    Last Transition Time:  2021-11-20T06:18:16Z
    Message:               The scan job terminated
    Observed Generation:   1
    Reason:                JobFinished
    Status:                False
    Type:                  Scanning
    Last Transition Time:  2021-11-20T06:18:16Z
    Message:               Scan completed. Found 224 CVE(s): 21 Critical, 59 High, 45 Medium, 97 Low, 2 Unknown
    Observed Generation:   1
    Reason:                JobFinished
    Status:                True
    Type:                  Succeeded
    Last Transition Time:  2021-11-20T06:18:16Z
    Message:               Results successfully sent to metadata store
    Observed Generation:   1
    Reason:                ResultsSent
    Status:                True
    Type:                  SendingResults
    Last Transition Time:  2021-11-20T06:18:17Z
    Message:               Policy violated because of 18 CVEs
    Observed Generation:   1
    Reason:                EvaluationFailed
    Status:                False
    Type:                  PolicySucceeded
  Non Compliant Artifact:
    Registry:
      Image:  nginx:1.16@sha256:d20aa6d1cae56fd17cd458f4807e0de462caf2336f0b70b5eeb69fcaaf30dd9c
  Observed Generation:  1
  Phase:                Failed
  Scanned By:
    Scanner:
      Name:     grype
      Vendor:   anchore
      Version:  v0.23.0
Events:
  Type    Reason                  Age                    From                 Message
  ----    ------                  ----                   ----                 -------
  Normal  ScanJobCreationSuccess  2m50s (x2 over 2m50s)  ImageScanReconciler  ImageScan job created successfully
  Normal  FetchScanReportSuccess  2m15s (x2 over 2m16s)  JobReconciler        Fetched scan report from the job
  Normal  SaveScanResultsSuccess  2m15s (x2 over 2m16s)  JobReconciler        Sent the report to the metadata store successfully!
$
Notice the Message lines in the Conditions above to understand the scan output: “Scan completed. Found 224 CVE(s): 21 Critical, 59 High, 45 Medium, 97 Low, 2 Unknown” matches the count the grype CLI reported earlier, and “Policy violated because of 18 CVEs” together with Phase: Failed shows that the ScanPolicy (violatingSeverities set to “Critical”) rejected this image, which is recorded under Non Compliant Artifact.
To conclude: we first explored Grype without TAP, using the grype CLI to scan the nginx image. Then I installed the Grype package from the TAP repository and ran the same image scan in a Kubernetes-native way.