This topic guides you through installing the optional OOTB Supply Chain with Testing and the optional OOTB Supply Chain with Testing and Scanning.
For more information about available supply chains, see Supply chains on Tanzu Application Platform.
- Install OOTB Supply Chain with Testing.
- Add a Tekton pipeline to the cluster and update the workload to point to the pipeline and resolve errors.
- Install OOTB Supply Chain with Testing and Scanning.
- Update the workload to point to the Tekton pipeline and resolve errors.
- Query for vulnerabilities and dependencies.
The default Out of the Box (OOTB) Supply Chain Basic and its dependencies were installed on your cluster during the Tanzu Application Platform install. As demonstrated in this guide, you can add testing and security scanning to your application. When you activate OOTB Supply Chain with Testing, it deactivates OOTB Supply Chain Basic.
The following installations also provide a sample Tekton pipeline that tests your sample application. The pipeline is configurable. Therefore, you can customize the steps to perform either additional testing or other tasks with Tekton Pipelines.
To install OOTB Supply Chain with Testing:
-
You can activate the OOTB Supply Chain with Testing by updating your profile to use
testingrather thanbasicas the selected supply chain for workloads in this cluster. Thetap-values.yamlis the file used to customize the profile inTanzu package install tap --values-file=.... Updatetap-values.yamlwith the following changes:- supply_chain: basic + supply_chain: testing - ootb_supply_chain_basic: + ootb_supply_chain_testing: registry: server: "SERVER-NAME" repository: "REPO-NAME"
Where:
SERVER-NAMEis the name of your server.REPO-NAMEis the name of the image repository that hosts the container images.
-
Update the installed profile by running:
tanzu package installed update tap -p tap.tanzu.vmware.com -v VERSION-NUMBER --values-file tap-values.yaml -n tap-installWhere
VERSION-NUMBERis your Tanzu Application Platform version. For example,{{ vars.tap_version }}.
In this section, a Tekton pipeline is added to the cluster. In the next section, the workload is updated to point to the pipeline and resolve any current errors.
Note Developers can perform this step because they know how their application must be tested. The operator can also add the Tekton pipeline to a cluster before the developer gets access.
To add the Tekton pipeline to the cluster, apply the following YAML to the cluster:
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: developer-defined-tekton-pipeline
namespace: DEVELOPER-NAMESPACE
labels:
apps.tanzu.vmware.com/pipeline: test # (!) required
spec:
params:
- name: source-url # (!) required
- name: source-revision # (!) required
tasks:
- name: test
params:
- name: source-url
value: $(params.source-url)
- name: source-revision
value: $(params.source-revision)
taskSpec:
params:
- name: source-url
- name: source-revision
steps:
- name: test
image: gradle
script: |-
cd `mktemp -d`
wget -qO- $(params.source-url) | tar xvz -m
./mvnw testWhere DEVELOPER-NAMESPACE is the name of your developer namespace.
The preceding YAML puts a Tekton pipeline in the developer namespace you specify.
It defines the Tekton pipeline with a single step.
The step contained in the steps pulls the code from the repository indicated
in the developers workload and runs the tests within the repository.
The steps of the Tekton pipeline are configurable and allow the developer to add additional items
needed to test their code.
There are many steps in the supply chain. In this case, the next step is an image build. Any additional steps the developer adds to the Tekton pipeline to test their code are independent of the image being built and of any subsequent steps executed in the supply chain. This independence gives the developer freedom to focus on testing their code.
The params are templated by Supply Chain Choreographer.
Additionally, Tekton pipelines require a Tekton pipelineRun to execute on the cluster.
Supply Chain Choreographer handles creating the pipelineRun dynamically each time
that step of the supply chain requires execution.
To connect the new supply chain to the workload, the workload must be updated to point at your Tekton pipeline.
-
Update the workload by running the following with the Tanzu CLI:
tanzu apps workload apply tanzu-java-web-app \ --git-repo https://github.com/vmware-tanzu/application-accelerator-samples \ --sub-path tanzu-java-web-app \ --git-branch main \ --type web \ --label apps.tanzu.vmware.com/has-tests=true \ --label app.kubernetes.io/part-of=tanzu-java-web-app \ --yes
-
After accepting the workload creation, monitor the creation of new resources by the workload by running:
kubectl get workload,gitrepository,pipelinerun,images.kpack,podintent,app,services.serving
The result is output similar to the following example that shows the objects created by Supply Chain Choreographer:
-
Both the Scan Controller and the default Grype scanner must be installed for scanning. Refer to the verify installation steps later in the topic.
Note When leveraging both Tanzu Build Service and Grype in your Tanzu Application Platform supply chain, you can receive enhanced scanning coverage for the languages and frameworks with check marks in the column "Extended Scanning Coverage using Anchore Grype" on the Language and Framework Support Table.
To install OOTB Supply Chain with Testing and Scanning:
Note The OOTB Supply Chain with Testing and Scanning capability has been changed to opt-in and is skipped by default starting in Tanzu Application Platform 1.6. See Scan Types.
-
Supply Chain Security Tools (SCST) - Scan is installed as part of the Tanzu Application Platform profiles. Verify that both Scan Controller and Grype Scanner are installed by running:
tanzu package installed get scanning -n tap-install tanzu package installed get grype -n tap-install
If the packages are not already installed, follow the steps in Supply Chain Security Tools - Scan to install the required scanning components.
During installation of the Grype Scanner, sample ScanTemplates are installed into the
defaultnamespace. If the workload is deployed into another namespace, these sample ScanTemplates must also be present in the other namespace. One way to accomplish this is to install Grype Scanner again and provide the namespace in the values file.A ScanPolicy is required and must be in the required namespace. A sample ScanPolicy is provided as follows to block a supply chain when CVEs with critical, high, and unknown ratings are found using
notAllowedSeverities := ["Critical","High","UnknownSeverity"]. You can also configure the supply chain to use your own custom policies and apply exceptions when you want to ignore certain CVEs. See Out of the Box Supply Chain with Testing and Scanning. To apply the sample ScanPolicy, you can either add the namespace flag to the kubectl command or add the namespace text box to the template by running:kubectl apply -f - -o yaml << EOF --- apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: ScanPolicy metadata: name: scan-policy labels: 'app.kubernetes.io/part-of': 'enable-in-gui' spec: regoFile: | package main # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity" notAllowedSeverities := ["Critical", "High", "UnknownSeverity"] ignoreCves := [] contains(array, elem) = true { array[_] = elem } else = false { true } isSafe(match) { severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity } some i fails := contains(notAllowedSeverities, severities[i]) not fails } isSafe(match) { ignore := contains(ignoreCves, match.id) ignore } deny[msg] { comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] } some i comp := comps[i] vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] } some j vuln := vulns[j] ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity } not isSafe(vuln) msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings]) } EOF
-
(optional) The Tanzu Application Platform profiles install the Supply Chain Security Tools - Store package by default. To persist and query the vulnerability results post-scan, confirm it is installed by running:
tanzu package installed get metadata-store -n tap-installIf the package is not installed, follow the installation instructions at Install Supply Chain Security Tools - Store independent from Tanzu Application Platform profiles.
-
Update the profile to use the supply chain with testing and scanning by updating
tap-values.yaml(the file used to customize the profile intanzu package install tap --values-file=...) with the following changes:- supply_chain: testing + supply_chain: testing_scanning - ootb_supply_chain_testing: + ootb_supply_chain_testing_scanning: registry: server: "<SERVER-NAME>" repository: "<REPO-NAME>"
-
Update the
tappackage:tanzu package installed update tap -p tap.tanzu.vmware.com -v VERSION-NUMBER --values-file tap-values.yaml -n tap-installWhere
VERSION-NUMBERis your Tanzu Application Platform version. For example,{{ vars.tap_version }}.
To connect the new supply chain to the workload, update the workload to point to your Tekton pipeline:
-
Update the workload by running the following using the Tanzu CLI:
tanzu apps workload apply tanzu-java-web-app \ --git-repo https://github.com/vmware-tanzu/application-accelerator-samples \ --sub-path tanzu-java-web-app \ --git-branch main \ --type web \ --label apps.tanzu.vmware.com/has-tests=true \ --label app.kubernetes.io/part-of=tanzu-java-web-app \ --yes
-
After accepting the workload creation, view the new resources that the workload created by running:
kubectl get workload,gitrepository,sourcescan,pipelinerun,images.kpack,imagescan,podintent,app,services.servingThe following is an example output, which shows the objects that Supply Chain Choreographer created:
NAME AGE workload.carto.run/tanzu-java-web-app 109s NAME URL READY STATUS AGE gitrepository.source.toolkit.fluxcd.io/tanzu-java-web-app https://github.com/vmware-tanzu/application-accelerator-samples True Fetched revision: main/872ff44c8866b7805fb2425130edb69a9853bfdf 109s NAME PHASE SCANNEDREVISION SCANNEDREPOSITORY AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL sourcescan.scanning.apps.tanzu.vmware.com/tanzu-java-web-app Completed 187850b39b754e425621340787932759a0838795 https://github.com/vmware-tanzu/application-accelerator-samples 90s NAME SUCCEEDED REASON STARTTIME COMPLETIONTIME pipelinerun.tekton.dev/tanzu-java-web-app-4ftlb True Succeeded 104s 77s NAME LATESTIMAGE READY image.kpack.io/tanzu-java-web-app 10.188.0.3:5000/foo/tanzu-java-web-app@sha256:1d5bc4d3d1ffeb8629fbb721fcd1c4d28b896546e005f1efd98fbc4e79b7552c True NAME PHASE SCANNEDIMAGE AGE CRITICAL HIGH MEDIUM LOW UNKNOWN CVETOTAL imagescan.scanning.apps.tanzu.vmware.com/tanzu-java-web-app Completed 10.188.0.3:5000/foo/tanzu-java-web-app@sha256:1d5bc4d3d1ffeb8629fbb721fcd1c4d28b896546e005f1efd98fbc4e79b7552c 14s NAME READY REASON AGE podintent.conventions.carto.run/tanzu-java-web-app True 7s NAME DESCRIPTION SINCE-DEPLOY AGE app.kappctrl.k14s.io/tanzu-java-web-app Reconcile succeeded 1s 2s NAME URL LATESTCREATED LATESTREADY READY REASON service.serving.knative.dev/tanzu-java-web-app http://tanzu-java-web-app.developer.example.com tanzu-java-web-app-00001 tanzu-java-web-app-00001 Unknown IngressNotConfigured
Important If the source or image scan has a "Failed" phase this means that the scan failed due to a scan policy violation and the supply chain stops. For information about the CVE triage workflow, see Out of the Box Supply Chain with Testing and Scanning.
Scan reports are automatically saved to the Supply Chain Security Tools - Store, and you can query them for vulnerabilities and dependencies. For example, related to open-source software (OSS) or third-party packages.
Query the tanzu-java-web-app image dependencies and vulnerabilities by running:
tanzu insight image get --digest DIGEST
tanzu insight image vulnerabilities --digest DIGESTWhere DIGEST is the component version or image digest printed in the KUBECTL GET command.
For additional information and examples, see Tanzu Insight plug-in overview.
Congratulations! You have successfully added testing and security scanning to your application on the Tanzu Application Platform.
Take the next steps to learn about recommended supply chain security best practices and gain a powerful services journey experience on the Tanzu Application Platform by enabling several advanced use cases.