@making's tech note

Exclude Source Scanner from source-test-scan-to-url Supply Chain in Tanzu Application Platform

🗃 {Dev/CaaS/Kubernetes/TAP}
🏷 Cartographer 🏷 Grype 🏷 Kubernetes 🏷 TAP 🏷 Tanzu 🏷 ytt 
🗓 Updated at 2022-12-16T05:12:51Z  🗓 Created at 2022-12-16T04:31:11Z  🇯🇵 Original entry

⚠️ The content of this article is not supported by VMware. Any issues arising from the content of this article are your responsibility and please do not contact VMware Support.

This note shows how to exclude the Source Scanner from the source-test-scan-to-url Supply Chain with a ytt overlay, for the case where the Image Scanner alone is sufficient for vulnerability scanning and the Source Scanner is unnecessary.

Create an overlay

cat <<EOF > ootb-supply-chain-testing-scanning-remove-source-scanner.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"name":"source-test-scan-to-url"}, "kind": "ClusterSupplyChain"})
---
spec:
  resources:
  #! drop the source-scanner resource from the chain
  #@overlay/match by="name"
  #@overlay/remove
  - name: source-scanner
  #! image-provider consumed the output of source-scanner; point it at source-tester instead
  #@overlay/match by="name"
  - name: image-provider
    sources:
    #@overlay/match by="name"
    - name: source
      resource: source-tester
EOF

Register the overlay as a Secret. In a multi-cluster topology, do this on the Build Cluster.

kubectl -n tap-install create secret generic ootb-supply-chain-testing-scanning-remove-source-scanner \
  -o yaml \
  --dry-run=client \
  --from-file=ootb-supply-chain-testing-scanning-remove-source-scanner.yaml \
  | kubectl apply -f-

Set the name of the Secret created above under package_overlays in tap-values.yaml as follows.

# ...
package_overlays:
# ...
- name: ootb-supply-chain-testing-scanning
  secrets:
  - name: ootb-supply-chain-testing-scanning-remove-source-scanner
# ...

Update the PackageInstall

tanzu package installed update -n tap-install tap -f tap-values.yaml

Before image

After image
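The overlay makes two edits that belong together: removing source-scanner, and re-pointing image-provider's source at source-tester. Doing only the first leaves a dangling resource reference in the ClusterSupplyChain. The following added example (my own code, not from the post or from Cartographer) reproduces both edits on a constructed, reduced copy of the chain and checks that every sources/images/configs reference still resolves.

```python
import copy

# Constructed, reduced ClusterSupplyChain in the shape of source-test-scan-to-url;
# only the resources relevant to the source-scanner removal are included.
SAMPLE_CHAIN = {
    "kind": "ClusterSupplyChain",
    "metadata": {"name": "source-test-scan-to-url"},
    "spec": {"resources": [
        {"name": "source-provider"},
        {"name": "source-tester",
         "sources": [{"name": "source", "resource": "source-provider"}]},
        {"name": "source-scanner",
         "sources": [{"name": "source", "resource": "source-tester"}]},
        {"name": "image-provider",
         "sources": [{"name": "source", "resource": "source-scanner"}]},
        {"name": "image-scanner",
         "images": [{"name": "image", "resource": "image-provider"}]},
    ]},
}

REF_FIELDS = ("sources", "images", "configs")


def dangling_references(chain):
    """List every sources/images/configs entry whose target resource does not exist."""
    resources = chain["spec"]["resources"]
    names = {r["name"] for r in resources}
    problems = []
    for r in resources:
        for field in REF_FIELDS:
            for ref in r.get(field, []):
                if ref["resource"] not in names:
                    problems.append(
                        f"{r['name']}.{field}[{ref['name']}] -> {ref['resource']!r} missing")
    return problems


def remove_resource(chain, name, replacement=None):
    """Return a copy with resource `name` dropped. References that pointed at it are
    re-pointed to `replacement` when given (the second edit the overlay performs)."""
    out = copy.deepcopy(chain)
    out["spec"]["resources"] = [r for r in out["spec"]["resources"] if r["name"] != name]
    for r in out["spec"]["resources"]:
        for field in REF_FIELDS:
            for ref in r.get(field, []):
                if ref["resource"] == name and replacement is not None:
                    ref["resource"] = replacement
    return out


def resource_names(chain):
    return [r["name"] for r in chain["spec"]["resources"]]
```

The same walk over `kubectl get clustersupplychain source-test-scan-to-url -o json` output is a quick post-update check that the overlay was applied as intended.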