This topic tells you how to verify scanning with Supply Chains.
- Create a sample workload from a Git repository by using the `tanzu apps workload create` command:

  ```console
  tanzu apps workload create WORKLOAD-NAME \
    --app APP-NAME \
    --git-repo GIT-REPO \
    --git-branch GIT-BRANCH \
    --type TYPE \
    --namespace DEV-NAMESPACE
  ```

  Where:

  - `WORKLOAD-NAME` is the name you choose for your workload.
  - `APP-NAME` is the name of your app.
  - `GIT-REPO` is the URL of the Git repository from which the workload is created.
  - `GIT-BRANCH` is the branch of that Git repository from which the workload is created.
  - `TYPE` is the type of your app.
  - `DEV-NAMESPACE` is the name of the developer namespace in which the workload is created and scanning occurs.

  Note: For information about how to create workloads with the Tanzu CLI, see Create a Workload.
Scan results are uploaded to the container image registry as an imgpkg bundle. To retrieve a vulnerability report:
- Retrieve the result location from the status of the ImageVulnerabilityScan CR. The `scanResult` field is populated only after the scan completes, so the command returns an empty string while the scan is still running. Here `my-scan` is the name of the ImageVulnerabilityScan:

  ```console
  SCAN_RESULT_URL=$(kubectl get imagevulnerabilityscan my-scan -n DEV-NAMESPACE -o jsonpath='{.status.scanResult}')
  ```
- Download the bundle to a local directory and list its contents:

  ```console
  imgpkg pull -b $SCAN_RESULT_URL -o scan-results/
  ls scan-results/
  ```
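The two retrieval steps above are usually run by hand, one after the other, and the first one silently returns an empty reference if the scan has not finished yet. The following script is an added example, not part of this topic or of the Tanzu tooling: it polls `.status.scanResult` until it is populated, refuses a bundle reference that is not pinned by digest (so a retagged bundle cannot be substituted for the one the scanner produced), and then pulls and lists the bundle. It assumes `kubectl` and `imgpkg` are in `PATH`; the scan name, namespace and output directory are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example (not from the TAP documentation or tooling).
# Fetch the scan result bundle of an ImageVulnerabilityScan once the scan has finished.
# Usage: sh fetch-scan-results.sh run IVS-NAME DEV-NAMESPACE [OUTPUT-DIR]
set -eu

# Read .status.scanResult from the ImageVulnerabilityScan. This is the same
# jsonpath query as in the procedure; it prints nothing until the scan completes.
scan_result_ref() {
  kubectl get imagevulnerabilityscan "$1" -n "$2" -o jsonpath='{.status.scanResult}'
}

# Poll scan_result_ref until it returns a non-empty reference or the timeout
# (seconds, default 300) expires. Prints the reference on success, returns 1 on timeout.
wait_for_scan_result() {
  name=$1; ns=$2; timeout=${3:-300}; interval=${4:-5}
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    ref=$(scan_result_ref "$name" "$ns")
    if [ -n "$ref" ]; then
      printf '%s\n' "$ref"
      return 0
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  echo "timed out after ${timeout}s waiting for $ns/$name .status.scanResult" >&2
  return 1
}

# Accept only references of the form REPO@sha256:<64 hex chars>. A tag-based
# reference is mutable, so a later push could replace the report being verified.
is_digest_pinned() {
  case $1 in
    *@sha256:*) digest=${1##*@sha256:} ;;
    *) return 1 ;;
  esac
  [ "${#digest}" -eq 64 ] || return 1
  case $digest in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Download the bundle to OUTPUT-DIR and list what the scanner stored in it.
pull_scan_results() {
  imgpkg pull -b "$1" -o "$2"
  ls "$2"
}

main() {
  name=$1; ns=$2; out=${3:-scan-results}
  ref=$(wait_for_scan_result "$name" "$ns")
  if ! is_digest_pinned "$ref"; then
    echo "refusing to pull non-digest-pinned scan result: $ref" >&2
    exit 1
  fi
  pull_scan_results "$ref" "$out"
}

# Only run the full flow when invoked with "run"; sourcing the file just defines the functions.
case ${1:-} in
  run) main "${2:?IVS name}" "${3:?namespace}" "${4:-scan-results}" ;;
esac
```

Run it as `sh fetch-scan-results.sh run my-scan DEV-NAMESPACE` after creating the workload. The digest check is the security-relevant addition: `imgpkg pull -b` accepts both tags and digests, and only a digest-pinned reference ties the report you inspect to the exact bundle the scanner uploaded.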