TAP 1.5 – New Trivy / Aqua Integration

Background

TAP has always included a pluggable scanning mechanism allowing for the platform to perform source code and image scanning as part of your supply chain.

By default TAP utilizes Grype as the scanner, but has added support for additional scanners over time including:

  1. Carbon Black Container Security – for image scanning
  2. Snyk – for image scanning
  3. Prisma Cloud (alpha) – for source code and image scanning

As I have many customers that use Aqua, as well as many customers that utilize Aqua's open source scanner Trivy, I was asked many times if TAP could integrate with these tools.

Back in November 2022, I started working on a trivy integration in TAP, and put together a POC implementation of trivy as a scanner for TAP.

This process was relatively simple, and the results were pretty good, but I did not get around to building it for Aqua simply out of lack of time.

I ended up also writing a blog post describing what was needed in order to build the solution, with detailed instructions.

I also brought this up with the TAP team, as they are always extremely happy to get customer feedback, and they truly do listen to this feedback and take it seriously.

Trivy Scanner In TAP 1.5

Now in TAP 1.5, VMware has added a new Alpha scanner for Trivy which supports both the open source Trivy scanner and Aqua Enterprise. The Aqua support is implemented using the Aqua plugin for Trivy, making the change between the OSS and Enterprise solutions seamless.

Like the Prisma scanner which was added in TAP 1.4, the Trivy scanner is released as an alpha feature, and is located in a separate package repository.

While the second repository does require a few extra steps in terms of configuration, the benefit is huge, as these packages have lifecycles of their own, and as these are alpha integrations, bugs can occur. For example, I found some issues in the Prisma scanner about a month ago and let the relevant people know at VMware; within 4 days a new version was released, with updated documentation, ready for consumption!

The scanner is extremely nice, in that we can not only scan with Aqua, but we also get a scan policy resource that, instead of defining locally in each namespace what our policy around vulnerabilities is within a Rego file, simply checks whether our scan results pass the Aqua scan policy defined globally within our Aqua console. This means that we can manage our scanning policies, and the allow list and deny list of vulnerabilities, at the organizational level, without regard to where, how, and by whom an image was built.
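To make that contrast concrete, here is what the namespace-local approach looks like: a TAP ScanPolicy that embeds a Rego policy denying any Critical or High finding unless the finding id is on an allow list. This is an added example, not code from the original post or from VMware. It assumes the ScanPolicy API (scanning.apps.tanzu.vmware.com/v1beta1 with spec.regoFile), the CycloneDX-shaped input the Rego receives (input.bom.components.component[].vulnerabilities.vulnerability[].ratings.rating[].severity), and the severity names as emitted by the scanner; the CVE id in the allow list is a placeholder. The Aqua-side policy resource mentioned above is not shown here, since its fields are not covered in this post.

```yaml
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
  name: scan-policy
  labels:
    app.kubernetes.io/part-of: enable-in-gui   # assumption: label used so the policy is listed in TAP GUI
spec:
  regoFile: |
    package main

    # Severities that fail the scan (assumption: rating names as produced by the scanner).
    notAllowedSeverities := ["Critical", "High"]

    # Allow list of finding ids to ignore. Placeholder value; replace with reviewed exceptions.
    ignoreCves := ["CVE-0000-00000"]

    inList(array, elem) {
      array[_] == elem
    }

    # Ratings may arrive as a single object or as an array; collect both forms into one set.
    severitiesOf(vuln) = s {
      s := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity }
    }

    # A finding is acceptable if its id is explicitly allow-listed ...
    isSafe(vuln) {
      inList(ignoreCves, vuln.id)
    }

    # ... or if none of its ratings is a blocked severity.
    isSafe(vuln) {
      blocked := { e | e := notAllowedSeverities[_] }
      count(severitiesOf(vuln) & blocked) == 0
    }

    # Every deny message causes the scan to fail policy; the messages show up on the scan status.
    deny[msg] {
      comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] }
      comp := comps[_]
      vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] }
      vuln := vulns[_]
      not isSafe(vuln)
      msg := sprintf("%s: %s (%v)", [comp.name, vuln.id, severitiesOf(vuln)])
    }
```

Applied with kubectl in each developer namespace, this is the piece that has to be kept in sync by hand across namespaces and teams; moving the severity thresholds and the allow list into the Aqua console is exactly what removes that duplication.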

Summary

It is great to see the new integrations of scanning solutions in TAP with every release, and Aqua + Trivy are truly an amazing addition to the already quite impressive list of integrations.

As these integrations mature, it will be great to see them fully integrated as well, as first class packages in the TAP package repository itself!
