The new scanning model “Supply Chain Security Tools – Scan 2.0”, introduced back in TAP 1.5, now includes some great new improvements and has been promoted from Alpha to Beta!
The new model is much easier to extend and customize to your own organization's needs, and is built on a more scalable and secure architecture.
In the previous model of the scanning feature in TAP, image scanning definitions needed to handle four main tasks:
- Perform the scan
- Output an SBOM in CycloneDX or SPDX format
- Push the data to the central metadata store
- Validate the scan results against your desired security policy
Now with this new model, the image scanning definition is only responsible for scanning the image and outputting an SBOM with the results in CycloneDX or SPDX format. From there the platform handles the rest: it pushes the SBOM to an OCI registry, the AMR Observer pulls that data down and forwards it via CloudEvents to the AMR Persister, and the Persister saves it in the Metadata Store.
With TAP 1.6, we now have the ability to easily integrate the new scanning mechanism into the OOTB testing and scanning supply chain, and we also get visibility into the scan results in the Tanzu Developer Portal (TDP), formerly known as TAP GUI.
The new mechanism is based on a CRD called ImageVulnerabilityScan (IVS) that you define in your cluster, and sample IVS templates are provided in the docs for Grype, Trivy, Prisma, Snyk and Carbon Black.
The new scanning framework is really looking great, and while it does not yet have feature parity with the initial framework, it does provide a lot of benefits.
The main gap currently is the lack of ScanPolicy support. The other key gap in the new model so far is that it only covers image scanning at this point and does not cover source code scanning.
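Since the new model stops at emitting a CycloneDX or SPDX SBOM and has no ScanPolicy support yet, a policy check has to live outside the IVS for now. The following is an added example (not TAP or VMware code) of such a check over a CycloneDX JSON document: the SBOM is constructed inline, the CVE ids are placeholders, and the `max_allowed` / `ignore_ids` policy parameters are assumed for illustration.

```python
"""Policy check over a CycloneDX JSON SBOM (constructed example, not TAP code)."""
import json

# Severity ranking used to compare each finding against the policy threshold.
SEVERITY_RANK = {"none": 0, "info": 0, "unknown": 1, "low": 2,
                 "medium": 3, "high": 4, "critical": 5}

# Constructed, minimal CycloneDX 1.4 SBOM; the CVE ids are placeholders, not real advisories.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:deb/debian/libexample@1.0", "name": "libexample", "version": "1.0"},
        {"bom-ref": "pkg:npm/left-thing@2.3.1", "name": "left-thing", "version": "2.3.1"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001",  # placeholder id
         "ratings": [{"severity": "high"}, {"severity": "critical"}],
         "affects": [{"ref": "pkg:deb/debian/libexample@1.0"}]},
        {"id": "CVE-0000-0002",  # placeholder id
         "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:npm/left-thing@2.3.1"}]},
    ],
})


def worst_severity(vuln):
    """Highest severity among a finding's ratings (scanners often attach more than one)."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 1), default="unknown")


def evaluate_policy(sbom_json, max_allowed="medium", ignore_ids=()):
    """Return findings that violate the policy: severity above max_allowed and not explicitly ignored."""
    sbom = json.loads(sbom_json)
    components = {c.get("bom-ref"): c for c in sbom.get("components", [])}
    threshold = SEVERITY_RANK[max_allowed.lower()]
    violations = []
    for vuln in sbom.get("vulnerabilities", []):
        vid = vuln.get("id", "")
        sev = worst_severity(vuln)
        if vid in ignore_ids or SEVERITY_RANK.get(sev, 1) <= threshold:
            continue
        # Resolve bom-refs to name@version so the report is readable.
        affected = []
        for a in vuln.get("affects", []):
            comp = components.get(a.get("ref"), {})
            affected.append(f"{comp.get('name', a.get('ref'))}@{comp.get('version', '?')}")
        violations.append({"id": vid, "severity": sev, "affects": affected})
    return violations
```

Running `evaluate_policy(SAMPLE_SBOM)` on the constructed SBOM flags only the critical finding; a non-empty result is the signal a supply chain step would use to fail the build.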
Source code scanning has also been removed from the OOTB supply chains in this version, but can be re-integrated if you need that functionality.
While source code scanning in TAP was never great, hopefully VMware will add this functionality back in a new and more feature-rich manner by integrating with common SAST and DAST solutions, which would suit the needs of TAP workloads much better.