#@ load("@ytt:overlay", "overlay")

#! Tightens run-object retention on several supply-chain templates: each
#! matched template keeps only its 2 most recent failed and 2 most recent
#! successful stamped-out runs instead of the template's own retentionPolicy
#! defaults.
#! expects="0+" means a template that is not installed is not an error, so a
#! typo in a "name" below is silently a no-op; verify each match after applying.
#! Retained run objects are what remains for post-hoc inspection of a failed
#! stage (e.g. a scan that did not complete); lowering maxFailedRuns further
#! shrinks that window.

#@overlay/match by=overlay.subset({"kind": "ClusterImageTemplate", "metadata": {"name": "image-vulnerability-scan-trivy"}}), expects="0+"
---
spec:
  retentionPolicy:
    maxFailedRuns: 2
    maxSuccessfulRuns: 2

#@overlay/match by=overlay.subset({"kind": "ClusterConfigTemplate", "metadata": {"name": "carvel-package"}}), expects="0+"
---
spec:
  retentionPolicy:
    maxFailedRuns: 2
    maxSuccessfulRuns: 2

#@overlay/match by=overlay.subset({"kind": "ClusterTemplate", "metadata": {"name": "config-writer-and-pull-requester-template"}}), expects="0+"
---
spec:
  retentionPolicy:
    maxFailedRuns: 2
    maxSuccessfulRuns: 2

#@overlay/match by=overlay.subset({"kind": "ClusterImageTemplate", "metadata": {"name": "kaniko-template"}}), expects="0+"
---
spec:
  retentionPolicy:
    maxFailedRuns: 2
    maxSuccessfulRuns: 2

#@overlay/match by=overlay.subset({"kind": "ClusterTemplate", "metadata": {"name": "config-writer-template"}}), expects="0+"
---
spec:
  retentionPolicy:
    maxFailedRuns: 2
    maxSuccessfulRuns: 2

#@overlay/match by=overlay.subset({"kind": "ClusterTemplate", "metadata": {"name": "package-config-writer-and-pull-requester-template"}}), expects="0+"
---
spec:
  retentionPolicy:
    maxFailedRuns: 2
    maxSuccessfulRuns: 2

#@overlay/match by=overlay.subset({"kind": "ClusterTemplate", "metadata": {"name": "package-config-writer-template"}}), expects="0+"
---
spec:
  retentionPolicy:
    maxFailedRuns: 2
    maxSuccessfulRuns: 2
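#! Cartographer ClusterImageTemplate that stamps out a Trivy
#! ImageVulnerabilityScan for the supplied image and hands the scanned image
#! reference (.status.scannedImage) to the next supply-chain stage.
apiVersion: carto.run/v1alpha1
kind: ClusterImageTemplate
metadata:
  name: image-vulnerability-scan-trivy
spec:
  #! Health of the stamped object is derived from its ScanCompleted and
  #! Succeeded conditions.
  healthRule:
    multiMatch:
      healthy:
        matchConditions:
          - status: "True"
            type: ScanCompleted
          - status: "True"
            type: Succeeded
      unhealthy:
        matchConditions:
          - status: "False"
            type: ScanCompleted
          - status: "False"
            type: Succeeded
  imagePath: .status.scannedImage
  #! Immutable lifecycle: each new input creates a fresh scan object instead of
  #! updating one in place; retentionPolicy below bounds how many are kept.
  lifecycle: immutable
  params:
    - default: 4Gi
      name: image_scanning_workspace_size
    - default: default
      name: image_scanning_service_account_scanner
    - default: default
      name: image_scanning_service_account_publisher
    #! Scanner CLI image, pinned by digest so the scanner binary cannot change
    #! underneath a tag.
    - default:
        image: tap-sm-docker-prod-local.dmz.packages.broadcom.com/1.12.2/tanzu-application-platform/tap-packages@sha256:31d36a8582a75b042dc12aea0808f822e27747a2f8103af0f0c52ef8d68a8bf0
      name: image_scanning_cli
    - default: []
      name: image_scanning_active_keychains
    - default: []
      name: image_scanning_workspace_bindings
    #! Extra env entries for the scan step (spliced into the step's env below).
    - default: []
      name: image_scanning_steps_env_vars
    #! Vulnerability DB sources passed to Trivy as TRIVY_DB_REPOSITORY and
    #! TRIVY_JAVA_DB_REPOSITORY. The defaults are public registries, so a
    #! cluster without egress needs these pointed at a mirrored copy or the
    #! DB download fails.
    - default: ghcr.io/aquasecurity/trivy-db
      name: trivy_db_repository
    - default: ghcr.io/aquasecurity/trivy-java-db
      name: trivy_java_db_repository
  #! Failed runs are the evidence for triaging a scan that did not complete;
  #! keep maxFailedRuns large enough for that before lowering it.
  retentionPolicy:
    maxFailedRuns: 10
    maxSuccessfulRuns: 10
  ytt: |
    #@ load("@ytt:data", "data")
    #@ load("@ytt:template", "template")

    #! Workload labels copied onto the scan object, minus kapp bookkeeping
    #! labels, with fixed_values taking precedence on conflicts.
    #@ def merge_labels(fixed_values):
    #@   labels = {}
    #@   if hasattr(data.values.workload.metadata, "labels"):
    #@     exclusions = ["kapp.k14s.io/app", "kapp.k14s.io/association"]
    #@     for k,v in dict(data.values.workload.metadata.labels).items():
    #@       if k not in exclusions:
    #@         labels[k] = v
    #@       end
    #@     end
    #@   end
    #@   labels.update(fixed_values)
    #@   return labels
    #@ end

    #! Registry reference the scan results are pushed to:
    #! <registry.server>/<registry.repository>/<workload>-<namespace>-scan-results:<workload uid>
    #@ def scanResultsLocation():
    #@   return "/".join([
    #@     data.values.params.registry.server,
    #@     data.values.params.registry.repository,
    #@     "-".join([
    #@       data.values.workload.metadata.name,
    #@       data.values.workload.metadata.namespace,
    #@       "scan-results",
    #@     ])
    #@   ]) + ":" + data.values.workload.metadata.uid
    #@ end

    #! Supply-chain param lookup; None when the key is unset.
    #@ def param(key):
    #@   if not key in data.values.params:
    #@     return None
    #@   end
    #@   return data.values.params[key]
    #@ end

    #! Lookup inside params["maven"]; indexes that param directly, so callers
    #! must first establish that param("maven") is set.
    #@ def maven_param(key):
    #@   if not key in data.values.params["maven"]:
    #@     return None
    #@   end
    #@   return data.values.params["maven"][key]
    #@ end

    #! Maven repository URL from params.maven.repository.url, falling back to
    #! the maven_repository_url param, else None.
    #@ def maven_repository_url():
    #@   if maven_param("repository") and "url" in maven_param("repository"):
    #@     return maven_param("repository")["url"]
    #@   elif param("maven_repository_url"):
    #@     return param("maven_repository_url")
    #@   else:
    #@     return None
    #@   end
    #@ end

    #! Value for the apps.tanzu.vmware.com/correlationid annotation. An
    #! explicit workload annotation wins; otherwise the id is derived from the
    #! source (git URL or source image plus sub_path, maven coordinates, or the
    #! workload image with digest and tag stripped), and is "" when none applies.
    #! NOTE(review): annotations are read from data.values.workload.annotations
    #! rather than .metadata.annotations; confirm this matches the shape of the
    #! workload value handed to the template.
    #! NOTE(review): the final split(":",1) also truncates a registry host that
    #! carries a port (host:5000/app:tag -> host); left as-is because changing
    #! it would alter existing correlation ids.
    #@ def correlationId():
    #@   if hasattr(data.values.workload, "annotations") and hasattr(data.values.workload.annotations, "apps.tanzu.vmware.com/correlationid"):
    #@     return data.values.workload.annotations["apps.tanzu.vmware.com/correlationid"]
    #@   end
    #@   url = ""
    #@   if hasattr(data.values.workload.spec, "source"):
    #@     if hasattr(data.values.workload.spec.source, "git"):
    #@       url = data.values.workload.spec.source.git.url
    #@     elif hasattr(data.values.workload.spec.source, "image"):
    #@       url = data.values.workload.spec.source.image.split("@")[0]
    #@     end
    #@     url = url + "?sub_path=" + getattr(data.values.workload.spec.source, "subPath", "/")
    #@   end
    #@   if param("maven"):
    #@     url = maven_repository_url() + "/" + maven_param("groupId").replace(".", "/") + "/" + maven_param("artifactId")
    #@   end
    #@   if hasattr(data.values.workload.spec, "image"):
    #@     url = data.values.workload.spec.image.split("@",1)[0]
    #@     url = url.split(":",1)[0]
    #@   end
    #@   return url
    #@ end
    ---
    apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
    kind: ImageVulnerabilityScan
    metadata:
      labels: #@ merge_labels({ "app.kubernetes.io/component": "image-scan" })
      annotations:
        apps.tanzu.vmware.com/correlationid: #@ correlationId()
        app-scanning.apps.tanzu.vmware.com/scanner-name: Trivy
      generateName: #@ data.values.workload.metadata.name + "-trivy-scan-"
    spec:
      image: #@ data.values.image
      activeKeychains: #@ data.values.params.image_scanning_active_keychains
      scanResults:
        location: #@ scanResultsLocation()
      workspace:
        size: #@ data.values.params.image_scanning_workspace_size
        #@ if/end data.values.params.image_scanning_workspace_bindings:
        bindings: #@ data.values.params.image_scanning_workspace_bindings
      serviceAccountNames:
        scanner: #@ data.values.params.image_scanning_service_account_scanner
        publisher: #@ data.values.params.image_scanning_service_account_publisher
      steps:
        - name: trivy-generate-report
          image: #@ data.values.params.image_scanning_cli.image
          env:
            - name: TRIVY_DB_REPOSITORY
              value: #@ data.values.params.trivy_db_repository
            - name: TRIVY_JAVA_DB_REPOSITORY
              value: #@ data.values.params.trivy_java_db_repository
            - name: TRIVY_CACHE_DIR
              value: /workspace/trivy-cache
            - name: XDG_CACHE_HOME
              value: /workspace/.cache
            - name: TMPDIR
              value: /workspace
            #! Entries from image_scanning_steps_env_vars are spliced in here;
            #! the placeholder item is replaced by that list.
            - #@ template.replace(data.values.params.image_scanning_steps_env_vars)
          command: ["/cnb/process/trivy"]
          #! --exit-code=0 makes this step succeed regardless of findings, so a
          #! Succeeded condition does not mean the image is clean: whether
          #! findings block the supply chain is decided by whatever consumes the
          #! CycloneDX report, not by this step's exit status.
          #! --scanners=vuln runs only the vulnerability scanner (no secret or
          #! misconfiguration checks).
          args:
            - image
            - $(params.image)
            - --exit-code=0
            - --no-progress
            - --scanners=vuln
            - --format=cyclonedx
            - --output=$(params.scan-results-path)/scan.cdx.json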