---
title: Tanzu Application Platformのsource-test-scan-to-url Supply ChainでSorurce Scannerを除外するメモ
tags: ["Kubernetes", "Cartographer", "Grype", "Tanzu", "TAP", "ytt"]
categories: ["Dev", "CaaS", "Kubernetes", "TAP"]
date: 2022-12-16T01:14:42Z
updated: 2022-12-16T01:33:15Z
---

source-test-scan-to-url Supply Chainで脆弱性スキャンはImage Scannerだけで十分で、Source Scannerは不要な場合に、ytt overlayを使ってSoruce Scannerを除外する方法。

<br>

overlayの作成

```yaml
cat <<EOF > ootb-supply-chain-testing-scanning-remove-source-scanner.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"name":"source-test-scan-to-url"}, "kind": "ClusterSupplyChain"})
---
spec:
  resources:
  #@overlay/match by="name"
  #@overlay/remove
  - name: source-scanner
  #@overlay/match by="name"
  - name: image-provider
    sources:
    #@overlay/match by="name"
    - name: source
      resource: source-tester
EOF
```

overlayをSecretとして登録。以下は、Multi Cluster構成の場合はBuild Clusterに対して行う。

```
kubectl -n tap-install create secret generic ootb-supply-chain-testing-scanning-remove-source-scanner \
  -o yaml \
  --dry-run=client \
  --from-file=ootb-supply-chain-testing-scanning-remove-source-scanner.yaml \
  | kubectl apply -f-
```


作成したoverlayのSecret名をtap-values.yamlのpackage_overlaysへ次のように設定する。

```yaml
package_overlays:
# ...
- name: ootb-supply-chain-testing-scanning
  secrets:
  - name: ootb-supply-chain-testing-scanning-remove-source-scanner 
  # ...
```

packageinstallを更新

```
tanzu package installed update -n tap-install tap -f tap-values.yaml
```

変更前
<img width="1024" alt="image" src="https://user-images.githubusercontent.com/106908/207999730-2e762569-1ad4-442d-aa9d-48393f342c8d.png">

変更後
<img width="1024" alt="image" src="https://user-images.githubusercontent.com/106908/208000821-a19e4da8-0ed6-4efe-88a0-a78409ccf41b.png">