From 7d5599e81c220f5b3a2c2b87e57e7e6630c55198 Mon Sep 17 00:00:00 2001 From: Tim Walter Date: Fri, 2 Jul 2021 14:03:25 +0200 Subject: [PATCH 1/7] Rename lurcher to lurker Renames `lurcher` to `lurker` to fix this long lasting typo. Signed-off-by: Tim Walter --- .github/workflows/ci.yaml | 8 ++-- docs/resources/scb-architecture.drawio | 4 +- docs/resources/scb-architecture.svg | 2 +- docs/uml/compononents_overview.uxf | 2 +- docs/uml/sequence_overview.puml | 10 ++--- {lurcher => lurker}/.dockerignore | 0 {lurcher => lurker}/.gitignore | 0 {lurcher => lurker}/Dockerfile | 6 +-- .../docs/README.DockerHub-Core.md | 4 +- {lurcher => lurker}/go.mod | 2 +- {lurcher => lurker}/go.sum | 0 {lurcher => lurker}/go.sum.license | 0 {lurcher => lurker}/main.go | 6 +-- operator/Chart.yaml | 4 +- operator/README.md | 8 ++-- .../execution/scans/scan_controller.go | 2 +- .../execution/scans/scan_reconciler.go | 44 +++++++++---------- operator/docs/README.ArtifactHub.md | 8 ++-- operator/templates/manager/manager.yaml | 8 ++-- operator/values.yaml | 12 ++--- .../angularjs-csti-scanner/scanner/wrapper.sh | 2 +- .../kubeaudit/templates/kubeaudit-rbac.yaml | 4 +- scanners/screenshooter/scanner/wrapper.sh | 4 +- 23 files changed, 70 insertions(+), 70 deletions(-) rename {lurcher => lurker}/.dockerignore (100%) rename {lurcher => lurker}/.gitignore (100%) rename {lurcher => lurker}/Dockerfile (89%) rename {lurcher => lurker}/docs/README.DockerHub-Core.md (95%) rename {lurcher => lurker}/go.mod (80%) rename {lurcher => lurker}/go.sum (100%) rename {lurcher => lurker}/go.sum.license (100%) rename {lurcher => lurker}/main.go (93%) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 77ed1e26e8..6aa3dd2172 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -120,7 +120,7 @@ jobs: # ---- Build Stage ---- - # ---- Build Stage | Operator & Lurcher ---- + # ---- Build Stage | Operator & Lurker ---- operator: name: "Build | Operator" 
@@ -130,7 +130,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - component: ["operator", "lurcher"] + component: ["operator", "lurker"] steps: - name: Checkout uses: actions/checkout@v2 @@ -625,8 +625,8 @@ jobs: helm -n securecodebox-system install securecodebox-operator ./operator/ --wait \ --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/operator" \ --set="image.tag=sha-$(git rev-parse --short HEAD)" \ - --set="lurcher.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/lurcher" \ - --set="lurcher.image.tag=sha-$(git rev-parse --short HEAD)" \ + --set="lurker.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/lurker" \ + --set="lurker.image.tag=sha-$(git rev-parse --short HEAD)" \ # ---- Operator Health Check ---- diff --git a/docs/resources/scb-architecture.drawio b/docs/resources/scb-architecture.drawio index 9f6f1a6d36..7da3d1532f 100644 --- a/docs/resources/scb-architecture.drawio +++ b/docs/resources/scb-architecture.drawio @@ -70,7 +70,7 @@ - + @@ -268,4 +268,4 @@ - \ No newline at end of file + diff --git a/docs/resources/scb-architecture.svg b/docs/resources/scb-architecture.svg index df4cfc1b42..4d5bf5bf52 100644 --- a/docs/resources/scb-architecture.svg +++ b/docs/resources/scb-architecture.svg @@ -1 +1 @@ -
Kubernetes Job
Kubernetes Job
kubectl apply -f scan.yaml
kubectl apply -f scan.yaml
Kubernetes Job
Kubernetes Job
Scanner Container
Run Scan
Scanner Container...
Lurcher
Extract Results
Lurcher...
Kubernetes Job
Kubernetes Job
CustomRessource
Scan : scanType
CustomRessourceScan : sc...
1
1
Security Scanning
Security Scanning
Result Parsing
Result Parsing
Data Processing Hooks
Data Processing Hooks
Analytics &
Vulnerability Management
Analytics &...
Security Test Definition
Security Test Definition
Parser Container
Parse Results
Parser Container...
secureCodeBox
Operator
secureCodeBoxOperator
3
3
2
2
Kubernetes Job
Kubernetes Job
ReadOnlyHook
Persist Results
ReadOnlyHook...
ReadAndWriteHook
Modify Results
ReadAndWriteHook...
5
5
4
4
Viewer does not support full SVG 1.1
\ No newline at end of file +
Kubernetes Job
Kubernetes Job
kubectl apply -f scan.yaml
kubectl apply -f scan.yaml
Kubernetes Job
Kubernetes Job
Scanner Container
Run Scan
Scanner Container...
Lurker
Extract Results
Lurker...
Kubernetes Job
Kubernetes Job
CustomRessource
Scan : scanType
CustomRessourceScan : sc...
1
1
Security Scanning
Security Scanning
Result Parsing
Result Parsing
Data Processing Hooks
Data Processing Hooks
Analytics &
Vulnerability Management
Analytics &...
Security Test Definition
Security Test Definition
Parser Container
Parse Results
Parser Container...
secureCodeBox
Operator
secureCodeBoxOperator
3
3
2
2
Kubernetes Job
Kubernetes Job
ReadOnlyHook
Persist Results
ReadOnlyHook...
ReadAndWriteHook
Modify Results
ReadAndWriteHook...
5
5
4
4
Viewer does not support full SVG 1.1
diff --git a/docs/uml/compononents_overview.uxf b/docs/uml/compononents_overview.uxf index 14be20fca3..7f7f0e0748 100644 --- a/docs/uml/compononents_overview.uxf +++ b/docs/uml/compononents_overview.uxf @@ -22,7 +22,7 @@ Operator 60 <<Sidecar>> -Lurcher +Lurker diff --git a/docs/uml/sequence_overview.puml b/docs/uml/sequence_overview.puml index ddefe0c0cc..0f6a59f752 100644 --- a/docs/uml/sequence_overview.puml +++ b/docs/uml/sequence_overview.puml @@ -14,7 +14,7 @@ actor kubectl box "secureCodeBox" participant Operator <> participant Scanner <> - participant Lurcher <> + participant Lurker <> participant Minio <> participant Parser <> collections ReadOnlyHooks <> @@ -30,14 +30,14 @@ kubectl -\ Operator : start scan activate Operator Operator -> Scanner : run job activate Scanner -activate Lurcher +activate Lurker Scanner -> Target : scan -Lurcher -\ Scanner : read data -Lurcher -\ Minio : store raw results +Lurker -\ Scanner : read data +Lurker -\ Minio : store raw results Scanner <-- Target Operator <-- Scanner deactivate Scanner -deactivate Lurcher +deactivate Lurker Operator -> Parser : run job activate Parser diff --git a/lurcher/.dockerignore b/lurker/.dockerignore similarity index 100% rename from lurcher/.dockerignore rename to lurker/.dockerignore diff --git a/lurcher/.gitignore b/lurker/.gitignore similarity index 100% rename from lurcher/.gitignore rename to lurker/.gitignore diff --git a/lurcher/Dockerfile b/lurker/Dockerfile similarity index 89% rename from lurcher/Dockerfile rename to lurker/Dockerfile index d4b8176acd..95a41dd39c 100644 --- a/lurcher/Dockerfile +++ b/lurker/Dockerfile 
@@ -17,12 +17,12 @@ RUN go mod download COPY main.go main.go # Build -RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o lurcher main.go +RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o lurker main.go # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details FROM gcr.io/distroless/static:nonroot WORKDIR / -COPY --from=builder /workspace/lurcher . +COPY --from=builder /workspace/lurker . -ENTRYPOINT ["/lurcher"] +ENTRYPOINT ["/lurker"] diff --git a/lurcher/docs/README.DockerHub-Core.md b/lurker/docs/README.DockerHub-Core.md similarity index 95% rename from lurcher/docs/README.DockerHub-Core.md rename to lurker/docs/README.DockerHub-Core.md index 4ecab2691c..432836840b 100644 --- a/lurcher/docs/README.DockerHub-Core.md +++ b/lurker/docs/README.DockerHub-Core.md @@ -45,10 +45,10 @@ You can find resources to help you get started on our [documentation website](ht - tagged releases, e.g. `2.9.0`, `2.8.0`, `2.7.0` ## How to use this image -This `lurcher` image is intended to work in combination with the OWASP secureCodeBox. For more informations details please take a look at the documentation page: https://docs.securecodebox.io/docs/getting-started/installation. +This `lurker` image is intended to work in combination with the OWASP secureCodeBox. For more informations details please take a look at the documentation page: https://docs.securecodebox.io/docs/getting-started/installation. ```bash -docker pull securecodebox/lurcher +docker pull securecodebox/lurker ``` ## What is secureCodeBox Operator? diff --git a/lurcher/go.mod b/lurker/go.mod similarity index 80% rename from lurcher/go.mod rename to lurker/go.mod index b690df4806..d222c997f8 100644 --- a/lurcher/go.mod +++ b/lurker/go.mod 
@@ -2,7 +2,7 @@ // // SPDX-License-Identifier: Apache-2.0 -module github.com/secureCodeBox/secureCodeBox/lurcher +module github.com/secureCodeBox/secureCodeBox/lurker go 1.15 diff --git a/lurcher/go.sum b/lurker/go.sum similarity index 100% rename from lurcher/go.sum rename to lurker/go.sum diff --git a/lurcher/go.sum.license b/lurker/go.sum.license similarity index 100% rename from lurcher/go.sum.license rename to lurker/go.sum.license diff --git a/lurcher/main.go b/lurker/main.go similarity index 93% rename from lurcher/main.go rename to lurker/main.go index 31aea5ebce..bad54c4b51 100644 --- a/lurcher/main.go +++ b/lurker/main.go @@ -46,7 +46,7 @@ func main() { log.Fatal("Flag 'uploadURL' is no proper URL") } - log.Println("Starting lurcher") + log.Println("Starting lurker") log.Printf("Waiting for main container '%s' to complete", mainContainer) log.Printf("After scan is completed file '%s' will be uploaded to '%s'", filePath, url.Hostname()) @@ -99,7 +99,7 @@ func uploadFile(path, url string) error { log.Println("Failed Request:") log.Println(string(bytes)) - return fmt.Errorf("Lurcher failed to upload scan result file. File upload returned non 2xx status code (%d)", res.StatusCode) + return fmt.Errorf("Lurker failed to upload scan result file. File upload returned non 2xx status code (%d)", res.StatusCode) } func waitForMainContainerToEnd(container, pod, namespace string) { @@ -127,7 +127,7 @@ func waitForMainContainerToEnd(container, pod, namespace string) { for _, status := range containerStatuses { if status.Name == container && status.State.Terminated != nil { - log.Printf("Main Container Exited. Lurcher will end as well.") + log.Printf("Main Container Exited. Lurker will end as well.") return } } diff --git a/operator/Chart.yaml b/operator/Chart.yaml index ea54eb740e..c8dddadaf1 100644 --- a/operator/Chart.yaml +++ b/operator/Chart.yaml 
@@ -42,8 +42,8 @@ annotations: # artifacthub.io/images: | # - name: securecodebox-operator # image: docker.io/securecodebox/operator:v2.7.0-alpha1 - # - name: securecodebox-lurcher - # image: docker.io/securecodebox/lurcher:v2.7.0-alpha1 + # - name: securecodebox-lurker + # image: docker.io/securecodebox/lurker:v2.7.0-alpha1 artifacthub.io/crds: | - kind: Scan version: v1 diff --git a/operator/README.md b/operator/README.md index dd85224c26..105994d75a 100644 --- a/operator/README.md +++ b/operator/README.md 
@@ -73,15 +73,15 @@ helm install securecodebox-operator secureCodeBox/operator | Key | Type | Default | Description | |-----|------|---------|-------------| -| customCACertificate | object | `{"certificate":"public.crt","existingCertificate":null}` | Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurcher, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s) | +| customCACertificate | object | `{"certificate":"public.crt","existingCertificate":null}` | Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s) | | customCACertificate.certificate | string | `"public.crt"` | key in the configmap holding the certificate(s) | | customCACertificate.existingCertificate | string | `nil` | name of the configMap holding the ca certificate(s), needs to be the same across all namespaces | | image.pullPolicy | string | `"Always"` | Image pull policy | | image.repository | string | `"docker.io/securecodebox/operator"` | The operator image repository | | image.tag | string | defaults to the charts version | Parser image tag | -| lurcher.image.pullPolicy | string | `"Always"` | Image pull policy | -| lurcher.image.repository | string | `"docker.io/securecodebox/lurcher"` | The operator image repository | -| lurcher.image.tag | string | defaults to the charts version | Parser image tag | +| lurker.image.pullPolicy | string | `"Always"` | Image pull policy | +| lurker.image.repository | string | `"docker.io/securecodebox/lurker"` | The operator image repository | +| lurker.image.tag | string | defaults to the charts version | Parser image tag | | minio.defaultBucket.enabled | bool | `true` | | | minio.defaultBucket.name | string | `"securecodebox"` | | | minio.enabled | bool | `true` | Enable this to use minio as storage backend instead of a cloud bucket 
provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc. | diff --git a/operator/controllers/execution/scans/scan_controller.go b/operator/controllers/execution/scans/scan_controller.go index 41d786d78c..9e9e7ed48b 100644 --- a/operator/controllers/execution/scans/scan_controller.go +++ b/operator/controllers/execution/scans/scan_controller.go @@ -50,7 +50,7 @@ const defaultPresignDuration = 12 * time.Hour // +kubebuilder:rbac:groups=execution.securecodebox.io,resources=parsedefinitions,verbs=get;list;watch // +kubebuilder:rbac:groups=execution.securecodebox.io,resources=scancompletionhooks,verbs=get;list;watch // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete -// Permissions needed to create service accounts for lurcher, parser and scanCompletionHooks +// Permissions needed to create service accounts for lurker, parser and scanCompletionHooks // Pod permission are required to grant these permission to service accounts // +kubebuilder:rbac:groups=core,resources=pods,verbs=get diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go index 85fa794d7f..c1cfe081c9 100644 --- a/operator/controllers/execution/scans/scan_reconciler.go +++ b/operator/controllers/execution/scans/scan_reconciler.go @@ -73,8 +73,8 @@ func (r *ScanReconciler) startScan(scan *executionv1.Scan) error { } r.ensureServiceAccountExists( scan.Namespace, - "lurcher", - "Lurcher is used to extract results from secureCodeBox Scans. It needs rights to get and watch the status of pods to see when the scans have finished.", + "lurker", + "Lurker is used to extract results from secureCodeBox Scans. It needs rights to get and watch the status of pods to see when the scans have finished.", rules, ) 
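Review bot: `r.ensureServiceAccountExists(scan.Namespace, "lurker", ...)` only creates the new identity; nothing in this commit removes the `lurcher` service account (and whatever role binding the helper created for it) in namespaces that have already run scans, so every such namespace keeps a second, now unused account holding pod get/watch rights, assuming the helper only ensures presence as its name suggests. Either add a one-off cleanup of the old account in startScan or state in the release notes that administrators should delete it to keep the per-namespace RBAC surface minimal. Because the default `ServiceAccountName` for scan jobs also switches to `lurker` in a later hunk of this file, any scanner chart that pre-creates a Role/RoleBinding for `lurcher` loses pod access until it is renamed, as this commit does for kubeaudit; other scanner charts with such bindings should be checked. startScan's body continues outside the hunk.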
@@ -181,7 +181,7 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 job.Spec.Template.Annotations = podAnnotations
 
 if job.Spec.Template.Spec.ServiceAccountName == "" {
- job.Spec.Template.Spec.ServiceAccountName = "lurcher"
+ job.Spec.Template.Spec.ServiceAccountName = "lurker"
 }
 
 // merging volume definition from ScanType (if existing) with standard results volume
@@ -207,33 +207,33 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 },
 )
 
- // Get lurcher image config from env
- lurcherImage := os.Getenv("LURCHER_IMAGE")
- if lurcherImage == "" {
- lurcherImage = "securecodebox/lurcher:latest"
+ // Get lurker image config from env
+ lurkerImage := os.Getenv("LURKER_IMAGE")
+ if lurkerImage == "" {
+ lurkerImage = "securecodebox/lurker:latest"
 }
- lurcherPullPolicyRaw := os.Getenv("LURCHER_PULL_POLICY")
- var lurcherPullPolicy corev1.PullPolicy
- switch lurcherPullPolicyRaw {
+ lurkerPullPolicyRaw := os.Getenv("LURKER_PULL_POLICY")
+ var lurkerPullPolicy corev1.PullPolicy
+ switch lurkerPullPolicyRaw {
 case "Always":
- lurcherPullPolicy = corev1.PullAlways
+ lurkerPullPolicy = corev1.PullAlways
 case "IfNotPresent":
- lurcherPullPolicy = corev1.PullIfNotPresent
+ lurkerPullPolicy = corev1.PullIfNotPresent
 case "Never":
- lurcherPullPolicy = corev1.PullNever
+ lurkerPullPolicy = corev1.PullNever
 case "":
- lurcherPullPolicy = corev1.PullAlways
+ lurkerPullPolicy = corev1.PullAlways
 default:
- return nil, fmt.Errorf("Unknown imagePull Policy for lurcher: %s", lurcherPullPolicyRaw)
+ return nil, fmt.Errorf("Unknown imagePull Policy for lurker: %s", lurkerPullPolicyRaw)
 }
 
 falsePointer := false
 truePointer := true
- lurcherSidecar := &corev1.Container{
- Name: "lurcher",
- Image: lurcherImage,
- ImagePullPolicy: lurcherPullPolicy,
+ lurkerSidecar := &corev1.Container{
+ Name: "lurker",
+ Image: lurkerImage,
+ ImagePullPolicy: lurkerPullPolicy,
 Args: []string{
 "--container",
 job.Spec.Template.Spec.Containers[0].Name,
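Review bot: Renaming the configuration variables to `LURKER_IMAGE` and `LURKER_PULL_POLICY` without reading the old names means a deployment that still exports `LURCHER_IMAGE` (for example a pinned, internally mirrored image) silently degrades: `os.Getenv("LURKER_IMAGE")` returns "" and the sidecar falls back to the mutable `securecodebox/lurker:latest` tag with pull policy Always, with no log line recording the fallback. Consider accepting the old names as a deprecated fallback for one release, e.g. `if lurkerImage == "" { lurkerImage = os.Getenv("LURCHER_IMAGE") }`, and logging a warning whenever the fallback or the `:latest` default is used. The same silent-override problem applies to the chart value keys renamed in operator/values.yaml and operator/templates/manager/manager.yaml, where a user-supplied `lurcher.image.*` override is now ignored without a rendering error. constructJobForScan starts and ends outside the hunk.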
@@ -281,7 +281,7 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e } customCACertificate, isConfigured := os.LookupEnv("CUSTOM_CA_CERTIFICATE_EXISTING_CERTIFICATE") - r.Log.Info("Configuring customCACerts for lurcher", "customCACertificate", customCACertificate, "isConfigured", isConfigured) + r.Log.Info("Configuring customCACerts for lurker", "customCACertificate", customCACertificate, "isConfigured", isConfigured) if customCACertificate != "" { job.Spec.Template.Spec.Volumes = append(job.Spec.Template.Spec.Volumes, corev1.Volume{ Name: "ca-certificate", @@ -295,7 +295,7 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e }) certificateName := os.Getenv("CUSTOM_CA_CERTIFICATE_NAME") - lurcherSidecar.VolumeMounts = append(lurcherSidecar.VolumeMounts, corev1.VolumeMount{ + lurkerSidecar.VolumeMounts = append(lurkerSidecar.VolumeMounts, corev1.VolumeMount{ Name: "ca-certificate", ReadOnly: true, MountPath: "/etc/ssl/certs/" + certificateName, @@ -303,7 +303,7 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e }) } - job.Spec.Template.Spec.Containers = append(job.Spec.Template.Spec.Containers, *lurcherSidecar) + job.Spec.Template.Spec.Containers = append(job.Spec.Template.Spec.Containers, *lurkerSidecar) if err := ctrl.SetControllerReference(scan, job, r.Scheme); err != nil { return nil, err diff --git a/operator/docs/README.ArtifactHub.md b/operator/docs/README.ArtifactHub.md index b6fb30e954..d37ff8157f 100644 --- a/operator/docs/README.ArtifactHub.md +++ b/operator/docs/README.ArtifactHub.md 
@@ -78,15 +78,15 @@ helm install securecodebox-operator secureCodeBox/operator | Key | Type | Default | Description | |-----|------|---------|-------------| -| customCACertificate | object | `{"certificate":"public.crt","existingCertificate":null}` | Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurcher, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s) | +| customCACertificate | object | `{"certificate":"public.crt","existingCertificate":null}` | Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s) | | customCACertificate.certificate | string | `"public.crt"` | key in the configmap holding the certificate(s) | | customCACertificate.existingCertificate | string | `nil` | name of the configMap holding the ca certificate(s), needs to be the same across all namespaces | | image.pullPolicy | string | `"Always"` | Image pull policy | | image.repository | string | `"docker.io/securecodebox/operator"` | The operator image repository | | image.tag | string | defaults to the charts version | Parser image tag | -| lurcher.image.pullPolicy | string | `"Always"` | Image pull policy | -| lurcher.image.repository | string | `"docker.io/securecodebox/lurcher"` | The operator image repository | -| lurcher.image.tag | string | defaults to the charts version | Parser image tag | +| lurker.image.pullPolicy | string | `"Always"` | Image pull policy | +| lurker.image.repository | string | `"docker.io/securecodebox/lurker"` | The operator image repository | +| lurker.image.tag | string | defaults to the charts version | Parser image tag | | minio.defaultBucket.enabled | bool | `true` | | | minio.defaultBucket.name | string | `"securecodebox"` | | | minio.enabled | bool | `true` | Enable this to use minio as storage backend instead of a cloud bucket 
provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc. | diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml index 1004e76719..bd438ee24e 100644 --- a/operator/templates/manager/manager.yaml +++ b/operator/templates/manager/manager.yaml @@ -110,10 +110,10 @@ spec: value: {{ .Values.s3.awsStsEndpoint | quote }} {{- end }} {{- end }} - - name: LURCHER_IMAGE - value: "{{ .Values.lurcher.image.repository }}:{{ .Values.lurcher.image.tag | default .Chart.Version }}" - - name: LURCHER_PULL_POLICY - value: {{ .Values.lurcher.image.pullPolicy }} + - name: LURKER_IMAGE + value: "{{ .Values.lurker.image.repository }}:{{ .Values.lurker.image.tag | default .Chart.Version }}" + - name: LURKER_PULL_POLICY + value: {{ .Values.lurker.image.pullPolicy }} {{- if .Values.customCACertificate.existingCertificate }} - name: CUSTOM_CA_CERTIFICATE_EXISTING_CERTIFICATE value: {{ .Values.customCACertificate.existingCertificate | quote }} diff --git a/operator/values.yaml b/operator/values.yaml index 303d3a7cd7..19da5e4954 100644 --- a/operator/values.yaml +++ b/operator/values.yaml @@ -18,7 +18,7 @@ image: # image.pullPolicy -- Image pull policy pullPolicy: Always -# -- Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurcher, parser & hooks). +# -- Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks). # Requires that every namespace has a configmap with the CA certificate(s) customCACertificate: # -- name of the configMap holding the ca certificate(s), needs to be the same across all namespaces 
@@ -52,14 +52,14 @@ securityContext: # -- Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container podSecurityContext: {} -lurcher: +lurker: image: - # lurcher.image.repository -- The operator image repository - repository: docker.io/securecodebox/lurcher - # lurcher.image.tag -- Parser image tag + # lurker.image.repository -- The operator image repository + repository: docker.io/securecodebox/lurker + # lurker.image.tag -- Parser image tag # @default -- defaults to the charts version tag: null - # lurcher.image.pullPolicy -- Image pull policy + # lurker.image.pullPolicy -- Image pull policy pullPolicy: Always minio: diff --git a/scanners/angularjs-csti-scanner/scanner/wrapper.sh b/scanners/angularjs-csti-scanner/scanner/wrapper.sh index 510726ca0c..43d4b4290f 100644 --- a/scanners/angularjs-csti-scanner/scanner/wrapper.sh +++ b/scanners/angularjs-csti-scanner/scanner/wrapper.sh @@ -11,7 +11,7 @@ if [ -f /acstis/config/acstis-config.py ]; then fi python /acstis/acstis-script.py $@ -# If no finding occured generate a empty file for the lurcher +# If no finding occurred generate a empty file for the lurker if [ ! -f /home/securecodebox/findings.log ]; then touch /home/securecodebox/findings.log fi diff --git a/scanners/kubeaudit/templates/kubeaudit-rbac.yaml b/scanners/kubeaudit/templates/kubeaudit-rbac.yaml index 62104b819c..6437248a0d 100644 --- a/scanners/kubeaudit/templates/kubeaudit-rbac.yaml +++ b/scanners/kubeaudit/templates/kubeaudit-rbac.yaml @@ -12,7 +12,7 @@ metadata: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: kubeaudit-lurcher + name: kubeaudit-lurker namespace: {{ .Release.Namespace}} subjects: - kind: ServiceAccount @@ -21,7 +21,7 @@ subjects: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: lurcher + name: lurker --- {{- if eq .Values.kubeauditScope "namespace" }} kind: Role 
diff --git a/scanners/screenshooter/scanner/wrapper.sh b/scanners/screenshooter/scanner/wrapper.sh index aab7f778fd..40d0282862 100644 --- a/scanners/screenshooter/scanner/wrapper.sh +++ b/scanners/screenshooter/scanner/wrapper.sh @@ -3,8 +3,8 @@ # SPDX-License-Identifier: Apache-2.0 # Screnshooter entrypoint script to change the result file linux permission after completion. -# Firefox will set the permission in a way which makes it inaccessible to the lurcher otherwise -# Gets executed two times because it happend to produce better results for long loading sites +# Firefox will set the permission in a way which makes it inaccessible to the lurker otherwise +# Gets executed two times because it happened to produce better results for long loading sites timeout 30 firefox $@ timeout 30 firefox $@ if [ ! -f /home/securecodebox/screenshot.png ]; then From 102290204feeef4cab7ed723b8fa755440b74371 Mon Sep 17 00:00:00 2001 From: Tim Walter Date: Fri, 2 Jul 2021 14:24:31 +0200 Subject: [PATCH 2/7] Rename lurcher to lurker Renames `lurcher` to `lurker` to fix this long lasting typo. 
Signed-off-by: Tim Walter --- demo-targets/bodgeit/README.md | 68 +-- demo-targets/dummy-ssh/README.md | 70 +--- demo-targets/http-webhook/README.md | 64 +-- demo-targets/juice-shop/README.md | 66 +-- demo-targets/old-wordpress/README.md | 64 +-- demo-targets/swagger-petstore/README.md | 64 +-- demo-targets/unsafe-https/README.md | 66 +-- hooks/cascading-scans/README.md | 166 +------- hooks/finding-post-processing/README.md | 96 +---- hooks/generic-webhook/README.md | 64 +-- hooks/notification/README.md | 272 +----------- hooks/persistence-defectdojo/README.md | 133 ++---- hooks/persistence-elastic/README.md | 70 +--- hooks/teams-webhook/README.md | 66 +-- hooks/update-field/README.md | 67 +-- operator/README.md | 78 +--- scanners/amass/README.md | 80 +--- scanners/angularjs-csti-scanner/README.md | 177 +------- scanners/git-repo-scanner/README.md | 106 +---- scanners/gitleaks/README.md | 170 +------- scanners/kube-hunter/README.md | 73 +--- scanners/kubeaudit/README.md | 75 +--- scanners/ncrack/README.md | 219 +--------- scanners/nikto/README.md | 91 +--- scanners/nmap/README.md | 126 +----- scanners/screenshooter/README.md | 70 +--- scanners/ssh-scan/README.md | 105 +---- scanners/sslyze/README.md | 172 +------- scanners/test-scan/README.md | 64 +-- scanners/trivy/README.md | 76 +--- scanners/wpscan/README.md | 112 +---- scanners/zap-advanced/README.md | 490 +--------------------- scanners/zap/README.md | 112 +---- 33 files changed, 341 insertions(+), 3451 deletions(-) diff --git a/demo-targets/bodgeit/README.md b/demo-targets/bodgeit/README.md index f8a1faa36c..c55c81cf8b 100644 --- a/demo-targets/bodgeit/README.md +++ b/demo-targets/bodgeit/README.md @@ -1,56 +1,21 @@ ---- -title: "Bodgeit" -category: "target" -type: "Website" -state: "released" -appVersion: "v1.4.0" -usecase: "Vulnerable WebApp based on html serverside rendering" ---- +# bodgeit - - - -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

- -## What is Bodgeit? -The BodgeIt Store is a vulnerable web app which is aimed at people who are new to pen testing. -BodgeIt Store is a serverside rendering based html website without any heavy javascript. +The BodgeIt Store is a vulnerable web app which is aimed at people who are new to pen testing **Homepage:** -### Source Code +## Maintainers -* -* +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | securecodebox@iteratec.com | | -## Deployment -The bodgeit `scanType` can be deployed via helm: +## Source Code -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install bodgeit secureCodeBox/bodgeit -``` +* +* ## Values @@ -79,16 +44,3 @@ helm upgrade --install bodgeit secureCodeBox/bodgeit | service.type | string | `"ClusterIP"` | | | tolerations | list | `[]` | | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/demo-targets/dummy-ssh/README.md b/demo-targets/dummy-ssh/README.md index 242d19359d..290fd24eed 100644 --- a/demo-targets/dummy-ssh/README.md +++ b/demo-targets/dummy-ssh/README.md @@ -1,60 +1,21 @@ ---- -title: "Dummy SSH" -category: "target" -type: "service" -state: "released" -appVersion: "v1.0.0" -usecase: "Vulnerable WebApp based on html serverside rendering" ---- +# dummy-ssh - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is Dummy SSH? -The Dummy SSH service is a vulnerable SSH Service which is aimed at people who are new to pen testing. +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | securecodebox@iteratec.com | | -The vulnerable SSH Server is used for for security scan testing. - -There are also vulnerable credentials which can be identified via bruteforcing: -- Port 22 -- Username root, -- Password: THEPASSWORDYOUCREATED - -### Source Code +## Source Code * -## Deployment -The dummy-ssh `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install dummy-ssh secureCodeBox/dummy-ssh -``` - ## Values | Key | Type | Default | Description | @@ -77,16 +38,3 @@ helm upgrade --install dummy-ssh secureCodeBox/dummy-ssh | service.type | string | `"ClusterIP"` | | | tolerations | list | `[]` | | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/demo-targets/http-webhook/README.md b/demo-targets/http-webhook/README.md index e8c511c428..4ad995b85b 100644 --- a/demo-targets/http-webhook/README.md +++ b/demo-targets/http-webhook/README.md 
@@ -1,53 +1,8 @@ ---- -title: "HTTP WebHook" -category: "target" -type: "service" -state: "released" -appVersion: "1.16.0" -usecase: "Vulnerable HTTP WebHook" ---- +# http-webhook - - - -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

- -## What is HTTP WebHook? -A Dummy webserver to echo HTTP requests in log. - -### Source Code - -* -* - -## Deployment -The http-webhook `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install http-webhook secureCodeBox/http-webhook -``` +A Dummy webserver to echo HTTP requests in log ## Values @@ -84,16 +39,3 @@ helm upgrade --install http-webhook secureCodeBox/http-webhook | serviceAccount.name | string | `""` | | | tolerations | list | `[]` | | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/demo-targets/juice-shop/README.md b/demo-targets/juice-shop/README.md index 51ec12c56b..cbff5f93b5 100644 --- a/demo-targets/juice-shop/README.md +++ b/demo-targets/juice-shop/README.md @@ -1,56 +1,21 @@ ---- -title: "OWASP JuiceShop" -category: "target" -type: "Website" -state: "released" -appVersion: "v12.7.0" -usecase: "Modern insecure web application" ---- +# juice-shop - - - -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

- -## What is OWASP JuiceShop? +![Version: v2.7.0-alpha1](https://img.shields.io/badge/Version-v2.7.0--alpha1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v12.7.0](https://img.shields.io/badge/AppVersion-v12.7.0-informational?style=flat-square) OWASP Juice Shop: Probably the most modern and sophisticated insecure web application **Homepage:** -### Source Code +## Maintainers -* -* +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | securecodebox@iteratec.com | | -## Deployment -The juice-shop `scanType` can be deployed via helm: +## Source Code -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install juice-shop secureCodeBox/juice-shop -``` +* +* ## Values @@ -79,16 +44,3 @@ helm upgrade --install juice-shop secureCodeBox/juice-shop | service.type | string | `"ClusterIP"` | | | tolerations | list | `[]` | | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/demo-targets/old-wordpress/README.md b/demo-targets/old-wordpress/README.md index a40a2325d1..ad538f0bcd 100644 --- a/demo-targets/old-wordpress/README.md +++ b/demo-targets/old-wordpress/README.md 
@@ -1,54 +1,21 @@ ---- -title: "Old Wordpress" -category: "target" -type: "Website" -state: "released" -appVersion: "4.0" -usecase: "Modern insecure web application" ---- +# old-wordpress - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is Old Wordpress? +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | securecodebox@iteratec.com | | -Insecure & Outdated WordPress Instance: Never expose it to the internet! - -### Source Code +## Source Code * -## Deployment -The old-wordpress `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install old-wordpress secureCodeBox/old-wordpress -``` - ## Values | Key | Type | Default | Description | @@ -71,16 +38,3 @@ helm upgrade --install old-wordpress secureCodeBox/old-wordpress | service.type | string | `"ClusterIP"` | | | tolerations | list | `[]` | | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/demo-targets/swagger-petstore/README.md b/demo-targets/swagger-petstore/README.md index 7a4cab5fd1..02862ca08c 100644 --- a/demo-targets/swagger-petstore/README.md +++ b/demo-targets/swagger-petstore/README.md @@ -1,55 +1,22 @@ ---- -title: "Swagger Petstore API" -category: "target" -type: "Website" -state: "released" -appVersion: "1.0.3" -usecase: "Modern insecure web application" ---- +# swagger-petstore - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is "Swagger Petstore API"? +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | securecodebox@iteratec.com | | -This is the sample petstore application with a restful API. - -### Source Code +## Source Code * * -## Deployment -The swagger-petstore `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install swagger-petstore secureCodeBox/swagger-petstore -``` - ## Values | Key | Type | Default | Description | @@ -78,16 +45,3 @@ helm upgrade --install swagger-petstore secureCodeBox/swagger-petstore | swaggerHostOverride | string | `"http://swagger-petstore.demo-targets.svc"` | | | tolerations | list | `[]` | | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/demo-targets/unsafe-https/README.md b/demo-targets/unsafe-https/README.md index f0d667421d..072ece8859 100644 --- a/demo-targets/unsafe-https/README.md +++ b/demo-targets/unsafe-https/README.md @@ -1,56 +1,21 @@ ---- -title: "Unsafe HTTPS" -category: "target" -type: "Website" -state: "released" -appVersion: "v1.0.0" -usecase: "Modern insecure web application" ---- +# unsafe-https - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is "Unsafe HTTPS"? +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | securecodebox@iteratec.com | | -Unsafe https Server for SSL Checking. -Can be used for scanners that check for unsafe ssl certificates, as the server uses a self-signed certificate -which contains both private and public key and is not authorized by a third party. - -### Source Code +## Source Code * -## Deployment -The unsafe-https `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install unsafe-https secureCodeBox/unsafe-https -``` - ## Values | Key | Type | Default | Description | @@ -73,16 +38,3 @@ helm upgrade --install unsafe-https secureCodeBox/unsafe-https | service.type | string | `"ClusterIP"` | | | tolerations | list | `[]` | | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/hooks/cascading-scans/README.md b/hooks/cascading-scans/README.md index 6a1e67fcff..11a6b6b525 100644 --- a/hooks/cascading-scans/README.md +++ b/hooks/cascading-scans/README.md @@ -1,158 +1,25 @@ ---- -title: "Cascading Scans" -category: "hook" -type: "processing" -state: "released" -usecase: "Cascading Scans based declarative Rules." ---- +# cascading-scans - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is "Cascading Scans" Hook about? -The Cascading Scans Hook can be used to orchestrate security scanners based on defined rule sets. -The so called `CascadingRules` consist of a `matches` section which contains one or multiple rules which are compared against `findings`. When a `finding` matches a `rule` the `scanSpec` section will then be used to create a new scan. To customize the scan to match the finding, the [mustache](https://github.com/janl/mustache.js) templating language can be used to reference fields of the finding. +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -<-- Todo: should be replaced with an valid docs.secureCodeBox.io link as soon as all ADRs are added there --> -This Hook is based on the ADR https://github.com/secureCodeBox/secureCodeBox/blob/main/docs/adr/adr_0003.md +## Source Code -## Deployment -The cascading-scans `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install cascading-scans secureCodeBox/cascading-scans -``` +* ## Requirements Kubernetes: `>=v1.11.0-0` -## Additional Chart Configurations -Installing the `Cascading Scans` hook will add a `ReadOnly Hook` to your namespace which looks for matching _CascadingRules_ in the namespace and start the according scans. - -### Verification -```bash -kubectl get ScanCompletionHooks -NAME TYPE IMAGE -dssh ReadOnly docker.io/securecodebox/hook-cascading-scans:latest -``` - -### CascadingScan Rules -The CascadingRules are included directly in each helm chart of the individual scanners. -There is a configuration option `cascadingRules.enabled` for each scanner to prevent this inclusion. 
- -```bash -# Check your CascadingRules -kubectl get CascadingRules -NAME STARTS INVASIVENESS INTENSIVENESS -https-tls-scan sslyze non-invasive light -imaps-tls-scan sslyze non-invasive light -nikto-http nikto non-invasive medium -nmap-smb nmap non-invasive light -pop3s-tls-scan sslyze non-invasive light -smtps-tls-scan sslyze non-invasive light -ssh-scan ssh-scan non-invasive light -zap-http zap-baseline-scan non-invasive medium -``` - -### Starting a cascading Scan -When you start a normal Scan, no CascadingRule will be applied. To use a _CascadingRule_ the scan must be marked to allow cascading rules. -This is implemented using kubernetes label selectors, meaning that scans mark the classes of scans which are allowed to be cascaded by the current one. - -#### Example -```yaml -cat < - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is "Finding Post Processing" Hook about? -Installing the _Finding Post Processing_ hook will add a ReadAndWrite Hook to your namespace, -which can be used to add or update fields from your findings meeting specified conditions. +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -## Deployment -The finding-post-processing `scanType` can be deployed via helm: +## Source Code -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install finding-post-processing secureCodeBox/finding-post-processing -``` +* ## Requirements Kubernetes: `>=v1.11.0-0` -## Additional Chart Configurations - -### Rule Configuration -The _rules_ can be defined in the `values` of the HelmChart. -The syntax and semantic for these rules are quite similar to CascadingRules (See: [secureCodeBox | CascadingRules](/docs/api/crds/cascading-rule)) - -To define rules you will have to provide the `rules` field with one or more `matches` elements. -Each `machtes` defines one Rule. -For example: - -```yaml -rules: - - matches: - anyOf: - - category: "Open Port" - attributes: - port: 23 - state: open - override: - severity: "high" - description: "Telnet is bad" -``` - -This rule will match all findings with an open port on 23 and override the severity for this finding with `high` as well as providing a new description `Telnet is bad!`. - -#### matches - -Within the `matches` you will have to provide `anyOf` and `override`. -In the `anyOff` contains one or more conditions to be met by the finding to match the rule. -Notice that only one of these elements needs to match the finding for the rule to match. - -#### override - -The `override` field specifies the desired fields and values that need to be updated or added if the rule is matching. - ## Values | Key | Type | Default | Description | 
@@ -92,16 +29,3 @@ The `override` field specifies the desired fields and values that need to be upd | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | rules | list | `[]` | | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/hooks/generic-webhook/README.md b/hooks/generic-webhook/README.md index 75ffe561e6..40a82218c5 100644 --- a/hooks/generic-webhook/README.md +++ b/hooks/generic-webhook/README.md @@ -1,56 +1,25 @@ ---- -title: "Generic WebHook" -category: "hook" -type: "integration" -state: "released" -usecase: "Publishes Scan Findings as WebHook." ---- +# generic-webhook - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is "Generic WebHook" Hook about? -Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace which is capable of sending scan results containing `findings` to a given webhook url. +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -## Deployment -The generic-webhook `scanType` can be deployed via helm: +## Source Code -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install generic-webhook secureCodeBox/generic-webhook -``` +* ## Requirements Kubernetes: `>=v1.11.0-0` -## Additional Chart Configurations - -> ✍ This documentation is currently work-in-progress. - ## Values | Key | Type | Default | Description | @@ -60,16 +29,3 @@ Kubernetes: `>=v1.11.0-0` | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | | webhookUrl | string | `"http://example.com"` | The URL of your WebHook endpoint | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/hooks/notification/README.md b/hooks/notification/README.md index af712a84bf..115499365e 100644 --- a/hooks/notification/README.md 
+++ b/hooks/notification/README.md @@ -1,266 +1,13 @@ ---- -title: "Notification Hook" -category: "hook" -type: "integration" -state: "released" -usecase: "Publishes Scan Summary to MS Teams, Slack and others." ---- +# notification - - - -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

- -## What is "Notification" Hook about? -Installing the Notification WebHook hook will add a ReadOnly Hook to your namespace which is capable of sending scan results containing `findings` as messages to different tools like messangers or even email. - -You can customise the message templates on your behalf or use the already provided one. - -## Deployment -The notification `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install notification secureCodeBox/notification -``` +Lets you send a findings result summary as hook to MS Teams, Slack, e-mail and others after a scan is completed. ## Requirements Kubernetes: `>=v1.11.0-0` -## Additional Chart Configurations - -Installing the Notification hook will add a ReadOnly Hook to your namespace. - -```bash -helm upgrade --install nwh ./hooks/notification-hook/ --values /path/to/your/values" -``` - -The `values.yaml` you need depends on the notification type you want to use. -Please take a look at the documentation for each type (e.g. for slack see [Configuration of a Slack Notification](#configuration-o-a-slack-notification)) - -### Available Notifier - -- [Slack](#configuration-of-a-slack-notification) -- [Slack App](#configuration-of-a-slack-app-notification) -- [Email](#configuration-of-an-email-notification) - -### Configuration of a Notification - -The general configuration of a notification looks something like this - -```yaml -notificationChannels: - - name: slack - type: slack - template: slack-messageCard - skipNotificationOnZeroFinding: true - rules: - - matches: - anyOf: - - category: "Open Port" - endPoint: "SOME_ENV" - -env: - - name: SOME_ENV - valueFrom: - secretRefKey: - secret: some-secret - key: some-key -``` - -The Notification Hook enables you to define multiple so called `notificationChannels`. A `notificationChannel` defines the Notification to a specific platform (e.g. Slack or Teams). 
- -The `name` is used to for debugging failing notifications. -it can be a _string_ of you choice. - -The `type` specifies the type of the notification (in this example slack). -See [Available Notifier](#available-notifier). - -The `template` field defines the name of a Nunjucks template to send to your notification channel. -These templates are usually tied to their notification channel (slack templates will not work for teams). -The template `slack-messageCard` is provided by default. -Notice that for the name of the template we chose to omit the file type. -The template `slack-messageCard` will point to `slack-messageCard.njk` in the filesystem of the hook. - -The `skipNotificationOnZeroFindings` if set to true will cause the notifier when there were no findings. -This can happen when the scan did not identify any or if all findings were filtered out using [rules](#rule-configuration). -Defaults to `false` if not set. -You can use `skipNotificationOnZeroFindings` to only send out notification for non duplicate findings, e.g. by combining the DefectDojo hook with this one and filtering out the `duplicate` attribute in the rules. - -The `endPoint` specifies where the notification has to go to. -To protect the actual endPoint (e.g. a webhook url) this should point to an env name defined under `env` -For slack this would be your webhook URL to slack. - -To define conditions when a notification should be created you can use `rules`. -If no rules are specified, this hook will assume that you always want to be notified. - -Under `env` you have to define additional information needed for your templates such as the actual endpoint. -`env` will be mapped to the `env` implementation of Kubernetes. -This means that you can define key-value pairs as well as providing envs via secrets (See [Define Environment Variables for a Container | Kubernetes](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)). 
- -#### Rule Configuration - -The rules can be defined in the values of the Chart. -The syntax and semantic for these rules are quite similar to CascadingRules (See: [secureCodeBox | CascadingRules](/docs/api/crds/cascading-rule)) -To define Rules you will have to provide the `rules` field with one or more `matches` elements. -Each `machtes` defines one Rule. -For example: - -```yaml -rules: - - matches: - anyOf: - - category: "Open Port" - attributes: - port: 23 - state: open -``` - -This Rule will match all Findings with an open port on 23. - -##### matches - -Within the `matches` you will have to provide `anyOf` -`anyOf` contains one or more conditions to be met by the finding to match the rule. -Notice that only one of these elements needs to match the finding for the rule to match. - -#### Configuration of a Slack Notification - -To configure a Slack notification set the `type` to `slack` and the `endPoint` to point to your env containing your Webhook URL to slack. -You can use one of the following default templates: - -- `slack-messageCard`: Sends a message with a summary listing the number of findings per category and severity. -- `slack-individual-findings-with-defectdojo`: Sends a message with a list of all findings with a link to the finding in DefectDojo. Will only work correctly if the DefectDojo hook is installed in the same namespace. - -#### Configuration of a Slack App Notification - -The `slack-app` notifier is an _alternate_ way to send notifications to slack using the slack api directly rather then using webhooks. -Use `slack-app` over the normal `slack` if you want to send notifications into different slack channels on a per scan basis. - -##### Slack App Configuration - -To set it up, you'll need to create a new slack app at [https://api.slack.com/apps/](https://api.slack.com/apps/) and add the `chat:write` "Bot Token Scope" to it on the "OAuth & Permissions" tab. 
Then add the bot to your workspace, this will give you the access token (should begin with a `xoxb-`). - -To configure a Slack notification set the `type` to `slack-app` and reference the secret via the `SLACK_APP_TOKEN` env var. - -##### Example Config - -```yaml -notificationChannels: - - name: slack - type: slack-app - template: slack-messageCard - rules: [] - -env: - # you can create the secret via: kubectl create secret generic slack-app-token --from-literal="token=xoxb-..." - - name: SLACK_APP_TOKEN - valueFrom: - secretKeyRef: - name: slack-app-token - key: token - # configures which channel the messages are send to if the scan doesn't specify a channel - - name: SLACK_DEFAULT_CHANNEL - value: "#example-channel" -``` - -##### Supported Notification Channels - -The `slack-app` notifier supports the same message templates as the `slack` notifier. -See [slack](#configuration-of-a-slack-notification) for the supported message types. - -##### Scan / Channel Config - -You can configure to which channel the message is sent to by setting the `notification.securecodebox.io/slack-channel` to the channel the message should be sent to, the following example will send its notifications to the `#juice-shop-dev` channel in the slack workspace of the configured token. - -> Note: The channel needs to have the app you've create invited to it. Otherwise the app will not be permitted to write to it. - -```yaml -apiVersion: "execution.securecodebox.io/v1" -kind: Scan -metadata: - name: "nmap-juice-shop" - annotations: - notification.securecodebox.io/slack-channel: "#juice-shop-dev" -spec: - scanType: "nmap" - parameters: - - juice-shop.default.svc -``` - -#### Configuration Of An Email Notification - -To configure an email notification set the `type` to `email` and the `endPoint` to point to your env containing your target email address. 
-You can use one of the following default templates: - -- `email`: Sends a email with a summary listing the number of findings per category and severity. - -Additional to this configuration you will have to provide a special smtp configuration URL. -This config reflects the transporter configuration of nodemailer (See [nodemailer | SMTP Transport](https://nodemailer.com/smtp/)). -This configuration needs to be specified under `env` in the values yaml. -The identifier for this config has to be `SMTP_CONFIG`. -A basic configuration could look like this: - -``` -notificationChannels: - - name: email - type: email - template: email - rules: [] - endPoint: "someone@somewhere.xyz" -env: - - name: SMTP_CONFIG - value: "smtp://user:pass@smtp.domain.tld/" -``` - -To provide a custom `from` field for your email you can specify `EMAIL_FROM` under env. -For example: - -``` -env: - - name: SMTP_CONFIG - value: "smtp://user:pass@smtp.domain.tld/" - - name: EMAIL_FROM - value: secureCodeBox -``` - -### Custom Message Templates - -CAUTION: Nunjucks templates allow code to be injected! Use templates from trusted sources only! - -The Notification Hook enables you to write your own message templates if the templates provided by default are not sufficient. -Templates for this hook are written using the [Nunjucks](https://mozilla.github.io/nunjucks/) templating engine. - -To fill your template with data we provide the following objects. 
- -| object | Details | -| -------- | ------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | -| findings | An array of the findings matching your rules (See [Finding | secureCodeBox](https://docs.securecodebox.io/docs/api/finding) | -| scan | An Object containing information about the scan that triggered the notification (See [Scan | secureCodeBox](https://docs.securecodebox.io/docs/api/crds/scan) | -| args | contains `process.env` (See: [process.env | nodejs](https://nodejs.org/api/process.html#process_process_env)) you can use this to access data defined in `env` of the `values.yaml` | - ## Values | Key | Type | Default | Description | @@ -283,16 +30,3 @@ To fill your template with data we provide the following objects. | notificationChannels[0].template | string | `"slack-messageCard"` | | | notificationChannels[0].type | string | `"slack"` | | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/hooks/persistence-defectdojo/README.md b/hooks/persistence-defectdojo/README.md index 76d8563215..02ff03c6e3 100644 --- a/hooks/persistence-defectdojo/README.md +++ b/hooks/persistence-defectdojo/README.md 
@@ -6,47 +6,27 @@ state: "released" usecase: "Publishes all Scan Reports to OWASP DefectDojo." --- - - - -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

- -## What is "Persistence DefectDojo" Hook about? +## About + The DefectDojo hook imports the reports from scans automatically into [OWASP DefectDojo](https://www.defectdojo.org/). -The hook uses the import scan [API v2 from DefectDojo](https://defectdojo.readthedocs.io/en/latest/api-v2-docs.html) to import the scan results. +The hook uses the import scan [API from DefectDojo](https://defectdojo.readthedocs.io/en/latest/api-v2-docs.html) to import the scan results. This means that only scan types are supported by the hook which are both supported by the secureCodeBox and DefectDojo. These are: - Nmap -- Nikto - ZAP (Baseline, API Scan and Full Scan) -- ZAP Advanced - SSLyze - Trivy - Gitleaks +:::caution + +Nikto is currently **not** supported even though it's supported by the secureCodeBox and DefectDojo as the secureCodeBox +uses the Nikto JSON format while DefectDojo uses the XML format. + +::: + After uploading the results to DefectDojo, it will use the findings parsed by DefectDojo to overwrite the original secureCodeBox findings identified by the parser. This lets you access the finding metadata like the false positive and duplicate status from DefectDojo in further ReadOnly hooks, e.g. send out Slack notification 
@@ -61,53 +41,7 @@ run ReadAndWrite hooks. ReadOnly hooks work fine with the DefectDojo hook as they are always executed after ReadAndWrite Hooks. ::: -### Running "Persistence DefectDojo" Hook Locally from Source -For development purposes, it can be useful to run this hook locally. You can do so by following these steps: - -1. Make sure you have access to a running [DefectDojo](https://github.com/DefectDojo/django-DefectDojo) instance. -2. [Run a Scan](https://docs.securecodebox.io/docs/getting-started/first-scans) of your choice. -3. Supply Download Links for the Scan Results (Raw Result and Findings.json). You can e.g., access them from the -included [Minio Instance](https://docs.securecodebox.io/docs/getting-started/installation/#accessing-the-included-minio-instance) -and upload them to a GitHub Gist. -4. Set the following environment variables: - -- DEFECTDOJO_URL (e.g http://192.168.0.1:8080); -- DEFECTDOJO_USERNAME (e.g admin) -- DEFECTDOJO_APIKEY= (e.g. b09c.., can be fetched from the DefectDojo Settings) -- IS_DEV=true -- SCAN_NAME (e.g nmap-scanme.nmap.org, must be set exactly to the name of the scan used in step 2) - -5. Build the jar with gradle and run it with the following CLI arguments: {Raw Result Download URL} {Findings Download URL} {Raw Result Upload URL} {Findings Upload URL}. -See the code snippet below. You have to adjust the filename of the jar for other versions than the '0.1.0-SNAPSHOT'. -Also you will need to change the download URLs for the Raw Result and Findings to the ones from Step 3. 
- -```bash -./gradlew build -java -jar build/libs/defectdojo-persistenceprovider-0.1.0-SNAPSHOT.jar https://gist.githubusercontent.com/.../scanme-nmap-org.xml https://gist.githubusercontent.com/.../nmap-findings.json https://httpbin.org/put https://httpbin.org/put -``` - -## Deployment -The persistence-defectdojo `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install persistence-defectdojo secureCodeBox/persistence-defectdojo -``` - -## Requirements - -Kubernetes: `>=v1.11.0-0` - -## Additional Chart Configurations - -Installing the DefectDojo persistenceProvider hook will add a _ReadOnly Hook_ to your namespace. - -```bash -kubectl create secret generic defectdojo-credentials --from-literal="username=admin" --from-literal="apikey=08b7..." - -helm upgrade --install dd secureCodeBox/persistence-defectdojo \ - --set="defectdojo.url=https://defectdojo-django.default.svc" -``` +## Runtime Configuration The hook will automatically import the scan results into an engagement in DefectDojo. If the engagement doesn't exist the hook will create the engagement (CI/CD engagement) and all objects required for it @@ -179,7 +113,18 @@ spec: - "http://juice-shop.demo-targets.svc:3000" ``` -## Values +## Deployment + +Installing the DefectDojo persistenceProvider hook will add a _ReadOnly Hook_ to your namespace. + +```bash +kubectl create secret generic defectdojo-credentials --from-literal="username=admin" --from-literal="apikey=08b7..." + +helm upgrade --install dd secureCodeBox/persistence-defectdojo \ + --set="defectdojo.url=https://defectdojo-django.default.svc" +``` + +## Chart Configuration | Key | Type | Default | Description | |-----|------|---------|-------------| 
@@ -192,16 +137,28 @@ spec: | hook.image.repository | string | `"docker.io/securecodebox/hook-persistence-defectdojo"` | Hook image repository | | hook.image.tag | string | `nil` | Container image tag | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) +## Running Locally from Source +For Development, it can be useful to run the Hook locally. You can do so by following these steps: + +1. Make sure you have access to a running [DefectDojo](https://github.com/DefectDojo/django-DefectDojo) Instance +2. [Run a Scan](https://docs.securecodebox.io/docs/getting-started/first-scans) of your choice. +3. Supply Download Links for the Scan Results (Raw Result and Findings.json). You can e.g., access them from the +included [Minio Instance](https://docs.securecodebox.io/docs/getting-started/installation/#accessing-the-included-minio-instance) +and upload them to a GitHub gist. + +4. Set the following environment variables -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. +- DEFECTDOJO_URL (e.g http://192.168.0.228:8080); +- DEFECTDOJO_USERNAME (e.g admin) +- DEFECTDOJO_APIKEY= (e.g. b09c.., can be fetched from the DefectDojo Settings) +- IS_DEV=true +- SCAN_NAME (e.g nmap-scanme.nmap.org, must be set exactly to the name of the scan used in step 2) -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE +5. 
Build the jar with gradle and run it with the following CLI arguments: {Raw Result Download URL} {Findings Download URL} {Raw Result Upload URL} {Findings Upload URL}. +See the code snippet below. You have to adjust the filename of the jar for other versions than the '0.1.0-SNAPSHOT'. +Also you will need to change the download URLs for the Raw Result and Findings to the ones from Step 3. +```bash +./gradlew build +java -jar build/libs/defectdojo-persistenceprovider-0.1.0-SNAPSHOT.jar https://gist.githubusercontent.com/.../scanme-nmap-org.xml https://gist.githubusercontent.com/.../nmap-findings.json https://httpbin.org/put https://httpbin.org/put +``` diff --git a/hooks/persistence-elastic/README.md b/hooks/persistence-elastic/README.md index 93c207619c..501b7db9bc 100644 --- a/hooks/persistence-elastic/README.md +++ b/hooks/persistence-elastic/README.md @@ -1,49 +1,20 @@ ---- -title: "Elasticsearch" -category: "hook" -type: "persistenceProvider" -state: "released" -usecase: "Publishes all Scan Findings to Elasticsearch." ---- +# persistence-elastic - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is "Persistence ElasticSearch" Hook about? -The ElasticSearch persistenceProvider hook saves all findings and reports into the configured ElasticSearch index. This allows for some easy searching and visualization of the findings. To learn more about Elasticsearch visit [elastic.io]. +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -Installing the Elasticsearch persistenceProvider hook will add a _ReadOnly Hook_ to your namespace. +## Source Code -## Deployment -The persistence-elastic `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install persistence-elastic secureCodeBox/persistence-elastic -``` +* ## Requirements @@ -54,14 +25,6 @@ Kubernetes: `>=v1.11.0-0` | https://helm.elastic.co | elasticsearch | 7.9.2 | | https://helm.elastic.co | kibana | 7.9.2 | -## Additional Chart Configurations - -### Elasticsearch Indexing - -For the elasticsearch `indexSuffix` you can provide a date format pattern. We use [Luxon](https://moment.github.io/luxon/) to format the date. So checkout -the [Luxon documentation](https://moment.github.io/luxon/docs/manual/formatting.html#table-of-tokens) to see what kind of format patterns you can use for the -`indexSuffix`. Default pattern is `yyyy-MM-dd` - ## Values | Key | Type | Default | Description | 
@@ -96,16 +59,3 @@ the [Luxon documentation](https://moment.github.io/luxon/docs/manual/formatting. | securityContext | object | `{}` | | | tolerations | list | `[]` | | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE -[elastic.io]: https://www.elastic.co/products/elasticsearch diff --git a/hooks/teams-webhook/README.md b/hooks/teams-webhook/README.md index 46df93835e..42373a0ae9 100644 --- a/hooks/teams-webhook/README.md +++ b/hooks/teams-webhook/README.md @@ -1,56 +1,27 @@ ---- -title: "MS Teams WebHook" -category: "hook" -type: "integration" -state: "roadmap" -usecase: "Publishes Scan Summary to MS Teams." ---- +# teams-webhook - - +Lets you send a findings result summary as webhook to MS Teams, after a scan is completed. -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+**Homepage:** -## What is "Teams Webhook" Hook about? -> 🔧 This chart is deprecated and will be replaced by the more general `notification-hook` soon +## Maintainers -## Deployment -The teams-webhook `scanType` can be deployed via helm: +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install teams-webhook secureCodeBox/teams-webhook -``` +## Source Code + +* ## Requirements Kubernetes: `>=v1.11.0-0` -## Additional Chart Configurations - -> ✍ This documentation is currently work-in-progress. - ## Values | Key | Type | Default | Description | @@ -66,16 +37,3 @@ Kubernetes: `>=v1.11.0-0` | vulnerabilityManagement.name | string | `"Kibana Dashboard"` | | | vulnerabilityManagement.url | string | `"https://your-kibana-service.url/your-dashboard-path"` | | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/hooks/update-field/README.md b/hooks/update-field/README.md index 82bde6330e..64e4051505 100644 --- a/hooks/update-field/README.md +++ b/hooks/update-field/README.md @@ -1,61 +1,13 @@ ---- -title: "Update Field" -category: "hook" -type: "dataProcessing" -state: "released" -usecase: "Updates fields in finding results." ---- +# update-field-hook - - - -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

- -## What is "Update Field" Hook about? - -> ✍ This documentation is currently work-in-progress. - -## Deployment -The update-field-hook `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install update-field-hook secureCodeBox/update-field-hook -``` +Lets you add or override a field to every finding ## Requirements Kubernetes: `>=v1.11.0-0` -## Additional Chart Configurations -Installing the _Update Field_ hook will add a ReadAndWrite Hook to your namespace, which can be used to add or update fields from your findings. - -```bash -helm upgrade --install ufh secureCodeBox/update-field --set attribute.name="category" --set attribute.value="my-own-category" -``` -> ✍ This documentation is currently work-in-progress. - ## Values | Key | Type | Default | Description | 
@@ -66,16 +18,3 @@ helm upgrade --install ufh secureCodeBox/update-field --set attribute.name="cate | hook.image.tag | string | defaults to the charts version | The image Tag defaults to the charts version if not defined. | | hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/operator/README.md b/operator/README.md index 105994d75a..f2b8489631 100644 --- a/operator/README.md +++ b/operator/README.md @@ -1,52 +1,20 @@ ---- -title: "secreCodeBox Operator" -category: "core" -type: "Operator" -state: "released" -appVersion: "" -usecase: "secureCodeBox Operator is the core componente." ---- +# operator -![operator logo](https://docs.securecodebox.io/img/Logo_Color.svg) +![Version: v2.7.0-alpha1](https://img.shields.io/badge/Version-v2.7.0--alpha1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is secureCodeBox Operator? -The secureCodeBox operator is running on Kubernetes and is the core component of the complete secureCodeBox stack, responsible for managing all scans and resources. +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -**Homepage:** +## Source Code -## Deployment -The operator `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install operator secureCodeBox/operator -``` +* ## Requirements @@ -56,19 +24,6 @@ Kubernetes: `>=v1.11.0-0` |------------|------|---------| | https://helm.min.io/ | minio | 7.1.2 | -## Deployment - -The secureCodeBox Operator can be deployed via helm: - -```bash -# Add the secureCodeBox Helm Repo -helm repo add secureCodeBox https://charts.securecodebox.io -# Create a new namespace for the secureCodeBox Operator -kubectl create namespace securecodebox-system -# Install the Operator & CRDs -helm install securecodebox-operator secureCodeBox/operator -``` - ## Values | Key | Type | Default | Description | 
@@ -110,16 +65,3 @@ helm install securecodebox-operator secureCodeBox/operator | serviceAccount.name | string | `"securecodebox-operator"` | Name of the serviceAccount the operator uses to talk to the k8s api | | telemetryEnabled | bool | `true` | The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/scanners/amass/README.md b/scanners/amass/README.md index e4154a296c..93b5a13066 100644 --- a/scanners/amass/README.md +++ b/scanners/amass/README.md @@ -1,65 +1,20 @@ ---- -title: "Amass" -category: "scanner" -type: "Network" -state: "released" -appVersion: "v3.13" -usecase: "Subdomain Enumeration Scanner" ---- +# amass -![owasp logo](https://owasp.org/assets/images/logo.png) +![Version: v2.7.0-alpha1](https://img.shields.io/badge/Version-v2.7.0--alpha1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.13](https://img.shields.io/badge/AppVersion-v3.13-informational?style=flat-square) - - +## Maintainers -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -## What is OWASP Amass? +## Source Code -The [OWASP Amass Project][owasp_amass_project] has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques. To learn more about the Amass scanner itself visit [OWASP Amass Project][owasp_amass_project] or [Amass GitHub]. - -## Deployment -The amass `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install amass secureCodeBox/amass -``` - -## Scanner Configuration - -The following security scan configuration example are based on the [Amass User Guide], please take a look at the original documentation for more configuration examples. - -- The most basic use of the tool for subdomain enumeration: `amass enum -d example.com` -- Typical parameters for DNS enumeration: `amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com` - -Special command line options: - -- Disable generation of altered names `amass enum -noalts -d example.com` -- Turn off recursive brute forcing `amass enum -brute -norecursive -d example.com` -- Disable saving data into a local database `amass enum -nolocaldb -d example.com` -- Domain names separated by commas (can be used multiple times) `amass enum -d example.com` +* ## Requirements 
@@ -84,18 +39,3 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE -[owasp_amass_project]: https://owasp.org/www-project-amass/ -[amass github]: https://github.com/OWASP/Amass -[amass user guide]: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md diff --git a/scanners/angularjs-csti-scanner/README.md b/scanners/angularjs-csti-scanner/README.md index 22caa21039..e34ff7b06c 100644 --- a/scanners/angularjs-csti-scanner/README.md +++ b/scanners/angularjs-csti-scanner/README.md 
@@ -1,169 +1,25 @@ ---- -title: "Angularjs CSTI Scanner" -category: "scanner" -type: "WebApplication" -state: "released" -appVersion: "3.0.6" -usecase: "Find AngularJS websites vulnerable to template injections" ---- +# angularjs-csti-scanner -![acstis logo](https://rawgit.com/tijme/angularjs-csti-scanner/master/.github/logo.svg?pypi=png.from.svg) +![Version: v2.7.0-alpha1](https://img.shields.io/badge/Version-v2.7.0--alpha1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.6](https://img.shields.io/badge/AppVersion-3.0.6-informational?style=flat-square) - - +## Maintainers -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -## What is AngularJS Client-Side Template Injection Scanner (acstis)? +## Source Code -The AngularJS Client-Side Template Injection Scanner (acstis) is an open source scanner for -finding possible template injection vulnerabilities on websites using AngularJS. - -For more information visit the projects [GitHub site][acstis-github]. - -## Deployment -The angularjs-csti-scanner `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install angularjs-csti-scanner secureCodeBox/angularjs-csti-scanner -``` - -## Scanner Configuration - -The only mandatory parameter is: -- `-d`: The url to scan (e.g. https://angularjs.org/). - -Optional arguments: - -```bash --c, --crawl use the crawler to scan all the entire domain --vp, --verify-payload use a javascript engine to verify if the payload was executed (otherwise false positives may occur) --av ANGULAR_VERSION, --angular-version ANGULAR_VERSION manually pass the angular version (e.g. 1.4.2) if the automatic check doesn't work --vrl VULNERABLE_REQUESTS_LOG, --vulnerable-requests-log VULNERABLE_REQUESTS_LOG log all vulnerable requests to this file (e.g. /var/logs/acstis.log or urls.log) --siv, --stop-if-vulnerable (crawler option) stop scanning if a vulnerability was found --pmm, --protocol-must-match (crawler option) only scan pages with the same protocol as the starting point (e.g. 
only https) --sos, --scan-other-subdomains (crawler option) also scan pages that have another subdomain than the starting point --soh, --scan-other-hostnames (crawler option) also scan pages that have another hostname than the starting point --sot, --scan-other-tlds (crawler option) also scan pages that have another tld than the starting point --md MAX_DEPTH, --max-depth MAX_DEPTH (crawler option) the maximum search depth (default is unlimited) --mt MAX_THREADS, --max-threads MAX_THREADS (crawler option) the maximum amount of simultaneous threads to use (default is 20) --iic, --ignore-invalid-certificates (crawler option) ignore invalid ssl certificates -``` - -**Do not** override the option `-vrl` or `--vulnerable-requests-log`. It is already configured for automatic findings parsing. +* ## Requirements Kubernetes: `>=v1.11.0-0` -## Additional Chart Configurations -### Request configuration - -Because *acstis* does not provide command line arguments for configuring the sent requests, -you have to mount a config map into the scan container on a specific location. Your additional config map should be - mounted to `/acstis/config/acstis-config.py`. For example create a config map: - - ```bash -kubectl create configmap --from-file /path/to/my/acstis-config.py acstis-config -``` - -Then, mount it into the container: - -```yaml - volumes: - - name: "acstis-config" - configMap: - name: "acstis-config" - volumeMounts: - - name: "acstis-config" - mountPath: "/acstis/config/" -``` - -#### Configuration options in *acstis-config.py* - -Add the following snippets to the *acstis-config.py* file to enable further options. -The options are python code which will be injected into the *acstis* script before execution. 
- -**Basic Authentication** -```text -options.identity.auth = HTTPBasicAuth("username", "password") -``` - -**Cookies** -```text -options.identity.cookies.set(name='tasty_cookie', value='yum', domain='finnwea.com', path='/cookies') -options.identity.cookies.set(name='gross_cookie', value='blech', domain='finnwea.com', path='/elsewhere') -``` - -**Headers** -```text -options.identity.headers.update({ - "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36", - "Authorization": "Bearer ey3jafoe.2jefo..." -}) -``` - -**Proxies** -```text -options.identity.proxies = { - # No authentication - # 'http': 'http://host:port', - # 'https': 'http://host:port', - - # Basic authentication - # 'http': 'http://user:pass@host:port', - # 'https': 'https://user:pass@host:port', - - # SOCKS - 'http': 'socks5://user:pass@host:port', - 'https': 'socks5://user:pass@host:port' -} -``` - -**Scope options** -```text -options.scope.protocol_must_match = False - -options.scope.subdomain_must_match = True - -options.scope.hostname_must_match = True - -options.scope.tld_must_match = True - -options.scope.max_depth = None - -options.scope.request_methods = [ - Request.METHOD_GET, - Request.METHOD_POST, - Request.METHOD_PUT, - Request.METHOD_DELETE, - Request.METHOD_OPTIONS, - Request.METHOD_HEAD -] -``` - ## Values | Key | Type | Default | Description | 
@@ -182,16 +38,3 @@ options.scope.request_methods = [ | scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE -[acstis-github]: https://github.com/tijme/angularjs-csti-scanner diff --git a/scanners/git-repo-scanner/README.md b/scanners/git-repo-scanner/README.md index b843b92686..9f4a6ca0ff 100644 --- a/scanners/git-repo-scanner/README.md +++ b/scanners/git-repo-scanner/README.md @@ -1,93 +1,20 @@ ---- -title: "Git Repo Scanner" -category: "scanner" -type: "Repository" -state: "released" -appVersion: "1.0" -usecase: "Discover Git repositories" ---- +# git-repo-scanner - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is Git-Repo-Scanner? +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -Git-Repo-Scanner is a small Python script which discovers repositories on GitHub or GitLab. The main purpose of this scanner -is to provide a cascading input for the [gitleaks](https://github.com/secureCodeBox/secureCodeBox/tree/main/scanners/gitleaks). - scanner. +## Source Code -## Deployment -The git-repo-scanner `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install git-repo-scanner secureCodeBox/git-repo-scanner -``` - -## Scanner Configuration - -The scanner options can be divided into two groups for Gitlab and GitHub. You can choose the git -repository type with the option: - -```bash ---git-type github -or ---git-type Gitlab -``` - -#### GitHub -For type GitHub you can use the following options: -- `--organization`: The name of the GitHub organization you want to scan. -- `--url`: The url of the api for a GitHub enterprise server. Skip this option for repos on . -- `--access-token`: Your personal GitHub access token. -- `--ignore-repos`: A list of GitHub repository ids you want to ignore -- `--obey-rate-limit`: True to obey the rate limit of the GitHub server (default), otherwise False -- `--activity-since-duration`: Return git repo findings with repo activity (e.g. commits) more recent than a specific date expressed by a duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each - with optional fraction and a unit suffix, such as '1h' or '2h45m'. Valid time units are 'm', 'h', 'd', 'w'. -- `--activity-until-duration`: Return git repo findings with repo activity (e.g. commits) older than a specific date expressed by a duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with - optional fraction and a unit suffix, such as '1h' or '2h45m'. 
Valid time units are 'm', 'h', 'd', 'w'. - -For now only organizations are supported, so the option is mandatory. We **strongly recommend** providing an access token -for authentication. If not provided the rate limiting will kick in after about 30 repositories scanned. - -#### GitLab -For type GitLab you can use the following options: -- `--url`: The url of the GitLab server. -- `--access-token`: Your personal GitLab access token. -- `--group`: A specific GitLab group id you want to san, including subgroups. -- `--ignore-groups`: A list of GitLab group ids you want to ignore -- `--ignore-repos`: A list of GitLab project ids you want to ignore -- `--obey-rate-limit`: True to obey the rate limit of the GitLab server (default), otherwise False -- `--activity-since-duration`: Return git repo findings with repo activity (e.g. commits) more recent than a specific date expressed by a duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each - with optional fraction and a unit suffix, such as '1h' or '2h45m'. Valid time units are 'm', 'h', 'd', 'w'. -- `--activity-until-duration`: Return git repo findings with repo activity (e.g. commits) older than a specific date expressed by a duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with - optional fraction and a unit suffix, such as '1h' or '2h45m'. Valid time units are 'm', 'h', 'd', 'w'. - -For Gitlab, the url and the access token is mandatory. If you don't provide a specific group id, all projects -on the Gitlab server are going to be discovered. +* ## Requirements 
@@ -112,16 +39,3 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/scanners/gitleaks/README.md b/scanners/gitleaks/README.md index f8dc52e458..4e92bed5ef 100644 --- a/scanners/gitleaks/README.md +++ b/scanners/gitleaks/README.md 
@@ -1,162 +1,25 @@ ---- -title: "Gitleaks" -category: "scanner" -type: "Repository" -state: "released" -appVersion: "v7.5.0" -usecase: "Find potential secrets in repositories" ---- +# gitleaks -![gitleaks logo](https://raw.githubusercontent.com/zricethezav/gifs/master/gitleakslogo.png) +![Version: v2.7.0-alpha1](https://img.shields.io/badge/Version-v2.7.0--alpha1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v7.5.0](https://img.shields.io/badge/AppVersion-v7.5.0-informational?style=flat-square) - - +## Maintainers -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -## What is Gitleaks? -Gitleaks is a free and open source tool for finding secrets in git repositories. -These secrets could be passwords, API keys, tokens, private keys or suspicious file names or -file extensions like *id_rsa*, *.pem*, *htpasswd*. Furthermore, gitleaks can scan your whole repository's history -with all commits up to the initial one. +## Source Code -To learn more about gitleaks visit . - -## Deployment -The gitleaks `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install gitleaks secureCodeBox/gitleaks -``` - -## Scanner Configuration - -For a complete overview of the configuration options checkout the -[Gitleaks documentation](https://github.com/zricethezav/gitleaks/wiki/Options). - -The only mandatory parameters are: -- `-r`: The link to the repository you want to scan. -- `--access-token`: Only for non-public repositories. -- `--username` and `--password`: Only for non-public repositories. -- `--config-path`: The ruleset you want to use. - -#### Ruleset - -At this point we provide three rulesets which you can pass to the `--config-path` oprtion: - -- `/home/config_all.toml`: Includes every rule. -- `/home/config_filenames_only.toml`: Gitleaks scans only file names and extensions. -- `/home/config_no_generics.toml`: No generic rules like searching for the word *password*. With this option you won't -find something like **password = Ej2ifDk2jfeo2**, but it will reduce resulting false positives. - -If you like to provide your custom ruleset, you can create a configMap and mount it into -the scan. Checkout the examples for more information about providing your own gitleaks rules config. +* ## Requirements Kubernetes: `>=v1.11.0-0` -**Do not** override the option `--report-format` or `--report`. It is already configured for automatic findings parsing. 
- -## Additional Chart Configurations -### secureCodeBox extended GitLeaks Features - -:::info -If you run gitleaks based on a scheduledScan (e.g. one scan per day) it would be enough to scan all git-commits since the last executed schedule. -Instead of scanning all commits in the complete git history every day it would save a lot of resources to scan only all commits of the last day. - -_Problem is: This is a feature and configuration option gitleaks is currently not supporting._ - -That's why we created an [issue](https://github.com/zricethezav/gitleaks/issues/497) and a [pull request](https://github.com/zricethezav/gitleaks/pull/498) for that. -If you like the idea, please vote for our issue and PR. - -If you already want to use our implementation (fork) of this feature you can use our [gitleaks forked docker image](https://hub.docker.com/r/securecodebox/gitleaks) instead of the gitleaks original image. -::: - -```yaml -# Corresponding HelmChart Configuration -scanner: - image: - # scanner.image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-gitleaks - # scanner.image.tag -- defaults to the charts version - tag: v7.3.0 -``` - -#### Deployment with extended GitLeaks -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install gitleaks secureCodeBox/gitleaks \ - --set="scanner.image.repository=docker.io/securecodebox/scanner-gitleaks" \ - --set="scanner.image.tag=v7.3.0" -``` - -#### Additional (Fork) Scanner configuration options -```bash ---commit-since-duration= Scan commits more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each - with optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. ---commit-until-duration= Scan commits older than a specific date expresed by an duration (now + duration). 
A duration string is a possibly signed sequence of decimal numbers, each with - optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'. -``` - -#### Other useful options are: - -- `--commit-since`: Scan commits more recent than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. -- `--commit-until`: Scan commits older than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. -- `--repo-config`: Load config from target repo. Config file must be ".gitleaks.toml" or "gitleaks.toml". - -#### Finding format - -It is not an easy task to classify the severity of the scans because we can't tell for sure if the finding is e.g. a real -or a testing password. Another issue is that the rate of false positives for generic rules can be very high. Therefore, -we tried to classify the severity of the finding by looking at the accuracy of the rule which detected it. Rules for AWS -secrets or Artifactory tokens are very precise, so they get a high severity. Generic rules on the other hand get a low -severity because the often produce false positives. - -**Please keep in mind that findings with a low severity can be actually -very critical.** - -#### Cascading Rules - -If you want to scan multiple repositories from GitHub or gitlab automatically at once, you should -take a look at the cascading rules which get triggered by the **git-repo-scanner**. -For more information on how to use **git-repo-scanner** checkout the -[Readme](https://github.com/secureCodeBox/secureCodeBox/tree/main/scanners/git-repo-scanner). - -For cascading scans on public GitHub repositories you don't need any credentials. For the gitlab -and private GitHub rules you need to provide an access token via environment. 
You could do that with -the following commands: - -```bash -kubectl create secret generic github-access-token --from-literal="token=" -kubectl create secret generic gitlab-access-token --from-literal="token=" -``` - -For more information on how to use cascades take a look at -[Scanning Networks Example](https://docs.securecodebox.io/docs/how-tos/scanning-networks/) - ## Values | Key | Type | Default | Description | @@ -177,16 +40,3 @@ For more information on how to use cascades take a look at | scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE - diff --git a/scanners/kube-hunter/README.md b/scanners/kube-hunter/README.md index 8ff4cab51b..e79d49d057 100644 --- a/scanners/kube-hunter/README.md +++ b/scanners/kube-hunter/README.md 
@@ -1,58 +1,20 @@ ---- -title: "kube-hunter" -category: "scanner" -type: "Kubernetes" -state: "released" -appVersion: "0.4.1" -usecase: "Kubernetes Vulnerability Scanner" ---- +# kube-hunter - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is kube-hunter? -kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don't own! +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -To learn more about the kube-hunter scanner itself visit [kube-hunter GitHub] or [kube-hunter Website]. +## Source Code -## Deployment -The kube-hunter `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install kube-hunter secureCodeBox/kube-hunter -``` - -## Scanner Configuration - -The following security scan configuration example are based on the [kube-hunter Documentation], please take a look at the original documentation for more configuration examples. - -* To specify remote machines for hunting, select option 1 or use the --remote option. Example: `kube-hunter --remote some.node.com` -* To specify interface scanning, you can use the --interface option (this will scan all the machine's network interfaces). Example: `kube-hunter --interface` -* To specify a specific CIDR to scan, use the --cidr option. Example: `kube-hunter --cidr 192.168.0.0/24` +* ## Requirements 
@@ -78,18 +40,3 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE -[kube-hunter Website]: https://kube-hunter.aquasec.com/ -[kube-hunter GitHub]: https://github.com/aquasecurity/kube-hunter -[kube-hunter Documentation]: https://github.com/aquasecurity/kube-hunter#scanning-options diff --git a/scanners/kubeaudit/README.md b/scanners/kubeaudit/README.md index f982e9eeb6..b29cebcac9 100644 --- a/scanners/kubeaudit/README.md +++ b/scanners/kubeaudit/README.md @@ -1,61 +1,21 @@ ---- -title: "kubeaudit" -category: "scanner" -type: "Kubernetes" -state: "released" -appVersion: "v0.14.1" -usecase: "Kubernetes Configuration Scanner" ---- +# kubeaudit - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is Kubeaudit? -Kubeaudit finds security misconfigurations in you Kubernetes Resources and gives tips on how to resolve these. +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -Kubeaudit comes with a large lists of "auditors" which test various aspects, like the SecurityContext of pods. -You can find the complete list of [auditors here](https://github.com/Shopify/kubeaudit/tree/master/docs/auditors). +## Source Code -To learn more about the kubeaudit itself visit [kubeaudit GitHub]. - -## Deployment -The kubeaudit `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install kubeaudit secureCodeBox/kubeaudit -``` - -## Scanner Configuration - -The following security scan configuration example are based on the [kube-hunter Documentation], please take a look at the original documentation for more configuration examples. - -* To specify remote machines for hunting, select option 1 or use the --remote option. Example: `kube-hunter --remote some.node.com` -* To specify interface scanning, you can use the --interface option (this will scan all the machine's network interfaces). Example: `kube-hunter --interface` -* To specify a specific CIDR to scan, use the --cidr option. Example: `kube-hunter --cidr 192.168.0.0/24` +* +* ## Requirements 
@@ -84,16 +44,3 @@ Kubernetes: `>=v1.11.0-0` | scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://docs.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-twitter]: https://twitter.com/secureCodeBox -[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE -[kubeaudit GitHub]: https://github.com/Shopify/kubeaudit/ diff --git a/scanners/ncrack/README.md b/scanners/ncrack/README.md index aa84887d75..f6cdd63e62 100644 --- a/scanners/ncrack/README.md +++ b/scanners/ncrack/README.md @@ -1,209 +1,25 @@ ---- -title: "Ncrack" -category: "scanner" -type: "Authentication" -state: "released" -appVersion: "0.7" -usecase: "Network authentication bruteforcing" ---- +# ncrack - - +**Homepage:** -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Incubator Project - Artifact HUB - GitHub Repo stars - Twitter Follower -

+## Maintainers -## What is Ncrack? -Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts. +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | secureCodeBox@iteratec.com | | -To learn more about the Ncrack scanner itself visit [Ncrack GitHub] or [Ncrack Website]. +## Source Code -## Deployment -The ncrack `scanType` can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install ncrack secureCodeBox/ncrack -``` - -## Scanner Configuration - -The following security scan configuration example are based on the [Ncrack Documentation], please take a look at the original documentation for more configuration examples. - -This options summary is printed when Ncrack is run with no arguments. It helps people remember the most common options, but is no substitute for the in-depth documentation in the rest of this manual. - -``` -Ncrack 0.7 ( http://ncrack.org ) -Usage: ncrack [Options] {target and service specification} -TARGET SPECIFICATION: - Can pass hostnames, IP addresses, networks, etc. - Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 - -iX : Input from Nmap's -oX XML output format - -iN : Input from Nmap's -oN Normal output format - -iL : Input from list of hosts/networks - --exclude : Exclude hosts/networks - --excludefile : Exclude list from file -SERVICE SPECIFICATION: - Can pass target specific services in ://target (standard) notation or - using -p which will be applied to all hosts in non-standard notation. 
- Service arguments can be specified to be host-specific, type of service-specific - (-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000 - Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl - -p : services will be applied to all non-standard notation hosts - -m :: options will be applied to all services of this type - -g : options will be applied to every service globally - Misc options: - ssl: enable SSL over this service - path : used in modules like HTTP ('=' needs escaping if used) - db : used in modules like MongoDB to specify the database - domain : used in modules like WinRM to specify the domain -TIMING AND PERFORMANCE: - Options which take