├── .codeclimate.yml ├── .editorconfig ├── .envrc ├── .eslintignore ├── .eslintrc ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── documentation_issue.md │ ├── feature_request.md │ ├── new_hook.md │ ├── new_security_scanner.md │ └── question.md ├── pull_request_template.md ├── release-drafter.yml └── workflows │ ├── ci.yaml │ ├── helm-charts.yaml │ └── helm-docs.yaml ├── .gitignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── bin ├── install-all.sh └── uninstall-all.sh ├── demo-apps ├── README.md ├── bodgeit │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── helm2.Chart.yaml │ ├── questions.yml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── deployment.yaml │ │ ├── ingress.yaml │ │ ├── service.yaml │ │ └── tests │ │ │ └── test-connection.yaml │ └── values.yaml ├── dummy-ssh │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── helm2.Chart.yaml │ ├── questions.yml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── deployment.yaml │ │ └── service.yaml │ └── values.yaml ├── http-webhook │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── deployment.yaml │ │ ├── hpa.yaml │ │ ├── ingress.yaml │ │ ├── service.yaml │ │ ├── serviceaccount.yaml │ │ └── tests │ │ │ └── test-connection.yaml │ └── values.yaml ├── juice-shop │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── helm2.Chart.yaml │ ├── questions.yml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── deployment.yaml │ │ ├── ingress.yaml │ │ ├── service.yaml │ │ └── tests │ │ │ └── test-connection.yaml │ └── values.yaml ├── old-wordpress │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── helm2.Chart.yaml │ ├── questions.yml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── deployment.yaml │ │ ├── service.yaml │ │ └── tests │ │ │ └── test-connection.yaml │ └── values.yaml └── swagger-petstore │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── 
helm2.Chart.yaml │ ├── questions.yml │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── deployment.yaml │ ├── ingress.yaml │ ├── service.yaml │ └── tests │ │ └── test-connection.yaml │ └── values.yaml ├── docs ├── .gitkeep ├── adr │ ├── adr_0000.adoc │ ├── adr_0001.adoc │ ├── adr_0002.adoc │ ├── adr_0003.adoc │ ├── adr_0004.adoc │ ├── adr_0005.adoc │ ├── adr_0006.adoc │ └── adr_README.md ├── developer-guide │ └── README.md ├── glossary.md ├── index.md ├── resources │ ├── logo.png │ ├── logo.svg │ ├── macbook_kibana.jpg │ ├── scb-architecture.drawio │ ├── scb-architecture.svg │ └── securecodebox-logo.svg ├── uml │ ├── _copyright.ipuml │ ├── _iteratecTheme.ipuml │ ├── compononents_overview.png │ ├── compononents_overview.uxf │ ├── sequence_overview.png │ └── sequence_overview.puml ├── user-guide │ └── README.md └── versioning.md ├── hook-sdk └── nodejs │ ├── .dockerignore │ ├── .gitignore │ ├── Dockerfile │ ├── hook-wrapper.js │ ├── package-lock.json │ └── package.json ├── hooks ├── declarative-subsequent-scans │ ├── .dockerignore │ ├── .gitignore │ ├── .helmignore │ ├── Chart.lock │ ├── Chart.yaml │ ├── Dockerfile │ ├── README.md │ ├── README.md.gotmpl │ ├── helm2.Chart.yaml │ ├── hook.test.js │ ├── hook.ts │ ├── kubernetes-label-selector.test.js │ ├── kubernetes-label-selector.ts │ ├── package-lock.json │ ├── package.json │ ├── scan-helpers.ts │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── declerative-subsequent-scans-hook.yaml │ │ ├── role-binding.yaml │ │ ├── role.yaml │ │ └── service-account.yaml │ └── values.yaml ├── generic-webhook │ ├── .dockerignore │ ├── .gitignore │ ├── .helmignore │ ├── Chart.lock │ ├── Chart.yaml │ ├── Dockerfile │ ├── README.md │ ├── README.md.gotmpl │ ├── __mocks__ │ │ └── axios.js │ ├── helm2.Chart.yaml │ ├── hook.js │ ├── hook.test.js │ ├── package-lock.json │ ├── package.json │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ └── webhook-hook.yaml │ └── values.yaml ├── package-lock.json ├── package.json 
├── persistence-defectdojo │ └── README.md ├── persistence-elastic │ ├── .dockerignore │ ├── .gitignore │ ├── .helmignore │ ├── Chart.lock │ ├── Chart.yaml │ ├── Dockerfile │ ├── README.md │ ├── README.md.gotmpl │ ├── __mocks__ │ │ └── @elastic │ │ │ └── elasticsearch.js │ ├── charts │ │ ├── elasticsearch-7.9.2.tgz │ │ └── kibana-7.9.2.tgz │ ├── dashboardImporter │ │ ├── Dockerfile │ │ ├── dashboards │ │ │ ├── daily-summary.json │ │ │ ├── nikto-overview.json │ │ │ ├── portscan-overview.json │ │ │ ├── ssh-overview.json │ │ │ ├── subdomain-overview.json │ │ │ ├── tls-ssl-overview.json │ │ │ ├── wordpress-overview.json │ │ │ └── zap-overview.json │ │ ├── export-dashboards.sh │ │ ├── import-dashboards.sh │ │ └── readme.md │ ├── helm2.Chart.yaml │ ├── helm2.requirements.lock │ ├── helm2.requirements.yaml │ ├── hook.js │ ├── hook.test.js │ ├── package-lock.json │ ├── package.json │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── import-dashboard.yaml │ │ └── persistence-provider.yaml │ └── values.yaml ├── persistence-static-report │ └── README.md ├── slack-webhook │ └── README.md ├── teams-webhook │ └── README.md └── update-field │ ├── .dockerignore │ ├── .gitignore │ ├── .helmignore │ ├── Chart.lock │ ├── Chart.yaml │ ├── Dockerfile │ ├── README.md │ ├── README.md.gotmpl │ ├── helm2.Chart.yaml │ ├── hook.js │ ├── hook.test.js │ ├── package-lock.json │ ├── package.json │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ └── update-field-hook.yaml │ └── values.yaml ├── lurcher ├── .dockerignore ├── .gitignore ├── Dockerfile ├── go.mod ├── go.sum └── main.go ├── operator ├── .gitignore ├── .helmignore ├── Chart.lock ├── Chart.yaml ├── Dockerfile ├── Makefile ├── PROJECT ├── README.md ├── README.md.gotmpl ├── apis │ ├── cascading │ │ └── v1 │ │ │ ├── cascadingrule_types.go │ │ │ ├── groupversion_info.go │ │ │ └── zz_generated.deepcopy.go │ └── execution │ │ └── v1 │ │ ├── groupversion_info.go │ │ ├── parsedefinition_types.go │ │ ├── scan_types.go │ │ ├── 
scancompletionhook.go │ │ ├── scantype_types.go │ │ ├── scheduledscan_types.go │ │ └── zz_generated.deepcopy.go ├── charts │ └── minio-7.1.2.tgz ├── config │ ├── certmanager │ │ ├── certificate.yaml │ │ ├── kustomization.yaml │ │ └── kustomizeconfig.yaml │ ├── crd │ │ ├── bases │ │ │ ├── cascading.securecodebox.io_cascadingrules.yaml │ │ │ ├── execution.securecodebox.io_parsedefinitions.yaml │ │ │ ├── execution.securecodebox.io_scancompletionhooks.yaml │ │ │ ├── execution.securecodebox.io_scans.yaml │ │ │ ├── execution.securecodebox.io_scantypes.yaml │ │ │ └── execution.securecodebox.io_scheduledscans.yaml │ │ ├── kustomization.yaml │ │ ├── kustomizeconfig.yaml │ │ └── patches │ │ │ ├── cainjection_in_cascadingrules.yaml │ │ │ ├── cainjection_in_parsedefinitions.yaml │ │ │ ├── cainjection_in_persistenceproviders.yaml │ │ │ ├── cainjection_in_scans.yaml │ │ │ ├── cainjection_in_scantypes.yaml │ │ │ ├── cainjection_in_scheduledscans.yaml │ │ │ ├── webhook_in_cascadingrules.yaml │ │ │ ├── webhook_in_parsedefinitions.yaml │ │ │ ├── webhook_in_persistenceproviders.yaml │ │ │ ├── webhook_in_scans.yaml │ │ │ ├── webhook_in_scantypes.yaml │ │ │ └── webhook_in_scheduledscans.yaml │ ├── default │ │ ├── kustomization.yaml │ │ ├── manager_auth_proxy_patch.yaml │ │ ├── manager_webhook_patch.yaml │ │ └── webhookcainjection_patch.yaml │ ├── manager │ │ ├── kustomization.yaml │ │ └── manager.yaml │ ├── prometheus │ │ ├── kustomization.yaml │ │ └── monitor.yaml │ ├── rbac │ │ ├── auth_proxy_client_clusterrole.yaml │ │ ├── auth_proxy_role.yaml │ │ ├── auth_proxy_role_binding.yaml │ │ ├── auth_proxy_service.yaml │ │ ├── cascadingrule_editor_role.yaml │ │ ├── cascadingrule_viewer_role.yaml │ │ ├── kustomization.yaml │ │ ├── leader_election_role.yaml │ │ ├── leader_election_role_binding.yaml │ │ ├── parsedefinition_editor_role.yaml │ │ ├── parsedefinition_viewer_role.yaml │ │ ├── role.yaml │ │ ├── role_binding.yaml │ │ ├── scan_editor_role.yaml │ │ ├── scan_viewer_role.yaml │ │ ├── 
scantype_editor_role.yaml │ │ ├── scantype_viewer_role.yaml │ │ ├── scheduledscan_editor_role.yaml │ │ └── scheduledscan_viewer_role.yaml │ ├── samples │ │ ├── Dockerfile │ │ ├── cascading_v1_cascadingrule.yaml │ │ ├── execution_v1_parsedefinition.yaml │ │ ├── execution_v1_readandwritehook.yaml │ │ ├── execution_v1_readonlyhook.yaml │ │ ├── execution_v1_scantype.yaml │ │ └── execution_v1_scheduledscan.yaml │ └── webhook │ │ ├── kustomization.yaml │ │ ├── kustomizeconfig.yaml │ │ ├── manifests.yaml │ │ └── service.yaml ├── controllers │ └── execution │ │ ├── scans │ │ ├── hook_reconciler.go │ │ ├── job.go │ │ ├── parse_reconciler.go │ │ ├── scan_controller.go │ │ ├── scan_reconciler.go │ │ └── serviceaccount.go │ │ ├── scheduledscan_controller.go │ │ └── suite_test.go ├── crds │ ├── cascading.securecodebox.io_cascadingrules.yaml │ ├── execution.securecodebox.io_parsedefinitions.yaml │ ├── execution.securecodebox.io_scancompletionhooks.yaml │ ├── execution.securecodebox.io_scans.yaml │ ├── execution.securecodebox.io_scantypes.yaml │ └── execution.securecodebox.io_scheduledscans.yaml ├── go.mod ├── go.sum ├── hack │ └── boilerplate.go.txt ├── helm2.Chart.yaml ├── helm2.requirements.lock ├── helm2.requirements.yaml ├── internal │ └── telemetry │ │ └── telemetry.go ├── main.go ├── templates │ ├── NOTES.txt │ ├── manager │ │ └── manager.yaml │ └── rbac │ │ ├── auth_proxy_client_clusterrole.yaml │ │ ├── auth_proxy_role.yaml │ │ ├── auth_proxy_role_binding.yaml │ │ ├── auth_proxy_service.yaml │ │ ├── leader_election_role.yaml │ │ ├── leader_election_role_binding.yaml │ │ ├── parsedefinition_editor_role.yaml │ │ ├── parsedefinition_viewer_role.yaml │ │ ├── role.yaml │ │ ├── role_binding.yaml │ │ ├── scan_editor_role.yaml │ │ ├── scan_viewer_role.yaml │ │ ├── scantype_editor_role.yaml │ │ ├── scantype_viewer_role.yaml │ │ ├── scheduledscan_editor_role.yaml │ │ └── scheduledscan_viewer_role.yaml ├── utils │ ├── truncatedname.go │ └── truncatedname_test.go └── values.yaml ├── 
package-lock.json ├── package.json ├── parser-sdk └── nodejs │ ├── .dockerignore │ ├── .gitignore │ ├── Dockerfile │ ├── package-lock.json │ ├── package.json │ └── parser-wrapper.js ├── scanners ├── amass │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── examples │ │ ├── example.com │ │ │ ├── README.md │ │ │ └── scan.yaml │ │ └── secureCodeBox.io │ │ │ └── scan.yaml │ ├── helm2.Chart.yaml │ ├── parser │ │ ├── Dockerfile │ │ ├── __snapshots__ │ │ │ └── parser.test.js.snap │ │ ├── __testFiles__ │ │ │ └── securecodebox.io.jsonl │ │ ├── parser.js │ │ └── parser.test.js │ ├── templates │ │ ├── amass-parse-definition.yaml │ │ └── amass-scan-type.yaml │ └── values.yaml ├── kube-hunter │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── cascading-rules │ │ └── remote-kubernetes.yaml │ ├── examples │ │ └── in-cluster │ │ │ ├── findings.yaml │ │ │ └── scan.yaml │ ├── helm2.Chart.yaml │ ├── parser │ │ ├── Dockerfile │ │ ├── __snapshots__ │ │ │ └── parser.test.js.snap │ │ ├── __testFiles__ │ │ │ └── kind-1.18-in-cluster-scan.json │ │ ├── parser.js │ │ └── parser.test.js │ ├── scanner │ │ ├── Dockerfile │ │ └── wrapper.sh │ ├── templates │ │ ├── cascading-rules.yaml │ │ ├── kube-hunter-parse-definition.yaml │ │ └── kubehunter-scan-type.yaml │ └── values.yaml ├── kubeaudit │ └── README.md ├── ncrack │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── cascading-rules │ │ └── crackssh.yaml │ ├── examples │ │ └── dummy-ssh │ │ │ ├── README.md │ │ │ └── scan.yaml │ ├── helm2.Chart.yaml │ ├── parser │ │ ├── .dockerignore │ │ ├── Dockerfile │ │ ├── __testFiles__ │ │ │ ├── ncrack_no_results.xml │ │ │ ├── ncrack_two_services_no_results.xml │ │ │ ├── ncrack_two_services_with_results.xml │ │ │ └── ncrack_with_results.xml │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── parser.js │ │ └── parser.test.js │ ├── scanner │ │ └── Dockerfile │ ├── templates │ │ ├── cascading-rules.yaml │ │ ├── 
ncrack-parse-definition.yaml │ │ └── ncrack-scan-type.yaml │ └── values.yaml ├── nikto │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── cascading-rules │ │ └── http.yaml │ ├── examples │ │ ├── demo-bodgeit │ │ │ ├── findings.yaml │ │ │ ├── nikto-results.json │ │ │ └── scan.yaml │ │ ├── demo-juice-shop │ │ │ ├── findings.yaml │ │ │ ├── nikto-results.json │ │ │ └── scan.yaml │ │ └── demo-secureCodeBox.io │ │ │ └── scan.yaml │ ├── helm2.Chart.yaml │ ├── parser │ │ ├── Dockerfile │ │ ├── __snapshots__ │ │ │ └── parser.test.js.snap │ │ ├── __testFiles__ │ │ │ ├── juice-shop.json │ │ │ └── www.securecodebox.io.json │ │ ├── parser.js │ │ └── parser.test.js │ ├── scanner │ │ ├── Dockerfile │ │ └── wrapper.sh │ ├── templates │ │ ├── cascading-rules.yaml │ │ ├── nikto-parse-definition.yaml │ │ └── nikto-scan-type.yaml │ └── values.yaml ├── nmap │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── cascading-rules │ │ ├── hostscan.yaml │ │ └── smb.yaml │ ├── examples │ │ ├── demo-app-ssh │ │ │ ├── findings.yaml │ │ │ ├── nmap-results.xml │ │ │ └── scan.yaml │ │ ├── demo-juice-shop │ │ │ ├── findings.yaml │ │ │ ├── nmap-results.xml │ │ │ └── scan.yaml │ │ ├── dummy-ssh-cascade │ │ │ └── scan.yaml │ │ ├── local-network │ │ │ ├── findings.yaml │ │ │ └── scan.yaml │ │ ├── localhost │ │ │ ├── findings.yaml │ │ │ └── scan.yaml │ │ └── scan.nmap.org │ │ │ ├── findings.yaml │ │ │ └── scan.yaml │ ├── helm2.Chart.yaml │ ├── parser │ │ ├── .dockerignore │ │ ├── Dockerfile │ │ ├── __testFiles__ │ │ │ ├── localhost-smb-script.xml │ │ │ ├── localhost.xml │ │ │ ├── no-host.xml │ │ │ ├── no-ports.xml │ │ │ └── no-service.xml │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── parser.js │ │ └── parser.test.js │ ├── scanner │ │ └── Dockerfile │ ├── templates │ │ ├── cascading-rules.yaml │ │ ├── nmap-parse-definition.yaml │ │ └── nmap-scan-type.yaml │ └── values.yaml ├── package-lock.json ├── package.json ├── ssh_scan │ ├── .helmignore 
│ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── cascading-rules │ │ └── ssh.yaml │ ├── examples │ │ ├── demo-app-ssh │ │ │ ├── findings.yaml │ │ │ ├── scan.yaml │ │ │ └── ssh-scan-results.json │ │ ├── example.com │ │ │ └── scan.yaml │ │ └── localhost │ │ │ ├── findings.yaml │ │ │ └── scan.yaml │ ├── helm2.Chart.yaml │ ├── parser │ │ ├── Dockerfile │ │ ├── __testFiles__ │ │ │ ├── 192.168.42.42.json │ │ │ ├── local-network.json │ │ │ ├── localhost.json │ │ │ └── securecodebox.io.json │ │ ├── parser.js │ │ └── parser.test.js │ ├── templates │ │ ├── cascading-rules.yaml │ │ ├── ssh-scan-parse-definition.yaml │ │ └── ssh-scan-scan-type.yaml │ └── values.yaml ├── sslyze │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── cascading-rules │ │ ├── https.yaml │ │ └── mail.yaml │ ├── examples │ │ ├── example.com │ │ │ └── scan.yaml │ │ └── secureCodeBox.io │ │ │ └── scan.yaml │ ├── helm2.Chart.yaml │ ├── parser │ │ ├── .dockerignore │ │ ├── Dockerfile │ │ ├── __testFiles__ │ │ │ ├── expired.badssl.com.json │ │ │ ├── google.com.json │ │ │ ├── mixed-connectivity-result.json │ │ │ ├── revoked.badssl.com.json │ │ │ ├── self-signed.badssl.com.json │ │ │ ├── tls-v1-0.badssl.com_1010.json │ │ │ ├── unavailible-host.json │ │ │ ├── untrusted-root.badssl.com.json │ │ │ ├── wrong.host.badssl.com.json │ │ │ └── www.securecodebox.io.json │ │ ├── package-lock.json │ │ ├── package.json │ │ ├── parser.js │ │ └── parser.test.js │ ├── templates │ │ ├── cascading-rules.yaml │ │ ├── sslyze-parse-definition.yaml │ │ └── sslyze-scan-type.yaml │ └── values.yaml ├── test-scan │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── helm2.Chart.yaml │ ├── parser │ │ ├── Dockerfile │ │ └── parser.js │ ├── scanner │ │ └── Dockerfile │ ├── templates │ │ ├── test-scan-parse-definition.yaml │ │ └── test-scan-scan-type.yaml │ └── values.yaml ├── trivy │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── examples │ │ 
├── juice-shop │ │ │ ├── findings.yaml │ │ │ └── scan.yaml │ │ └── mediawiki │ │ │ ├── findings.yaml │ │ │ └── scan.yaml │ ├── helm2.Chart.yaml │ ├── parser │ │ ├── Dockerfile │ │ ├── __snapshots__ │ │ │ └── parser.test.js.snap │ │ ├── __testFiles__ │ │ │ ├── juice-shop-v10.2.0.json │ │ │ ├── mediawiki-1.27.3.json │ │ │ ├── mediawiki-stable.json │ │ │ ├── securecodebox-amass-unstable-pinned.json │ │ │ ├── securecodebox-engine.json │ │ │ └── securecodebox-ssh-unstable.json │ │ ├── parser.js │ │ └── parser.test.js │ ├── templates │ │ ├── trivy-parse-definition.yaml │ │ └── trivy-scan-type.yaml │ └── values.yaml ├── wpscan │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── examples │ │ ├── example.com │ │ │ ├── findings.yaml │ │ │ └── scan.yaml │ │ └── old-wordpress │ │ │ ├── findings.yaml │ │ │ ├── scan.yaml │ │ │ └── wpscan-results.json │ ├── helm2.Chart.yaml │ ├── parser │ │ ├── Dockerfile │ │ ├── __testFiles__ │ │ │ ├── empty-localhost.json │ │ │ ├── example-latest.json │ │ │ └── example-old.json │ │ ├── parser.js │ │ └── parser.test.js │ ├── templates │ │ ├── wpscan-parse-definition.yaml │ │ └── wpscan-scan-type.yaml │ └── values.yaml └── zap │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── cascading-rules │ └── http.yaml │ ├── examples │ ├── demo-bodgeit-baseline-scan │ │ ├── findings.yaml │ │ ├── scan.yaml │ │ └── zap-results.json │ ├── demo-bodgeit-full-scan │ │ ├── findings.yaml │ │ ├── scan.yaml │ │ └── zap-results.json │ ├── demo-juice-shop-baseline-scan │ │ ├── findings.yaml │ │ ├── scan.yaml │ │ └── zap-results.json │ ├── demo-juice-shop-full-scan │ │ ├── findings.yaml │ │ ├── scan.yaml │ │ └── zap-results.json │ └── demo-petstore-api-scan │ │ ├── findings.yaml │ │ ├── scan.yaml │ │ └── zap-results.json │ ├── helm2.Chart.yaml │ ├── parser │ ├── Dockerfile │ ├── __snapshots__ │ │ └── parser.test.js.snap │ ├── __testFiles__ │ │ ├── example.com.json │ │ └── juice-shop.json │ ├── parser.js │ └── 
parser.test.js │ ├── templates │ ├── cascading-rules.yaml │ ├── zap-parse-definition.yaml │ └── zap-scan-type.yaml │ └── values.yaml └── tests └── integration ├── generic ├── no-scan-definition-error.test.js ├── read-only-hook.test.js └── read-write-hook.test.js ├── helpers.js ├── package-lock.json ├── package.json └── scanner ├── cascade.test.js ├── kube-hunter.test.js ├── ncrack.test.js ├── nmap.test.js ├── ssh-scan.test.js └── zap.test.js /.codeclimate.yml: -------------------------------------------------------------------------------- 1 | version: "2" # required to adjust maintainability checks 2 | checks: 3 | file-lines: 4 | config: 5 | threshold: 300 6 | method-lines: 7 | config: 8 | threshold: 50 9 | similar-code: 10 | enabled: false 11 | identical-code: 12 | enabled: false 13 | exclude_patterns: 14 | - "config/" 15 | - "db/" 16 | - "dist/" 17 | - "features/" 18 | - "**/node_modules/" 19 | - "script/" 20 | - "**/spec/" 21 | - "**/test/" 22 | - "**/tests/" 23 | - "**/__testFiles__/" 24 | - "**/__snapshots__/" 25 | - "Tests/" 26 | - "**/vendor/" 27 | - "**/*_test.go" 28 | - "**/*.deepcopy.go" 29 | - "**/*.test.js" 30 | - "**/*.d.ts" -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig is awesome: https://EditorConfig.org 2 | 3 | # top-most EditorConfig file 4 | root = true 5 | 6 | # Unix-style newlines with a newline ending every file 7 | [*] 8 | end_of_line = lf 9 | insert_final_newline = true 10 | charset = utf-8 11 | indent_style = space 12 | indent_size = 2 13 | 14 | [*.go] 15 | indent_style = tab 16 | 17 | [Makefile] 18 | indent_style = tab 19 | -------------------------------------------------------------------------------- /.envrc: -------------------------------------------------------------------------------- 1 | # shellcheck shell=sh 2 | # https://direnv.net/man/direnv-stdlib.1.html 3 | PATH_add bin 4 | # 
shellcheck disable=SC2155 5 | export PROJECT_DIR="$(pwd)" 6 | 7 | export S3_BUCKET="scb" 8 | export S3_USE_SSL="false" 9 | export S3_ENDPOINT="127.0.0.1:9000" 10 | # shellcheck disable=2039,1090 11 | source "${PROJECT_DIR}/.s3_credentials" 12 | -------------------------------------------------------------------------------- /.eslintignore: -------------------------------------------------------------------------------- 1 | **/node_modules 2 | **/coverage 3 | hooks/declarative-subsequent-scans/hook.js 4 | hooks/declarative-subsequent-scans/scan-helpers.js 5 | hooks/declarative-subsequent-scans/kubernetes-label-selector.js 6 | -------------------------------------------------------------------------------- /.eslintrc: -------------------------------------------------------------------------------- 1 | { 2 | "env": { 3 | "node": true, 4 | "commonjs": true, 5 | "jest": true, 6 | "es6": true 7 | }, 8 | "parserOptions": { 9 | "ecmaVersion": 2018 10 | }, 11 | "extends": ["eslint:recommended", "plugin:security/recommended"], 12 | "plugins": ["prettier", "security"], 13 | "rules": { 14 | "security/detect-object-injection": "off", 15 | "no-console": "off" 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/documentation_issue.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "📚 Documentation Issue" 3 | about: "Did you come across parts of our documentation that should be fixed?" 
4 | labels: documentation 5 | 6 | --- 7 | 12 | 13 | ## Where to find the issue 14 | 15 | 16 | ## Describe the issue 17 | 18 | 19 | ## Suggested change 20 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "➹ Feature request" 3 | about: "Suggest an idea for this project" 4 | 5 | --- 6 | 11 | 12 | **Is your feature request related to a problem? Please describe.** 13 | 14 | 15 | **Describe the solution you'd like** 16 | 17 | 18 | **Describe alternatives you've considered** 19 | 20 | 21 | **Additional context** 22 | 23 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "🤨 Question" 3 | about: "If you have *specific* questions about the project, please post them here." 
4 | labels: question 5 | 6 | --- 7 | 12 | 13 | ## Your Question 14 | -------------------------------------------------------------------------------- /.github/release-drafter.yml: -------------------------------------------------------------------------------- 1 | name-template: 'v$NEXT_PATCH_VERSION' 2 | tag-template: 'v$NEXT_PATCH_VERSION' 3 | categories: 4 | - title: '🚀 Features' 5 | label: 'enhancement' 6 | - title: '🐛 Bug Fixes' 7 | label: 'bug' 8 | - title: '🔧 Maintenance' 9 | label: 'maintenance' 10 | - title: '🧪 Test' 11 | label: 'test' 12 | - title: '🧪 Documentation' 13 | label: 'docs' 14 | - title: '📌 Dependencies' 15 | label: 'dependencies' 16 | change-template: '- $TITLE @$AUTHOR (#$NUMBER)' 17 | exclude-labels: 18 | - 'skip-changelog' 19 | template: | 20 | $CHANGES 21 | -------------------------------------------------------------------------------- /.github/workflows/helm-docs.yaml: -------------------------------------------------------------------------------- 1 | name: "Update Helm Docs" 2 | 3 | on: 4 | push: 5 | 6 | jobs: 7 | helm-docs: 8 | runs-on: ubuntu-latest 9 | 10 | steps: 11 | - uses: actions/checkout@v2 12 | with: 13 | ref: ${{ github.head_ref }} 14 | 15 | - name: Download Helm Docs 16 | run: | 17 | mkdir helm-docs 18 | cd helm-docs 19 | 20 | curl --output helm-docs.tar.gz --location https://github.com/norwoodj/helm-docs/releases/download/v0.15.0/helm-docs_0.15.0_Linux_x86_64.tar.gz 21 | tar -xvf helm-docs.tar.gz 22 | # Smoke test: confirm the downloaded binary runs (this checks execution only, not the download's integrity) 23 | ./helm-docs --version 24 | 25 | - name: Generate Helm Docs 26 | run: | 27 | ./helm-docs/helm-docs 28 | # Remove the helm-docs download to ensure it doesn't get committed back 29 | rm -rf helm-docs 30 | - uses: stefanzweifel/git-auto-commit-action@v4.5.1 31 | with: 32 | commit_message: Updating Helm Docs 33 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 
**/node_modules 3 | coverage/ 4 | .vagrant 5 | **.log 6 | **/*.monopic 7 | .s3_credentials 8 | -------------------------------------------------------------------------------- /bin/install-all.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu 4 | 5 | kubectl create namespace securecodebox-system 6 | helm -n securecodebox-system upgrade --install securecodebox-operator ./operator/ 7 | 8 | helm upgrade --install amass ./scanners/amass/ 9 | helm upgrade --install kube-hunter ./scanners/kube-hunter/ 10 | helm upgrade --install nikto ./scanners/nikto 11 | helm upgrade --install nmap ./scanners/nmap/ 12 | helm upgrade --install ssh-scan ./scanners/ssh_scan/ 13 | helm upgrade --install sslyze ./scanners/sslyze/ 14 | helm upgrade --install trivy ./scanners/trivy/ 15 | helm upgrade --install zap ./scanners/zap/ 16 | helm upgrade --install wpscan ./scanners/wpscan/ 17 | 18 | helm upgrade --install dummy-ssh ./demo-apps/dummy-ssh/ 19 | helm upgrade --install juice-shop ./demo-apps/juice-shop/ 20 | helm upgrade --install old-wordpress ./demo-apps/old-wordpress/ 21 | helm upgrade --install bodgeit ./demo-apps/bodgeit/ 22 | helm upgrade --install swagger-petstore ./demo-apps/swagger-petstore/ 23 | helm upgrade --install http-webhook ./demo-apps/http-webhook/ 24 | 25 | helm upgrade --install aah ./hooks/update-field/ 26 | helm upgrade --install gwh ./hooks/generic-webhook/ 27 | 28 | helm upgrade --install elkh ./hooks/persistence-elastic/ 29 | -------------------------------------------------------------------------------- /bin/uninstall-all.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu 4 | 5 | helm -n securecodebox-system uninstall securecodebox-operator 6 | 7 | helm uninstall amass 8 | helm uninstall kube-hunter 9 | helm uninstall nikto 10 | helm uninstall nmap 11 | helm uninstall ssh-scan 12 | helm uninstall sslyze 13 | helm 
uninstall trivy 14 | helm uninstall zap 15 | helm uninstall wpscan 16 | 17 | helm uninstall dummy-ssh 18 | helm uninstall bodgeit 19 | helm uninstall http-webhook 20 | helm uninstall juice-shop 21 | helm uninstall old-wordpress 22 | helm uninstall swagger-petstore 23 | 24 | helm uninstall aah 25 | helm uninstall gwh 26 | 27 | helm uninstall elkh 28 | 29 | kubectl delete namespaces securecodebox-system 30 | -------------------------------------------------------------------------------- /demo-apps/README.md: -------------------------------------------------------------------------------- 1 | # Demo Apps 2 | This folder contains a list of demo apps like vulnerable applications or services. 3 | These can be used to demonstrate or test the secureCodeBox capabilities. -------------------------------------------------------------------------------- /demo-apps/bodgeit/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /demo-apps/bodgeit/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | version: latest 3 | type: application 4 | appVersion: "v1.4.0" 5 | name: bodgeit 6 | description: "The BodgeIt Store is a vulnerable web app which is aimed at people who are new to pen testing" 7 | home: https://github.com/psiinon/bodgeit 8 | icon: https://scb-art.j12934.now.sh/bodgeit.png 9 | keywords: 10 | - vulnerable 11 | - webapp 12 | - demo 13 | sources: 14 | - https://github.com/secureCodeBox/helm 15 | - https://github.com/psiinon/bodgeit 16 | maintainers: 17 | - name: iteratec GmbH 18 | email: security@iteratec.com 19 | -------------------------------------------------------------------------------- /demo-apps/bodgeit/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | version: latest 3 | type: application 4 | appVersion: "v1.4.0" 5 | name: bodgeit 6 | description: "The BodgeIt Store is a vulnerable web app which is aimed at people who are new to pen testing" 7 | home: https://github.com/psiinon/bodgeit 8 | icon: https://scb-art.j12934.now.sh/bodgeit.png 9 | keywords: 10 | - vulnerable 11 | - webapp 12 | - demo 13 | sources: 14 | - https://github.com/secureCodeBox/helm 15 | - https://github.com/psiinon/bodgeit 16 | maintainers: 17 | - name: iteratec GmbH 18 | email: security@iteratec.com 19 | -------------------------------------------------------------------------------- /demo-apps/bodgeit/questions.yml: -------------------------------------------------------------------------------- 1 | categories: 2 | - 
"Vulnerable App" 3 | - "Demo Scan Target" 4 | questions: [] 5 | -------------------------------------------------------------------------------- /demo-apps/bodgeit/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "bodgeit.fullname" . -}} 3 | {{- $svcPort := .Values.service.port -}} 4 | {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} 5 | apiVersion: networking.k8s.io/v1beta1 6 | {{- else -}} 7 | apiVersion: extensions/v1beta1 8 | {{- end }} 9 | kind: Ingress 10 | metadata: 11 | name: {{ $fullName }} 12 | labels: 13 | {{- include "bodgeit.labels" . | nindent 4 }} 14 | {{- with .Values.ingress.annotations }} 15 | annotations: 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | spec: 19 | {{- if .Values.ingress.tls }} 20 | tls: 21 | {{- range .Values.ingress.tls }} 22 | - hosts: 23 | {{- range .hosts }} 24 | - {{ . | quote }} 25 | {{- end }} 26 | secretName: {{ .secretName }} 27 | {{- end }} 28 | {{- end }} 29 | rules: 30 | {{- range .Values.ingress.hosts }} 31 | - host: {{ .host | quote }} 32 | http: 33 | paths: 34 | {{- range .paths }} 35 | - path: {{ . }} 36 | backend: 37 | serviceName: {{ $fullName }} 38 | servicePort: {{ $svcPort }} 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /demo-apps/bodgeit/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "bodgeit.fullname" . }} 5 | labels: 6 | {{- include "bodgeit.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "bodgeit.selectorLabels" . 
| nindent 4 }} 16 | -------------------------------------------------------------------------------- /demo-apps/bodgeit/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "bodgeit.fullname" . }}-test-connection" 5 | labels: 6 | {{ include "bodgeit.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "bodgeit.fullname" . }}:{{ .Values.service.port }}'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /demo-apps/dummy-ssh/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /demo-apps/dummy-ssh/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | version: latest 3 | type: application 4 | appVersion: "v1.0.0" 5 | name: dummy-ssh 6 | description: "SSH Server for scan testing." 
7 | home: https://wordpress.org 8 | icon: https://www.securecodebox.io/integrationIcons/SSH.svg 9 | keywords: 10 | - vulnerable 11 | - ssh 12 | sources: 13 | - https://github.com/secureCodeBox/secureCodeBox/tree/master/demo/dummy-ssh 14 | maintainers: 15 | - name: iteratec GmbH 16 | email: security@iteratec.com 17 | -------------------------------------------------------------------------------- /demo-apps/dummy-ssh/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | version: latest 3 | type: application 4 | appVersion: "v1.0.0" 5 | name: dummy-ssh 6 | description: "SSH Server for scan testing." 7 | home: https://wordpress.org 8 | icon: https://www.securecodebox.io/integrationIcons/SSH.svg 9 | keywords: 10 | - vulnerable 11 | - ssh 12 | sources: 13 | - https://github.com/secureCodeBox/secureCodeBox/tree/master/demo/dummy-ssh 14 | maintainers: 15 | - name: iteratec GmbH 16 | email: security@iteratec.com 17 | -------------------------------------------------------------------------------- /demo-apps/dummy-ssh/questions.yml: -------------------------------------------------------------------------------- 1 | categories: 2 | - "Vulnerable App" 3 | - "Demo Scan Target" 4 | questions: [] 5 | -------------------------------------------------------------------------------- /demo-apps/dummy-ssh/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Demo SSH Server deployed. 2 | 3 | Note that this should only be used for demo and test purposes. 4 | Do not expose this to the Internet! -------------------------------------------------------------------------------- /demo-apps/dummy-ssh/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "dummy-ssh.fullname" . }} 5 | labels: 6 | {{- include "dummy-ssh.labels" . 
| nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: ssh 12 | protocol: TCP 13 | name: ssh 14 | selector: 15 | {{- include "dummy-ssh.selectorLabels" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /demo-apps/dummy-ssh/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for dummy-ssh. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | replicaCount: 1 6 | 7 | image: 8 | repository: securecodebox/dummy-ssh 9 | pullPolicy: IfNotPresent 10 | 11 | imagePullSecrets: [] 12 | nameOverride: "" 13 | fullnameOverride: "" 14 | 15 | podSecurityContext: {} 16 | # fsGroup: 2000 17 | 18 | securityContext: {} 19 | # capabilities: 20 | # drop: 21 | # - ALL 22 | # readOnlyRootFilesystem: true 23 | # runAsNonRoot: true 24 | # runAsUser: 1000 25 | 26 | service: 27 | type: ClusterIP 28 | port: 22 29 | 30 | resources: {} 31 | # We usually recommend not to specify default resources and to leave this as a conscious 32 | # choice for the user. This also increases chances charts run on environments with little 33 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 34 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 35 | # limits: 36 | # cpu: 100m 37 | # memory: 128Mi 38 | # requests: 39 | # cpu: 100m 40 | # memory: 128Mi 41 | 42 | nodeSelector: {} 43 | 44 | tolerations: [] 45 | 46 | affinity: {} 47 | -------------------------------------------------------------------------------- /demo-apps/http-webhook/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /demo-apps/http-webhook/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: http-webhook 3 | description: A Dummy webserver to echo HTTP requests in log 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: latest 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 
23 | appVersion: 1.16.0 24 | -------------------------------------------------------------------------------- /demo-apps/http-webhook/templates/hpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.autoscaling.enabled }} 2 | apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "http-webhook.fullname" . }} 6 | labels: 7 | {{- include "http-webhook.labels" . | nindent 4 }} 8 | spec: 9 | scaleTargetRef: 10 | apiVersion: apps/v1 11 | kind: Deployment 12 | name: {{ include "http-webhook.fullname" . }} 13 | minReplicas: {{ .Values.autoscaling.minReplicas }} 14 | maxReplicas: {{ .Values.autoscaling.maxReplicas }} 15 | metrics: 16 | {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} 17 | - type: Resource 18 | resource: 19 | name: cpu 20 | targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} 21 | {{- end }} 22 | {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} 23 | - type: Resource 24 | resource: 25 | name: memory 26 | targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /demo-apps/http-webhook/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "http-webhook.fullname" . -}} 3 | {{- $svcPort := .Values.service.port -}} 4 | {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} 5 | apiVersion: networking.k8s.io/v1beta1 6 | {{- else -}} 7 | apiVersion: extensions/v1beta1 8 | {{- end }} 9 | kind: Ingress 10 | metadata: 11 | name: {{ $fullName }} 12 | labels: 13 | {{- include "http-webhook.labels" . | nindent 4 }} 14 | {{- with .Values.ingress.annotations }} 15 | annotations: 16 | {{- toYaml . 
| nindent 4 }} 17 | {{- end }} 18 | spec: 19 | {{- if .Values.ingress.tls }} 20 | tls: 21 | {{- range .Values.ingress.tls }} 22 | - hosts: 23 | {{- range .hosts }} 24 | - {{ . | quote }} 25 | {{- end }} 26 | secretName: {{ .secretName }} 27 | {{- end }} 28 | {{- end }} 29 | rules: 30 | {{- range .Values.ingress.hosts }} 31 | - host: {{ .host | quote }} 32 | http: 33 | paths: 34 | {{- range .paths }} 35 | - path: {{ . }} 36 | backend: 37 | serviceName: {{ $fullName }} 38 | servicePort: {{ $svcPort }} 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /demo-apps/http-webhook/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "http-webhook.fullname" . }} 5 | labels: 6 | {{- include "http-webhook.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "http-webhook.selectorLabels" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /demo-apps/http-webhook/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "http-webhook.serviceAccountName" . }} 6 | labels: 7 | {{- include "http-webhook.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /demo-apps/http-webhook/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "http-webhook.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "http-webhook.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "http-webhook.fullname" . }}:{{ .Values.service.port }}'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /demo-apps/juice-shop/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /demo-apps/juice-shop/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | version: latest 3 | appVersion: "v12.0.2" 4 | name: juice-shop 5 | description: "OWASP Juice Shop: Probably the most modern and sophisticated insecure web application" 6 | type: application 7 | home: https://owasp.org/www-project-juice-shop/ 8 | icon: https://raw.githubusercontent.com/bkimminich/juice-shop/bdbcc0ea4484a2dd6b8ca243daa34c882129cdd4/frontend/src/assets/public/images/JuiceShop_Logo_400px.png 9 | keywords: 10 | - owasp 11 | - javascript 12 | - vulnerable 13 | - hacking 14 | - application-security 15 | - owasp-top-10 16 | - owasp-top-ten 17 | - pentesting 18 | - vulnapp 19 | - appsec 20 | - ctf 21 | sources: 22 | - https://github.com/secureCodeBox/helm 23 | - https://github.com/bkimminich/juice-shop 24 | maintainers: 25 | - name: iteratec GmbH 26 | email: security@iteratec.com 27 | -------------------------------------------------------------------------------- /demo-apps/juice-shop/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | version: latest 3 | appVersion: "v12.0.2" 4 | name: juice-shop 5 | description: "OWASP Juice Shop: Probably the most modern and sophisticated insecure web application" 6 | type: application 7 | home: https://owasp.org/www-project-juice-shop/ 8 | icon: https://raw.githubusercontent.com/bkimminich/juice-shop/bdbcc0ea4484a2dd6b8ca243daa34c882129cdd4/frontend/src/assets/public/images/JuiceShop_Logo_400px.png 9 | keywords: 10 | - owasp 11 | - javascript 12 | - vulnerable 13 | - 
hacking 14 | - application-security 15 | - owasp-top-10 16 | - owasp-top-ten 17 | - pentesting 18 | - vulnapp 19 | - appsec 20 | - ctf 21 | sources: 22 | - https://github.com/secureCodeBox/helm 23 | - https://github.com/bkimminich/juice-shop 24 | maintainers: 25 | - name: iteratec GmbH 26 | email: security@iteratec.com 27 | -------------------------------------------------------------------------------- /demo-apps/juice-shop/questions.yml: -------------------------------------------------------------------------------- 1 | categories: 2 | - "Vulnerable App" 3 | - "Demo Scan Target" 4 | questions: [] 5 | -------------------------------------------------------------------------------- /demo-apps/juice-shop/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "juice-shop.fullname" . -}} 3 | {{- $svcPort := .Values.service.port -}} 4 | {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} 5 | apiVersion: networking.k8s.io/v1beta1 6 | {{- else -}} 7 | apiVersion: extensions/v1beta1 8 | {{- end }} 9 | kind: Ingress 10 | metadata: 11 | name: {{ $fullName }} 12 | labels: 13 | {{- include "juice-shop.labels" . | nindent 4 }} 14 | {{- with .Values.ingress.annotations }} 15 | annotations: 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | spec: 19 | {{- if .Values.ingress.tls }} 20 | tls: 21 | {{- range .Values.ingress.tls }} 22 | - hosts: 23 | {{- range .hosts }} 24 | - {{ . | quote }} 25 | {{- end }} 26 | secretName: {{ .secretName }} 27 | {{- end }} 28 | {{- end }} 29 | rules: 30 | {{- range .Values.ingress.hosts }} 31 | - host: {{ .host | quote }} 32 | http: 33 | paths: 34 | {{- range .paths }} 35 | - path: {{ . 
}} 36 | backend: 37 | serviceName: {{ $fullName }} 38 | servicePort: {{ $svcPort }} 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /demo-apps/juice-shop/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "juice-shop.fullname" . }} 5 | labels: 6 | {{- include "juice-shop.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "juice-shop.selectorLabels" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /demo-apps/juice-shop/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "juice-shop.fullname" . }}-test-connection" 5 | labels: 6 | {{ include "juice-shop.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "juice-shop.fullname" . }}:{{ .Values.service.port }}'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /demo-apps/old-wordpress/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /demo-apps/old-wordpress/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | version: latest 3 | appVersion: "4.0" 4 | name: old-wordpress 5 | description: "Insecure & Outdated Wordpress Instance: Never expose it to the internet!" 6 | type: application 7 | home: https://wordpress.org 8 | icon: https://s.w.org/style/images/about/WordPress-logotype-alternative.png 9 | keywords: 10 | - vulnerable 11 | - wordpress 12 | sources: 13 | - https://github.com/secureCodeBox/helm 14 | - https://github.com/secureCodeBox/secureCodeBox/tree/master/demo/old-wordpress 15 | maintainers: 16 | - name: iteratec GmbH 17 | email: security@iteratec.com 18 | -------------------------------------------------------------------------------- /demo-apps/old-wordpress/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | version: latest 3 | appVersion: "4.0" 4 | name: old-wordpress 5 | description: "Insecure & Outdated Wordpress Instance: Never expose it to the internet!" 
6 | type: application 7 | home: https://wordpress.org 8 | icon: https://s.w.org/style/images/about/WordPress-logotype-alternative.png 9 | keywords: 10 | - vulnerable 11 | - wordpress 12 | sources: 13 | - https://github.com/secureCodeBox/helm 14 | - https://github.com/secureCodeBox/secureCodeBox/tree/master/demo/old-wordpress 15 | maintainers: 16 | - name: iteratec GmbH 17 | email: security@iteratec.com 18 | -------------------------------------------------------------------------------- /demo-apps/old-wordpress/questions.yml: -------------------------------------------------------------------------------- 1 | categories: 2 | - "Vulnerable App" 3 | - "Demo Scan Target" 4 | questions: [] 5 | -------------------------------------------------------------------------------- /demo-apps/old-wordpress/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Old Wordpress Instance deployed. 2 | 3 | Note that this should only be used for demo and test purposes. 4 | Do not expose this to the Internet! -------------------------------------------------------------------------------- /demo-apps/old-wordpress/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "old-wordpress.fullname" . }} 5 | labels: 6 | {{- include "old-wordpress.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "old-wordpress.selectorLabels" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /demo-apps/old-wordpress/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "old-wordpress.fullname" . 
}}-test-connection" 5 | labels: 6 | {{ include "old-wordpress.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "old-wordpress.fullname" . }}:{{ .Values.service.port }}'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /demo-apps/old-wordpress/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for old-wordpress. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | replicaCount: 1 6 | 7 | image: 8 | repository: securecodebox/old-wordpress 9 | pullPolicy: IfNotPresent 10 | 11 | imagePullSecrets: [] 12 | nameOverride: "" 13 | fullnameOverride: "" 14 | 15 | podSecurityContext: {} 16 | # fsGroup: 2000 17 | 18 | securityContext: {} 19 | # capabilities: 20 | # drop: 21 | # - ALL 22 | # readOnlyRootFilesystem: true 23 | # runAsNonRoot: true 24 | # runAsUser: 1000 25 | 26 | service: 27 | type: ClusterIP 28 | port: 80 29 | 30 | resources: {} 31 | # We usually recommend not to specify default resources and to leave this as a conscious 32 | # choice for the user. This also increases chances charts run on environments with little 33 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 34 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 35 | # limits: 36 | # cpu: 100m 37 | # memory: 128Mi 38 | # requests: 39 | # cpu: 100m 40 | # memory: 128Mi 41 | 42 | nodeSelector: {} 43 | 44 | tolerations: [] 45 | 46 | affinity: {} 47 | -------------------------------------------------------------------------------- /demo-apps/swagger-petstore/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /demo-apps/swagger-petstore/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | version: latest 3 | appVersion: "1.0.3" 4 | name: swagger-petstore 5 | description: "This is the sample petstore application" 6 | type: application 7 | home: https://github.com/swagger-api/swagger-petstore 8 | icon: https://static1.smartbear.co/swagger/media/assets/images/swagger_logo.svg 9 | keywords: 10 | - swagger 11 | - openapi 12 | sources: 13 | - https://github.com/secureCodeBox/helm 14 | - https://github.com/swagger-api/swagger-petstore 15 | maintainers: 16 | - name: iteratec GmbH 17 | email: security@iteratec.com 18 | -------------------------------------------------------------------------------- /demo-apps/swagger-petstore/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | version: latest 3 | appVersion: "1.0.3" 4 | name: swagger-petstore 5 | description: "This is the sample petstore application" 6 | type: application 7 | home: https://github.com/swagger-api/swagger-petstore 8 | icon: https://static1.smartbear.co/swagger/media/assets/images/swagger_logo.svg 9 | keywords: 10 | - swagger 11 | - openapi 12 | sources: 13 | - https://github.com/secureCodeBox/helm 14 | - https://github.com/swagger-api/swagger-petstore 15 | maintainers: 16 | - name: iteratec GmbH 17 | email: security@iteratec.com 18 | -------------------------------------------------------------------------------- 
/demo-apps/swagger-petstore/questions.yml: -------------------------------------------------------------------------------- 1 | categories: 2 | - "Demo Scan Target" 3 | questions: [] 4 | -------------------------------------------------------------------------------- /demo-apps/swagger-petstore/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "swagger-petstore.fullname" . -}} 3 | {{- $svcPort := .Values.service.port -}} 4 | {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} 5 | apiVersion: networking.k8s.io/v1beta1 6 | {{- else -}} 7 | apiVersion: extensions/v1beta1 8 | {{- end }} 9 | kind: Ingress 10 | metadata: 11 | name: {{ $fullName }} 12 | labels: 13 | {{- include "swagger-petstore.labels" . | nindent 4 }} 14 | {{- with .Values.ingress.annotations }} 15 | annotations: 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | spec: 19 | {{- if .Values.ingress.tls }} 20 | tls: 21 | {{- range .Values.ingress.tls }} 22 | - hosts: 23 | {{- range .hosts }} 24 | - {{ . | quote }} 25 | {{- end }} 26 | secretName: {{ .secretName }} 27 | {{- end }} 28 | {{- end }} 29 | rules: 30 | {{- range .Values.ingress.hosts }} 31 | - host: {{ .host | quote }} 32 | http: 33 | paths: 34 | {{- range .paths }} 35 | - path: {{ . }} 36 | backend: 37 | serviceName: {{ $fullName }} 38 | servicePort: {{ $svcPort }} 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /demo-apps/swagger-petstore/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "swagger-petstore.fullname" . }} 5 | labels: 6 | {{- include "swagger-petstore.labels" . 
| nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "swagger-petstore.selectorLabels" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /demo-apps/swagger-petstore/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "swagger-petstore.fullname" . }}-test-connection" 5 | labels: 6 | {{ include "swagger-petstore.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "swagger-petstore.fullname" . }}:{{ .Values.service.port }}'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /docs/.gitkeep: -------------------------------------------------------------------------------- 1 | # 2 | -------------------------------------------------------------------------------- /docs/adr/adr_0000.adoc: -------------------------------------------------------------------------------- 1 | [[ADR-0000]] 2 | = ADR-0000: Short present-tense imperative phrase, less than 50 characters, like an email subject 3 | 4 | [cols="h,d",grid=rows,frame=none,stripes=none,caption="Status",%autowidth] 5 | |==== 6 | // Use one of the ADR status parameters, depending on the status 7 | // Please add a cross-reference link to the new ADR on the 'superseded' ADR. 8 | // e.g.: {adr_suposed_by} <> 9 | | Status 10 | | PROPOSED | ACCEPTED | REJECTED | DEPRECATED | SUPOSED_BY <> 11 | 12 | | Date 13 | | YYYY-MM-DD 14 | 15 | | Author(s) 16 | | John Doe + 17 | jane Doe 18 | // ... 
19 | |==== 20 | 21 | == Context 22 | 23 | 24 | 25 | == Decision 26 | 27 | 28 | 29 | == Consequences 30 | 31 | 32 | -------------------------------------------------------------------------------- /docs/glossary.md: -------------------------------------------------------------------------------- 1 | # Glossary 2 | 3 | This overview provides a description of all acronyms and special terms used in this project. If you encounter any missing terms, please [let us know](https://github.com/corona-warn-app/cwa-documentation/issues/new?labels=documentation%2C+bug&template=01_doc_issue.md) or [create a pull request](https://github.com/secureCodeBox/secureCodeBox-v2/pulls). 4 | 5 | | Term, acronym... | Description | 6 | | --- | --- | 7 | | API | An [Application Programming Interface](https://en.wikipedia.org/wiki/Application_programming_interface) (API) is a computing interface which defines interactions between multiple software intermediaries. | 8 | | CRD | Acronym for "[Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)". | 9 | | GUID | Acronym for "[Globally Unique Identifier](https://en.wikipedia.org/wiki/Universally_unique_identifier)". | 10 | | K8S | Acronym for "[Kubernetes](https://kubernetes.io/docs/home/)". | 11 | | SCB | Acronym for "[secureCodeBox (This Project)](https://www.secureCodeBox.io)". 
| 12 | 13 | 14 | -------------------------------------------------------------------------------- /docs/resources/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureCodeBox/secureCodeBox-v2/4840c55cb9fcd69199d0c968d3a43cd6bf4326fe/docs/resources/logo.png -------------------------------------------------------------------------------- /docs/resources/macbook_kibana.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureCodeBox/secureCodeBox-v2/4840c55cb9fcd69199d0c968d3a43cd6bf4326fe/docs/resources/macbook_kibana.jpg -------------------------------------------------------------------------------- /docs/uml/_copyright.ipuml: -------------------------------------------------------------------------------- 1 | right footer **©** 2020 iteratec GmbH 2 | -------------------------------------------------------------------------------- /docs/uml/compononents_overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureCodeBox/secureCodeBox-v2/4840c55cb9fcd69199d0c968d3a43cd6bf4326fe/docs/uml/compononents_overview.png -------------------------------------------------------------------------------- /docs/uml/sequence_overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureCodeBox/secureCodeBox-v2/4840c55cb9fcd69199d0c968d3a43cd6bf4326fe/docs/uml/sequence_overview.png -------------------------------------------------------------------------------- /docs/versioning.md: -------------------------------------------------------------------------------- 1 | # Versioning 2 | 3 | All components of the secureCodeBox use [Semantic versioning](https://semver.org/). 
4 | 5 | Given a version number MAJOR.MINOR.PATCH, we increment the: 6 | 7 | - MAJOR version when we make incompatible API changes, 8 | - MINOR version when we add functionality in a backwards-compatible manner, and 9 | - PATCH version when we make backwards-compatible bug fixes. 10 | 11 | ## Maintaining compatible versions 12 | 13 | Backend components will always remain compatible due to the ongoing availability of old API versions. 14 | 15 | ## Changelogs 16 | 17 | Changelogs can be found in the release notes attached to git tags, e.g. (https://github.com/secureCodeBox/secureCodeBox-v2/releases). -------------------------------------------------------------------------------- /hook-sdk/nodejs/.dockerignore: -------------------------------------------------------------------------------- 1 | node_modules/ -------------------------------------------------------------------------------- /hook-sdk/nodejs/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules/ -------------------------------------------------------------------------------- /hook-sdk/nodejs/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:12-alpine as build 2 | WORKDIR /home/app 3 | COPY package.json package-lock.json ./ 4 | RUN npm ci --production 5 | 6 | FROM node:12-alpine 7 | ARG NODE_ENV 8 | RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app 9 | WORKDIR /home/app/hook-wrapper/ 10 | COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ 11 | COPY --chown=app:app ./hook-wrapper.js ./hook-wrapper.js 12 | USER 1001 13 | ENV NODE_ENV ${NODE_ENV:-production} 14 | ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"] 15 | -------------------------------------------------------------------------------- /hook-sdk/nodejs/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": 
"securecodebox-hook-sdk-nodejs", 3 | "version": "1.0.0", 4 | "description": "Handles external communication required for all secureCodeBox Hooks", 5 | "main": "hook-wrapper.js", 6 | "scripts": { 7 | "test": "jest" 8 | }, 9 | "keywords": [], 10 | "author": "iteratec GmbH", 11 | "license": "Apache-2.0", 12 | "dependencies": { 13 | "@kubernetes/client-node": "^0.12.2", 14 | "axios": "^0.20.0", 15 | "ws": "^7.3.1" 16 | }, 17 | "devDependencies": { 18 | "jest": "^25.1.0" 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/.dockerignore: -------------------------------------------------------------------------------- 1 | node_modules/ -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | *.map 3 | **.js 4 | !**.test.js -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | # Node.js files 24 | node_modules/* 25 | package.json 26 | package-lock.json 27 | src/* 28 | config/* 29 | Dockerfile 30 | .dockerignore -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: [] 2 | digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726 3 | generated: "2020-05-26T16:56:03.119255+02:00" 4 | -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: declarative-subsequent-scans 3 | description: Starts possible subsequent security scans based on findings (e.g. open ports found by NMAP or subdomains found by AMASS). 
4 | 5 | type: application 6 | 7 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 8 | version: latest 9 | kubeVersion: ">=v1.11.0" 10 | 11 | dependencies: [] 12 | -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM node:12-alpine as install 3 | RUN mkdir -p /home/app 4 | WORKDIR /home/app 5 | COPY package.json package-lock.json ./ 6 | RUN npm ci --production 7 | 8 | FROM node:12-alpine as build 9 | RUN mkdir -p /home/app 10 | WORKDIR /home/app 11 | COPY package.json package-lock.json ./ 12 | RUN npm ci 13 | COPY hook.ts scan-helpers.ts kubernetes-label-selector.ts ./ 14 | RUN npm run build 15 | 16 | FROM securecodebox/hook-sdk-nodejs:${baseImageTag:-latest} 17 | WORKDIR /home/app/hook-wrapper/hook/ 18 | COPY --from=install --chown=app:app /home/app/node_modules/ ./node_modules/ 19 | COPY --from=build --chown=app:app /home/app/hook.js /home/app/scan-helpers.js /home/app/kubernetes-label-selector.js ./ 20 | -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: declarative-subsequent-scans 3 | description: Starts possible subsequent security scans based on findings (e.g. open ports found by NMAP or subdomains found by AMASS). 
4 | 5 | type: application 6 | 7 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 8 | version: latest 9 | kubeVersion: ">=v1.11.0" -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Declarative Subsequent Scan Hook deployed. 2 | 3 | This will allow you to start Scans based on previous findings. 4 | E.g. start a ssh scan for every open ssh port found. 5 | 6 | The rules are defined as kubernetes CRD's. You can list all of these `CascadingScanRules` by running: 7 | 8 | $ kubectl get cascadingrules 9 | 10 | You need to explicitly turn on scan cascading for every scan you use. 11 | You can do that by setting a label selector which matches all rules you want to use. 12 | 13 | Find out more, on the docs: TODO(https://github.com/secureCodeBox/secureCodeBox-v2/issues/46) -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/templates/declerative-subsequent-scans-hook.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ScanCompletionHook 3 | metadata: 4 | name: {{ include "declarative-subsequent-scans.fullname" . 
}} 5 | spec: 6 | type: ReadOnly 7 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}" 8 | serviceAccountName: declarative-combined-scans -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/templates/role-binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | annotations: 5 | description: DeclarativeCombinedScansHooks needs to have the rights to create new scans and the usual patch rules to update the scan status 6 | name: declarative-combined-scans 7 | namespace: {{ .Release.Namespace }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: Role 11 | name: declarative-combined-scans 12 | subjects: 13 | - kind: ServiceAccount 14 | name: declarative-combined-scans 15 | -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/templates/role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | annotations: 5 | description: DeclarativeCombinedScansHooks needs to have the rights to create new scans and the usual patch rules to update the scan status 6 | name: declarative-combined-scans 7 | namespace: {{ .Release.Namespace }} 8 | rules: 9 | - apiGroups: 10 | - execution.securecodebox.io 11 | resources: 12 | - scans 13 | verbs: 14 | - get 15 | - create 16 | - apiGroups: 17 | - execution.securecodebox.io 18 | resources: 19 | - scans/status 20 | verbs: 21 | - get 22 | - patch 23 | - apiGroups: 24 | - cascading.securecodebox.io 25 | resources: 26 | - cascadingrules 27 | verbs: 28 | - get 29 | - list 30 | -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/templates/service-account.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | annotations: 5 | description: DeclarativeCombinedScansHooks needs to have the rights to create new scans and the usual patch rules to update the scan status 6 | name: declarative-combined-scans 7 | namespace: {{ .Release.Namespace }} 8 | -------------------------------------------------------------------------------- /hooks/declarative-subsequent-scans/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for dispatcher. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | image: 6 | # image.tag - defaults to the charts version 7 | # image.repository -- Hook image repository 8 | repository: docker.io/securecodebox/hook-declarative-subsequent-scans 9 | # parserImage.tag -- Parser image tag 10 | # @default -- defaults to the charts version 11 | tag: null 12 | -------------------------------------------------------------------------------- /hooks/generic-webhook/.dockerignore: -------------------------------------------------------------------------------- 1 | node_modules/ -------------------------------------------------------------------------------- /hooks/generic-webhook/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules -------------------------------------------------------------------------------- /hooks/generic-webhook/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | # Node.js files 24 | node_modules/* 25 | package.json 26 | package-lock.json 27 | src/* 28 | config/* 29 | Dockerfile 30 | .dockerignore -------------------------------------------------------------------------------- /hooks/generic-webhook/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: [] 2 | digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726 3 | generated: "2020-05-26T16:56:03.119255+02:00" 4 | -------------------------------------------------------------------------------- /hooks/generic-webhook/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: generic-webhook 3 | description: Lets you send http webhooks after scans are completed 4 | 5 | type: application 6 | 7 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 8 | version: latest 9 | kubeVersion: ">=v1.11.0" 10 | 11 | dependencies: [] 12 | -------------------------------------------------------------------------------- /hooks/generic-webhook/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM node:12-alpine as build 3 | RUN mkdir -p /home/app 4 | WORKDIR /home/app 5 | COPY package.json package-lock.json ./ 6 | RUN npm ci --production 7 | 8 | FROM securecodebox/hook-sdk-nodejs:${baseImageTag:-latest} 9 | WORKDIR /home/app/hook-wrapper/hook/ 10 | COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ 11 | COPY --chown=app:app ./hook.js ./hook.js 12 | -------------------------------------------------------------------------------- 
/hooks/generic-webhook/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Generic WebHook" 3 | path: "hooks/generic-webhook" 4 | category: "hook" 5 | type: "integration" 6 | state: "released" 7 | usecase: "Publishes Scan Findings as WebHook." 8 | --- 9 | 10 | 11 | 12 | ## Deployment 13 | 14 | Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace. 15 | 16 | ```bash 17 | helm upgrade --install gwh ./hooks/generic-webhook/ --set webhookUrl="http://example.com/my/webhook/target" 18 | ``` 19 | > ✍ This documentation is currently work-in-progress. 20 | 21 | ## Chart Configuration 22 | 23 | | Key | Type | Default | Description | 24 | |-----|------|---------|-------------| 25 | | image.repository | string | `"docker.io/securecodebox/generic-webhook"` | Hook image repository | 26 | | image.tag | string | `nil` | | 27 | | webhookUrl | string | `"http://example.com"` | The URL of your WebHook endpoint | 28 | -------------------------------------------------------------------------------- /hooks/generic-webhook/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Generic WebHook" 3 | path: "hooks/generic-webhook" 4 | category: "hook" 5 | type: "integration" 6 | state: "released" 7 | usecase: "Publishes Scan Findings as WebHook." 8 | --- 9 | 10 | 11 | 12 | ## Deployment 13 | 14 | Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace. 15 | 16 | ```bash 17 | helm upgrade --install gwh ./hooks/generic-webhook/ --set webhookUrl="http://example.com/my/webhook/target" 18 | ``` 19 | > ✍ This documentation is currently work-in-progress. 20 | 21 | ## Chart Configuration 22 | 23 | {{ template "chart.valuesTable" . 
}} 24 | -------------------------------------------------------------------------------- /hooks/generic-webhook/__mocks__/axios.js: -------------------------------------------------------------------------------- 1 | module.exports.post = jest.fn(); 2 | -------------------------------------------------------------------------------- /hooks/generic-webhook/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: generic-webhook 3 | description: Lets you send http webhooks after scans are completed 4 | 5 | type: application 6 | 7 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 8 | version: latest 9 | kubeVersion: ">=v1.11.0" -------------------------------------------------------------------------------- /hooks/generic-webhook/hook.js: -------------------------------------------------------------------------------- 1 | const axios = require("axios"); 2 | 3 | async function handle({ 4 | getFindings, 5 | scan, 6 | webhookUrl = process.env["WEBHOOK_URL"], 7 | }) { 8 | const findings = await getFindings(); 9 | 10 | console.log(`Sending ${findings.length} findings to ${webhookUrl}`); 11 | 12 | await axios.post(webhookUrl, { scan, findings }); 13 | } 14 | module.exports.handle = handle; 15 | module.exports.axios = axios; 16 | -------------------------------------------------------------------------------- /hooks/generic-webhook/hook.test.js: -------------------------------------------------------------------------------- 1 | const { handle, axios } = require("./hook"); 2 | 3 | beforeEach(() => { 4 | axios.post.mockClear(); 5 | }); 6 | 7 | test("should send a post request to the url when fired", async () => { 8 | const findings = []; 9 | 10 | const getFindings = async () => findings; 11 | 12 | const scan = { 13 | metadata: { 14 | uid: "09988cdf-1fc7-4f85-95ee-1b1d65dbc7cc", 15 | name: "demo-scan", 16 | labels: { 17 | company: "iteratec", 18 | 
}, 19 | }, 20 | spec: { 21 | scanType: "Nmap", 22 | parameters: ["-Pn", "localhost"], 23 | }, 24 | }; 25 | 26 | const webhookUrl = "http://example.com/foo/bar"; 27 | 28 | await handle({ getFindings, scan, webhookUrl }); 29 | 30 | expect(axios.post).toBeCalledWith(webhookUrl, { 31 | scan, 32 | findings: [], 33 | }); 34 | }); 35 | -------------------------------------------------------------------------------- /hooks/generic-webhook/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "scb-generic-webhook", 3 | "version": "1.0.0", 4 | "description": "secureCodeBox v2 Generic WebHook.", 5 | "homepage": "https://www.secureCodeBox.io", 6 | "repository": { 7 | "type": "git", 8 | "url": "git+https://github.com/secureCodeBox/secureCodeBox-v2.git" 9 | }, 10 | "main": "hook.js", 11 | "scripts": { 12 | "test": "jest ." 13 | }, 14 | "keywords": [ 15 | "secureCodeBox", 16 | "security", 17 | "hook" 18 | ], 19 | "author": { 20 | "name": "iteratec GmbH", 21 | "email": "security@iteratec.com", 22 | "url": "https://www.iteratec.com" 23 | }, 24 | "contributors": [ 25 | { 26 | "name" : "Jannik Hollenbach", 27 | "url" : "https://github.com/J12934" 28 | }, 29 | { 30 | "name" : "Robert Seedorff", 31 | "url" : "https://github.com/rseedorff" 32 | } 33 | ], 34 | "bugs": { 35 | "url": "https://github.com/secureCodeBox/secureCodeBox-v2/issues" 36 | }, 37 | "license": "Apache-2.0", 38 | "dependencies": { 39 | "axios": "^0.20.0" 40 | }, 41 | "devDependencies": { 42 | "jest": "^25.1.0" 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /hooks/generic-webhook/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | GenericWebhook deployed. 
2 | Will send requests to: 3 | POST {{ .Values.webhookUrl }} 4 | on every completed scan -------------------------------------------------------------------------------- /hooks/generic-webhook/templates/webhook-hook.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ScanCompletionHook 3 | metadata: 4 | name: {{ include "generic-webhook.fullname" . }} 5 | spec: 6 | type: ReadOnly 7 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}" 8 | env: 9 | - name: WEBHOOK_URL 10 | value: {{ .Values.webhookUrl | quote }} -------------------------------------------------------------------------------- /hooks/generic-webhook/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for dispatcher. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | # webhookUrl -- The URL of your WebHook endpoint 6 | webhookUrl: "http://example.com" 7 | 8 | image: 9 | # image.tag - defaults to the charts version 10 | # image.repository -- Hook image repository 11 | repository: docker.io/securecodebox/generic-webhook 12 | # parserImage.tag -- Parser image tag 13 | # @default -- defaults to the charts version 14 | tag: null 15 | -------------------------------------------------------------------------------- /hooks/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "securecodebox-hooks", 3 | "version": "1.0.0", 4 | "description": "NPM library to easily set up new hooks for the secureCodeBox v2", 5 | "homepage": "https://www.secureCodeBox.io", 6 | "repository": { 7 | "type": "git", 8 | "url": "git+https://github.com/secureCodeBox/secureCodeBox-v2.git" 9 | }, 10 | "main": "index.js", 11 | "directories": { 12 | "example": "example" 13 | }, 14 | "scripts": { 15 | "test": "jest" 16 | }, 17 | "keywords": [ 
18 | "secureCodeBox", 19 | "security", 20 | "hooks" 21 | ], 22 | "author": { 23 | "name": "iteratec GmbH", 24 | "email": "security@iteratec.com", 25 | "url": "https://www.iteratec.com" 26 | }, 27 | "contributors": [ 28 | { 29 | "name" : "Jannik Hollenbach", 30 | "url" : "https://github.com/J12934" 31 | }, 32 | { 33 | "name" : "Robert Seedorff", 34 | "url" : "https://github.com/rseedorff" 35 | } 36 | ], 37 | "bugs": { 38 | "url": "https://github.com/secureCodeBox/secureCodeBox-v2/issues" 39 | }, 40 | "license": "Apache-2.0", 41 | "devDependencies": { 42 | "jest": "^25.1.0" 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /hooks/persistence-elastic/.dockerignore: -------------------------------------------------------------------------------- 1 | node_modules/ -------------------------------------------------------------------------------- /hooks/persistence-elastic/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules -------------------------------------------------------------------------------- /hooks/persistence-elastic/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | # Node.js files 24 | node_modules/* 25 | package.json 26 | package-lock.json 27 | src/* 28 | config/* 29 | Dockerfile 30 | .dockerignore -------------------------------------------------------------------------------- /hooks/persistence-elastic/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: elasticsearch 3 | repository: https://helm.elastic.co 4 | version: 7.9.2 5 | - name: kibana 6 | repository: https://helm.elastic.co 7 | version: 7.9.2 8 | digest: sha256:e47a0c36a3ded9bc2cab9b2482dfa117dd2c3b9950d92d19d92cf47ac774ad69 9 | generated: "2020-10-07T10:47:56.519541956+02:00" 10 | -------------------------------------------------------------------------------- /hooks/persistence-elastic/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: persistence-elastic 3 | description: The elastic persistence provider persists secureCodeBox findings into the elastic stack. 
4 | 5 | type: application 6 | 7 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 8 | version: latest 9 | 10 | appVersion: 7.9.2 11 | kubeVersion: ">=v1.11.0" 12 | 13 | dependencies: 14 | - name: elasticsearch 15 | version: 7.9.2 16 | repository: https://helm.elastic.co 17 | condition: elasticsearch.enabled 18 | - name: kibana 19 | version: 7.9.2 20 | repository: https://helm.elastic.co 21 | condition: kibana.enabled 22 | -------------------------------------------------------------------------------- /hooks/persistence-elastic/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM node:12-alpine as build 3 | RUN mkdir -p /home/app 4 | WORKDIR /home/app 5 | COPY package.json package-lock.json ./ 6 | RUN npm ci --production 7 | 8 | FROM securecodebox/hook-sdk-nodejs:${baseImageTag:-latest} 9 | WORKDIR /home/app/hook-wrapper/hook/ 10 | COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ 11 | COPY --chown=app:app ./hook.js ./hook.js 12 | -------------------------------------------------------------------------------- /hooks/persistence-elastic/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Elasticsearch" 3 | path: "hooks/persistence-elastic" 4 | category: "hook" 5 | type: "persistenceProvider" 6 | state: "released" 7 | usecase: "Publishes all Scan Findings to Elasticsearch." 8 | --- 9 | 10 | 11 | 12 | ## About 13 | The ElasticSearch persistenceProvider hook saves all findings and reports into the configured ElasticSearch index. This allows for some easy searching and visualization of the findings. To learn more about Elasticsearch visit [elastic.io]. 14 | 15 | ## Deployment 16 | 17 | Installing the Elasticsearch persistenceProvider hook will add a _ReadOnly Hook_ to your namespace. 
18 | 19 | ```bash 20 | helm upgrade --install elkh ./hooks/persistence-elastic/ 21 | ``` 22 | 23 | ## Chart Configuration 24 | 25 | {{ template "chart.valuesTable" . }} 26 | 27 | 28 | [elastic.io]: https://www.elastic.co/products/elasticsearch -------------------------------------------------------------------------------- /hooks/persistence-elastic/__mocks__/@elastic/elasticsearch.js: -------------------------------------------------------------------------------- 1 | class Client { 2 | constructor() { 3 | this.indices = { 4 | create: jest.fn(), 5 | }; 6 | this.index = jest.fn(); 7 | this.bulk = jest.fn(async () => { 8 | return { 9 | body: { 10 | errors: false, 11 | }, 12 | }; 13 | }); 14 | } 15 | } 16 | 17 | module.exports.Client = Client; 18 | -------------------------------------------------------------------------------- /hooks/persistence-elastic/charts/elasticsearch-7.9.2.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureCodeBox/secureCodeBox-v2/4840c55cb9fcd69199d0c968d3a43cd6bf4326fe/hooks/persistence-elastic/charts/elasticsearch-7.9.2.tgz -------------------------------------------------------------------------------- /hooks/persistence-elastic/charts/kibana-7.9.2.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureCodeBox/secureCodeBox-v2/4840c55cb9fcd69199d0c968d3a43cd6bf4326fe/hooks/persistence-elastic/charts/kibana-7.9.2.tgz -------------------------------------------------------------------------------- /hooks/persistence-elastic/dashboardImporter/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.11 2 | 3 | RUN apk add --no-cache curl bash 4 | 5 | RUN addgroup -S app && adduser -S -G app app 6 | USER app 7 | 8 | WORKDIR /home/dashboard-importer/ 9 | 10 | COPY dashboards/ ./dashboards/ 11 | COPY import-dashboards.sh ./ 12 | 13 | CMD [ "bash", 
"import-dashboards.sh" ] -------------------------------------------------------------------------------- /hooks/persistence-elastic/dashboardImporter/export-dashboards.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | kibanaURL=${1:-"http://localhost:5601"} 4 | 5 | exportDashboard() { 6 | local filename=$1 7 | local id=$2 8 | curl ${kibanaURL}/api/kibana/dashboards/export?dashboard=${id} > ./dashboards/$(unknown) 9 | } 10 | 11 | exportDashboard "daily-summary.json" "34c734b0-6e79-11ea-bdc0-35f8aa7c4664" 12 | exportDashboard "wordpress-overview.json" "12b72880-fc09-11ea-a91c-5358dd402fdc" 13 | exportDashboard "subdomain-overview.json" "83e56080-b235-11ea-872e-c9b5d5ddb284" 14 | exportDashboard "tls-ssl-overview.json" "f5e576c0-af97-11ea-b237-7b9069d086af" 15 | exportDashboard "zap-overview.json" "57b2a830-bc60-11ea-872e-c9b5d5ddb284" 16 | exportDashboard "nikto-overview.json" "6a005c80-c4fd-11ea-8ad8-4f602085b3a0" 17 | exportDashboard "portscan-overview.json" "d93db110-937f-11ea-9a99-c571feec3570" 18 | exportDashboard "ssh-overview.json" "271ddac0-98d7-11ea-890b-7db8819c4f5b" 19 | -------------------------------------------------------------------------------- /hooks/persistence-elastic/dashboardImporter/import-dashboards.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | kibanaURL=${KIBANA_URL:-"http://localhost:5601"} 4 | 5 | echo "Waiting until kibana becomes availible" 6 | until $(curl --output /dev/null --silent --head --fail ${kibanaURL}); do 7 | printf '.' 
8 | sleep 5 9 | done 10 | echo "" 11 | echo "Kibana is availible" 12 | 13 | for filename in ./dashboards/*.json; do 14 | echo "Importing dashboard '$(unknown)'" 15 | curl -i -H "Content-Type: application/json" -H "kbn-xsrf: reporting" -X POST --data @$(unknown) ${kibanaURL}/api/kibana/dashboards/import 16 | echo -e "\n\n" 17 | done 18 | -------------------------------------------------------------------------------- /hooks/persistence-elastic/dashboardImporter/readme.md: -------------------------------------------------------------------------------- 1 | # Dashboard Importer 2 | 3 | Imports all standard secureCodeBox Dashboards to Kibana. 4 | This comes pre-bundled as a kubernetes job in the Elastic Persistence Provider helm chart. 5 | 6 | ## Updating the Kibana Dashboards 7 | 8 | If you made changes to the Kibana Dashboards which you want rolled out to everybody, you can update the dashboards in the [dashboards](./dashboards/) folder. To update the easily you can use the [export-dashboards](./export-dashboards.sh) bash script. If you added a new dashboard you'll need to update the script to create a mapping between filename and dashboard id. 9 | 10 | ```bash 11 | # Default call. Assumes Kibana to be available at "http://localhost:5601" 12 | ./export-dashboards.sh 13 | 14 | # With a custom kibana endpoint 15 | ./export-dashboards.sh "https://kibana.local.example.com" 16 | ``` 17 | -------------------------------------------------------------------------------- /hooks/persistence-elastic/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: persistence-elastic 3 | description: The elastic persistence provider persists secureCodeBox findings into the elastic stack. 
4 | 5 | type: application 6 | 7 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 8 | version: latest 9 | appVersion: 7.6.1 10 | kubeVersion: ">=v1.11.0" -------------------------------------------------------------------------------- /hooks/persistence-elastic/helm2.requirements.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: elasticsearch 3 | repository: https://helm.elastic.co 4 | version: 7.6.1 5 | - name: kibana 6 | repository: https://helm.elastic.co 7 | version: 7.6.1 8 | digest: sha256:7d3461d986f620421f775f9ecaf73af2565ace9d909a8134c4259c5206f1f89c 9 | generated: "2020-03-17T15:09:24.838784+01:00" 10 | -------------------------------------------------------------------------------- /hooks/persistence-elastic/helm2.requirements.yaml: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: elasticsearch 3 | version: 7.6.1 4 | repository: https://helm.elastic.co 5 | condition: elasticsearch.enabled 6 | - name: kibana 7 | version: 7.6.1 8 | repository: https://helm.elastic.co 9 | condition: kibana.enabled 10 | -------------------------------------------------------------------------------- /hooks/persistence-elastic/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Elastic Stack PersistenceProvider deployed. 
-------------------------------------------------------------------------------- /hooks/persistence-elastic/templates/import-dashboard.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: "dashboard-importer-{{ .Chart.Version }}" 5 | spec: 6 | backoffLimit: 3 7 | ttlSecondsAfterFinished: 3600 # 1 hour 8 | template: 9 | spec: 10 | restartPolicy: 'OnFailure' 11 | containers: 12 | - name: dasboard-importer 13 | image: "{{ .Values.dashboardImporter.image.repository }}:{{ .Values.dashboardImporter.image.tag | default .Chart.Version }}" 14 | imagePullPolicy: Always 15 | env: 16 | {{- if .Values.externalElasticStack.enabled }} 17 | - name: KIBANA_URL 18 | value: {{ .Values.externalElasticStack.kibanaAddress | quote }} 19 | {{- else }} 20 | - name: KIBANA_URL 21 | value: "http://{{ .Release.Name }}-kibana.{{ .Release.Namespace }}.svc.cluster.local:5601" 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /hooks/persistence-static-report/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Static Report" 3 | path: "hooks/persistence-staticreport" 4 | category: "hook" 5 | type: "persistenceProvider" 6 | state: "developing" 7 | usecase: "Publishes all Scan Findings as HTML Report." 8 | --- 9 | 10 | 11 | 12 | ## Deployment 13 | 14 | > 🔧 The implementation is currently work-in-progress and still undergoing major changes. It'll be released here once it has stabilized. 15 | 16 | -------------------------------------------------------------------------------- /hooks/slack-webhook/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Slack WebHook" 3 | path: "hooks/slack-webhook" 4 | category: "hook" 5 | type: "integration" 6 | state: "roadmap" 7 | usecase: "Publishes Scan Summary to Slack." 
8 | --- 9 | 10 | 11 | 12 | ## Deployment 13 | 14 | Installing the Slack WebHook hook will add a ReadOnly Hook to your namespace. 15 | 16 | > 🔧 The implementation is currently work-in-progress and still undergoing major changes. It'll be released here once it has stabilized. 17 | -------------------------------------------------------------------------------- /hooks/teams-webhook/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "MS Teams WebHook" 3 | path: "hooks/teams-webhook" 4 | category: "hook" 5 | type: "integration" 6 | state: "roadmap" 7 | usecase: "Publishes Scan Summary to MS Teams." 8 | --- 9 | 10 | 11 | 12 | ## Deployment 13 | 14 | Installing the Teams WebHook hook will add a ReadOnly Hook to your namespace. 15 | 16 | > 🔧 The implementation is currently work-in-progress and still undergoing major changes. It'll be released here once it has stabilized. 17 | -------------------------------------------------------------------------------- /hooks/update-field/.dockerignore: -------------------------------------------------------------------------------- 1 | node_modules/ -------------------------------------------------------------------------------- /hooks/update-field/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules -------------------------------------------------------------------------------- /hooks/update-field/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | # Node.js files 24 | node_modules/* 25 | package.json 26 | package-lock.json 27 | src/* 28 | config/* 29 | Dockerfile 30 | .dockerignore -------------------------------------------------------------------------------- /hooks/update-field/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: [] 2 | digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726 3 | generated: "2020-05-26T16:56:03.119255+02:00" 4 | -------------------------------------------------------------------------------- /hooks/update-field/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: update-field-hook 3 | description: Lets you add or override a field to every finding 4 | 5 | type: application 6 | 7 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 8 | version: latest 9 | kubeVersion: ">=v1.11.0" 10 | 11 | dependencies: [] 12 | -------------------------------------------------------------------------------- /hooks/update-field/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM node:12-alpine as build 3 | RUN mkdir -p /home/app 4 | WORKDIR /home/app 5 | COPY package.json package-lock.json ./ 6 | RUN npm ci --production 7 | 8 | FROM securecodebox/hook-sdk-nodejs:${baseImageTag:-latest} 9 | WORKDIR /home/app/hook-wrapper/hook/ 10 | COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ 11 | COPY --chown=app:app ./hook.js ./hook.js 12 | -------------------------------------------------------------------------------- 
/hooks/update-field/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Update Field" 3 | path: "hooks/update-field" 4 | category: "hook" 5 | type: "dataProcessing" 6 | state: "released" 7 | usecase: "Updates fields in finding results." 8 | --- 9 | 10 | 11 | 12 | ## Deployment 13 | 14 | Installing the _Update Field_ hook will add a ReadOnly Hook to your namespace. 15 | 16 | ```bash 17 | helm upgrade --install ufh ./hooks/update-field/ --set attribute.name="category" --set attribute.value="my-own-category" 18 | ``` 19 | 20 | > ✍ This documentation is currently work-in-progress. 21 | 22 | ## Chart Configuration 23 | 24 | | Key | Type | Default | Description | 25 | |-----|------|---------|-------------| 26 | | attribute.name | string | `"category"` | The name of the attribute you want to add to each finding result | 27 | | attribute.value | string | `"my-own-category"` | The value of the attribute you want to add to each finding result | 28 | | image.repository | string | `"docker.io/securecodebox/update-field"` | Hook image repository | 29 | | image.tag | string | `nil` | | 30 | -------------------------------------------------------------------------------- /hooks/update-field/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Update Field" 3 | path: "hooks/update-field" 4 | category: "hook" 5 | type: "dataProcessing" 6 | state: "released" 7 | usecase: "Updates fields in finding results." 8 | --- 9 | 10 | 11 | 12 | ## Deployment 13 | 14 | Installing the _Update Field_ hook will add a ReadOnly Hook to your namespace. 15 | 16 | ```bash 17 | helm upgrade --install ufh ./hooks/update-field/ --set attribute.name="category" --set attribute.value="my-own-category" 18 | ``` 19 | 20 | > ✍ This documentation is currently work-in-progress. 21 | 22 | ## Chart Configuration 23 | 24 | {{ template "chart.valuesTable" . 
}} 25 | -------------------------------------------------------------------------------- /hooks/update-field/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: update-field-hook 3 | description: Lets you add or override a field to every finding 4 | 5 | type: application 6 | 7 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 8 | version: latest 9 | kubeVersion: ">=v1.11.0" -------------------------------------------------------------------------------- /hooks/update-field/hook.js: -------------------------------------------------------------------------------- 1 | const set = require("lodash.set"); 2 | /** Adds or overrides one attribute on every finding of a scan and writes the findings back. getFindings and updateFindings are passed in by the caller (the test supplies an async getter and a mock). attributeName is a lodash `set` path (the test uses "attributes.cluster") and attributeValue the value written there; both default to the ATTRIBUTE_NAME / ATTRIBUTE_VALUE env vars, which the chart template fills from .Values.attribute.name / .Values.attribute.value. The chart registers this hook as type ReadAndWrite because the findings are modified. */ 3 | async function handle({ 4 | getFindings, 5 | updateFindings, 6 | attributeName = process.env["ATTRIBUTE_NAME"], 7 | attributeValue = process.env["ATTRIBUTE_VALUE"], 8 | }) { 9 | const findings = await getFindings(); 10 | 11 | /* The findings are mutated in place; newFindings holds the same objects as findings. */ const newFindings = findings.map((finding) => { 12 | set(finding, attributeName, attributeValue); /* NOTE(review): lodash `set` resolves attributeName as a nested path, so it can write into any level of the finding object. Keep ATTRIBUTE_NAME a trusted chart value (never derived from scan output) and consider rejecting path segments such as __proto__, constructor and prototype before calling set. What happens when ATTRIBUTE_NAME is unset (path undefined) is not pinned down here. */ 13 | return finding; 14 | }); 15 | 16 | console.log(`Updated attributes on ${findings.length} findings`); 17 | 18 | await updateFindings(newFindings); 19 | } 20 | module.exports.handle = handle; 21 | -------------------------------------------------------------------------------- /hooks/update-field/hook.test.js: -------------------------------------------------------------------------------- 1 | const { handle } = require("./hook"); 2 | 3 | test("should send a post request to the url when fired", async () => { 4 | const findings = [ 5 | { 6 | name: "Open Port", 7 | attributes: { 8 | hostname: "foobar.com", 9 | }, 10 | }, 11 | ]; 12 | 13 | const getFindings = async () => findings; 14 | 15 | const updateFindings = jest.fn(); 16 | 17 | await handle({ 18 | getFindings, 19 | updateFindings, 20 | attributeName: "attributes.cluster", 21 | attributeValue: "gke-internal", 22 | }); 23 | 24 | 
expect(updateFindings).toBeCalledWith([ 25 | { 26 | name: "Open Port", 27 | attributes: { 28 | hostname: "foobar.com", 29 | cluster: "gke-internal", 30 | }, 31 | }, 32 | ]); 33 | }); 34 | -------------------------------------------------------------------------------- /hooks/update-field/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "scb-update-field", 3 | "version": "1.0.0", 4 | "description": "secureCodeBox v2 Update Field Hook", 5 | "homepage": "https://www.secureCodeBox.io", 6 | "repository": { 7 | "type": "git", 8 | "url": "git+https://github.com/secureCodeBox/secureCodeBox-v2.git" 9 | }, 10 | "main": "hook.js", 11 | "scripts": { 12 | "test": "jest ." 13 | }, 14 | "keywords": [ 15 | "secureCodeBox", 16 | "security", 17 | "scanner" 18 | ], 19 | "author": { 20 | "name": "iteratec GmbH", 21 | "email": "security@iteratec.com", 22 | "url": "https://www.iteratec.com" 23 | }, 24 | "contributors": [ 25 | { 26 | "name" : "Jannik Hollenbach", 27 | "url" : "https://github.com/J12934" 28 | }, 29 | { 30 | "name" : "Robert Seedorff", 31 | "url" : "https://github.com/rseedorff" 32 | } 33 | ], 34 | "bugs": { 35 | "url": "https://github.com/secureCodeBox/secureCodeBox-v2/issues" 36 | }, 37 | "license": "Apache-2.0", 38 | "dependencies": { 39 | "lodash.set": "^4.3.2" 40 | }, 41 | "devDependencies": { 42 | "jest": "^25.1.0" 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /hooks/update-field/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | UpdateField Hook deployed. 2 | This will add or override "{{ .Values.attribute.name }}: {{ .Values.attribute.value }}" on every finding in this namespace. 
-------------------------------------------------------------------------------- /hooks/update-field/templates/update-field-hook.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ScanCompletionHook 3 | metadata: 4 | name: {{ .Release.Name }} 5 | spec: 6 | type: ReadAndWrite 7 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}" 8 | env: 9 | - name: ATTRIBUTE_NAME 10 | value: {{ .Values.attribute.name | quote }} 11 | - name: ATTRIBUTE_VALUE 12 | value: {{ .Values.attribute.value | quote }} 13 | -------------------------------------------------------------------------------- /hooks/update-field/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for the update-field hook. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | attribute: 6 | # attribute.name -- The name of the attribute you want to add to each finding result 7 | name: "category" 8 | # attribute.value -- The value of the attribute you want to add to each finding result 9 | value: my-own-category 10 | 11 | image: 12 | # image.tag - defaults to the charts version 13 | # image.repository -- Hook image repository 14 | repository: docker.io/securecodebox/update-field 15 | # image.tag -- Hook image tag 16 | # @default -- defaults to the charts version 17 | tag: null 18 | -------------------------------------------------------------------------------- /lurcher/.dockerignore: -------------------------------------------------------------------------------- 1 | Dockerfile 2 | main 3 | job.yaml 4 | .gitignore -------------------------------------------------------------------------------- /lurcher/.gitignore: -------------------------------------------------------------------------------- 1 | main -------------------------------------------------------------------------------- 
/lurcher/Dockerfile: -------------------------------------------------------------------------------- 1 | # Build the manager binary 2 | FROM golang:1.15 as builder 3 | 4 | WORKDIR /workspace 5 | # Copy the Go Modules manifests 6 | COPY go.mod go.mod 7 | COPY go.sum go.sum 8 | # cache deps before building and copying source so that we don't need to re-download as much 9 | # and so that source changes don't invalidate our downloaded layer 10 | RUN go mod download 11 | 12 | # Copy the go source 13 | COPY main.go main.go 14 | 15 | # Build 16 | RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o lurcher main.go 17 | 18 | # Use distroless as minimal base image to package the manager binary 19 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 20 | FROM gcr.io/distroless/static:nonroot 21 | WORKDIR / 22 | COPY --from=builder /workspace/lurcher . 23 | 24 | ENTRYPOINT ["/lurcher"] 25 | -------------------------------------------------------------------------------- /lurcher/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/secureCodeBox/secureCodeBox-v2/lurcher 2 | 3 | go 1.15 4 | 5 | require ( 6 | k8s.io/apimachinery v0.0.0-20191028221656-72ed19daf4bb 7 | k8s.io/client-go v0.0.0-20191114101535-6c5935290e33 8 | ) 9 | -------------------------------------------------------------------------------- /operator/.gitignore: -------------------------------------------------------------------------------- 1 | 2 | # Binaries for programs and plugins 3 | *.exe 4 | *.exe~ 5 | *.dll 6 | *.so 7 | *.dylib 8 | bin 9 | 10 | # Test binary, build with `go test -c` 11 | *.test 12 | 13 | # Output of the go coverage tool, specifically when used with LiteIDE 14 | *.out 15 | 16 | # Kubernetes Generated files - skip generated files, except for vendored files 17 | 18 | !vendor/**/zz_generated.* 19 | 20 | # editor and IDE paraphernalia 21 | .idea 22 | *.swp 23 | *.swo 24 | *~ 25 | 
-------------------------------------------------------------------------------- /operator/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | 25 | hack/ 26 | config/ 27 | bin/ 28 | controllers/ 29 | apis/ -------------------------------------------------------------------------------- /operator/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: minio 3 | repository: https://helm.min.io/ 4 | version: 7.1.2 5 | digest: sha256:6fee974baf705caae258636dbd7b2b89f14230b9ae28aa20da4643d8292c399b 6 | generated: "2020-10-07T11:26:59.229968+02:00" 7 | -------------------------------------------------------------------------------- /operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: operator 3 | description: secureCodeBox Operator to automate the execution of security scans on kubernetes 4 | 5 | type: application 6 | 7 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 8 | version: latest 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - secureCodeBox 14 | - operator 15 | home: https://docs.securecodebox.io/docs/getting-started/installation 16 | icon: https://docs.securecodebox.io/img/Logo_Color.svg 17 | sources: 18 | - https://github.com/secureCodeBox/secureCodeBox-v2 19 | maintainers: 20 | - name: iteratec GmbH 21 | email: secureCodeBox@iteratec.com 22 
| 23 | dependencies: 24 | - name: minio 25 | version: 7.1.2 26 | repository: https://helm.min.io/ 27 | condition: minio.enabled 28 | -------------------------------------------------------------------------------- /operator/Dockerfile: -------------------------------------------------------------------------------- 1 | # Build the manager binary 2 | FROM golang:1.15 as builder 3 | 4 | WORKDIR /workspace 5 | # Copy the Go Modules manifests 6 | COPY go.mod go.mod 7 | COPY go.sum go.sum 8 | # cache deps before building and copying source so that we don't need to re-download as much 9 | # and so that source changes don't invalidate our downloaded layer 10 | RUN go mod download 11 | 12 | # Copy the go source 13 | COPY main.go main.go 14 | COPY apis/ apis/ 15 | COPY controllers/ controllers/ 16 | COPY internal/ internal/ 17 | COPY utils/ utils/ 18 | 19 | # Build 20 | RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go 21 | 22 | # Use distroless as minimal base image to package the manager binary 23 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 24 | FROM gcr.io/distroless/static:nonroot 25 | 26 | ENV VERSION=unkown 27 | ENV TELEMETRY_ENABLED "true" 28 | 29 | WORKDIR / 30 | COPY --from=builder /workspace/manager . 
31 | 32 | ENTRYPOINT ["/manager"] 33 | -------------------------------------------------------------------------------- /operator/PROJECT: -------------------------------------------------------------------------------- 1 | domain: securecodebox.io 2 | multigroup: true 3 | repo: github.com/secureCodeBox/secureCodeBox-v2 4 | resources: 5 | - group: execution 6 | kind: Scan 7 | version: v1 8 | - group: execution 9 | kind: ScanType 10 | version: v1 11 | - group: execution 12 | kind: PersistenceProvider 13 | version: v1 14 | - group: execution 15 | kind: ParseDefinition 16 | version: v1 17 | - group: execution 18 | kind: ScheduledScan 19 | version: v1 20 | - group: cascading 21 | kind: CascadingRule 22 | version: v1 23 | version: "2" 24 | -------------------------------------------------------------------------------- /operator/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | ![operator logo](https://docs.securecodebox.io/img/Logo_Color.svg) 2 | 3 | The secureCodeBox operator runs on Kubernetes and is the core component of the complete secureCodeBox stack, responsible for operating all scans and resources. 4 | 5 | 6 | 7 | ## Deployment 8 | 9 | The secureCodeBox Operator can be deployed via helm: 10 | 11 | ```bash 12 | # Add the secureCodeBox Helm Repo 13 | helm repo add secureCodeBox https://charts.securecodebox.io 14 | # Create a new namespace for the secureCodeBox Operator 15 | kubectl create namespace securecodebox-system 16 | # Install the Operator & CRD's 17 | helm install securecodebox-operator secureCodeBox/operator 18 | ``` 19 | 20 | ## Chart Configuration 21 | 22 | {{ template "chart.valuesTable" . 
}} 23 | 24 | -------------------------------------------------------------------------------- /operator/charts/minio-7.1.2.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureCodeBox/secureCodeBox-v2/4840c55cb9fcd69199d0c968d3a43cd6bf4326fe/operator/charts/minio-7.1.2.tgz -------------------------------------------------------------------------------- /operator/config/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # The following manifests contain a self-signed issuer CR and a certificate CR. 2 | # More document can be found at https://docs.cert-manager.io 3 | # WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for 4 | # breaking changes 5 | apiVersion: cert-manager.io/v1alpha2 6 | kind: Issuer 7 | metadata: 8 | name: selfsigned-issuer 9 | namespace: system 10 | spec: 11 | selfSigned: {} 12 | --- 13 | apiVersion: cert-manager.io/v1alpha2 14 | kind: Certificate 15 | metadata: 16 | name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml 17 | namespace: system 18 | spec: 19 | # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize 20 | dnsNames: 21 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc 22 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local 23 | issuerRef: 24 | kind: Issuer 25 | name: selfsigned-issuer 26 | secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize 27 | -------------------------------------------------------------------------------- /operator/config/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | configurations: 5 | - kustomizeconfig.yaml 6 | -------------------------------------------------------------------------------- 
/operator/config/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration is for teaching kustomize how to update name ref and var substitution 2 | nameReference: 3 | - kind: Issuer 4 | group: cert-manager.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: cert-manager.io 8 | path: spec/issuerRef/name 9 | 10 | varReference: 11 | - kind: Certificate 12 | group: cert-manager.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: cert-manager.io 16 | path: spec/dnsNames 17 | -------------------------------------------------------------------------------- /operator/config/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: CustomResourceDefinition 7 | group: apiextensions.k8s.io 8 | path: spec/conversion/webhookClientConfig/service/name 9 | 10 | namespace: 11 | - kind: CustomResourceDefinition 12 | group: apiextensions.k8s.io 13 | path: spec/conversion/webhookClientConfig/service/namespace 14 | create: false 15 | 16 | varReference: 17 | - path: metadata/annotations 18 | -------------------------------------------------------------------------------- /operator/config/crd/patches/cainjection_in_cascadingrules.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: cascadingrules.cascading.securecodebox.io 9 | -------------------------------------------------------------------------------- /operator/config/crd/patches/cainjection_in_parsedefinitions.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: parsedefinitions.execution.securecodebox.io 9 | -------------------------------------------------------------------------------- /operator/config/crd/patches/cainjection_in_persistenceproviders.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: persistenceproviders.execution.securecodebox.io 9 | -------------------------------------------------------------------------------- /operator/config/crd/patches/cainjection_in_scans.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: scans.execution.securecodebox.io 9 | -------------------------------------------------------------------------------- /operator/config/crd/patches/cainjection_in_scantypes.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: scantypes.execution.securecodebox.io 9 | -------------------------------------------------------------------------------- /operator/config/crd/patches/cainjection_in_scheduledscans.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: scheduledscans.execution.securecodebox.io 9 | -------------------------------------------------------------------------------- /operator/config/crd/patches/webhook_in_cascadingrules.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: cascadingrules.cascading.securecodebox.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /operator/config/crd/patches/webhook_in_parsedefinitions.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: parsedefinitions.execution.securecodebox.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /operator/config/crd/patches/webhook_in_persistenceproviders.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: persistenceproviders.execution.securecodebox.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /operator/config/crd/patches/webhook_in_scans.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: scans.execution.securecodebox.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /operator/config/crd/patches/webhook_in_scantypes.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: scantypes.execution.securecodebox.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /operator/config/crd/patches/webhook_in_scheduledscans.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: scheduledscans.execution.securecodebox.io 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /operator/config/default/manager_auth_proxy_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch inject a sidecar container which is a HTTP proxy for the 2 | # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. 
3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: controller-manager 7 | namespace: system 8 | spec: 9 | template: 10 | spec: 11 | containers: 12 | - name: kube-rbac-proxy 13 | image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1 14 | args: 15 | - "--secure-listen-address=0.0.0.0:8443" 16 | - "--upstream=http://127.0.0.1:8080/" 17 | - "--logtostderr=true" 18 | - "--v=10" 19 | ports: 20 | - containerPort: 8443 21 | name: https 22 | - name: manager 23 | args: 24 | - "--metrics-addr=127.0.0.1:8080" 25 | - "--enable-leader-election" 26 | -------------------------------------------------------------------------------- /operator/config/default/manager_webhook_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: controller-manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | ports: 12 | - containerPort: 9443 13 | name: webhook-server 14 | protocol: TCP 15 | volumeMounts: 16 | - mountPath: /tmp/k8s-webhook-server/serving-certs 17 | name: cert 18 | readOnly: true 19 | volumes: 20 | - name: cert 21 | secret: 22 | defaultMode: 420 23 | secretName: webhook-server-cert 24 | -------------------------------------------------------------------------------- /operator/config/default/webhookcainjection_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch add annotation to admission webhook config and 2 | # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. 
3 | apiVersion: admissionregistration.k8s.io/v1beta1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | name: mutating-webhook-configuration 7 | annotations: 8 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 9 | --- 10 | apiVersion: admissionregistration.k8s.io/v1beta1 11 | kind: ValidatingWebhookConfiguration 12 | metadata: 13 | name: validating-webhook-configuration 14 | annotations: 15 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 16 | -------------------------------------------------------------------------------- /operator/config/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | -------------------------------------------------------------------------------- /operator/config/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: system 7 | --- 8 | apiVersion: apps/v1 9 | kind: Deployment 10 | metadata: 11 | name: controller-manager 12 | namespace: system 13 | labels: 14 | control-plane: controller-manager 15 | spec: 16 | selector: 17 | matchLabels: 18 | control-plane: controller-manager 19 | replicas: 1 20 | template: 21 | metadata: 22 | labels: 23 | control-plane: controller-manager 24 | spec: 25 | containers: 26 | - command: 27 | - /manager 28 | args: 29 | - --enable-leader-election 30 | image: controller:latest 31 | name: manager 32 | resources: 33 | limits: 34 | cpu: 100m 35 | memory: 30Mi 36 | requests: 37 | cpu: 100m 38 | memory: 20Mi 39 | terminationGracePeriodSeconds: 10 40 | -------------------------------------------------------------------------------- /operator/config/prometheus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - monitor.yaml 3 | 
-------------------------------------------------------------------------------- /operator/config/prometheus/monitor.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Prometheus Monitor Service (Metrics) 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | labels: 7 | control-plane: controller-manager 8 | name: controller-manager-metrics-monitor 9 | namespace: system 10 | spec: 11 | endpoints: 12 | - path: /metrics 13 | port: https 14 | selector: 15 | matchLabels: 16 | control-plane: controller-manager 17 | -------------------------------------------------------------------------------- /operator/config/rbac/auth_proxy_client_clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1beta1 2 | kind: ClusterRole 3 | metadata: 4 | name: metrics-reader 5 | rules: 6 | - nonResourceURLs: ["/metrics"] 7 | verbs: ["get"] 8 | -------------------------------------------------------------------------------- /operator/config/rbac/auth_proxy_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: proxy-role 5 | rules: 6 | - apiGroups: ["authentication.k8s.io"] 7 | resources: 8 | - tokenreviews 9 | verbs: ["create"] 10 | - apiGroups: ["authorization.k8s.io"] 11 | resources: 12 | - subjectaccessreviews 13 | verbs: ["create"] 14 | -------------------------------------------------------------------------------- /operator/config/rbac/auth_proxy_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: proxy-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: proxy-role 9 | subjects: 10 | - kind: ServiceAccount 11 | 
name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /operator/config/rbac/auth_proxy_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: controller-manager-metrics-service 7 | namespace: system 8 | spec: 9 | ports: 10 | - name: https 11 | port: 8443 12 | targetPort: https 13 | selector: 14 | control-plane: controller-manager 15 | -------------------------------------------------------------------------------- /operator/config/rbac/cascadingrule_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit cascadingrules. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: cascadingrule-editor-role 6 | rules: 7 | - apiGroups: 8 | - cascading.securecodebox.io 9 | resources: 10 | - cascadingrules 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - cascading.securecodebox.io 21 | resources: 22 | - cascadingrules/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /operator/config/rbac/cascadingrule_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view cascadingrules. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: cascadingrule-viewer-role 6 | rules: 7 | - apiGroups: 8 | - cascading.securecodebox.io 9 | resources: 10 | - cascadingrules 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - cascading.securecodebox.io 17 | resources: 18 | - cascadingrules/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /operator/config/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - role.yaml 3 | - role_binding.yaml 4 | - leader_election_role.yaml 5 | - leader_election_role_binding.yaml 6 | # Comment the following 4 lines if you want to disable 7 | # the auth proxy (https://github.com/brancz/kube-rbac-proxy) 8 | # which protects your /metrics endpoint. 9 | - auth_proxy_service.yaml 10 | - auth_proxy_role.yaml 11 | - auth_proxy_role_binding.yaml 12 | - auth_proxy_client_clusterrole.yaml 13 | -------------------------------------------------------------------------------- /operator/config/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - configmaps/status 23 | verbs: 24 | - get 25 | - update 26 | - patch 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - events 31 | verbs: 32 | - create 33 | -------------------------------------------------------------------------------- /operator/config/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /operator/config/rbac/parsedefinition_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit parsedefinitions. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: parsedefinition-editor-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - parsedefinitions 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - execution.securecodebox.io 21 | resources: 22 | - parsedefinitions/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /operator/config/rbac/parsedefinition_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view parsedefinitions. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: parsedefinition-viewer-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - parsedefinitions 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - execution.securecodebox.io 17 | resources: 18 | - parsedefinitions/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /operator/config/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: manager-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: manager-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /operator/config/rbac/scan_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit scans. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scan-editor-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scans 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - execution.securecodebox.io 21 | resources: 22 | - scans/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /operator/config/rbac/scan_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view scans. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scan-viewer-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scans 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - execution.securecodebox.io 17 | resources: 18 | - scans/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /operator/config/rbac/scantype_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit scantypes. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scantype-editor-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scantypes 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - execution.securecodebox.io 21 | resources: 22 | - scantypes/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /operator/config/rbac/scantype_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view scantypes. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scantype-viewer-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scantypes 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - execution.securecodebox.io 17 | resources: 18 | - scantypes/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /operator/config/rbac/scheduledscan_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit scheduledscans. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scheduledscan-editor-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scheduledscans 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - execution.securecodebox.io 21 | resources: 22 | - scheduledscans/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /operator/config/rbac/scheduledscan_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view scheduledscans. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scheduledscan-viewer-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scheduledscans 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - execution.securecodebox.io 17 | resources: 18 | - scheduledscans/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /operator/config/samples/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine 2 | ENTRYPOINT ["echo"] -------------------------------------------------------------------------------- /operator/config/samples/cascading_v1_cascadingrule.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cascading.securecodebox.io/v1 2 | kind: CascadingRule 3 | metadata: 4 | name: cascadingrule-sample 5 | spec: 6 | # Add fields here 7 | foo: bar 8 | -------------------------------------------------------------------------------- /operator/config/samples/execution_v1_parsedefinition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: execution.securecodebox.io/v1 2 | kind: ParseDefinition 3 | metadata: 4 | name: "nmap-xml" 5 | spec: 6 | image: securecodebox/nmap-parser 7 | -------------------------------------------------------------------------------- /operator/config/samples/execution_v1_readandwritehook.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: execution.securecodebox.io/v1 2 | kind: ScanCompletionHook 3 | metadata: 4 | name: "sleep-rw" 5 | spec: 6 | image: "sleep" 7 | type: "ReadAndWrite" 8 | env: [] 9 | -------------------------------------------------------------------------------- /operator/config/samples/execution_v1_readonlyhook.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: execution.securecodebox.io/v1 2 | kind: ScanCompletionHook 3 | metadata: 4 | name: "echo-r" 5 | spec: 6 | image: "echo" 7 | type: "ReadOnly" 8 | env: [] 9 | -------------------------------------------------------------------------------- /operator/config/samples/execution_v1_scantype.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: execution.securecodebox.io/v1 2 | kind: ScanType 3 | metadata: 4 | name: "nmap" 5 | spec: 6 | extractResults: 7 | type: nmap-xml 8 | location: "/home/securecodebox/nmap-results.xml" 9 | jobTemplate: 10 | spec: 11 | ttlSecondsAfterFinished: 10 12 | template: 13 | spec: 14 | restartPolicy: OnFailure 15 | containers: 16 | - name: nmap 17 | image: securecodebox/nmap:7.80 18 | command: ["nmap", "-oX", "/home/securecodebox/nmap-results.xml"] 19 | -------------------------------------------------------------------------------- /operator/config/samples/execution_v1_scheduledscan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: execution.securecodebox.io/v1 2 | kind: ScheduledScan 3 | metadata: 4 | name: scheduled-nmap-localhost 5 | spec: 6 | interval: 1m 7 | successfulJobsHistoryLimit: 2 8 | scanSpec: 9 | scanType: "nmap" 10 | parameters: 11 | - "-Pn" 12 | - "192.168.178.24" 13 | -------------------------------------------------------------------------------- /operator/config/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manifests.yaml 3 | - service.yaml 4 | 5 | configurations: 6 | - kustomizeconfig.yaml 7 | -------------------------------------------------------------------------------- /operator/config/webhook/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # the following config is for teaching 
kustomize where to look at when substituting vars. 2 | # It requires kustomize v2.1.0 or newer to work properly. 3 | nameReference: 4 | - kind: Service 5 | version: v1 6 | fieldSpecs: 7 | - kind: MutatingWebhookConfiguration 8 | group: admissionregistration.k8s.io 9 | path: webhooks/clientConfig/service/name 10 | - kind: ValidatingWebhookConfiguration 11 | group: admissionregistration.k8s.io 12 | path: webhooks/clientConfig/service/name 13 | 14 | namespace: 15 | - kind: MutatingWebhookConfiguration 16 | group: admissionregistration.k8s.io 17 | path: webhooks/clientConfig/service/namespace 18 | create: true 19 | - kind: ValidatingWebhookConfiguration 20 | group: admissionregistration.k8s.io 21 | path: webhooks/clientConfig/service/namespace 22 | create: true 23 | 24 | varReference: 25 | - path: metadata/annotations 26 | -------------------------------------------------------------------------------- /operator/config/webhook/manifests.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureCodeBox/secureCodeBox-v2/4840c55cb9fcd69199d0c968d3a43cd6bf4326fe/operator/config/webhook/manifests.yaml -------------------------------------------------------------------------------- /operator/config/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: webhook-service 6 | namespace: system 7 | spec: 8 | ports: 9 | - port: 443 10 | targetPort: 9443 11 | selector: 12 | control-plane: controller-manager 13 | -------------------------------------------------------------------------------- /operator/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/secureCodeBox/secureCodeBox-v2/operator 2 | 3 | go 1.15 4 | 5 | require ( 6 | github.com/go-logr/logr v0.1.0 7 | github.com/minio/minio-go/v6 v6.0.50 8 | github.com/onsi/ginkgo v1.11.0 9 | 
github.com/onsi/gomega v1.8.1 10 | k8s.io/api v0.17.2 11 | k8s.io/apimachinery v0.17.2 12 | k8s.io/client-go v0.17.2 13 | sigs.k8s.io/controller-runtime v0.5.2 14 | ) 15 | -------------------------------------------------------------------------------- /operator/hack/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2020 iteratec GmbH. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ -------------------------------------------------------------------------------- /operator/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: operator 3 | description: secureCodeBox Operator to automate the execution of security scans on kubernetes 4 | 5 | type: application 6 | 7 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 8 | version: latest 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - secureCodeBox 14 | - operator 15 | home: https://docs.securecodebox.io/docs/getting-started/installation 16 | icon: https://docs.securecodebox.io/img/Logo_Color.svg 17 | sources: 18 | - https://github.com/secureCodeBox/secureCodeBox-v2 19 | maintainers: 20 | - name: iteratec GmbH 21 | email: secureCodeBox@iteratec.com 22 | 23 | dependencies: 24 | - name: minio 25 | version: 5.0.19 26 | repository: https://kubernetes-charts.storage.googleapis.com/ 
27 | condition: minio.enabled 28 | -------------------------------------------------------------------------------- /operator/helm2.requirements.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: minio 3 | repository: https://kubernetes-charts.storage.googleapis.com/ 4 | version: 5.0.19 5 | digest: sha256:13a3a902e7ac7dcc7124ab858344b5bebe9ab623d06ee9c8d5a1cc3f467a36bb 6 | generated: "2020-08-10T13:09:59.053995+02:00" -------------------------------------------------------------------------------- /operator/helm2.requirements.yaml: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: minio 3 | version: 5.0.19 4 | repository: https://kubernetes-charts.storage.googleapis.com/ 5 | condition: minio.enabled 6 | -------------------------------------------------------------------------------- /operator/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | secureCodeBox Operator Deployed 🚀 2 | 3 | The operator can orchestrate the execution of various security scanning tools inside of your cluster. 4 | You can find a list of all officially supported scanners here: https://www.securecodebox.io/integrations/ 5 | The website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch. 6 | 7 | {{ if .Values.telemetryEnabled -}} 8 | The operator sends out regular telemetry pings to a central service. 9 | This lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used. 10 | The submitted data is chosen to be as anonymous as possible. 11 | You can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/telemetry 12 | The first ping is sent one hour after the install; you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.
13 | {{ else -}} 14 | Telemetry data collection has been disabled. 15 | {{ end -}} -------------------------------------------------------------------------------- /operator/templates/rbac/auth_proxy_client_clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1beta1 2 | kind: ClusterRole 3 | metadata: 4 | name: metrics-reader 5 | rules: 6 | - nonResourceURLs: ["/metrics"] 7 | verbs: ["get"] 8 | -------------------------------------------------------------------------------- /operator/templates/rbac/auth_proxy_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: proxy-role 5 | rules: 6 | - apiGroups: ["authentication.k8s.io"] 7 | resources: 8 | - tokenreviews 9 | verbs: ["create"] 10 | - apiGroups: ["authorization.k8s.io"] 11 | resources: 12 | - subjectaccessreviews 13 | verbs: ["create"] 14 | -------------------------------------------------------------------------------- /operator/templates/rbac/auth_proxy_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: proxy-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: proxy-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: {{ .Release.Namespace }} 13 | 14 | -------------------------------------------------------------------------------- /operator/templates/rbac/auth_proxy_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: controller-manager-metrics-service 7 | namespace: {{ .Release.Namespace }} 8 | spec: 9 | ports: 10 | - name: 
https 11 | port: 8443 12 | targetPort: https 13 | selector: 14 | control-plane: controller-manager 15 | -------------------------------------------------------------------------------- /operator/templates/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - configmaps/status 23 | verbs: 24 | - get 25 | - update 26 | - patch 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - events 31 | verbs: 32 | - create 33 | -------------------------------------------------------------------------------- /operator/templates/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: {{ .Release.Namespace }} 13 | -------------------------------------------------------------------------------- /operator/templates/rbac/parsedefinition_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit parsedefinitions. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: parsedefinition-editor-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - parsedefinitions 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - execution.securecodebox.io 21 | resources: 22 | - parsedefinitions/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /operator/templates/rbac/parsedefinition_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view parsedefinitions. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: parsedefinition-viewer-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - parsedefinitions 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - execution.securecodebox.io 17 | resources: 18 | - parsedefinitions/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /operator/templates/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: manager-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: manager-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: {{ .Release.Namespace }} 13 | -------------------------------------------------------------------------------- /operator/templates/rbac/scan_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit scans. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scan-editor-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scans 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - execution.securecodebox.io 21 | resources: 22 | - scans/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /operator/templates/rbac/scan_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view scans. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scan-viewer-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scans 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - execution.securecodebox.io 17 | resources: 18 | - scans/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /operator/templates/rbac/scantype_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit scantypes. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scantype-editor-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scantypes 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - execution.securecodebox.io 21 | resources: 22 | - scantypes/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /operator/templates/rbac/scantype_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view scantypes. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scantype-viewer-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scantypes 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - execution.securecodebox.io 17 | resources: 18 | - scantypes/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /operator/templates/rbac/scheduledscan_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit scheduledscans. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scheduledscan-editor-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scheduledscans 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - execution.securecodebox.io 21 | resources: 22 | - scheduledscans/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /operator/templates/rbac/scheduledscan_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view scheduledscans. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: scheduledscan-viewer-role 6 | rules: 7 | - apiGroups: 8 | - execution.securecodebox.io 9 | resources: 10 | - scheduledscans 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - execution.securecodebox.io 17 | resources: 18 | - scheduledscans/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /operator/utils/truncatedname.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "fmt" 5 | "strings" 6 | ) 7 | 8 | // TruncateName ensures that the name used for a Kubernetes object does not exceed the 63-character length limit. It cuts off anything after byte 57 so that the separating `-` (appended below) and the random suffix added by the k8s `generateName` mechanism still fit. Note: `len` and slicing are byte-based, so the cut could split a multi-byte rune for non-ASCII input; Kubernetes names are expected to be ASCII-only, so this should not matter in practice. 9 | func TruncateName(name string) string { 10 | if len(name) >= 57 { 11 | name = name[0:57] 12 | } 13 | 14 | // Ensure that the string does not end in a dot. 
15 | // A trailing dot would make the next DNS label start with the `-` appended below, which is not a valid name and is thus rejected by Kubernetes. 16 | if strings.HasSuffix(name, ".") { 17 | name = name[0:(len(name) - 1)] 18 | } 19 | 20 | return fmt.Sprintf("%s-", name) 21 | } 22 | -------------------------------------------------------------------------------- /parser-sdk/nodejs/.dockerignore: -------------------------------------------------------------------------------- 1 | node_modules/ -------------------------------------------------------------------------------- /parser-sdk/nodejs/.gitignore: -------------------------------------------------------------------------------- 1 | node_modules/ -------------------------------------------------------------------------------- /parser-sdk/nodejs/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:12-alpine as build 2 | WORKDIR /home/app 3 | COPY package.json package-lock.json ./ 4 | RUN npm ci --production 5 | 6 | FROM node:12-alpine 7 | ARG NODE_ENV 8 | RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app 9 | WORKDIR /home/app/parser-wrapper/ 10 | COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ 11 | COPY --chown=app:app ./parser-wrapper.js ./parser-wrapper.js 12 | USER 1001 13 | ENV NODE_ENV ${NODE_ENV:-production} 14 | ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"] 15 | -------------------------------------------------------------------------------- /parser-sdk/nodejs/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "securecodebox-parser-sdk-nodejs", 3 | "version": "1.0.0", 4 | "description": "Handles external communication required for all secureCodeBox parsers", 5 | "main": "parser-wrapper.js", 6 | "scripts": { 7 | "test": "jest" 8 | }, 9 | "keywords": [], 10 | "author": "iteratec GmbH", 11 | "license": "Apache-2.0", 12 | "dependencies": { 13 | "@kubernetes/client-node": "^0.12.2", 14 | 
"axios": "^0.20.0", 15 | "uuid": "^3.3.3", 16 | "ws": "^7.3.1" 17 | }, 18 | "devDependencies": { 19 | "jest": "^24.9.0" 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /scanners/amass/.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | parser/ 4 | scanner/ 5 | examples/ -------------------------------------------------------------------------------- /scanners/amass/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: amass 3 | description: A Helm chart for the Amass security scanner that integrates with the secureCodeBox. 4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: 3.10.4 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - amass 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/Amass 17 | icon: https://docs.securecodebox.io/img/integrationIcons/Amass.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | -------------------------------------------------------------------------------- /scanners/amass/examples/example.com/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "example.com" 3 | --- 4 | 5 | > ✍ **Page under construction.** 6 | 7 | the frontmatter requires the name of the scantarget as 'title' 8 | -------------------------------------------------------------------------------- /scanners/amass/examples/example.com/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "amass-example.com" 5 | spec: 6 | 
scanType: "amass" 7 | parameters: 8 | - "-noalts" 9 | - "-norecursive" 10 | - "-nolocaldb" 11 | - "-d" 12 | - "example.com" 13 | -------------------------------------------------------------------------------- /scanners/amass/examples/secureCodeBox.io/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "amass-securecodebox.io" 5 | labels: 6 | organization: "secureCodeBox" 7 | spec: 8 | scanType: "amass" 9 | parameters: 10 | - "-noalts" 11 | - "-norecursive" 12 | - "-d" 13 | - "securecodebox.io" 14 | -------------------------------------------------------------------------------- /scanners/amass/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: amass 3 | description: A Helm chart for the Amass security scanner that integrates with the secureCodeBox. 4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: 3.10.4 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - amass 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/Amass 17 | icon: https://docs.securecodebox.io/img/integrationIcons/Amass.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | -------------------------------------------------------------------------------- /scanners/amass/parser/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest} 3 | WORKDIR /home/app/parser-wrapper/parser/ 4 | COPY --chown=app:app ./parser.js ./parser.js 5 | 
-------------------------------------------------------------------------------- /scanners/amass/parser/parser.js: -------------------------------------------------------------------------------- 1 | async function parse(fileContent) { 2 | return fileContent 3 | .split('\n') 4 | .filter(Boolean) 5 | .map(domainJson => { 6 | const domain = JSON.parse(domainJson); 7 | return { 8 | name: domain.name, 9 | description: `Found subdomain ${domain.name}`, 10 | category: 'Subdomain', 11 | location: domain.name, 12 | osi_layer: 'NETWORK', 13 | severity: 'INFORMATIONAL', 14 | attributes: { 15 | tag: domain.tag, 16 | name: domain.name, 17 | source: domain.source, 18 | domain: domain.domain, 19 | addresses: domain.addresses, 20 | }, 21 | }; 22 | }); 23 | } 24 | 25 | module.exports.parse = parse; 26 | -------------------------------------------------------------------------------- /scanners/amass/parser/parser.test.js: -------------------------------------------------------------------------------- 1 | const fs = require('fs'); 2 | const util = require('util'); 3 | 4 | // eslint-disable-next-line security/detect-non-literal-fs-filename 5 | const readFile = util.promisify(fs.readFile); 6 | 7 | const { parse } = require('./parser'); 8 | 9 | test('example parser parses empty json to zero findings', async () => { 10 | const fileContent = await readFile( 11 | __dirname + '/__testFiles__/securecodebox.io.jsonl', 12 | { 13 | encoding: 'utf8', 14 | } 15 | ); 16 | 17 | expect(await parse(fileContent)).toMatchSnapshot(); 18 | }); 19 | -------------------------------------------------------------------------------- /scanners/amass/templates/amass-parse-definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ParseDefinition 3 | metadata: 4 | name: "amass-jsonl" 5 | spec: 6 | handlesResultsType: amass-jsonl 7 | image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default 
.Chart.Version }}" 8 | -------------------------------------------------------------------------------- /scanners/kube-hunter/.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | parser/ 4 | scanner/ 5 | examples/ -------------------------------------------------------------------------------- /scanners/kube-hunter/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: kube-hunter 3 | description: A Helm chart for the kube-hunter security scanner that integrates with the secureCodeBox. 4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: v0.3.0 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - kube-hunter 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/kube-hunter 17 | icon: https://docs.securecodebox.io/img/integrationIcons/kube-hunter.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | 24 | -------------------------------------------------------------------------------- /scanners/kube-hunter/cascading-rules/remote-kubernetes.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "cascading.securecodebox.io/v1" 2 | kind: CascadingRule 3 | metadata: 4 | name: "kubernetes-control-plane" 5 | labels: 6 | securecodebox.io/invasive: non-invasive 7 | securecodebox.io/intensive: light 8 | spec: 9 | matches: 10 | anyOf: 11 | # API Server 12 | - category: "Open Port" 13 | attributes: 14 | port: 6443 15 | state: "open" 16 | # etcd API 17 | - category: "Open Port" 18 | attributes: 19 | port: 2379 20 | state: "open" 21 | scanSpec: 22 | scanType: "kube-hunter" 23 | parameters: 24 | - "--remote" 25 | - 
"{{$.hostOrIP}}" 26 | --- 27 | apiVersion: "cascading.securecodebox.io/v1" 28 | kind: CascadingRule 29 | metadata: 30 | name: "kubernetes-node" 31 | labels: 32 | securecodebox.io/invasive: non-invasive 33 | securecodebox.io/intensive: light 34 | spec: 35 | matches: 36 | anyOf: 37 | # kubelet API 38 | - category: "Open Port" 39 | attributes: 40 | port: 10250 41 | state: "open" 42 | scanSpec: 43 | scanType: "kube-hunter" 44 | parameters: 45 | - "--remote" 46 | - "{{$.hostOrIP}}" 47 | -------------------------------------------------------------------------------- /scanners/kube-hunter/examples/in-cluster/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "kube-hunter-in-cluster" 5 | spec: 6 | scanType: "kube-hunter" 7 | parameters: 8 | - "--pod" 9 | -------------------------------------------------------------------------------- /scanners/kube-hunter/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: kube-hunter 3 | description: A Helm chart for the kube-hunter security scanner that integrates with the secureCodeBox. 
4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: v0.3.0 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - kube-hunter 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/kube-hunter 17 | icon: https://docs.securecodebox.io/img/integrationIcons/kube-hunter.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | -------------------------------------------------------------------------------- /scanners/kube-hunter/parser/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest} 3 | WORKDIR /home/app/parser-wrapper/parser/ 4 | COPY --chown=app:app ./parser.js ./parser.js 5 | -------------------------------------------------------------------------------- /scanners/kube-hunter/parser/parser.test.js: -------------------------------------------------------------------------------- 1 | const fs = require('fs'); 2 | const util = require('util'); 3 | 4 | // eslint-disable-next-line security/detect-non-literal-fs-filename 5 | const readFile = util.promisify(fs.readFile); 6 | 7 | const { parse } = require('./parser'); 8 | 9 | test('parses result from kind-1.18-in-cluster-scan correctly', async () => { 10 | const fileContent = JSON.parse( 11 | await readFile(__dirname + '/__testFiles__/kind-1.18-in-cluster-scan.json', { 12 | encoding: 'utf8', 13 | }) 14 | ); 15 | 16 | expect(await parse(fileContent)).toMatchSnapshot(); 17 | }); 18 | -------------------------------------------------------------------------------- /scanners/kube-hunter/scanner/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM aquasec/kube-hunter:0.3.0 2 | 
COPY wrapper.sh /wrapper.sh 3 | ENTRYPOINT [ "sh", "/wrapper.sh" ] -------------------------------------------------------------------------------- /scanners/kube-hunter/scanner/wrapper.sh: -------------------------------------------------------------------------------- 1 | kube-hunter $@ >/home/securecodebox/kube-hunter-results.json 2 | exit $? -------------------------------------------------------------------------------- /scanners/kube-hunter/templates/cascading-rules.yaml: -------------------------------------------------------------------------------- 1 | # The CascadingRules are not directly in the /templates directory as their curly bracket syntax clashes with helms templates ... :( 2 | # We import them as raw files to avoid these clashes as escaping them is even more messy 3 | {{ range $path, $_ := .Files.Glob "cascading-rules/*" }} 4 | # Include File 5 | {{ $.Files.Get $path }} 6 | # Separate multiple files 7 | --- 8 | {{ end }} -------------------------------------------------------------------------------- /scanners/kube-hunter/templates/kube-hunter-parse-definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ParseDefinition 3 | metadata: 4 | name: "kube-hunter-json" 5 | spec: 6 | handlesResultsType: kube-hunter-json 7 | image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" 8 | -------------------------------------------------------------------------------- /scanners/kubeaudit/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "kubeaudit" 3 | path: "scanners/kubeaudit" 4 | category: "scanner" 5 | type: "Kubernetes" 6 | state: "roadmap" 7 | appVersion: "0.9.0" 8 | usecase: "Audit your Kubernetes clusters" 9 | --- 10 | 11 | kubeaudit helps you audit your Kubernetes clusters against common security controls. 
12 | 13 | To learn more about the kubeaudit scanner itself visit [kubeaudit GitHub]. 14 | 15 | 16 | 17 | > 🔧 The secureCodeBox core team is working on an integration of kubeaudit. We will keep you informed. 18 | 19 | [kubeaudit GitHub]: https://github.com/Shopify/kubeaudit 20 | [kubeaudit Documentation]: https://github.com/Shopify/kubeaudit#quick-start 21 | -------------------------------------------------------------------------------- /scanners/ncrack/.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | parser/ 4 | scanner/ 5 | examples/ 6 | 7 | -------------------------------------------------------------------------------- /scanners/ncrack/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: ncrack 3 | description: A Helm chart for the NCRACK security Scanner that integrates with the secureCodeBox. 4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: 0.7 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - ncrack 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/Ncrack 17 | icon: https://docs.securecodebox.io/img/integrationIcons/Ncrack.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | -------------------------------------------------------------------------------- /scanners/ncrack/cascading-rules/crackssh.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "cascading.securecodebox.io/v1" 2 | kind: CascadingRule 3 | metadata: 4 | name: "ncrack-ssh" 5 | labels: 6 | securecodebox.io/invasive: invasive 7 | securecodebox.io/intensive: high 8 | spec: 9 | matches: 10 | anyOf: 11 | - category: "Open 
Port" 12 | attributes: 13 | port: 22 14 | state: open 15 | - category: "Open Port" 16 | attributes: 17 | service: "ssh" 18 | state: open 19 | scanSpec: 20 | scanType: "ncrack" 21 | parameters: 22 | - -v 23 | - -d10 24 | - -U 25 | - /ncrack/users.txt 26 | - -P 27 | - /ncrack/passwords.txt 28 | - -p 29 | - ssh:{{attributes.port}} 30 | - "{{attributes.ip_address}}" 31 | -------------------------------------------------------------------------------- /scanners/ncrack/examples/dummy-ssh/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "dummy-ssh" 5 | spec: 6 | scanType: "ncrack" 7 | parameters: 8 | # Enable verbose logging, d10: Debug Level 10, printing more output to the console 9 | - -v 10 | - -d10 11 | - -U 12 | - /ncrack/users.txt 13 | - -P 14 | - /ncrack/passwords.txt 15 | - ssh://dummy-ssh 16 | -------------------------------------------------------------------------------- /scanners/ncrack/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: ncrack 3 | description: A Helm chart for the NCRACK security Scanner that integrates with the secureCodeBox. 
4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: 0.7 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - ncrack 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/Ncrack 17 | icon: https://docs.securecodebox.io/img/integrationIcons/Ncrack.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | -------------------------------------------------------------------------------- /scanners/ncrack/parser/.dockerignore: -------------------------------------------------------------------------------- 1 | node_modules/ 2 | 3 | -------------------------------------------------------------------------------- /scanners/ncrack/parser/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM node:12-alpine as build 3 | RUN mkdir -p /home/app 4 | WORKDIR /home/app 5 | COPY package.json package-lock.json ./ 6 | RUN npm ci --production 7 | 8 | FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest} 9 | WORKDIR /home/app/parser-wrapper/parser/ 10 | COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ 11 | COPY --chown=app:app ./parser.js ./parser.js 12 | -------------------------------------------------------------------------------- /scanners/ncrack/parser/__testFiles__/ncrack_no_results.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /scanners/ncrack/parser/__testFiles__/ncrack_two_services_no_results.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
9 | 10 | 11 | 12 |
13 | 14 | 15 | -------------------------------------------------------------------------------- /scanners/ncrack/parser/__testFiles__/ncrack_two_services_with_results.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
9 | 10 | 11 | 12 | 13 |
14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /scanners/ncrack/parser/__testFiles__/ncrack_with_results.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /scanners/ncrack/parser/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "ncrack-parser", 3 | "version": "1.0.0", 4 | "description": "Parses result files for the type: 'ncrack-xml'", 5 | "main": "", 6 | "scripts": {}, 7 | "keywords": [], 8 | "author": "iteratec GmbH", 9 | "license": "Apache-2.0", 10 | "dependencies": { 11 | "xml2js": "^0.4.22" 12 | }, 13 | "devDependencies": {} 14 | } 15 | -------------------------------------------------------------------------------- /scanners/ncrack/scanner/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | 3 | RUN apt-get update \ 4 | && apt-get install ncrack=0.7+debian-1build1 -y \ 5 | && rm -rf /var/lib/apt/lists/* 6 | 7 | CMD [ "ncrack" ] 8 | 9 | -------------------------------------------------------------------------------- /scanners/ncrack/templates/cascading-rules.yaml: -------------------------------------------------------------------------------- 1 | # The CascadingRules are not directly in the /templates directory as their curly bracket syntax clashes with helms templates ... 
:( 2 | # We import them as raw files to avoid these clashes as escaping them is even more messy 3 | {{ range $path, $_ := .Files.Glob "cascading-rules/*" }} 4 | # Include File 5 | {{ $.Files.Get $path }} 6 | # Separate multiple files 7 | --- 8 | {{ end }} 9 | 10 | -------------------------------------------------------------------------------- /scanners/ncrack/templates/ncrack-parse-definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ParseDefinition 3 | metadata: 4 | name: "ncrack-xml" 5 | spec: 6 | handlesResultsType: ncrack-xml 7 | image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" 8 | -------------------------------------------------------------------------------- /scanners/nikto/.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | parser/ 4 | scanner/ 5 | examples/ -------------------------------------------------------------------------------- /scanners/nikto/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: nikto 3 | description: A Helm chart for the Nikto security scanner that integrates with the secureCodeBox. 
4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | # appVersion - Nikto doesn't really version its releases 9 | appVersion: latest 10 | kubeVersion: ">=v1.11.0" 11 | 12 | keywords: 13 | - security 14 | - nikto 15 | - scanner 16 | - secureCodeBox 17 | home: https://docs.securecodebox.io/docs/scanners/Nikto 18 | icon: https://docs.securecodebox.io/img/integrationIcons/Nikto.svg 19 | sources: 20 | - https://github.com/secureCodeBox/secureCodeBox-v2 21 | maintainers: 22 | - name: iteratec GmbH 23 | email: secureCodeBox@iteratec.com 24 | -------------------------------------------------------------------------------- /scanners/nikto/cascading-rules/http.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "cascading.securecodebox.io/v1" 2 | kind: CascadingRule 3 | metadata: 4 | name: "nikto-http" 5 | labels: 6 | securecodebox.io/invasive: non-invasive 7 | securecodebox.io/intensive: medium 8 | spec: 9 | matches: 10 | anyOf: 11 | - category: "Open Port" 12 | attributes: 13 | service: http 14 | state: open 15 | - category: "Open Port" 16 | attributes: 17 | service: https 18 | state: open 19 | scanSpec: 20 | scanType: "nikto" 21 | parameters: 22 | - "-host" 23 | # Use Hostname if defined, fall back to ip if not defined 24 | - "{{$.hostOrIP}}" 25 | - "-port" 26 | - "{{attributes.port}}" 27 | - "-Tuning" 28 | - "1,2,3,5,7,b" 29 | -------------------------------------------------------------------------------- /scanners/nikto/examples/demo-bodgeit/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 'execution.securecodebox.io/v1' 2 | kind: Scan 3 | metadata: 4 | name: 'nikto-bodgeit' 5 | labels: 6 | organization: 'secureCodeBox' 7 | spec: 8 | scanType: 'nikto' 9 | parameters: 10 | - '-h' 11 | - 'bodgeit' 12 | - '-port 8080' 13 | - '-Tuning' 14 | # Only enable 
fast(ish) scan options and leave out the active attack options such as SQLi and RCE; those are left to ZAP 15 | - '1,2,3,5,7,b' 16 | -------------------------------------------------------------------------------- /scanners/nikto/examples/demo-juice-shop/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 'execution.securecodebox.io/v1' 2 | kind: Scan 3 | metadata: 4 | name: 'nikto-juice-shop' 5 | labels: 6 | organization: 'secureCodeBox' 7 | spec: 8 | scanType: 'nikto' 9 | parameters: 10 | - '-h' 11 | - 'juice-shop' 12 | - '-port 3000' 13 | - '-Tuning' 14 | # Only enable fast(ish) scan options and leave out the active attack options such as SQLi and RCE; those are left to ZAP 15 | - '1,2,3,5,7,b' 16 | -------------------------------------------------------------------------------- /scanners/nikto/examples/demo-secureCodeBox.io/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 'execution.securecodebox.io/v1' 2 | kind: Scan 3 | metadata: 4 | name: 'nikto-www.securecodebox.io' 5 | labels: 6 | organization: 'secureCodeBox' 7 | spec: 8 | scanType: 'nikto' 9 | parameters: 10 | - '-h' 11 | - 'https://www.securecodebox.io' 12 | - '-Tuning' 13 | # Only enable fast(ish) scan options and leave out the active attack options such as SQLi and RCE; those are left to ZAP 14 | - '1,2,3,5,7,b' 15 | -------------------------------------------------------------------------------- /scanners/nikto/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: nikto 3 | description: A Helm chart for the Nikto security scanner that integrates with the secureCodeBox. 
4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | # appVersion - Nikto doesn't really version its releases 9 | appVersion: latest 10 | kubeVersion: ">=v1.11.0" 11 | 12 | keywords: 13 | - security 14 | - nikto 15 | - scanner 16 | - secureCodeBox 17 | home: https://docs.securecodebox.io/docs/scanners/Nikto 18 | icon: https://docs.securecodebox.io/img/integrationIcons/Nikto.svg 19 | sources: 20 | - https://github.com/secureCodeBox/secureCodeBox-v2 21 | maintainers: 22 | - name: iteratec GmbH 23 | email: secureCodeBox@iteratec.com 24 | -------------------------------------------------------------------------------- /scanners/nikto/parser/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest} 3 | WORKDIR /home/app/parser-wrapper/parser/ 4 | COPY --chown=app:app ./parser.js ./parser.js 5 | -------------------------------------------------------------------------------- /scanners/nikto/parser/parser.test.js: -------------------------------------------------------------------------------- 1 | const fs = require("fs"); 2 | const util = require("util"); 3 | 4 | // eslint-disable-next-line security/detect-non-literal-fs-filename 5 | const readFile = util.promisify(fs.readFile); 6 | 7 | const { parse } = require("./parser"); 8 | 9 | test("parses www.securecodebox.io result file into findings", async () => { 10 | const fileContent = JSON.parse( 11 | await readFile(__dirname + "/__testFiles__/www.securecodebox.io.json", { 12 | encoding: "utf8", 13 | }) 14 | ); 15 | 16 | expect(await parse(fileContent)).toMatchSnapshot(); 17 | }); 18 | 19 | test("parses OWASP Juice Shop result file into findings", async () => { 20 | const fileContent = JSON.parse( 21 | await readFile(__dirname + "/__testFiles__/juice-shop.json", { 22 | encoding: "utf8", 23 | }) 24 
| ); 25 | 26 | expect(await parse(fileContent)).toMatchSnapshot(); 27 | }); 28 | -------------------------------------------------------------------------------- /scanners/nikto/scanner/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM sullo/nikto 2 | COPY wrapper.sh /wrapper.sh 3 | ENTRYPOINT [ "sh", "/wrapper.sh" ] -------------------------------------------------------------------------------- /scanners/nikto/scanner/wrapper.sh: -------------------------------------------------------------------------------- 1 | # Nikto entrypoint script: Nikto may exit with a non-zero exit code, which would cause the Kubernetes Job to fail no matter what, so the exit code is forced to 0 below. 2 | # Caveat: this also masks genuine failures (unreachable target, bad arguments); the Job then succeeds with an empty or missing result file, so a completed Job must not be taken as proof that the scan ran. The unquoted $@ word-splits its arguments, which is what lets the examples pass '-port 8080' as a single parameter. 3 | nikto.pl $@ 4 | exit 0 -------------------------------------------------------------------------------- /scanners/nikto/templates/cascading-rules.yaml: -------------------------------------------------------------------------------- 1 | # The CascadingRules are not directly in the /templates directory as their curly bracket syntax clashes with Helm's templates ... 
:( 2 | # We import them as raw files to avoid these clashes as escaping them is even more messy 3 | {{ range $path, $_ := .Files.Glob "cascading-rules/*" }} 4 | # Include File 5 | {{ $.Files.Get $path }} 6 | # Separate multiple files 7 | --- 8 | {{ end }} -------------------------------------------------------------------------------- /scanners/nikto/templates/nikto-parse-definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ParseDefinition 3 | metadata: 4 | name: "nikto-json" 5 | spec: 6 | handlesResultsType: nikto-json 7 | image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" 8 | -------------------------------------------------------------------------------- /scanners/nmap/.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | parser/ 4 | scanner/ 5 | examples/ -------------------------------------------------------------------------------- /scanners/nmap/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: nmap 3 | description: A Helm chart for the NMAP security Scanner that integrates with the secureCodeBox. 
4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: 7.80-r2 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - nmap 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/Nmap 17 | icon: https://docs.securecodebox.io/img/integrationIcons/Nmap.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | -------------------------------------------------------------------------------- /scanners/nmap/cascading-rules/hostscan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "cascading.securecodebox.io/v1" 2 | kind: CascadingRule 3 | metadata: 4 | name: "nmap-hostscan" 5 | labels: 6 | securecodebox.io/invasive: non-invasive 7 | securecodebox.io/intensive: light 8 | spec: 9 | matches: 10 | anyOf: 11 | - category: "Subdomain" 12 | osi_layer: "NETWORK" 13 | scanSpec: 14 | scanType: "nmap" 15 | parameters: 16 | # Treat all hosts as online -- skip host discovery 17 | - "-Pn" 18 | # Target host of the finding: its location field (presumably the discovered subdomain). No -p is given, so nmap scans its default port range. 19 | - "{{location}}" 20 | -------------------------------------------------------------------------------- /scanners/nmap/cascading-rules/smb.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "cascading.securecodebox.io/v1" 2 | kind: CascadingRule 3 | metadata: 4 | name: "nmap-smb" 5 | labels: 6 | securecodebox.io/invasive: non-invasive 7 | securecodebox.io/intensive: light 8 | spec: 9 | matches: 10 | anyOf: 11 | - category: "Open Port" 12 | attributes: 13 | port: 445 14 | state: open 15 | - category: "Open Port" 16 | attributes: 17 | service: "microsoft-ds" 18 | state: open 19 | - category: "Open Port" 20 | attributes: 21 | service: "netbios-ssn" 22 | state: open 23 | scanSpec: 24 | 
scanType: "nmap" 25 | parameters: 26 | # Treat all hosts as online -- skip host discovery 27 | - "-Pn" 28 | # Target Port of the finding 29 | - "-p{{attributes.port}}" 30 | # Use SMB Script 31 | - "--script" 32 | - "smb-protocols" 33 | # Against Host 34 | - "{{$.hostOrIP}}" 35 | -------------------------------------------------------------------------------- /scanners/nmap/examples/demo-app-ssh/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "nmap-ssh-demo-cluster-internal" 5 | spec: 6 | scanType: "nmap" 7 | parameters: 8 | # Internal cluster is blocking our ping probes, therefore we skip them 9 | - "-Pn" 10 | # Service Detection enabled 11 | - "-sV" 12 | # Actual Service Address will depend on you cluster and namespace configuration. 🤷‍ 13 | - "dummy-ssh.demo-apps.svc" 14 | -------------------------------------------------------------------------------- /scanners/nmap/examples/demo-juice-shop/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "nmap-juice-shop-cluster-internal" 5 | spec: 6 | scanType: "nmap" 7 | parameters: 8 | # Internal cluster is blocking our ping probes, therefore we skip them 9 | - "-Pn" 10 | # Service Detection enabled 11 | - "-sV" 12 | # Actual Service Address will depend on you cluster and namespace configuration. 
🤷‍ 13 | - juice-shop.demo-apps.svc.cluster.local 14 | -------------------------------------------------------------------------------- /scanners/nmap/examples/dummy-ssh-cascade/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "nmap-dummy-ssh" 5 | spec: 6 | scanType: "nmap" 7 | parameters: 8 | # Internal cluster is blocking our ping probes, therefore we skip them 9 | - "-Pn" 10 | # Service Detection enabled 11 | - "-sV" 12 | # Actual Service Address will depend on you cluster and namespace configuration. 🤷‍ 13 | - "dummy-ssh.demo-apps.svc" 14 | cascades: 15 | matchLabels: 16 | securecodebox.io/invasive: invasive 17 | securecodebox.io/intensive: high 18 | -------------------------------------------------------------------------------- /scanners/nmap/examples/local-network/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "nmap-local-network" 5 | spec: 6 | scanType: "nmap" 7 | parameters: 8 | # Actual IP will depend on you network config. 
🤷‍ 9 | # Only scan address ranges you own or are explicitly authorised to test; adjust the CIDR to your own network. 10 | - 192.168.178.0/24 11 | -------------------------------------------------------------------------------- /scanners/nmap/examples/localhost/findings.yaml: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "name": "Host: localhost", 4 | "category": "Host", 5 | "description": "Found a host", 6 | "location": "localhost", 7 | "severity": "INFORMATIONAL", 8 | "osi_layer": "NETWORK", 9 | "attributes": { 10 | "ip_address": "127.0.0.1", 11 | "hostname": "localhost", 12 | "operating_system": null 13 | }, 14 | "id": "9dced98c-eab8-4918-9f2d-ffb54df8436b" 15 | } 16 | ] 17 | -------------------------------------------------------------------------------- /scanners/nmap/examples/localhost/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "nmap-localhost" 5 | spec: 6 | scanType: "nmap" 7 | parameters: 8 | # Note: Localhost here isn't "your" localhost, but the scanner container itself. 9 | # This container doesn't have any ports open, so expect only a host finding. 10 | - localhost 11 | -------------------------------------------------------------------------------- /scanners/nmap/examples/scan.nmap.org/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "nmap-scanme.nmap.org" 5 | spec: 6 | scanType: "nmap" 7 | parameters: 8 | - scanme.nmap.org 9 | -------------------------------------------------------------------------------- /scanners/nmap/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: nmap 3 | description: A Helm chart for the NMAP security Scanner that integrates with the secureCodeBox. 
4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: 7.80-r2 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - nmap 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/Nmap 17 | icon: https://docs.securecodebox.io/img/integrationIcons/Nmap.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | -------------------------------------------------------------------------------- /scanners/nmap/parser/.dockerignore: -------------------------------------------------------------------------------- 1 | node_modules/ -------------------------------------------------------------------------------- /scanners/nmap/parser/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM node:12-alpine as build 3 | RUN mkdir -p /home/app 4 | WORKDIR /home/app 5 | COPY package.json package-lock.json ./ 6 | RUN npm ci --production 7 | 8 | FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest} 9 | WORKDIR /home/app/parser-wrapper/parser/ 10 | COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ 11 | COPY --chown=app:app ./parser.js ./parser.js 12 | -------------------------------------------------------------------------------- /scanners/nmap/parser/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "nmap-parser", 3 | "version": "1.0.0", 4 | "description": "Parses result files for the type: 'nmap-xml'", 5 | "main": "", 6 | "scripts": {}, 7 | "keywords": [], 8 | "author": "iteratec GmbH", 9 | "license": "Apache-2.0", 10 | "dependencies": { 11 | "lodash": "^4.17.19", 12 | "xml2js": "^0.4.22" 13 | }, 14 | "devDependencies": {} 15 | } 16 | 
-------------------------------------------------------------------------------- /scanners/nmap/scanner/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.12 2 | # Pin the exact package versions so the scanner image is reproducible. 3 | RUN apk add --no-cache nmap=7.80-r2 nmap-scripts=7.80-r2 4 | # Run as a dedicated non-root uid. NOTE(review): nmap's raw-socket scan types need CAP_NET_RAW; as an unprivileged uid it falls back to TCP connect scans unless the Pod grants that capability -- confirm this is intended. 5 | RUN addgroup --system --gid 1001 nmap && adduser nmap --system --uid 1001 --ingroup nmap 6 | USER 1001 7 | # NOTE(review): [nmap] is not valid JSON, so Docker treats this CMD as shell form and runs /bin/sh -c '[nmap]'; write CMD ["nmap"]. Presumably the operator overrides command/args for each scan so this default never runs -- confirm. 8 | CMD [nmap] 9 | -------------------------------------------------------------------------------- /scanners/nmap/templates/cascading-rules.yaml: -------------------------------------------------------------------------------- 1 | # The CascadingRules are not directly in the /templates directory as their curly bracket syntax clashes with helms templates ... :( 2 | # We import them as raw files to avoid these clashes as escaping them is even more messy 3 | {{ range $path, $_ := .Files.Glob "cascading-rules/*" }} 4 | # Include File 5 | {{ $.Files.Get $path }} 6 | # Separate multiple files 7 | --- 8 | {{ end }} -------------------------------------------------------------------------------- /scanners/nmap/templates/nmap-parse-definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ParseDefinition 3 | metadata: 4 | name: "nmap-xml" 5 | spec: 6 | handlesResultsType: nmap-xml 7 | image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" 8 | -------------------------------------------------------------------------------- /scanners/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "securecodebox-scanner", 3 | "version": "1.0.0", 4 | "description": "NPM library to easily set up new scanners for the secureCodeBox v2", 5 | "homepage": "https://www.secureCodeBox.io", 6 | "repository": { 7 | "type": "git", 8 | "url": "git+https://github.com/secureCodeBox/secureCodeBox-v2.git" 9 | }, 10 | "main": 
"index.js", 11 | "scripts": { 12 | "test": "jest" 13 | }, 14 | "keywords": [ 15 | "secureCodeBox", 16 | "security", 17 | "scanner" 18 | ], 19 | "author": { 20 | "name": "iteratec GmbH", 21 | "email": "security@iteratec.com", 22 | "url": "https://www.iteratec.com" 23 | }, 24 | "contributors": [ 25 | { 26 | "name" : "Jannik Hollenbach", 27 | "url" : "https://github.com/J12934" 28 | }, 29 | { 30 | "name" : "Robert Seedorff", 31 | "url" : "https://github.com/rseedorff" 32 | } 33 | ], 34 | "bugs": { 35 | "url": "https://github.com/secureCodeBox/secureCodeBox-v2/issues" 36 | }, 37 | "license": "Apache-2.0", 38 | "devDependencies": { 39 | "jest": "^25.5.4" 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /scanners/ssh_scan/.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | parser/ 4 | scanner/ 5 | examples/ -------------------------------------------------------------------------------- /scanners/ssh_scan/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: ssh-scan 3 | description: A Helm chart for the SSH_Scan security scanner that integrates with the secureCodeBox. 
4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: "0.0.43" 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - ssh 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/SSH 17 | icon: https://docs.securecodebox.io/img/integrationIcons/SSH.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | -------------------------------------------------------------------------------- /scanners/ssh_scan/cascading-rules/ssh.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "cascading.securecodebox.io/v1" 2 | kind: CascadingRule 3 | metadata: 4 | name: "ssh-scan" 5 | labels: 6 | securecodebox.io/invasive: non-invasive 7 | securecodebox.io/intensive: light 8 | spec: 9 | matches: 10 | anyOf: 11 | - category: "Open Port" 12 | attributes: 13 | port: 22 14 | state: open 15 | - category: "Open Port" 16 | attributes: 17 | service: "ssh" 18 | state: open 19 | scanSpec: 20 | scanType: "ssh-scan" 21 | parameters: 22 | - "--target" 23 | - "{{$.hostOrIP}}" 24 | - "--port" 25 | - "{{attributes.port}}" 26 | -------------------------------------------------------------------------------- /scanners/ssh_scan/examples/demo-app-ssh/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "ssh-ssh-demo-cluster-internal" 5 | spec: 6 | scanType: "ssh-scan" 7 | parameters: 8 | - "-t" 9 | - "dummy-ssh.demo-apps.svc" 10 | -------------------------------------------------------------------------------- /scanners/ssh_scan/examples/example.com/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
"execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "ssh-www.example.com" 5 | labels: 6 | company: example 7 | spec: 8 | scanType: "ssh-scan" 9 | parameters: 10 | - "-t" 11 | - www.example.com 12 | - "-p" 13 | - "22222" 14 | -------------------------------------------------------------------------------- /scanners/ssh_scan/examples/localhost/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "ssh-localhost" 5 | labels: 6 | company: localhost 7 | spec: 8 | scanType: "ssh-scan" 9 | parameters: 10 | - "-t" 11 | - localhost 12 | -------------------------------------------------------------------------------- /scanners/ssh_scan/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: ssh-scan 3 | description: A Helm chart for the SSH_Scan security scanner that integrates with the secureCodeBox. 
4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: "0.0.43" 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - ssh 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/SSH 17 | icon: https://docs.securecodebox.io/img/integrationIcons/SSH.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | -------------------------------------------------------------------------------- /scanners/ssh_scan/parser/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest} 3 | WORKDIR /home/app/parser-wrapper/parser/ 4 | COPY --chown=app:app ./parser.js ./parser.js 5 | -------------------------------------------------------------------------------- /scanners/ssh_scan/templates/cascading-rules.yaml: -------------------------------------------------------------------------------- 1 | # The CascadingRules are not directly in the /templates directory as their curly bracket syntax clashes with helms templates ... 
:( 2 | # We import them as raw files to avoid these clashes as escaping them is even more messy 3 | {{ range $path, $_ := .Files.Glob "cascading-rules/*" }} 4 | # Include File 5 | {{ $.Files.Get $path }} 6 | # Separate multiple files 7 | --- 8 | {{ end }} -------------------------------------------------------------------------------- /scanners/ssh_scan/templates/ssh-scan-parse-definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ParseDefinition 3 | metadata: 4 | name: "ssh-scan-json" 5 | spec: 6 | handlesResultsType: ssh-scan-json 7 | image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" 8 | -------------------------------------------------------------------------------- /scanners/sslyze/.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | parser/ 4 | scanner/ 5 | examples/ -------------------------------------------------------------------------------- /scanners/sslyze/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: sslyze 3 | description: A Helm chart for the SSLyze security scanner that integrates with the secureCodeBox. 
4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: v3.0.6 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - ssl 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/SSLyze 17 | icon: https://docs.securecodebox.io/img/integrationIcons/SSLyze.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | -------------------------------------------------------------------------------- /scanners/sslyze/cascading-rules/https.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "cascading.securecodebox.io/v1" 2 | kind: CascadingRule 3 | metadata: 4 | name: "https-tls-scan" 5 | labels: 6 | securecodebox.io/invasive: non-invasive 7 | securecodebox.io/intensive: light 8 | spec: 9 | matches: 10 | anyOf: 11 | - category: "Open Port" 12 | attributes: 13 | port: 443 14 | state: open 15 | - category: "Open Port" 16 | attributes: 17 | service: "https" 18 | state: open 19 | scanSpec: 20 | scanType: "sslyze" 21 | parameters: ["--regular", "{{$.hostOrIP}}:{{attributes.port}}"] 22 | -------------------------------------------------------------------------------- /scanners/sslyze/examples/example.com/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "sslyze-securecodebox.io" 5 | spec: 6 | scanType: "sslyze" 7 | parameters: 8 | - "--regular" 9 | - "example.com" 10 | -------------------------------------------------------------------------------- /scanners/sslyze/examples/secureCodeBox.io/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | 
kind: Scan 3 | metadata: 4 | name: "sslyze-securecodebox.io" 5 | labels: 6 | organization: "secureCodeBox" 7 | spec: 8 | scanType: "sslyze" 9 | parameters: 10 | - "--regular" 11 | - "securecodebox.io" 12 | -------------------------------------------------------------------------------- /scanners/sslyze/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: sslyze 3 | description: A Helm chart for the SSLyze security scanner that integrates with the secureCodeBox. 4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: v3.0.6 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - ssl 14 | - scanner 15 | - secureCodeBox 16 | home: https://docs.securecodebox.io/docs/scanners/SSLyze 17 | icon: https://docs.securecodebox.io/img/integrationIcons/SSLyze.svg 18 | sources: 19 | - https://github.com/secureCodeBox/secureCodeBox-v2 20 | maintainers: 21 | - name: iteratec GmbH 22 | email: secureCodeBox@iteratec.com 23 | -------------------------------------------------------------------------------- /scanners/sslyze/parser/.dockerignore: -------------------------------------------------------------------------------- 1 | node_modules/ -------------------------------------------------------------------------------- /scanners/sslyze/parser/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM node:12-alpine as build 3 | RUN mkdir -p /home/app 4 | WORKDIR /home/app 5 | COPY package.json package-lock.json ./ 6 | RUN npm ci --production 7 | 8 | FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest} 9 | WORKDIR /home/app/parser-wrapper/parser/ 10 | COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/ 11 | COPY --chown=app:app ./parser.js ./parser.js 12 | 
-------------------------------------------------------------------------------- /scanners/sslyze/parser/__testFiles__/unavailible-host.json: -------------------------------------------------------------------------------- 1 | { 2 | "server_connectivity_errors": [ 3 | { 4 | "error_message": "Connection to the server timed out", 5 | "server_string": "192.168.0.102:443" 6 | } 7 | ], 8 | "server_scan_results": [], 9 | "sslyze_url": "https://github.com/nabla-c0d3/sslyze", 10 | "sslyze_version": "3.0.0", 11 | "total_scan_time": 5.010118246078491 12 | } 13 | -------------------------------------------------------------------------------- /scanners/sslyze/parser/package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "sslyze-parser", 3 | "version": "1.0.0", 4 | "lockfileVersion": 1, 5 | "requires": true, 6 | "dependencies": { 7 | "sprintf-js": { 8 | "version": "1.1.2", 9 | "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.1.2.tgz", 10 | "integrity": "sha512-VE0SOVEHCk7Qc8ulkWw3ntAzXuqf7S2lvwQaDLRnUeIEaKNQJzV6BwmLKhOqT61aGhfUMrXeaBk+oDGCzvhcug==" 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /scanners/sslyze/parser/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "sslyze-parser", 3 | "version": "1.0.0", 4 | "description": "Parses result files for the type: 'sslyze-json'", 5 | "main": "", 6 | "scripts": {}, 7 | "keywords": [], 8 | "author": "iteratec GmbH", 9 | "license": "Apache-2.0", 10 | "dependencies": { 11 | "sprintf-js": "^1.1.2" 12 | }, 13 | "devDependencies": {} 14 | } 15 | -------------------------------------------------------------------------------- /scanners/sslyze/templates/cascading-rules.yaml: -------------------------------------------------------------------------------- 1 | # The CascadingRules are not directly in the /templates directory as their curly 
bracket syntax clashes with helms templates ... :( 2 | # We import them as raw files to avoid these clashes as escaping them is even more messy 3 | {{ range $path, $_ := .Files.Glob "cascading-rules/*" }} 4 | # Include File 5 | {{ $.Files.Get $path }} 6 | # Separate multiple files 7 | --- 8 | {{ end }} -------------------------------------------------------------------------------- /scanners/sslyze/templates/sslyze-parse-definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ParseDefinition 3 | metadata: 4 | name: "sslyze-json" 5 | spec: 6 | handlesResultsType: sslyze-json 7 | image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" 8 | -------------------------------------------------------------------------------- /scanners/test-scan/.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | parser/ 4 | scanner/ 5 | examples/ -------------------------------------------------------------------------------- /scanners/test-scan/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: test-scan 3 | description: A Helm chart to test the secureCodeBox operator 4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | 9 | keywords: 10 | - security 11 | - scanner 12 | - secureCodeBox 13 | - integrationTest 14 | - test 15 | sources: 16 | - https://github.com/secureCodeBox/secureCodeBox 17 | maintainers: 18 | - name: iteratec GmbH 19 | email: security@iteratec.com 20 | -------------------------------------------------------------------------------- /scanners/test-scan/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | --- 2 | title: "test-scan" 3 | hidden: 
true 4 | --- 5 | 6 | # test-scan 7 | 8 | The `test-scan` type is used internally in the secureCodeBox to test the operator. 9 | It's rather unlikely that you'll need this outside of testing usecases, as it doesn't really do anything ;) 10 | 11 | ## Chart Configuration 12 | 13 | {{ template "chart.valuesTable" . }} 14 | -------------------------------------------------------------------------------- /scanners/test-scan/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: test-scan 3 | description: A Helm chart to test the secureCodeBox operator 4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | 9 | keywords: 10 | - security 11 | - scanner 12 | - secureCodeBox 13 | - integrationTest 14 | - test 15 | sources: 16 | - https://github.com/secureCodeBox/secureCodeBox 17 | maintainers: 18 | - name: iteratec GmbH 19 | email: security@iteratec.com 20 | -------------------------------------------------------------------------------- /scanners/test-scan/parser/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest} 3 | WORKDIR /home/app/parser-wrapper/parser/ 4 | COPY --chown=app:app ./parser.js ./parser.js 5 | -------------------------------------------------------------------------------- /scanners/test-scan/scanner/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.11 2 | RUN addgroup -S test && adduser -S -g test test 3 | USER test 4 | CMD [cat] -------------------------------------------------------------------------------- /scanners/test-scan/templates/test-scan-parse-definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
"execution.securecodebox.io/v1" 2 | kind: ParseDefinition 3 | metadata: 4 | name: "test-txt" 5 | spec: 6 | handlesResultsType: test-txt 7 | image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" 8 | -------------------------------------------------------------------------------- /scanners/trivy/.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | parser/ 4 | scanner/ 5 | examples/ -------------------------------------------------------------------------------- /scanners/trivy/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: trivy 3 | description: A Helm chart for the trivy security scanner that integrates with the secureCodeBox. 4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: v0.6.0 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - trivy 14 | - image-scanning 15 | - scanner 16 | - secureCodeBox 17 | home: https://docs.securecodebox.io/docs/scanners/Trivy 18 | icon: https://docs.securecodebox.io/img/integrationIcons/Trivy.svg 19 | sources: 20 | - https://github.com/secureCodeBox/secureCodeBox-v2 21 | maintainers: 22 | - name: iteratec GmbH 23 | email: secureCodeBox@iteratec.com 24 | -------------------------------------------------------------------------------- /scanners/trivy/examples/juice-shop/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "trivy-juiceshop" 5 | labels: 6 | organization: "OWASP" 7 | spec: 8 | scanType: "trivy" 9 | parameters: 10 | - "bkimminich/juice-shop:v10.2.0" 11 | -------------------------------------------------------------------------------- /scanners/trivy/examples/mediawiki/scan.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "trivy-mediawiki" 5 | spec: 6 | scanType: "trivy" 7 | parameters: 8 | - "mediawiki:stable" 9 | -------------------------------------------------------------------------------- /scanners/trivy/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: trivy 3 | description: A Helm chart for the trivy security scanner that integrates with the secureCodeBox. 4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: v0.6.0 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - trivy 14 | - image-scanning 15 | - scanner 16 | - secureCodeBox 17 | home: https://docs.securecodebox.io/docs/scanners/Trivy 18 | icon: https://docs.securecodebox.io/img/integrationIcons/Trivy.svg 19 | sources: 20 | - https://github.com/secureCodeBox/secureCodeBox-v2 21 | maintainers: 22 | - name: iteratec GmbH 23 | email: secureCodeBox@iteratec.com 24 | -------------------------------------------------------------------------------- /scanners/trivy/parser/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest} 3 | WORKDIR /home/app/parser-wrapper/parser/ 4 | COPY --chown=app:app ./parser.js ./parser.js 5 | -------------------------------------------------------------------------------- /scanners/trivy/parser/__testFiles__/securecodebox-amass-unstable-pinned.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "Target": "securecodebox/amass:unstable@sha256:05954f82eaa7bbe81dfc81907113c1e8d9b2409f3d38be3f0e12bccb322bea2c (debian 9.11)", 4 | "Vulnerabilities": null 
5 | } 6 | ] -------------------------------------------------------------------------------- /scanners/trivy/templates/trivy-parse-definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ParseDefinition 3 | metadata: 4 | name: "trivy-json" 5 | spec: 6 | handlesResultsType: trivy-json 7 | image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" 8 | -------------------------------------------------------------------------------- /scanners/wpscan/.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | parser/ 4 | scanner/ 5 | examples/ -------------------------------------------------------------------------------- /scanners/wpscan/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: wpscan 3 | description: A Helm chart for the WordPress security scanner that integrates with the secureCodeBox. 
4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: latest 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - wpscan 14 | - wordpress 15 | - scanner 16 | - secureCodeBox 17 | home: https://docs.securecodebox.io/docs/scanners/WPScan 18 | icon: https://docs.securecodebox.io/img/integrationIcons/WPScan.svg 19 | sources: 20 | - https://github.com/secureCodeBox/secureCodeBox-v2 21 | maintainers: 22 | - name: iteratec GmbH 23 | email: secureCodeBox@iteratec.com 24 | -------------------------------------------------------------------------------- /scanners/wpscan/examples/example.com/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "wpscan-www.example.com" 5 | spec: 6 | scanType: "wpscan" 7 | parameters: 8 | - "--url" 9 | - https://www.example.com 10 | - "-e" 11 | - "vp" 12 | - "--plugins-detection" 13 | - "mixed" 14 | - "--api-token" 15 | - "AAAAABBBBBCCCCCDDDDEEEEEEE" 16 | -------------------------------------------------------------------------------- /scanners/wpscan/examples/old-wordpress/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "wpscan-old-wordpress-internal" 5 | spec: 6 | scanType: "wpscan" 7 | parameters: 8 | - "--url" 9 | - old-wordpress.demo-apps.svc.cluster.local 10 | - "-e" 11 | - "vp" 12 | - "--plugins-detection" 13 | - "mixed" 14 | -------------------------------------------------------------------------------- /scanners/wpscan/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: wpscan 3 | description: A Helm chart for the WordPress security scanner that integrates with the 
secureCodeBox. 4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: latest 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - wpscan 14 | - wordpress 15 | - scanner 16 | - secureCodeBox 17 | home: https://docs.securecodebox.io/docs/scanners/WPScan 18 | icon: https://docs.securecodebox.io/img/integrationIcons/WPScan.svg 19 | sources: 20 | - https://github.com/secureCodeBox/secureCodeBox-v2 21 | maintainers: 22 | - name: iteratec GmbH 23 | email: secureCodeBox@iteratec.com 24 | -------------------------------------------------------------------------------- /scanners/wpscan/parser/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest} 3 | WORKDIR /home/app/parser-wrapper/parser/ 4 | COPY --chown=app:app ./parser.js ./parser.js 5 | -------------------------------------------------------------------------------- /scanners/wpscan/parser/__testFiles__/empty-localhost.json: -------------------------------------------------------------------------------- 1 | { 2 | } -------------------------------------------------------------------------------- /scanners/wpscan/templates/wpscan-parse-definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ParseDefinition 3 | metadata: 4 | name: "wpscan-json" 5 | spec: 6 | handlesResultsType: wpscan-json 7 | image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" 8 | -------------------------------------------------------------------------------- /scanners/zap/.helmignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | 3 | parser/ 4 | scanner/ 5 | examples/ 
-------------------------------------------------------------------------------- /scanners/zap/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: zap 3 | description: A Helm chart for the OWASP ZAP security scanner that integrates with the secureCodeBox. 4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: v2.9.0 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - Zap 14 | - OWASP 15 | - scanner 16 | - secureCodeBox 17 | home: https://docs.securecodebox.io/docs/scanners/ZAP 18 | icon: https://docs.securecodebox.io/img/integrationIcons/ZAP.svg 19 | sources: 20 | - https://github.com/secureCodeBox/secureCodeBox-v2 21 | maintainers: 22 | - name: iteratec GmbH 23 | email: secureCodeBox@iteratec.com 24 | -------------------------------------------------------------------------------- /scanners/zap/cascading-rules/http.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "cascading.securecodebox.io/v1" 2 | kind: CascadingRule 3 | metadata: 4 | name: "zap-http" 5 | labels: 6 | securecodebox.io/invasive: non-invasive 7 | securecodebox.io/intensive: medium 8 | spec: 9 | matches: 10 | anyOf: 11 | - category: "Open Port" 12 | attributes: 13 | service: http 14 | state: open 15 | - category: "Open Port" 16 | attributes: 17 | service: https 18 | state: open 19 | scanSpec: 20 | scanType: "zap-baseline" 21 | parameters: ["-t", "{{attributes.service}}://{{$.hostOrIP}}"] 22 | -------------------------------------------------------------------------------- /scanners/zap/examples/demo-bodgeit-baseline-scan/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "zap-baseline-bodgeit" 5 | labels: 6 | 
organization: "OWASP" 7 | spec: 8 | scanType: "zap-baseline" 9 | parameters: 10 | # target URL including the protocol 11 | - "-t" 12 | - "http://bodgeit.demo-apps.svc:8080" 13 | # show debug messages 14 | - "-d" 15 | # the number of minutes to spider for (default 1) 16 | - "-m" 17 | - "2" -------------------------------------------------------------------------------- /scanners/zap/examples/demo-bodgeit-full-scan/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "zap-full-scan-bodgeit" 5 | labels: 6 | organization: "OWASP" 7 | spec: 8 | scanType: "zap-full-scan" 9 | parameters: 10 | # target URL including the protocol 11 | - "-t" 12 | - "http://bodgeit.demo-apps.svc:8080" 13 | # include the alpha active and passive scan rules as well 14 | - "-a" 15 | # show debug messages 16 | - "-d" 17 | # the number of minutes to spider for (default 1) 18 | - "-m" 19 | - "3" -------------------------------------------------------------------------------- /scanners/zap/examples/demo-juice-shop-baseline-scan/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "zap-baseline-juiceshop" 5 | labels: 6 | organization: "OWASP" 7 | spec: 8 | scanType: "zap-baseline" 9 | parameters: 10 | # target URL including the protocol 11 | - "-t" 12 | - "http://juice-shop.demo-apps.svc:3000" 13 | # show debug messages 14 | - "-d" 15 | # use the Ajax spider in addition to the traditional one 16 | - "-j" 17 | # the number of minutes to spider for (default 1) 18 | - "-m" 19 | - "3" 20 | -------------------------------------------------------------------------------- /scanners/zap/examples/demo-juice-shop-full-scan/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 
| kind: Scan 3 | metadata: 4 | name: "zap-full-scan-juiceshop" 5 | labels: 6 | organization: "OWASP" 7 | spec: 8 | scanType: "zap-full-scan" 9 | parameters: 10 | # target URL including the protocol 11 | - "-t" 12 | - "http://juice-shop.demo-apps.svc:3000" 13 | # include the alpha active and passive scan rules as well 14 | - "-a" 15 | # show debug messages 16 | - "-d" 17 | # use the Ajax spider in addition to the traditional one 18 | - "-j" 19 | # the number of minutes to spider for (default 1) 20 | - "-m" 21 | - "3" 22 | -------------------------------------------------------------------------------- /scanners/zap/examples/demo-petstore-api-scan/scan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: Scan 3 | metadata: 4 | name: "zap-api-petstore" 5 | labels: 6 | organization: "OWASP" 7 | spec: 8 | scanType: "zap-api-scan" 9 | parameters: 10 | # target URL including the protocol 11 | - "-t" 12 | - "http://swagger-petstore.demo-apps.svc/v2/swagger.json" 13 | # format can be either 'openapi' or 'soap' 14 | - "-f" 15 | - "openapi" 16 | # include the alpha passive scan rules as well 17 | # - "-a" 18 | # show debug messages 19 | - "-d" 20 | # the number of minutes to spider for (default 1) 21 | - "-m" 22 | - "3" 23 | -------------------------------------------------------------------------------- /scanners/zap/helm2.Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | name: zap 3 | description: A Helm chart for the OWASP ZAP security scanner that integrates with the secureCodeBox. 
4 | 5 | type: application 6 | # version - gets automatically set to the secureCodeBox release version when the helm charts gets published 7 | version: latest 8 | appVersion: v2.9.0 9 | kubeVersion: ">=v1.11.0" 10 | 11 | keywords: 12 | - security 13 | - Zap 14 | - OWASP 15 | - scanner 16 | - secureCodeBox 17 | home: https://docs.securecodebox.io/docs/scanners/ZAP 18 | icon: https://docs.securecodebox.io/img/integrationIcons/ZAP.svg 19 | sources: 20 | - https://github.com/secureCodeBox/secureCodeBox-v2 21 | maintainers: 22 | - name: iteratec GmbH 23 | email: secureCodeBox@iteratec.com 24 | -------------------------------------------------------------------------------- /scanners/zap/parser/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG baseImageTag 2 | FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest} 3 | WORKDIR /home/app/parser-wrapper/parser/ 4 | COPY --chown=app:app ./parser.js ./parser.js 5 | -------------------------------------------------------------------------------- /scanners/zap/parser/parser.test.js: -------------------------------------------------------------------------------- 1 | const fs = require('fs'); 2 | const util = require('util'); 3 | 4 | // eslint-disable-next-line security/detect-non-literal-fs-filename 5 | const readFile = util.promisify(fs.readFile); 6 | 7 | const { parse } = require('./parser'); 8 | 9 | test('Parsing the juice-shop results.', async () => { 10 | const fileContent = JSON.parse( 11 | await readFile(__dirname + '/__testFiles__/juice-shop.json', { 12 | encoding: 'utf8', 13 | }) 14 | ); 15 | 16 | expect(await parse(fileContent)).toMatchSnapshot(); 17 | }); 18 | 19 | test('Parsing the example.com results.', async () => { 20 | const fileContent = JSON.parse( 21 | await readFile(__dirname + '/__testFiles__/example.com.json', { 22 | encoding: 'utf8', 23 | }) 24 | ); 25 | 26 | expect(await parse(fileContent)).toMatchSnapshot(); 27 | }); 
-------------------------------------------------------------------------------- /scanners/zap/templates/cascading-rules.yaml: -------------------------------------------------------------------------------- 1 | # The CascadingRules are not directly in the /templates directory as their curly bracket syntax clashes with Helm's templates ... :( 2 | # We import them as raw files to avoid these clashes, as escaping them is even more messy 3 | {{ range $path, $_ := .Files.Glob "cascading-rules/*" }} 4 | # Include File 5 | {{ $.Files.Get $path }} 6 | # Separate multiple files 7 | --- 8 | {{ end }} -------------------------------------------------------------------------------- /scanners/zap/templates/zap-parse-definition.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "execution.securecodebox.io/v1" 2 | kind: ParseDefinition 3 | metadata: 4 | name: "zap-json" 5 | spec: 6 | handlesResultsType: zap-json 7 | image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" 8 | -------------------------------------------------------------------------------- /tests/integration/generic/no-scan-definition-error.test.js: -------------------------------------------------------------------------------- 1 | const { scan } = require("../helpers"); 2 | 3 | test( 4 | "scan without a matching ScanType should be marked as errored", 5 | async () => { 6 | await expect( 7 | scan("scan-type-not-found", "this-type-does-not-exists", [], 30) 8 | ).rejects.toThrow( 9 | `Scan failed with description "Configured ScanType 'this-type-does-not-exists' not found in 'integration-tests' namespace. 
You'll likely need to deploy the ScanType."` 10 | ); 11 | }, 12 | 1 * 60 * 1000 13 | ); 14 | -------------------------------------------------------------------------------- /tests/integration/generic/read-write-hook.test.js: -------------------------------------------------------------------------------- 1 | const { scan } = require("../helpers"); 2 | 3 | test( 4 | "localhost port scan should only find a host finding", 5 | async () => { 6 | const { categories, severities, count } = await scan( 7 | "test-scan-read-write-hook", 8 | "test-scan", 9 | [], 10 | 90 11 | ); 12 | 13 | expect(count).toBe(2); 14 | expect(categories).toMatchInlineSnapshot(` 15 | Object { 16 | "Host": 1, 17 | "Open Port": 1, 18 | "fancy-category": 2, 19 | } 20 | `); 21 | expect(severities).toMatchInlineSnapshot(` 22 | Object { 23 | "high": 2, 24 | } 25 | `); 26 | }, 27 | 3 * 60 * 1000 28 | ); 29 | -------------------------------------------------------------------------------- /tests/integration/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "securecodebox-integration-tests", 3 | "version": "1.0.0", 4 | "description": "Integration Tests running on a real k8s cluster", 5 | "scripts": { 6 | "test": "jest" 7 | }, 8 | "keywords": [], 9 | "author": "iteratec GmbH", 10 | "license": "Apache-2.0", 11 | "devDependencies": { 12 | "@kubernetes/client-node": "^0.12.2", 13 | "jest": "^25.2.4", 14 | "prettier": "^2.0.2" 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /tests/integration/scanner/cascade.test.js: -------------------------------------------------------------------------------- 1 | const { cascadingScan } = require('../helpers') 2 | 3 | test( 4 | "Cascading Scan nmap -> ncrack on dummy-ssh", 5 | async () => { 6 | const { categories, severities, count } = await cascadingScan( 7 | "nmap-dummy-ssh", 8 | "nmap", 9 | ["-Pn", "-sV", "dummy-ssh.demo-apps.svc"], 10 | { 11 | nameCascade: 
"ncrack-ssh", 12 | matchLabels: { 13 | "securecodebox.io/invasive": "invasive", 14 | "securecodebox.io/intensive": "high" 15 | } 16 | }, 17 | 120 18 | ); 19 | 20 | expect(count).toBe(1); 21 | expect(categories).toEqual( 22 | { 23 | "Discovered Credentials": 1, 24 | } 25 | ); 26 | expect(severities).toEqual( 27 | { 28 | "high": 1, 29 | } 30 | ); 31 | }, 32 | 3 * 60 * 1000 33 | ); 34 | -------------------------------------------------------------------------------- /tests/integration/scanner/kube-hunter.test.js: -------------------------------------------------------------------------------- 1 | const { scan } = require("../helpers"); 2 | 3 | test( 4 | "kube-hunter should find a fixed number of findings for the kind cluster", 5 | async () => { 6 | await scan( 7 | "kube-hunter-in-cluster", 8 | "kube-hunter", 9 | ["--pod", "--quick"], 10 | 4 * 60 11 | ); 12 | 13 | // If we got here the scan succeeded 14 | // as the number of findings will depend on the cluster, we don't assert on it here 15 | expect(true).toBe(true); 16 | }, 17 | 5 * 60 * 1000 18 | ); 19 | -------------------------------------------------------------------------------- /tests/integration/scanner/ncrack.test.js: -------------------------------------------------------------------------------- 1 | const { scan } = require('../helpers') 2 | 3 | test( 4 | "ncrack should find 1 credential in vulnerable ssh service", 5 | async () => { 6 | const { categories, severities, count } = await scan( 7 | "ncrack-dummy-ssh", 8 | "ncrack", 9 | ["-v","--user=root,admin", "--pass=THEPASSWORDYOUCREATED,12345", "ssh://dummy-ssh.demo-apps.svc"], 10 | 90 11 | ); 12 | 13 | expect(count).toBe(1); 14 | expect(categories).toEqual( 15 | { 16 | "Discovered Credentials": 1, 17 | } 18 | ); 19 | expect(severities).toEqual( 20 | { 21 | "high": 1, 22 | } 23 | ); 24 | }, 25 | 3 * 60 * 1000 26 | ); 27 | 28 | -------------------------------------------------------------------------------- /tests/integration/scanner/nmap.test.js: 
-------------------------------------------------------------------------------- 1 | const { scan } = require('../helpers') 2 | 3 | test( 4 | "localhost port scan should only find a host finding", 5 | async () => { 6 | const { categories, severities, count } = await scan( 7 | "nmap-localhost", 8 | "nmap", 9 | ["localhost"], 10 | 90 11 | ); 12 | 13 | expect(count).toBe(1); 14 | expect(categories).toMatchInlineSnapshot(` 15 | Object { 16 | "Host": 1, 17 | } 18 | `); 19 | expect(severities).toMatchInlineSnapshot(` 20 | Object { 21 | "informational": 1, 22 | } 23 | `); 24 | }, 25 | 3 * 60 * 1000 26 | ); 27 | 28 | test( 29 | "invalid port scan should be marked as errored", 30 | async () => { 31 | await expect(scan( 32 | "nmap-localhost", 33 | "nmap", 34 | ["-invalidFlag", "localhost"], 35 | 90 36 | )).rejects.toThrow('Scan failed with description "Failed to run the Scan Container, check k8s Job and its logs for more details"'); 37 | }, 38 | 3 * 60 * 1000 39 | ); 40 | -------------------------------------------------------------------------------- /tests/integration/scanner/ssh-scan.test.js: -------------------------------------------------------------------------------- 1 | // todo: Integrate into github ci pipeline 2 | const { scan } = require("../helpers"); 3 | 4 | test( 5 | "ssh-scan should find a couple of findings for a dummy ssh service", 6 | async () => { 7 | const { categories, severities, count } = await scan( 8 | "ssh-scan-dummy-ssh", 9 | "ssh-scan", 10 | ["-t", "dummy-ssh.demo-apps.svc"], 11 | 90 12 | ); 13 | 14 | expect(count).toBe(4); 15 | expect(categories).toMatchInlineSnapshot(` 16 | Object { 17 | "SSH Policy Violation": 3, 18 | "SSH Service": 1, 19 | } 20 | `); 21 | expect(severities).toMatchInlineSnapshot(` 22 | Object { 23 | "informational": 1, 24 | "medium": 3, 25 | } 26 | `); 27 | }, 28 | 3 * 60 * 1000 29 | ); 30 | 31 | test( 32 | "ssh-scan should gracefully handle a non-existing target", 33 | async () => { 34 | await expect( 35 | scan( 36 | 
"ssh-scan-non-existing", 37 | "ssh-scan", 38 | ["-t", "this-target-doesnt-exist.demo-apps.svc"], 39 | 180 40 | ) 41 | ).rejects.toThrow( 42 | 'Scan failed with description "Failed to run the Scan Container, check k8s Job and its logs for more details"' 43 | ); 44 | }, 45 | 3 * 60 * 1000 46 | ); 47 | -------------------------------------------------------------------------------- /tests/integration/scanner/zap.test.js: -------------------------------------------------------------------------------- 1 | const { scan } = require("../helpers"); 2 | 3 | test( 4 | "zap baseline scan against a plain nginx container should only find couple findings", 5 | async () => { 6 | const { categories, severities } = await scan( 7 | "zap-nginx-baseline", 8 | "zap-baseline", 9 | ["-t", "http://nginx.demo-apps.svc"], 10 | 60 * 4 11 | ); 12 | 13 | expect(categories).toMatchObject({ 14 | "Content Security Policy (CSP) Header Not Set": 1, 15 | 'Server Leaks Version Information via "Server" HTTP Response Header Field': 1, 16 | "X-Content-Type-Options Header Missing": 1, 17 | "X-Frame-Options Header Not Set": 1, 18 | }); 19 | expect(severities).toMatchObject({ 20 | low: 3, 21 | medium: 1, 22 | }); 23 | }, 24 | 5 * 60 * 1000 25 | ); 26 | --------------------------------------------------------------------------------