OWASP secureCodeBox is an automated and scalable open source solution that can be used to integrate various security vulnerability scanners with a simple and lightweight interface. The secureCodeBox mission is to support DevSecOps Teams to make it easy to automate security vulnerability testing in different scenarios.
With the secureCodeBox we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues.
The secureCodeBox project is running on Kubernetes. To install it you need Helm, a package manager for Kubernetes. It is also possible to start the different integrated security vulnerability scanners based on a docker infrastructure.
You can find resources to help you get started on our documentation website including instruction on how to install the secureCodeBox project and guides to help you run your first scans with it.
The secureCodeBox operator is running on Kubernetes and is the core component of the complete secureCodeBox stack, responsible for managing all scans and resources.
Homepage: https://www.securecodebox.io/docs/getting-started/installation
The operator chart can be deployed via helm:
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install operator secureCodeBox/operatorKubernetes: >=v1.11.0-0
| Repository | Name | Version |
|---|---|---|
| https://charts.bitnami.com/bitnami | minio | 11.9.4 |
The secureCodeBox Operator can be deployed via helm:
# Add the secureCodeBox Helm Repo
helm repo add secureCodeBox https://charts.securecodebox.io
# Create a new namespace for the secureCodeBox Operator
kubectl create namespace securecodebox-system
# Install the Operator & CRDs
helm install securecodebox-operator secureCodeBox/operator| Key | Type | Default | Description |
|---|---|---|---|
| customCACertificate | object | {"certificate":"public.crt","existingCertificate":null} |
Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s) |
| customCACertificate.certificate | string | "public.crt" |
key in the configmap holding the certificate(s) |
| customCACertificate.existingCertificate | string | nil |
name of the configMap holding the ca certificate(s), needs to be the same across all namespaces |
| image.pullPolicy | string | "IfNotPresent" |
Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
| image.repository | string | "docker.io/securecodebox/operator" |
The operator image repository |
| image.tag | string | defaults to the charts version | Parser image tag |
| imagePullSecrets | list | [] |
Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
| lurker.image.pullPolicy | string | "IfNotPresent" |
Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
| lurker.image.repository | string | "docker.io/securecodebox/lurker" |
The operator image repository |
| lurker.image.tag | string | defaults to the charts version | Parser image tag |
| minio | object | {"auth":{"rootPassword":"password","rootUser":"admin"},"defaultBuckets":"securecodebox","enabled":true,"resources":{"requests":{"memory":"256Mi"}},"tls":{"enabled":false}} |
Minio default config. More config options an info: https://github.com/minio/minio/blob/master/helm/minio/values.yaml |
| minio.enabled | bool | true |
Enable this to use minio as storage backend instead of a cloud bucket provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc. |
| podSecurityContext | object | {} |
Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container |
| presignedUrlExpirationTimes | object | {"hooks":"1h","parsers":"1h","scanners":"12h"} |
Duration how long presigned urls are valid |
| resources | object | {"limits":{"cpu":"100m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}} |
CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
| s3.authType | string | "access-secret-key" |
Authentication method. Supports access-secret-key (used by most s3 endpoint) and aws-irsa (Used by AWS EKS IAM Role to Kubenetes Service Account Binding. Support for AWS IRSA is considered experimental in the secureCodeBox) |
| s3.awsStsEndpoint | string | "https://sts.amazonaws.com" |
STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-irsa" |
| s3.bucket | string | "my-bucket" |
|
| s3.enabled | bool | false |
|
| s3.endpoint | string | "fra1.digitaloceanspaces.com" |
|
| s3.keySecret | string | "my-secret" |
|
| s3.port | string | nil |
|
| s3.secretAttributeNames.accesskey | string | "accesskey" |
|
| s3.secretAttributeNames.secretkey | string | "secretkey" |
|
| s3.urlTemplate | string | scan-{{ .Scan.UID }}/{{ .Filename }} | Go Template that generates the path used to store raw result file and findings.json file in the s3 bucket. Can be used to store the files in a subfolder of the s3 bucket |
| securityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true} |
Sets the securityContext on the operators container level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
| securityContext.allowPrivilegeEscalation | bool | false |
Ensure that users privileges cannot be escalated |
| securityContext.capabilities.drop[0] | string | "all" |
This drops all linux privileges from the operator container. They are not required |
| securityContext.privileged | bool | false |
Ensures that the operator container is not run in privileged mode |
| securityContext.readOnlyRootFilesystem | bool | true |
Prevents write access to the containers file system |
| securityContext.runAsNonRoot | bool | true |
Enforces that the Operator image is run as a non root user |
| serviceAccount.annotations | object | {} |
Annotations of the serviceAccount the operator uses to talk to the k8s api |
| serviceAccount.labels | object | {} |
Labels of the serviceAccount the operator uses to talk to the k8s api |
| serviceAccount.name | string | "securecodebox-operator" |
Name of the serviceAccount the operator uses to talk to the k8s api |
| telemetryEnabled | bool | true |
The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry |
Contributions are welcome and extremely helpful 🙌 Please have a look at Contributing
You are welcome, please join us on... 👋
secureCodeBox is an official OWASP project.
Code of secureCodeBox is licensed under the Apache License 2.0.