secureCodeBox
diff --git a/‎auto-discovery/kubernetes/README.md‎
Lines changed: 10 additions & 6 deletions b/‎auto-discovery/kubernetes/README.md‎
Lines changed: 10 additions & 6 deletions
diff --git a/‎auto-discovery/kubernetes/api/v1/autodiscoveryconfig_types.go‎
Lines changed: 8 additions & 5 deletions b/‎auto-discovery/kubernetes/api/v1/autodiscoveryconfig_types.go‎
Lines changed: 8 additions & 5 deletions
diff --git a/‎auto-discovery/kubernetes/api/v1/zz_generated.deepcopy.go‎
Lines changed: 15 additions & 0 deletions b/‎auto-discovery/kubernetes/api/v1/zz_generated.deepcopy.go‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎auto-discovery/kubernetes/controllers/container_scan_controller.go‎
Lines changed: 31 additions & 27 deletions b/‎auto-discovery/kubernetes/controllers/container_scan_controller.go‎
Lines changed: 31 additions & 27 deletions
diff --git a/‎auto-discovery/kubernetes/controllers/service_scan_controller.go‎
Lines changed: 32 additions & 54 deletions b/‎auto-discovery/kubernetes/controllers/service_scan_controller.go‎
Lines changed: 32 additions & 54 deletions
@@ -135,11 +135,13 @@ kubectl -n juice-shop annotate service juice-shop auto-discovery.securecodebox.i
 | config.apiVersion | string | `"config.securecodebox.io/v1"` |  |
 | config.cluster.name | string | `"docker-desktop"` |  |
 | config.containerAutoDiscovery.enabled | bool | `false` |  |
-| config.containerAutoDiscovery.scanConfig.annotations | object | `{}` | annotations to be added to the scans started by the auto-discovery |
-| config.containerAutoDiscovery.scanConfig.labels | object | `{}` | labels to be added to the scans started by the auto-discovery |
-| config.containerAutoDiscovery.scanConfig.parameters | list | `["{{ .ImageID }}"]` | parameters used for the scans created by the containerAutoDiscovery |
+| config.containerAutoDiscovery.scanConfig.annotations | object | `{}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating |
+| config.containerAutoDiscovery.scanConfig.labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating |
+| config.containerAutoDiscovery.scanConfig.parameters | list | `["{{ .ImageID }}"]` | parameters used for the scans created by the containerAutoDiscovery, all parameters support templating |
 | config.containerAutoDiscovery.scanConfig.repeatInterval | string | `"168h"` | interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset. |
 | config.containerAutoDiscovery.scanConfig.scanType | string | `"trivy"` |  |
+| config.containerAutoDiscovery.scanConfig.volumeMounts | list | `[]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating |
+| config.containerAutoDiscovery.scanConfig.volumes | list | `[]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating |
 | config.health.healthProbeBindAddress | string | `":8081"` |  |
 | config.kind | string | `"AutoDiscoveryConfig"` |  |
 | config.leaderElection.leaderElect | bool | `true` |  |
@@ -148,11 +150,13 @@ kubectl -n juice-shop annotate service juice-shop auto-discovery.securecodebox.i
 | config.resourceInclusion.mode | string | `"enabled-per-namespace"` |  |
 | config.serviceAutoDiscovery.enabled | bool | `true` |  |
 | config.serviceAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every service is re-checked for updated pods, if service object is updated directly this the service will get reconciled immediately |
-| config.serviceAutoDiscovery.scanConfig.annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery |
-| config.serviceAutoDiscovery.scanConfig.labels | object | `{}` | labels to be added to the scans started by the auto-discovery |
-| config.serviceAutoDiscovery.scanConfig.parameters | list | `["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"]` | parameters used for the scans created by the serviceAutoDiscovery |
+| config.serviceAutoDiscovery.scanConfig.annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating |
+| config.serviceAutoDiscovery.scanConfig.labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating |
+| config.serviceAutoDiscovery.scanConfig.parameters | list | `["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"]` | parameters used for the scans created by the serviceAutoDiscovery, all parameters support templating |
 | config.serviceAutoDiscovery.scanConfig.repeatInterval | string | `"168h"` | interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset. |
 | config.serviceAutoDiscovery.scanConfig.scanType | string | `"zap-advanced-scan"` | scanType used for the scans created by the serviceAutoDiscovery |
+| config.serviceAutoDiscovery.scanConfig.volumeMounts | list | `[]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating |
+| config.serviceAutoDiscovery.scanConfig.volumes | list | `[]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
 | image.repository | string | `"securecodebox/auto-discovery-kubernetes"` |  |
 | image.tag | string | `nil` |  |
 
@@ -5,6 +5,7 @@
 package v1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	cfg "sigs.k8s.io/controller-runtime/pkg/config/v1alpha1"
 )
@@ -51,11 +52,13 @@ type ResourceInclusionConfig struct {
 }
 
 type ScanConfig struct {
-	RepeatInterval metav1.Duration   `json:"repeatInterval"`
-	Annotations    map[string]string `json:"annotations"`
-	Labels         map[string]string `json:"labels"`
-	ScanType       string            `json:"scanType"`
-	Parameters     []string          `json:"parameters"`
+	RepeatInterval metav1.Duration      `json:"repeatInterval"`
+	Annotations    map[string]string    `json:"annotations"`
+	Labels         map[string]string    `json:"labels"`
+	ScanType       string               `json:"scanType"`
+	Parameters     []string             `json:"parameters"`
+	Volumes        []corev1.Volume      `json:"volumes"`
+	VolumeMounts   []corev1.VolumeMount `json:"volumeMounts"`
 }
 
 func init() {
 
@@ -33,6 +33,18 @@ type ContainerScanReconciler struct {
 	Config   configv1.AutoDiscoveryConfig
 }
 
+type Cluster struct {
+	Name string
+}
+type ContainerAutoDiscoveryTemplateArgs struct {
+	Config     configv1.AutoDiscoveryConfig
+	ScanConfig configv1.ScanConfig
+	Cluster    configv1.ClusterConfig
+	Target     metav1.ObjectMeta
+	Namespace  corev1.Namespace
+	ImageID    string
+}
+
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;
 
 // Reconcile compares the Pod object against the state of the cluster and updates both if needed
@@ -159,7 +171,7 @@ func (r *ContainerScanReconciler) createScheduledScans(ctx context.Context, pod
 func (r *ContainerScanReconciler) createScheduledScan(ctx context.Context, pod corev1.Pod, imageID string) {
 	namespace := r.getNamespace(ctx, pod)
 
-	newScheduledScan := getScanSpec(r.Config, pod, imageID, namespace)
+	newScheduledScan := r.generateScan(pod, imageID, namespace)
 	err := r.Client.Create(ctx, &newScheduledScan)
 
 	if err != nil {
@@ -178,23 +190,26 @@ func (r *ContainerScanReconciler) getNamespace(ctx context.Context, pod corev1.P
 	return result
 }
 
-func getScanSpec(config configv1.AutoDiscoveryConfig, pod corev1.Pod, imageID string, namespace corev1.Namespace) executionv1.ScheduledScan {
-	containerScanConfig := config.ContainerAutoDiscoveryConfig.ScanConfig
+func (r *ContainerScanReconciler) generateScan(pod corev1.Pod, imageID string, namespace corev1.Namespace) executionv1.ScheduledScan {
+	scanConfig := r.Config.ContainerAutoDiscoveryConfig.ScanConfig
+	templateArgs := ContainerAutoDiscoveryTemplateArgs{
+		Config:     r.Config,
+		ScanConfig: scanConfig,
+		Cluster:    r.Config.Cluster,
+		Target:     pod.ObjectMeta,
+		Namespace:  namespace,
+		ImageID:    imageID,
+	}
+	scanSpec := util.GenerateScanSpec(scanConfig, templateArgs)
 
 	newScheduledScan := executionv1.ScheduledScan{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        getScanName(imageID),
 			Namespace:   pod.Namespace,
-			Annotations: getScanAnnotations(config, pod, imageID, namespace),
-			Labels:      getScanLabels(config, pod, imageID, namespace),
-		},
-		Spec: executionv1.ScheduledScanSpec{
-			Interval: containerScanConfig.RepeatInterval,
-			ScanSpec: &executionv1.ScanSpec{
-				ScanType:   containerScanConfig.ScanType,
-				Parameters: getScanParameters(config, pod, imageID, namespace),
-			},
+			Annotations: getScanAnnotations(scanConfig, templateArgs),
+			Labels:      getScanLabels(scanConfig, templateArgs),
 		},
+		Spec: scanSpec,
 	}
 	return newScheduledScan
 }
@@ -273,23 +288,12 @@ func (r *ContainerScanReconciler) getScan(ctx context.Context, pod corev1.Pod, i
 	return scan, err
 }
 
-func getScanAnnotations(config configv1.AutoDiscoveryConfig, pod corev1.Pod, imageID string, namespace corev1.Namespace) map[string]string {
-	data := util.TemplateArgs{Target: pod.ObjectMeta, Namespace: namespace.ObjectMeta, Cluster: util.Cluster(config.Cluster), ImageID: imageID}
-	templates := config.ContainerAutoDiscoveryConfig.ScanConfig.Annotations
-	return util.ParseMapTemplate(data, templates)
-}
-
-func getScanParameters(config configv1.AutoDiscoveryConfig, pod corev1.Pod, imageID string, namespace corev1.Namespace) []string {
-	data := util.TemplateArgs{Target: pod.ObjectMeta, Namespace: namespace.ObjectMeta, Cluster: util.Cluster(config.Cluster), ImageID: imageID}
-	templates := config.ContainerAutoDiscoveryConfig.ScanConfig.Parameters
-	return util.ParseListTemplate(data, templates)
+func getScanAnnotations(scanConfig configv1.ScanConfig, templateArgs ContainerAutoDiscoveryTemplateArgs) map[string]string {
+	return util.ParseMapTemplate(templateArgs, scanConfig.Annotations)
 }
 
-func getScanLabels(config configv1.AutoDiscoveryConfig, pod corev1.Pod, imageID string, namespace corev1.Namespace) map[string]string {
-	data := util.TemplateArgs{Target: pod.ObjectMeta, Namespace: namespace.ObjectMeta, Cluster: util.Cluster(config.Cluster), ImageID: imageID}
-	templates := config.ContainerAutoDiscoveryConfig.ScanConfig.Labels
-
-	generatedLabels := util.ParseMapTemplate(data, templates)
+func getScanLabels(scanConfig configv1.ScanConfig, templateArgs ContainerAutoDiscoveryTemplateArgs) map[string]string {
+	generatedLabels := util.ParseMapTemplate(templateArgs, scanConfig.Labels)
 	generatedLabels["app.kubernetes.io/managed-by"] = "securecodebox-autodiscovery"
 
 	return generatedLabels
 
@@ -36,6 +36,16 @@ type ServiceScanReconciler struct {
 	Config   configv1.AutoDiscoveryConfig
 }
 
+type ServiceAutoDiscoveryTemplateArgs struct {
+	Config     configv1.AutoDiscoveryConfig
+	ScanConfig configv1.ScanConfig
+	Cluster    configv1.ClusterConfig
+	Target     metav1.ObjectMeta
+	Service    corev1.Service
+	Namespace  corev1.Namespace
+	Host       HostPort
+}
+
 const requeueInterval = 5 * time.Second
 
 // +kubebuilder:rbac:groups="execution.securecodebox.io",resources=scantypes,verbs=get;list;watch
@@ -129,23 +139,35 @@ func (r *ServiceScanReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		var previousScan executionv1.ScheduledScan
 		err := r.Client.Get(ctx, types.NamespacedName{Name: fmt.Sprintf("%s-service-port-%d", service.Name, host.Port), Namespace: service.Namespace}, &previousScan)
 
+		// generate the scan spec for the current state of the service
+		templateArgs := ServiceAutoDiscoveryTemplateArgs{
+			Config:     r.Config,
+			ScanConfig: r.Config.ServiceAutoDiscoveryConfig.ScanConfig,
+			Cluster:    r.Config.Cluster,
+			Target:     service.ObjectMeta,
+			Service:    service,
+			Namespace:  namespace,
+			Host:       host,
+		}
+		scanSpec := util.GenerateScanSpec(r.Config.ServiceAutoDiscoveryConfig.ScanConfig, templateArgs)
+
 		if apierrors.IsNotFound(err) {
 			// service was never scanned
 			log.Info("Discovered new unscanned service, scanning it now", "service", service.Name, "namespace", service.Namespace)
 
 			// label is added after the initial query as it was added later and isn't garanteed to be on every auto-discovery managed scan.
 			versionedLabels["app.kubernetes.io/managed-by"] = "securecodebox-autodiscovery"
-			versionedLabels = addLabels(versionedLabels, r.Config, service, namespace)
+			versionedLabels = generateScanLabels(versionedLabels, r.Config.ServiceAutoDiscoveryConfig.ScanConfig, templateArgs)
 
 			// No scan for this pod digest yet. Scanning now
 			scan := executionv1.ScheduledScan{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:        fmt.Sprintf("%s-service-port-%d", service.Name, host.Port),
 					Namespace:   service.Namespace,
 					Labels:      versionedLabels,
-					Annotations: generateScanAnnotations(r.Config.ServiceAutoDiscoveryConfig.ScanConfig, r.Config.Cluster, service, namespace),
+					Annotations: generateScanAnnotations(service.Annotations, r.Config.ServiceAutoDiscoveryConfig.ScanConfig, templateArgs),
 				},
-				Spec: generateScanSpec(r.Config, r.Config.ServiceAutoDiscoveryConfig.ScanConfig, host, service, namespace),
+				Spec: scanSpec,
 			}
 
 			// Ensure ScanType actually exists
@@ -181,11 +203,11 @@ func (r *ServiceScanReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 			// label is added after the initial query as it was added later and isn't garanteed to be on every auto-discovery managed scan.
 			versionedLabels["app.kubernetes.io/managed-by"] = "securecodebox-autodiscovery"
-			versionedLabels = addLabels(versionedLabels, r.Config, service, namespace)
+			versionedLabels = generateScanLabels(versionedLabels, r.Config.ServiceAutoDiscoveryConfig.ScanConfig, templateArgs)
 
 			previousScan.ObjectMeta.Labels = versionedLabels
-			previousScan.ObjectMeta.Annotations = generateScanAnnotations(r.Config.ServiceAutoDiscoveryConfig.ScanConfig, r.Config.Cluster, service, namespace)
-			previousScan.Spec = generateScanSpec(r.Config, r.Config.ServiceAutoDiscoveryConfig.ScanConfig, host, service, namespace)
+			previousScan.ObjectMeta.Annotations = generateScanAnnotations(service.Annotations, r.Config.ServiceAutoDiscoveryConfig.ScanConfig, templateArgs)
+			previousScan.Spec = scanSpec
 
 			log.V(8).Info("Updating previousScan Spec")
 			err := r.Update(ctx, &previousScan)
@@ -363,19 +385,12 @@ podLoop:
 	return false
 }
 
-func generateScanAnnotations(scanConfig configv1.ScanConfig, clusterConfig configv1.ClusterConfig, service corev1.Service, namespace corev1.Namespace) map[string]string {
-	templateArgs := util.TemplateArgs{
-		Target:    service.ObjectMeta,
-		Namespace: namespace.ObjectMeta,
-		Cluster: util.Cluster{
-			Name: clusterConfig.Name,
-		},
-	}
+func generateScanAnnotations(currentAnnotations map[string]string, scanConfig configv1.ScanConfig, templateArgs ServiceAutoDiscoveryTemplateArgs) map[string]string {
 	annotations := util.ParseMapTemplate(templateArgs, scanConfig.Annotations)
 
 	// Copy over securecodebox.io annotations to the created scan
 	re := regexp.MustCompile(`.*securecodebox\.io/.*`)
-	for key, value := range service.Annotations {
+	for key, value := range currentAnnotations {
 		if matches := re.MatchString(key); matches {
 			annotations[key] = value
 		}
@@ -384,45 +399,8 @@ func generateScanAnnotations(scanConfig configv1.ScanConfig, clusterConfig confi
 
 }
 
-// Takes in both autoDiscoveryConfig and scanConfig as this function might be used by other controllers in the future, which can then pass in the their relevant scanConfig into this function
-func generateScanSpec(autoDiscoveryConfig configv1.AutoDiscoveryConfig, scanConfig configv1.ScanConfig, host HostPort, service corev1.Service, namespace corev1.Namespace) executionv1.ScheduledScanSpec {
-	type TemplateArgs struct {
-		Config     configv1.AutoDiscoveryConfig
-		ScanConfig configv1.ScanConfig
-		Service    corev1.Service
-		Namespace  corev1.Namespace
-		Host       HostPort
-	}
-	parameters := scanConfig.Parameters
-
-	templateArgs := TemplateArgs{
-		Config:    autoDiscoveryConfig,
-		Service:   service,
-		Namespace: namespace,
-		Host:      host,
-	}
-
-	params := util.ParseListTemplate(templateArgs, parameters)
-
-	scheduledScanSpec := executionv1.ScheduledScanSpec{
-		Interval: scanConfig.RepeatInterval,
-		ScanSpec: &executionv1.ScanSpec{
-			ScanType:   scanConfig.ScanType,
-			Parameters: params,
-		},
-		RetriggerOnScanTypeChange: true,
-	}
-
-	return scheduledScanSpec
-}
-
-func addLabels(currentLabels map[string]string, config configv1.AutoDiscoveryConfig, service corev1.Service, namespace corev1.Namespace) map[string]string {
-	data := util.TemplateArgs{
-		Target:    service.ObjectMeta,
-		Namespace: namespace.ObjectMeta,
-		Cluster:   util.Cluster(config.Cluster),
-	}
-	newLabels := util.ParseMapTemplate(data, config.ServiceAutoDiscoveryConfig.ScanConfig.Labels)
+func generateScanLabels(currentLabels map[string]string, scanConfig configv1.ScanConfig, templateArgs ServiceAutoDiscoveryTemplateArgs) map[string]string {
+	newLabels := util.ParseMapTemplate(templateArgs, scanConfig.Labels)
 
 	for key, value := range newLabels {
 		currentLabels[key] = value