From a6275b2cb251157bb19193386631f379e00e3a36 Mon Sep 17 00:00:00 2001
From: Samreet Singh
Date: Thu, 11 Apr 2024 14:00:14 +0200
Subject: [PATCH 1/3] #2024 Removed OWASP references from the ZAP documentation due to ZAP moving to the Software Security Project

Signed-off-by: Samreet Singh
---
 scanners/zap/.helm-docs.gotmpl | 5 ++---
 scanners/zap/Chart.yaml | 3 +--
 scanners/zap/examples/demo-bodgeit-baseline-scan/scan.yaml | 2 --
 scanners/zap/examples/demo-bodgeit-full-scan/scan.yaml | 2 --
 .../zap/examples/demo-juice-shop-baseline-scan/scan.yaml | 2 --
 scanners/zap/examples/demo-juice-shop-full-scan/scan.yaml | 2 --
 scanners/zap/examples/demo-nginx-automation-scan/scan.yaml | 2 --
 scanners/zap/examples/demo-petstore-api-scan/scan.yaml | 2 --
 8 files changed, 3 insertions(+), 17 deletions(-)

diff --git a/scanners/zap/.helm-docs.gotmpl b/scanners/zap/.helm-docs.gotmpl
index aa7f23464b..0abcd4af9b 100644
--- a/scanners/zap/.helm-docs.gotmpl
+++ b/scanners/zap/.helm-docs.gotmpl
@@ -25,9 +25,9 @@ usecase: "WebApp & OpenAPI Vulnerability Scanner"
 {{- end }}
 {{- define "extra.chartAboutSection" -}}
-## What is OWASP ZAP?
+## What is ZAP?
-The [OWASP Zed Attack Proxy (ZAP)][zap owasp project] is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
+The Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
 To learn more about the ZAP scanner itself visit [https://www.zaproxy.org/](https://www.zaproxy.org/).
 To learn more about the ZAP Automation Framework itself visit [https://www.zaproxy.org/docs/desktop/addons/automation-framework/](https://www.zaproxy.org/docs/desktop/addons/automation-framework/).
@@ -245,7 +245,6 @@ Alternatively, have a look at the [official documentation](https://www.zaproxy.o
 {{- end }}
 {{- define "extra.scannerLinksSection" -}}
-[zap owasp project]: https://owasp.org/www-project-zap/
 [zap github]: https://github.com/zaproxy/zaproxy/
 [zap user guide]: https://www.zaproxy.org/docs/
 [zap automation framework]: https://www.zaproxy.org/docs/desktop/addons/automation-framework/
diff --git a/scanners/zap/Chart.yaml b/scanners/zap/Chart.yaml
index 30d8670d33..9cfe016a26 100644
--- a/scanners/zap/Chart.yaml
+++ b/scanners/zap/Chart.yaml
@@ -4,7 +4,7 @@
 apiVersion: v2
 name: zap
-description: A Helm chart for the OWASP ZAP security scanner that integrates with the secureCodeBox.
+description: A Helm chart for the ZAP security scanner that integrates with the secureCodeBox.
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: v3.1.0-alpha1
@@ -16,7 +16,6 @@ annotations:
 keywords:
 - security
 - Zap
- - OWASP
 - scanner
 - secureCodeBox
 home: https://www.securecodebox.io/docs/scanners/ZAP
diff --git a/scanners/zap/examples/demo-bodgeit-baseline-scan/scan.yaml b/scanners/zap/examples/demo-bodgeit-baseline-scan/scan.yaml
index 1af10a1563..8f1b39a18e 100644
--- a/scanners/zap/examples/demo-bodgeit-baseline-scan/scan.yaml
+++ b/scanners/zap/examples/demo-bodgeit-baseline-scan/scan.yaml
@@ -6,8 +6,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-baseline-scan-bodgeit"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-baseline-scan"
 parameters:
diff --git a/scanners/zap/examples/demo-bodgeit-full-scan/scan.yaml b/scanners/zap/examples/demo-bodgeit-full-scan/scan.yaml
index 265068a051..cf919c0a31 100644
--- a/scanners/zap/examples/demo-bodgeit-full-scan/scan.yaml
+++ b/scanners/zap/examples/demo-bodgeit-full-scan/scan.yaml
@@ -6,8 +6,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-full-scan-bodgeit"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-full-scan"
 parameters:
diff --git a/scanners/zap/examples/demo-juice-shop-baseline-scan/scan.yaml b/scanners/zap/examples/demo-juice-shop-baseline-scan/scan.yaml
index 989a01846f..8049cf4ca6 100644
--- a/scanners/zap/examples/demo-juice-shop-baseline-scan/scan.yaml
+++ b/scanners/zap/examples/demo-juice-shop-baseline-scan/scan.yaml
@@ -6,8 +6,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-baseline-scan-juiceshop"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-baseline-scan"
 parameters:
diff --git a/scanners/zap/examples/demo-juice-shop-full-scan/scan.yaml b/scanners/zap/examples/demo-juice-shop-full-scan/scan.yaml
index 49fae8945b..ef3c7156de 100644
--- a/scanners/zap/examples/demo-juice-shop-full-scan/scan.yaml
+++ b/scanners/zap/examples/demo-juice-shop-full-scan/scan.yaml
@@ -6,8 +6,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-full-scan-juiceshop"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-full-scan"
 parameters:
diff --git a/scanners/zap/examples/demo-nginx-automation-scan/scan.yaml b/scanners/zap/examples/demo-nginx-automation-scan/scan.yaml
index 27aac1a4bb..c09d3e4a50 100644
--- a/scanners/zap/examples/demo-nginx-automation-scan/scan.yaml
+++ b/scanners/zap/examples/demo-nginx-automation-scan/scan.yaml
@@ -60,8 +60,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-automation-scan-juice-shop"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-automation-scan"
 parameters:
diff --git a/scanners/zap/examples/demo-petstore-api-scan/scan.yaml b/scanners/zap/examples/demo-petstore-api-scan/scan.yaml
index a49f579c91..9c4db43d9e 100644
--- a/scanners/zap/examples/demo-petstore-api-scan/scan.yaml
+++ b/scanners/zap/examples/demo-petstore-api-scan/scan.yaml
@@ -6,8 +6,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-api-petstore"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-api-scan"
 parameters:

From 8b2888ecf53568e0182e6be0aecc4bbfdda83b66 Mon Sep 17 00:00:00 2001
From: Samreet Singh
Date: Thu, 11 Apr 2024 14:09:05 +0200
Subject: [PATCH 2/3] #2024 Removed OWASP references from the ZAP-advanced documentation due to ZAP moving to the Software Security Project
Signed-off-by: Samreet Singh
---
 scanners/zap-advanced/.helm-docs.gotmpl | 15 +++++++--------
 .../demo-bodgeit-scan-authenticated/scan.yaml | 2 --
 .../demo-bodgeit-scan-unauthenticated/scan.yaml | 2 --
 .../demo-juiceshop-scan-authenticated/scan.yaml | 2 --
 .../demo-juiceshop-scan-unauthenticated/scan.yaml | 2 --
 .../scan.yaml | 2 --
 .../demo-petstoreapi-scan-authenticated/scan.yaml | 2 --
 .../scan.yaml | 2 --
 .../examples/secureCodeBox.io-scan/scan.yaml | 2 --
 9 files changed, 7 insertions(+), 24 deletions(-)

diff --git a/scanners/zap-advanced/.helm-docs.gotmpl b/scanners/zap-advanced/.helm-docs.gotmpl
index 9a40e9f115..5ab32572e7 100644
--- a/scanners/zap-advanced/.helm-docs.gotmpl
+++ b/scanners/zap-advanced/.helm-docs.gotmpl
@@ -25,9 +25,9 @@ usecase: "WebApp & OpenAPI Vulnerability Scanner extend with authentication feat
 {{- end }}
 {{- define "extra.chartAboutSection" -}}
-## What is OWASP ZAP?
+## What is ZAP?
-The [OWASP Zed Attack Proxy (ZAP)][zap owasp project] is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
+The Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
 To learn more about the ZAP scanner itself visit [https://www.zaproxy.org/](https://www.zaproxy.org/).
 {{- end }}
@@ -42,7 +42,7 @@ The command line interface can be used to easily run server scans: `-t www.examp
 ```bash
 usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD]
-OWASP secureCodeBox OWASP ZAP Client (can be used to automate OWASP ZAP instances based on YAML configuration files.)
+OWASP secureCodeBox ZAP Client (can be used to automate ZAP instances based on YAML configuration files.)
 optional arguments:
 -h, --help show this help message and exit
@@ -51,13 +51,13 @@ optional arguments:
 -a API_KEY, --api-key API_KEY
 The ZAP API Key used to call the ZAP API.
 -c CONFIG_FOLDER, --config-folder CONFIG_FOLDER
- The path to a local folder containing the additional ZAP configuration YAMLs used to configure OWASP ZAP.
+ The path to a local folder containing the additional ZAP configuration YAMLs used to configure ZAP.
 -t TARGET, --target TARGET
- The target to scan with OWASP ZAP.
+ The target to scan with ZAP.
 -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER
 The path to a local folder used to store the output files, eg. the ZAP Report or logfiles.
 -r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD, --report-type XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD
- The OWASP ZAP Report Type.
+ The ZAP Report Type.
 ```
 {{- end }}
@@ -88,7 +88,7 @@ Additionally, there will be some ZAP Scripts included, these are stored in the c
 │This CM contains ZAP session │ │ ▼ │ │A YAML configuration for ZAP that │
 │scripts that are already included │ │ │ ┌───────────────────┐ │ │ │relates to a single scan execution. │
 │within the zap-advanced scanner. │ │ │ │ │ │- can by used for selected scans │
-│Feel free to add your own. │────────┼─────┼─▶│ OWASP ZAP Proxy │ │ │ │- not created by default │
+│Feel free to add your own. │────────┼─────┼─▶│ ZAP Proxy │ │ │ │- not created by default │
 │ │ │ │ │ └───────│- add your scan target specific config │
 │ConfigMap: zap-scripts-session │ │ │ └───────────────────┘ │ │- needs to be referenced in Scan │
 └──────────────────────────────────────┘ │ │- please use SecretMap for credentials! │
@@ -459,7 +459,6 @@ zapConfiguration:
 {{- end }}
 {{- define "extra.scannerLinksSection" -}}
-[zap owasp project]: https://owasp.org/www-project-zap/
 [zap github]: https://github.com/zaproxy/zaproxy/
 [zap user guide]: https://www.zaproxy.org/docs/
 {{- end }}
diff --git a/scanners/zap-advanced/examples/demo-bodgeit-scan-authenticated/scan.yaml b/scanners/zap-advanced/examples/demo-bodgeit-scan-authenticated/scan.yaml
index c089be246c..3e83112693 100644
--- a/scanners/zap-advanced/examples/demo-bodgeit-scan-authenticated/scan.yaml
+++ b/scanners/zap-advanced/examples/demo-bodgeit-scan-authenticated/scan.yaml
@@ -102,8 +102,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-authenticated-full-scan-bodgeit"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-advanced-scan"
 parameters:
diff --git a/scanners/zap-advanced/examples/demo-bodgeit-scan-unauthenticated/scan.yaml b/scanners/zap-advanced/examples/demo-bodgeit-scan-unauthenticated/scan.yaml
index 51a9422557..6fbcd6e4db 100644
--- a/scanners/zap-advanced/examples/demo-bodgeit-scan-unauthenticated/scan.yaml
+++ b/scanners/zap-advanced/examples/demo-bodgeit-scan-unauthenticated/scan.yaml
@@ -51,8 +51,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-authenticated-baseline-scan-bodgeit"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-advanced-scan"
 parameters:
diff --git a/scanners/zap-advanced/examples/demo-juiceshop-scan-authenticated/scan.yaml b/scanners/zap-advanced/examples/demo-juiceshop-scan-authenticated/scan.yaml
index 492662f2f0..bfec98bf10 100644
--- a/scanners/zap-advanced/examples/demo-juiceshop-scan-authenticated/scan.yaml
+++ b/scanners/zap-advanced/examples/demo-juiceshop-scan-authenticated/scan.yaml
@@ -116,8 +116,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-authenticated-full-scan-juiceshop"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-advanced-scan"
 parameters:
diff --git a/scanners/zap-advanced/examples/demo-juiceshop-scan-unauthenticated/scan.yaml b/scanners/zap-advanced/examples/demo-juiceshop-scan-unauthenticated/scan.yaml
index bed4c2f5f4..a139341d7c 100644
--- a/scanners/zap-advanced/examples/demo-juiceshop-scan-unauthenticated/scan.yaml
+++ b/scanners/zap-advanced/examples/demo-juiceshop-scan-unauthenticated/scan.yaml
@@ -76,8 +76,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-authenticated-baseline-scan-juiceshop"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-advanced-scan"
 parameters:
diff --git a/scanners/zap-advanced/examples/demo-petstoreapi-scan-authenticated-no-hardcoded-urls/scan.yaml b/scanners/zap-advanced/examples/demo-petstoreapi-scan-authenticated-no-hardcoded-urls/scan.yaml
index 69e4fd8b98..a4b119dbaa 100644
--- a/scanners/zap-advanced/examples/demo-petstoreapi-scan-authenticated-no-hardcoded-urls/scan.yaml
+++ b/scanners/zap-advanced/examples/demo-petstoreapi-scan-authenticated-no-hardcoded-urls/scan.yaml
@@ -52,8 +52,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-advanced-api-scan-petstore"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-advanced-scan"
 parameters:
diff --git a/scanners/zap-advanced/examples/demo-petstoreapi-scan-authenticated/scan.yaml b/scanners/zap-advanced/examples/demo-petstoreapi-scan-authenticated/scan.yaml
index a6ad76b47a..43212c5f22 100644
--- a/scanners/zap-advanced/examples/demo-petstoreapi-scan-authenticated/scan.yaml
+++ b/scanners/zap-advanced/examples/demo-petstoreapi-scan-authenticated/scan.yaml
@@ -127,8 +127,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-advanced-api-scan-petstore"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-advanced-scan"
 parameters:
diff --git a/scanners/zap-advanced/examples/demo-petstoreapi-scan-unauthenticated/scan.yaml b/scanners/zap-advanced/examples/demo-petstoreapi-scan-unauthenticated/scan.yaml
index 03d9227452..f6973c87fb 100644
--- a/scanners/zap-advanced/examples/demo-petstoreapi-scan-unauthenticated/scan.yaml
+++ b/scanners/zap-advanced/examples/demo-petstoreapi-scan-unauthenticated/scan.yaml
@@ -110,8 +110,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-api-baseline-scan-petstore"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-advanced-scan"
 parameters:
diff --git a/scanners/zap-advanced/examples/secureCodeBox.io-scan/scan.yaml b/scanners/zap-advanced/examples/secureCodeBox.io-scan/scan.yaml
index 23f14265d0..910b116a49 100644
--- a/scanners/zap-advanced/examples/secureCodeBox.io-scan/scan.yaml
+++ b/scanners/zap-advanced/examples/secureCodeBox.io-scan/scan.yaml
@@ -7,8 +7,6 @@ apiVersion: "execution.securecodebox.io/v1"
 kind: Scan
 metadata:
 name: "zap-advanced-scan-securecodebox"
- labels:
- organization: "OWASP"
 spec:
 scanType: "zap-advanced-scan"
 parameters:

From b03a87f4da359699d086199d90098032f3b11a73 Mon Sep 17 00:00:00 2001
From: Samreet Singh
Date: Thu, 18 Apr 2024 18:27:50 +0200
Subject: [PATCH 3/3] #2024 Changed remaining occcurances from OWASP ZAP in the documentation

This commit also includes the removal of OWASP in the auto-discovery, blog and how-tos

Signed-off-by: Samreet Singh
---
 auto-discovery/kubernetes/.helm-docs.gotmpl | 4 +-
 auto-discovery/kubernetes/README.md | 98 +++++++--------
 .../kubernetes/docs/README.ArtifactHub.md | 96 +++++++--------
 .../kubernetes/docs/README.DockerHub-Core.md | 2 +-
 auto-discovery/readme.md | 2 +-
 ...-09-01-automate-zap-with-authentication.md | 2 +-
 documentation/docs/auto-discovery/overview.md | 2 +-
 .../docs/how-tos/scanning-web-applications.md | 2 +-
 scanners/zap-advanced/Chart.yaml | 2 +-
 scanners/zap-advanced/README.md | 116 +++++++++---------
 .../zap-advanced/docs/README.ArtifactHub.md | 116 +++++++++---------
 .../docs/README.DockerHub-Scanner.md | 10 +-
 .../scanner/zapclient/__main__.py | 8 +-
 scanners/zap/README.md | 78 ++++++------
 scanners/zap/docs/README.ArtifactHub.md | 78 ++++++------
 scanners/zap/docs/README.DockerHub-Parser.md | 2 +-
 16 files changed, 309 insertions(+), 309 deletions(-)

diff --git a/auto-discovery/kubernetes/.helm-docs.gotmpl b/auto-discovery/kubernetes/.helm-docs.gotmpl
index 38f8985452..29f26736d7 100644
--- a/auto-discovery/kubernetes/.helm-docs.gotmpl
+++ b/auto-discovery/kubernetes/.helm-docs.gotmpl
@@ -23,7 +23,7 @@ The Kubernetes AutoDiscovery needs to be deployed along side the secureCodeBox O
 The AutoDiscovery controller will automatically detect these new resources (services and containers) and start secureCodeBox _scans_ for them:
-1. A ZAP Baseline Scan to detect basic web vulnerabilities in the service. (Using OWASP ZAP)
+1. A ZAP Baseline Scan to detect basic web vulnerabilities in the service. (Using ZAP)
 2. An image scan scanning for vulnerable libraries in the docker / container image of the deployment. (Using trivy)
 3. (WIP) A TLS Scan against the certificate of the ingress for the host. (Using SSLyze)
@@ -43,7 +43,7 @@ The AutoDiscovery automatically tracks the lifecycle of the kubernetes resources
 This example deploys [JuiceShop](https://owasp.org/www-project-juice-shop/) to a new Kubernetes Namespace. (You can find the kubernetes manifests for the deployment [here](./demo/juice-shop.yaml))
-The AutoDiscovery will automatically pick up this new deployment and then starts a OWASP ZAP Scan against it.
+The AutoDiscovery will automatically pick up this new deployment and then starts a ZAP Scan against it.
 The scan created uses our `zap-advanced` ScanType by default, this can be changed with the `config.serviceAutoDiscovery.scanConfig.scanType` config on the autoDiscovery helm release.
 When the ContainerAutoDiscovery is enabled, the AutoDiscovery can also create a trivy scan for each unique container image (having multiple pods with the same container will only create one scan). The scan type can be defined with `config.containerAutoDiscovery.scanConfig.scanType`.
diff --git a/auto-discovery/kubernetes/README.md b/auto-discovery/kubernetes/README.md
index a56739ab8e..c7bd28151b 100644
--- a/auto-discovery/kubernetes/README.md
+++ b/auto-discovery/kubernetes/README.md
@@ -16,7 +16,7 @@ The Kubernetes AutoDiscovery needs to be deployed along side the secureCodeBox O
 The AutoDiscovery controller will automatically detect these new resources (services and containers) and start secureCodeBox _scans_ for them:
-1. A ZAP Baseline Scan to detect basic web vulnerabilities in the service. (Using OWASP ZAP)
+1. A ZAP Baseline Scan to detect basic web vulnerabilities in the service. (Using ZAP)
 2. An image scan scanning for vulnerable libraries in the docker / container image of the deployment. (Using trivy)
 3. (WIP) A TLS Scan against the certificate of the ingress for the host. (Using SSLyze)
@@ -57,7 +57,7 @@ Otherwise your changes will be reverted/overwritten automatically due to the bui
 This example deploys [JuiceShop](https://owasp.org/www-project-juice-shop/) to a new Kubernetes Namespace. (You can find the kubernetes manifests for the deployment [here](./demo/juice-shop.yaml))
-The AutoDiscovery will automatically pick up this new deployment and then starts a OWASP ZAP Scan against it.
+The AutoDiscovery will automatically pick up this new deployment and then starts a ZAP Scan against it.
 The scan created uses our `zap-advanced` ScanType by default, this can be changed with the `config.serviceAutoDiscovery.scanConfig.scanType` config on the autoDiscovery helm release.
 When the ContainerAutoDiscovery is enabled, the AutoDiscovery can also create a trivy scan for each unique container image (having multiple pods with the same container will only create one scan). The scan type can be defined with `config.containerAutoDiscovery.scanConfig.scanType`.
@@ -130,53 +130,53 @@ kubectl -n juice-shop annotate service juice-shop auto-discovery.securecodebox.i ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| config.apiVersion | string | `"config.securecodebox.io/v1"` | | -| config.cluster.name | string | `"docker-desktop"` | | -| config.containerAutoDiscovery.enabled | bool | `false` | | -| config.containerAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every pod is re-checked for updates, currently used to periodically check if the configured scantype is installed in the namespace of the pod | -| config.containerAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating | -| config.containerAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | hookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. 
| -| config.containerAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating | -| config.containerAutoDiscovery.scanConfigs[0].name | string | `"trivy"` | unique name to distinguish scans | -| config.containerAutoDiscovery.scanConfigs[0].parameters | list | `["{{ .ImageID }}"]` | parameters used for the scans created by the containerAutoDiscovery, all parameters support templating | -| config.containerAutoDiscovery.scanConfigs[0].repeatInterval | string | `"168h"` | interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset. | -| config.containerAutoDiscovery.scanConfigs[0].scanType | string | `"trivy-image-autodiscovery"` | | -| config.containerAutoDiscovery.scanConfigs[0].volumeMounts | list | `[]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating | -| config.containerAutoDiscovery.scanConfigs[0].volumes | list | `[]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating | -| config.health.healthProbeBindAddress | string | `":8081"` | | -| config.imagePullSecretConfig.mapImagePullSecretsToEnvironmentVariables | bool | `true` | | -| config.imagePullSecretConfig.passwordEnvironmentVariableName | string | `"TRIVY_PASSWORD"` | | -| config.imagePullSecretConfig.usernameEnvironmentVariableName | string | `"TRIVY_USERNAME"` | | -| config.kind | string | `"AutoDiscoveryConfig"` | | -| config.leaderElection.leaderElect | bool | `true` | | -| config.leaderElection.resourceName | string | `"0e41a1f4.securecodebox.io"` | | 
-| config.metrics.bindAddress | string | `"127.0.0.1:8080"` | | -| config.resourceInclusion.mode | string | `"enabled-per-namespace"` | | -| config.serviceAutoDiscovery.enabled | bool | `true` | | -| config.serviceAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every service is re-checked for updated pods, if service object is updated directly this the service will get reconciled immediately | -| config.serviceAutoDiscovery.scanConfigs[0] | object | `{"annotations":{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"},"hookSelector":{},"labels":{},"name":"zap","parameters":["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"],"repeatInterval":"168h","scanType":"zap-advanced-scan","volumeMounts":[],"volumes":[]}` | scanType used for the scans created by the serviceAutoDiscovery | -| config.serviceAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating | -| config.serviceAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | HookSelector allows to 
specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. | -| config.serviceAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating | -| config.serviceAutoDiscovery.scanConfigs[0].name | string | `"zap"` | unique name to distinguish scans | -| config.serviceAutoDiscovery.scanConfigs[0].parameters | list | `["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"]` | parameters used for the scans created by the serviceAutoDiscovery, all parameters support templating | -| config.serviceAutoDiscovery.scanConfigs[0].repeatInterval | string | `"168h"` | interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset. | -| config.serviceAutoDiscovery.scanConfigs[0].volumeMounts | list | `[]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating | -| config.serviceAutoDiscovery.scanConfigs[0].volumes | list | `[]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating | -| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. 
Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| image.repository | string | `"securecodebox/auto-discovery-kubernetes"` | | -| image.tag | string | `nil` | | -| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | -| podSecurityContext | object | `{}` | Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container | -| resources | object | `{"limits":{"cpu":"100m","memory":"100Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Sets the securityContext on the operators container level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | -| securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | -| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the operator container. 
They are not required | -| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privileged mode | -| securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | -| securityContext.runAsNonRoot | bool | `true` | Enforces that the Operator image is run as a non root user | +| Key | Type | Default | Description | +| ---------------------------------------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| config.apiVersion | string | `"config.securecodebox.io/v1"` | | +| config.cluster.name | string | `"docker-desktop"` | | +| config.containerAutoDiscovery.enabled | bool | `false` | | +| config.containerAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every pod is re-checked for updates, currently used to periodically check if the configured scantype is installed in the namespace of the pod | +| config.containerAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` 
}}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating | +| config.containerAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | hookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. | +| config.containerAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating | +| config.containerAutoDiscovery.scanConfigs[0].name | string | `"trivy"` | unique name to distinguish scans | +| config.containerAutoDiscovery.scanConfigs[0].parameters | list | `["{{ .ImageID }}"]` | parameters used for the scans created by the containerAutoDiscovery, all parameters support templating | +| config.containerAutoDiscovery.scanConfigs[0].repeatInterval | string | `"168h"` | interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset. 
| +| config.containerAutoDiscovery.scanConfigs[0].scanType | string | `"trivy-image-autodiscovery"` | | +| config.containerAutoDiscovery.scanConfigs[0].volumeMounts | list | `[]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating | +| config.containerAutoDiscovery.scanConfigs[0].volumes | list | `[]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating | +| config.health.healthProbeBindAddress | string | `":8081"` | | +| config.imagePullSecretConfig.mapImagePullSecretsToEnvironmentVariables | bool | `true` | | +| config.imagePullSecretConfig.passwordEnvironmentVariableName | string | `"TRIVY_PASSWORD"` | | +| config.imagePullSecretConfig.usernameEnvironmentVariableName | string | `"TRIVY_USERNAME"` | | +| config.kind | string | `"AutoDiscoveryConfig"` | | +| config.leaderElection.leaderElect | bool | `true` | | +| config.leaderElection.resourceName | string | `"0e41a1f4.securecodebox.io"` | | +| config.metrics.bindAddress | string | `"127.0.0.1:8080"` | | +| config.resourceInclusion.mode | string | `"enabled-per-namespace"` | | +| config.serviceAutoDiscovery.enabled | bool | `true` | | +| config.serviceAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every service is re-checked for updated pods, if service object is updated directly this the service will get reconciled immediately | +| config.serviceAutoDiscovery.scanConfigs[0] | object | `{"annotations":{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` 
}}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"},"hookSelector":{},"labels":{},"name":"zap","parameters":["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"],"repeatInterval":"168h","scanType":"zap-advanced-scan","volumeMounts":[],"volumes":[]}` | scanType used for the scans created by the serviceAutoDiscovery | +| config.serviceAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating | +| config.serviceAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | HookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. 
| +| config.serviceAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating | +| config.serviceAutoDiscovery.scanConfigs[0].name | string | `"zap"` | unique name to distinguish scans | +| config.serviceAutoDiscovery.scanConfigs[0].parameters | list | `["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"]` | parameters used for the scans created by the serviceAutoDiscovery, all parameters support templating | +| config.serviceAutoDiscovery.scanConfigs[0].repeatInterval | string | `"168h"` | interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset. | +| config.serviceAutoDiscovery.scanConfigs[0].volumeMounts | list | `[]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating | +| config.serviceAutoDiscovery.scanConfigs[0].volumes | list | `[]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating | +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | +| image.repository | string | `"securecodebox/auto-discovery-kubernetes"` | | +| image.tag | string | `nil` | | +| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | +| podSecurityContext | object | `{}` | Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container | +| resources | object | `{"limits":{"cpu":"100m","memory":"100Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Sets the securityContext on the operators container level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | +| securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | +| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the operator container. They are not required | +| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privileged mode | +| securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | +| securityContext.runAsNonRoot | bool | `true` | Enforces that the Operator image is run as a non root user | ## License [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 
diff --git a/auto-discovery/kubernetes/docs/README.ArtifactHub.md b/auto-discovery/kubernetes/docs/README.ArtifactHub.md
index b31355315e..64c8d81833 100644
--- a/auto-discovery/kubernetes/docs/README.ArtifactHub.md
+++ b/auto-discovery/kubernetes/docs/README.ArtifactHub.md
@@ -49,7 +49,7 @@ You can find resources to help you get started on our [documentation website](ht
 This example deploys [JuiceShop](https://owasp.org/www-project-juice-shop/) to a new Kubernetes Namespace. (You can find the kubernetes manifests for the deployment [here](./demo/juice-shop.yaml))
-The AutoDiscovery will automatically pick up this new deployment and then starts a OWASP ZAP Scan against it.
+The AutoDiscovery will automatically pick up this new deployment and then starts a ZAP Scan against it.
 The scan created uses our `zap-advanced` ScanType by default, this can be changed with the `config.serviceAutoDiscovery.scanConfig.scanType` config on the autoDiscovery helm release.
 When the ContainerAutoDiscovery is enabled, the AutoDiscovery can also create a trivy scan for each unique container image (having multiple pods with the same container will only create one scan). The scan type can be defined with `config.containerAutoDiscovery.scanConfig.scanType`.
@@ -122,53 +122,53 @@ kubectl -n juice-shop annotate service juice-shop auto-discovery.securecodebox.i ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| config.apiVersion | string | `"config.securecodebox.io/v1"` | | -| config.cluster.name | string | `"docker-desktop"` | | -| config.containerAutoDiscovery.enabled | bool | `false` | | -| config.containerAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every pod is re-checked for updates, currently used to periodically check if the configured scantype is installed in the namespace of the pod | -| config.containerAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating | -| config.containerAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | hookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. 
| -| config.containerAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating | -| config.containerAutoDiscovery.scanConfigs[0].name | string | `"trivy"` | unique name to distinguish scans | -| config.containerAutoDiscovery.scanConfigs[0].parameters | list | `["{{ .ImageID }}"]` | parameters used for the scans created by the containerAutoDiscovery, all parameters support templating | -| config.containerAutoDiscovery.scanConfigs[0].repeatInterval | string | `"168h"` | interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset. | -| config.containerAutoDiscovery.scanConfigs[0].scanType | string | `"trivy-image-autodiscovery"` | | -| config.containerAutoDiscovery.scanConfigs[0].volumeMounts | list | `[]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating | -| config.containerAutoDiscovery.scanConfigs[0].volumes | list | `[]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating | -| config.health.healthProbeBindAddress | string | `":8081"` | | -| config.imagePullSecretConfig.mapImagePullSecretsToEnvironmentVariables | bool | `true` | | -| config.imagePullSecretConfig.passwordEnvironmentVariableName | string | `"TRIVY_PASSWORD"` | | -| config.imagePullSecretConfig.usernameEnvironmentVariableName | string | `"TRIVY_USERNAME"` | | -| config.kind | string | `"AutoDiscoveryConfig"` | | -| config.leaderElection.leaderElect | bool | `true` | | -| config.leaderElection.resourceName | string | `"0e41a1f4.securecodebox.io"` | | 
-| config.metrics.bindAddress | string | `"127.0.0.1:8080"` | | -| config.resourceInclusion.mode | string | `"enabled-per-namespace"` | | -| config.serviceAutoDiscovery.enabled | bool | `true` | | -| config.serviceAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every service is re-checked for updated pods, if service object is updated directly this the service will get reconciled immediately | -| config.serviceAutoDiscovery.scanConfigs[0] | object | `{"annotations":{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"},"hookSelector":{},"labels":{},"name":"zap","parameters":["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"],"repeatInterval":"168h","scanType":"zap-advanced-scan","volumeMounts":[],"volumes":[]}` | scanType used for the scans created by the serviceAutoDiscovery | -| config.serviceAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating | -| config.serviceAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | HookSelector allows to 
specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. | -| config.serviceAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating | -| config.serviceAutoDiscovery.scanConfigs[0].name | string | `"zap"` | unique name to distinguish scans | -| config.serviceAutoDiscovery.scanConfigs[0].parameters | list | `["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"]` | parameters used for the scans created by the serviceAutoDiscovery, all parameters support templating | -| config.serviceAutoDiscovery.scanConfigs[0].repeatInterval | string | `"168h"` | interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset. | -| config.serviceAutoDiscovery.scanConfigs[0].volumeMounts | list | `[]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating | -| config.serviceAutoDiscovery.scanConfigs[0].volumes | list | `[]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating | -| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. 
Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| image.repository | string | `"securecodebox/auto-discovery-kubernetes"` | | -| image.tag | string | `nil` | | -| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | -| podSecurityContext | object | `{}` | Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container | -| resources | object | `{"limits":{"cpu":"100m","memory":"100Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Sets the securityContext on the operators container level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | -| securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | -| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the operator container. 
They are not required | -| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privileged mode | -| securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | -| securityContext.runAsNonRoot | bool | `true` | Enforces that the Operator image is run as a non root user | +| Key | Type | Default | Description | +| ---------------------------------------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| config.apiVersion | string | `"config.securecodebox.io/v1"` | | +| config.cluster.name | string | `"docker-desktop"` | | +| config.containerAutoDiscovery.enabled | bool | `false` | | +| config.containerAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every pod is re-checked for updates, currently used to periodically check if the configured scantype is installed in the namespace of the pod | +| config.containerAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` 
}}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating | +| config.containerAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | hookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. | +| config.containerAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating | +| config.containerAutoDiscovery.scanConfigs[0].name | string | `"trivy"` | unique name to distinguish scans | +| config.containerAutoDiscovery.scanConfigs[0].parameters | list | `["{{ .ImageID }}"]` | parameters used for the scans created by the containerAutoDiscovery, all parameters support templating | +| config.containerAutoDiscovery.scanConfigs[0].repeatInterval | string | `"168h"` | interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset. 
| +| config.containerAutoDiscovery.scanConfigs[0].scanType | string | `"trivy-image-autodiscovery"` | | +| config.containerAutoDiscovery.scanConfigs[0].volumeMounts | list | `[]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating | +| config.containerAutoDiscovery.scanConfigs[0].volumes | list | `[]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating | +| config.health.healthProbeBindAddress | string | `":8081"` | | +| config.imagePullSecretConfig.mapImagePullSecretsToEnvironmentVariables | bool | `true` | | +| config.imagePullSecretConfig.passwordEnvironmentVariableName | string | `"TRIVY_PASSWORD"` | | +| config.imagePullSecretConfig.usernameEnvironmentVariableName | string | `"TRIVY_USERNAME"` | | +| config.kind | string | `"AutoDiscoveryConfig"` | | +| config.leaderElection.leaderElect | bool | `true` | | +| config.leaderElection.resourceName | string | `"0e41a1f4.securecodebox.io"` | | +| config.metrics.bindAddress | string | `"127.0.0.1:8080"` | | +| config.resourceInclusion.mode | string | `"enabled-per-namespace"` | | +| config.serviceAutoDiscovery.enabled | bool | `true` | | +| config.serviceAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every service is re-checked for updated pods, if service object is updated directly this the service will get reconciled immediately | +| config.serviceAutoDiscovery.scanConfigs[0] | object | `{"annotations":{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` 
}}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"},"hookSelector":{},"labels":{},"name":"zap","parameters":["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"],"repeatInterval":"168h","scanType":"zap-advanced-scan","volumeMounts":[],"volumes":[]}` | scanType used for the scans created by the serviceAutoDiscovery | +| config.serviceAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating | +| config.serviceAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | HookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. 
| +| config.serviceAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating | +| config.serviceAutoDiscovery.scanConfigs[0].name | string | `"zap"` | unique name to distinguish scans | +| config.serviceAutoDiscovery.scanConfigs[0].parameters | list | `["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"]` | parameters used for the scans created by the serviceAutoDiscovery, all parameters support templating | +| config.serviceAutoDiscovery.scanConfigs[0].repeatInterval | string | `"168h"` | interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset. | +| config.serviceAutoDiscovery.scanConfigs[0].volumeMounts | list | `[]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating | +| config.serviceAutoDiscovery.scanConfigs[0].volumes | list | `[]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating | +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | +| image.repository | string | `"securecodebox/auto-discovery-kubernetes"` | | +| image.tag | string | `nil` | | +| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | +| podSecurityContext | object | `{}` | Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container | +| resources | object | `{"limits":{"cpu":"100m","memory":"100Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Sets the securityContext on the operators container level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | +| securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | +| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the operator container. They are not required | +| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privileged mode | +| securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | +| securityContext.runAsNonRoot | bool | `true` | Enforces that the Operator image is run as a non root user | ## Contributing 
diff --git a/auto-discovery/kubernetes/docs/README.DockerHub-Core.md b/auto-discovery/kubernetes/docs/README.DockerHub-Core.md
index 19ed288979..2668749495 100644
--- a/auto-discovery/kubernetes/docs/README.DockerHub-Core.md
+++ b/auto-discovery/kubernetes/docs/README.DockerHub-Core.md
@@ -56,7 +56,7 @@ docker pull securecodebox/auto-discovery-kubernetes
 This example deploys [JuiceShop](https://owasp.org/www-project-juice-shop/) to a new Kubernetes Namespace. (You can find the kubernetes manifests for the deployment [here](./demo/juice-shop.yaml))
-The AutoDiscovery will automatically pick up this new deployment and then starts a OWASP ZAP Scan against it.
+The AutoDiscovery will automatically pick up this new deployment and then starts a ZAP Scan against it.
 The scan created uses our `zap-advanced` ScanType by default, this can be changed with the `config.serviceAutoDiscovery.scanConfig.scanType` config on the autoDiscovery helm release.
 When the ContainerAutoDiscovery is enabled, the AutoDiscovery can also create a trivy scan for each unique container image (having multiple pods with the same container will only create one scan). The scan type can be defined with `config.containerAutoDiscovery.scanConfig.scanType`.
diff --git a/auto-discovery/readme.md b/auto-discovery/readme.md
index 5ede30041f..b3bea983d8 100644
--- a/auto-discovery/readme.md
+++ b/auto-discovery/readme.md
@@ -17,4 +17,4 @@ The scans it would start:
 1. A image scan scanning for vulnerable libraries in the docker / container image of the deployment. (Using trivy)
 2. A TLS scan against the certificate of the ingress for the host. (Using SSLyze)
-3. A ZAP scan to detect basic web vulnerabilities in the service. (Using OWASP ZAP)
+3. A ZAP scan to detect basic web vulnerabilities in the service. (Using ZAP)
diff --git a/documentation/blog/2023-09-01-automate-zap-with-authentication.md b/documentation/blog/2023-09-01-automate-zap-with-authentication.md
index 2730317ba3..c6eaf9e311 100644
--- a/documentation/blog/2023-09-01-automate-zap-with-authentication.md
+++ b/documentation/blog/2023-09-01-automate-zap-with-authentication.md
@@ -15,7 +15,7 @@ authors:
 image_url: https://avatars.githubusercontent.com/u/1688580?v=4
 tags:
 - secureCodeBox
-- OWASP ZAP automation
+- ZAP automation
 - Authentication
 description: This post describes how to automate ZAP to authenticate against an API
 ---
diff --git a/documentation/docs/auto-discovery/overview.md b/documentation/docs/auto-discovery/overview.md
index 5fc4885b37..35823951b8 100644
--- a/documentation/docs/auto-discovery/overview.md
+++ b/documentation/docs/auto-discovery/overview.md
@@ -13,6 +13,6 @@ sidebar_position: 0
 The secureCodeBox (SCB) AutoDiscovery is an optional component that automates the process of setting up scheduled scans for Kubernetes resources inside a cluster. The AutoDiscovery will observe the scanned Kubernetes resources over their whole lifecycle. It will automatically create, update and delete scans when necessary.
 Currently the SCB AutoDiscovery supports two modes that can be enabled independently:
-- [Service AutoDiscovery](./service-auto-discovery): Creates scans for (http) services inside a kubernetes cluster. With it you can automatically start scanners like OWASP ZAP or nuclei for all web applications inside the cluster.
+- [Service AutoDiscovery](./service-auto-discovery): Creates scans for (http) services inside a kubernetes cluster. With it you can automatically start scanners like ZAP or nuclei for all web applications inside the cluster.
 - [Container AutoDiscovery](./container-auto-discovery): Creates scans for containers running inside a kubernetes cluster. This allows you to automatically create trivy container image scans for all container images inside a cluster.
diff --git a/documentation/docs/how-tos/scanning-web-applications.md b/documentation/docs/how-tos/scanning-web-applications.md
index 4128db8bf6..f542b17a44 100644
--- a/documentation/docs/how-tos/scanning-web-applications.md
+++ b/documentation/docs/how-tos/scanning-web-applications.md
@@ -4,7 +4,7 @@
 # SPDX-License-Identifier: Apache-2.0
 title: "Scanning Web Applications"
-description: "Automating OWASP ZAP with the secureCodeBox"
+description: "Automating ZAP with the secureCodeBox"
 sidebar_position: 3
 ---
diff --git a/scanners/zap-advanced/Chart.yaml b/scanners/zap-advanced/Chart.yaml
index afa3bbb08d..15640252f1 100644
--- a/scanners/zap-advanced/Chart.yaml
+++ b/scanners/zap-advanced/Chart.yaml
@@ -4,7 +4,7 @@
 apiVersion: v2
 name: zap-advanced
-description: A Helm chart for the OWASP ZAP (extended with advanced authentication features) security scanner that integrates with the secureCodeBox.
+description: A Helm chart for the ZAP (extended with advanced authentication features) security scanner that integrates with the secureCodeBox.
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: v3.1.0-alpha1
diff --git a/scanners/zap-advanced/README.md b/scanners/zap-advanced/README.md
index a9ab26706c..67101d6b95 100644
--- a/scanners/zap-advanced/README.md
+++ b/scanners/zap-advanced/README.md
@@ -35,7 +35,7 @@ Otherwise your changes will be reverted/overwritten automatically due to the bui
 Mastodon Follower

-## What is OWASP ZAP?
+## What is ZAP?
 The [OWASP Zed Attack Proxy (ZAP)][zap owasp project] is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
@@ -58,7 +58,7 @@ The command line interface can be used to easily run server scans: `-t www.examp
 ```bash
 usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD]
-OWASP secureCodeBox OWASP ZAP Client (can be used to automate OWASP ZAP instances based on YAML configuration files.)
+OWASP secureCodeBox ZAP Client (can be used to automate ZAP instances based on YAML configuration files.)
 optional arguments: -h, --help show this help message and exit
@@ -67,13 +67,13 @@ optional arguments:
 -a API_KEY, --api-key API_KEY The ZAP API Key used to call the ZAP API. -c CONFIG_FOLDER, --config-folder CONFIG_FOLDER
- The path to a local folder containing the additional ZAP configuration YAMLs used to configure OWASP ZAP.
+ The path to a local folder containing the additional ZAP configuration YAMLs used to configure ZAP.
 -t TARGET, --target TARGET
- The target to scan with OWASP ZAP.
+ The target to scan with ZAP.
 -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER The path to a local folder used to store the output files, eg. the ZAP Report or logfiles. -r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD, --report-type XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD
- The OWASP ZAP Report Type.
+ The ZAP Report Type.
 ```
 ## Requirements
@@ -106,7 +106,7 @@ Additionally, there will be some ZAP Scripts included, these are stored in the c │This CM contains ZAP session │ │ ▼ │ │A YAML configuration for ZAP that │ │scripts that are already included │ │ │ ┌───────────────────┐ │ │ │relates to a single scan execution. │ │within the zap-advanced scanner. │ │ │ │ │ │- can by used for selected scans │ -│Feel free to add your own. │────────┼─────┼─▶│ OWASP ZAP Proxy │ │ │ │- not created by default │ +│Feel free to add your own. │────────┼─────┼─▶│ ZAP Proxy │ │ │ │- not created by default │ │ │ │ │ │ └───────│- add your scan target specific config │ │ConfigMap: zap-scripts-session │ │ │ └───────────────────┘ │ │- needs to be referenced in Scan │ └──────────────────────────────────────┘ │ │- please use SecretMap for credentials! │ 
@@ -477,58 +477,58 @@ zapConfiguration: ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | -| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | -| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | -| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | -| parser.image.tag | string | defaults to the charts version | Parser image tag | -| parser.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | -| parser.resources | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. 
| -| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | -| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | -| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | -| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | -| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scanner.extraVolumeMounts | list | `[{"mountPath":"/home/securecodebox/configs/1-zap-advanced-scantype.yaml","name":"zap-advanced-scantype-config","readOnly":true,"subPath":"1-zap-advanced-scantype.yaml"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scanner.extraVolumes | list | `[{"configMap":{"name":"zap-advanced-scantype-config","optional":true},"name":"zap-advanced-scantype-config"},{"configMap":{"name":"zap-scripts-authentication"},"name":"zap-scripts-authentication"},{"configMap":{"name":"zap-scripts-session"},"name":"zap-scripts-session"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| scanner.image.repository | string | `"docker.io/securecodebox/scanner-zap-advanced"` | Container Image to run the scan | -| scanner.image.tag | string | `nil` | defaults to the charts version | -| scanner.nameAppend | string | `nil` | append a string to the default scantype name. | -| scanner.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | -| scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scanner.reportType | string | "XML" | Optional to configure the reportType of the scan ZAP Scan. Must be one of the supported formats: XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD | -| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | -| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. 
| -| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | -| scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | -| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | -| scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume ` or using a job scheduler like kueue | -| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | -| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| zapConfiguration | object | `{}` | All `scanType` specific configuration options. Feel free to add more configuration options. All configuration options can be overridden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options. 
| -| zapContainer.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| zapContainer.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | -| zapContainer.extraVolumeMounts | list | `[{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/authentication/","name":"zap-scripts-authentication","readOnly":true},{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/session/","name":"zap-scripts-session","readOnly":true}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| zapContainer.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| zapContainer.image.repository | string | `"softwaresecurityproject/zap-stable"` | Container Image to run the scan | -| zapContainer.image.tag | string | `nil` | defaults to the charts appVersion | -| zapContainer.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| zapContainer.securityContext.allowPrivilegeEscalation | bool | `false` | | -| zapContainer.securityContext.capabilities.drop[0] | string | `"all"` | | -| zapContainer.securityContext.privileged | bool | `false` | | -| zapContainer.securityContext.readOnlyRootFilesystem | bool | `false` | | -| zapContainer.securityContext.runAsNonRoot | bool | `false` | | +| Key | Type | Default | Description | +| ----------------------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | +| parser.affinity | object | `{}` | Optional affinity settings that 
control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | +| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | +| parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | +| parser.resources | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. 
To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[{"mountPath":"/home/securecodebox/configs/1-zap-advanced-scantype.yaml","name":"zap-advanced-scantype-config","readOnly":true,"subPath":"1-zap-advanced-scantype.yaml"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | 
`[{"configMap":{"name":"zap-advanced-scantype-config","optional":true},"name":"zap-advanced-scantype-config"},{"configMap":{"name":"zap-scripts-authentication"},"name":"zap-scripts-authentication"},{"configMap":{"name":"zap-scripts-session"},"name":"zap-scripts-session"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | +| scanner.image.repository | string | `"docker.io/securecodebox/scanner-zap-advanced"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts version | +| scanner.nameAppend | string | `nil` | append a string to the default scantype name. | +| scanner.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | +| scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.reportType | string | "XML" | Optional to configure the reportType of the scan ZAP Scan. 
Must be one of the supported formats: XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | +| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. | +| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | +| scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | +| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume ` or using a job scheduler like kueue | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| zapConfiguration | object | `{}` | All `scanType` specific configuration options. 
Feel free to add more configuration options. All configuration options can be overridden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options. | +| zapContainer.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| zapContainer.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | +| zapContainer.extraVolumeMounts | list | `[{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/authentication/","name":"zap-scripts-authentication","readOnly":true},{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/session/","name":"zap-scripts-session","readOnly":true}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| zapContainer.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | +| zapContainer.image.repository | string | `"softwaresecurityproject/zap-stable"` | Container Image to run the scan | +| zapContainer.image.tag | string | `nil` | defaults to the charts appVersion | +| zapContainer.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| zapContainer.securityContext.allowPrivilegeEscalation | bool | `false` | | +| zapContainer.securityContext.capabilities.drop[0] | string | `"all"` | | +| zapContainer.securityContext.privileged | bool | `false` | | +| zapContainer.securityContext.readOnlyRootFilesystem | bool | `false` | | +| zapContainer.securityContext.runAsNonRoot | bool | `false` | | ## License [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) diff --git a/scanners/zap-advanced/docs/README.ArtifactHub.md b/scanners/zap-advanced/docs/README.ArtifactHub.md index 6786646621..9deb6286a4 100644 --- a/scanners/zap-advanced/docs/README.ArtifactHub.md +++ b/scanners/zap-advanced/docs/README.ArtifactHub.md 
@@ -40,7 +40,7 @@ The secureCodeBox project is running on [Kubernetes](https://kubernetes.io/). To You can find resources to help you get started on our [documentation website](https://www.securecodebox.io) including instruction on how to [install the secureCodeBox project](https://www.securecodebox.io/docs/getting-started/installation) and guides to help you [run your first scans](https://www.securecodebox.io/docs/getting-started/first-scans) with it. -## What is OWASP ZAP? +## What is ZAP? The [OWASP Zed Attack Proxy (ZAP)][zap owasp project] is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing. @@ -63,7 +63,7 @@ The command line interface can be used to easily run server scans: `-t www.examp ```bash usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD] -OWASP secureCodeBox OWASP ZAP Client (can be used to automate OWASP ZAP instances based on YAML configuration files.) +OWASP secureCodeBox ZAP Client (can be used to automate ZAP instances based on YAML configuration files.) optional arguments: -h, --help show this help message and exit 
@@ -72,13 +72,13 @@ optional arguments: -a API_KEY, --api-key API_KEY The ZAP API Key used to call the ZAP API. -c CONFIG_FOLDER, --config-folder CONFIG_FOLDER - The path to a local folder containing the additional ZAP configuration YAMLs used to configure OWASP ZAP. + The path to a local folder containing the additional ZAP configuration YAMLs used to configure ZAP. -t TARGET, --target TARGET - The target to scan with OWASP ZAP. + The target to scan with ZAP. -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER The path to a local folder used to store the output files, eg. the ZAP Report or logfiles. -r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD, --report-type XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD - The OWASP ZAP Report Type. + The ZAP Report Type. ``` ## Requirements @@ -111,7 +111,7 @@ Additionally, there will be some ZAP Scripts included, these are stored in the c │This CM contains ZAP session │ │ ▼ │ │A YAML configuration for ZAP that │ │scripts that are already included │ │ │ ┌───────────────────┐ │ │ │relates to a single scan execution. │ │within the zap-advanced scanner. │ │ │ │ │ │- can by used for selected scans │ -│Feel free to add your own. │────────┼─────┼─▶│ OWASP ZAP Proxy │ │ │ │- not created by default │ +│Feel free to add your own. │────────┼─────┼─▶│ ZAP Proxy │ │ │ │- not created by default │ │ │ │ │ │ └───────│- add your scan target specific config │ │ConfigMap: zap-scripts-session │ │ │ └───────────────────┘ │ │- needs to be referenced in Scan │ └──────────────────────────────────────┘ │ │- please use SecretMap for credentials! │ 
@@ -482,58 +482,58 @@ zapConfiguration: ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | -| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | -| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | -| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | -| parser.image.tag | string | defaults to the charts version | Parser image tag | -| parser.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | -| parser.resources | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. 
| -| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | -| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | -| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | -| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | -| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scanner.extraVolumeMounts | list | `[{"mountPath":"/home/securecodebox/configs/1-zap-advanced-scantype.yaml","name":"zap-advanced-scantype-config","readOnly":true,"subPath":"1-zap-advanced-scantype.yaml"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scanner.extraVolumes | list | `[{"configMap":{"name":"zap-advanced-scantype-config","optional":true},"name":"zap-advanced-scantype-config"},{"configMap":{"name":"zap-scripts-authentication"},"name":"zap-scripts-authentication"},{"configMap":{"name":"zap-scripts-session"},"name":"zap-scripts-session"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
-| scanner.image.repository | string | `"docker.io/securecodebox/scanner-zap-advanced"` | Container Image to run the scan |
-| scanner.image.tag | string | `nil` | defaults to the charts version |
-| scanner.nameAppend | string | `nil` | append a string to the default scantype name. |
-| scanner.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) |
-| scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scanner.reportType | string | "XML" | Optional to configure the reportType of the scan ZAP Scan. Must be one of the supported formats: XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD |
-| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
-| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. 
|
-| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode |
-| scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system |
-| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user |
-| scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume ` or using a job scheduler like kueue |
-| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
-| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
-| zapConfiguration | object | `{}` | All `scanType` specific configuration options. Feel free to add more configuration options. All configuration options can be overridden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options. 
|
-| zapContainer.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
-| zapContainer.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) |
-| zapContainer.extraVolumeMounts | list | `[{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/authentication/","name":"zap-scripts-authentication","readOnly":true},{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/session/","name":"zap-scripts-session","readOnly":true}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| zapContainer.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| zapContainer.image.repository | string | `"softwaresecurityproject/zap-stable"` | Container Image to run the scan | -| zapContainer.image.tag | string | `nil` | defaults to the charts appVersion | -| zapContainer.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| zapContainer.securityContext.allowPrivilegeEscalation | bool | `false` | | -| zapContainer.securityContext.capabilities.drop[0] | string | `"all"` | | -| zapContainer.securityContext.privileged | bool | `false` | | -| zapContainer.securityContext.readOnlyRootFilesystem | bool | `false` | | -| zapContainer.securityContext.runAsNonRoot | bool | `false` | | +| Key | Type | Default | Description | +| ----------------------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | +| parser.affinity | object | `{}` | Optional affinity settings that 
control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | +| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | +| parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | +| parser.resources | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. 
To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[{"mountPath":"/home/securecodebox/configs/1-zap-advanced-scantype.yaml","name":"zap-advanced-scantype-config","readOnly":true,"subPath":"1-zap-advanced-scantype.yaml"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | 
`[{"configMap":{"name":"zap-advanced-scantype-config","optional":true},"name":"zap-advanced-scantype-config"},{"configMap":{"name":"zap-scripts-authentication"},"name":"zap-scripts-authentication"},{"configMap":{"name":"zap-scripts-session"},"name":"zap-scripts-session"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | +| scanner.image.repository | string | `"docker.io/securecodebox/scanner-zap-advanced"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts version | +| scanner.nameAppend | string | `nil` | append a string to the default scantype name. | +| scanner.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | +| scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.reportType | string | "XML" | Optional to configure the reportType of the scan ZAP Scan. 
Must be one of the supported formats: XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | +| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. | +| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | +| scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | +| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume ` or using a job scheduler like kueue | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| zapConfiguration | object | `{}` | All `scanType` specific configuration options. 
Feel free to add more configuration options. All configuration options can be overridden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options. | +| zapContainer.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| zapContainer.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | +| zapContainer.extraVolumeMounts | list | `[{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/authentication/","name":"zap-scripts-authentication","readOnly":true},{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/session/","name":"zap-scripts-session","readOnly":true}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| zapContainer.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | +| zapContainer.image.repository | string | `"softwaresecurityproject/zap-stable"` | Container Image to run the scan | +| zapContainer.image.tag | string | `nil` | defaults to the charts appVersion | +| zapContainer.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| zapContainer.securityContext.allowPrivilegeEscalation | bool | `false` | | +| zapContainer.securityContext.capabilities.drop[0] | string | `"all"` | | +| zapContainer.securityContext.privileged | bool | `false` | | +| zapContainer.securityContext.readOnlyRootFilesystem | bool | `false` | | +| zapContainer.securityContext.runAsNonRoot | bool | `false` | | ## Contributing diff --git a/scanners/zap-advanced/docs/README.DockerHub-Scanner.md b/scanners/zap-advanced/docs/README.DockerHub-Scanner.md index 79391d86d3..de03cd691c 100644 --- a/scanners/zap-advanced/docs/README.DockerHub-Scanner.md +++ b/scanners/zap-advanced/docs/README.DockerHub-Scanner.md @@ -51,7 +51,7 @@ This `scanner` image is intended to work in combination with the corresponding ` docker pull securecodebox/scanner-zap-advanced ``` -## What is OWASP ZAP? +## What is ZAP? The [OWASP Zed Attack Proxy (ZAP)][zap owasp project] is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing. 
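Review bot: In the `@@ -51,7 +51,7 @@` hunk of README.DockerHub-Scanner.md the paragraph directly under the renamed heading still reads `The [OWASP Zed Attack Proxy (ZAP)][zap owasp project] is …`, and this commit removes the `[zap owasp project]` link definition from `.helm-docs.gotmpl`, so the reference-style link loses its target and renders as literal bracket text. The same heading-only rename with the same retained paragraph appears in the `@@ -35` hunk of scanners/zap/README.md and the `@@ -40` hunk of scanners/zap/docs/README.ArtifactHub.md. For the two helm-docs-generated READMEs the paragraph will presumably be replaced on the next regeneration, but README.DockerHub-Scanner.md does not obviously come from that template, so its text should be changed in this commit to match the template hunk, `The Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*.`; alternatively keep a `[zap owasp project]` definition in the scanner-links section until every consumer has been regenerated.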
@@ -66,7 +66,7 @@ The command line interface can be used to easily run server scans: `-t www.examp ```bash usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD] -OWASP secureCodeBox OWASP ZAP Client (can be used to automate OWASP ZAP instances based on YAML configuration files.) +OWASP secureCodeBox ZAP Client (can be used to automate ZAP instances based on YAML configuration files.) optional arguments: -h, --help show this help message and exit @@ -75,13 +75,13 @@ optional arguments: -a API_KEY, --api-key API_KEY The ZAP API Key used to call the ZAP API. -c CONFIG_FOLDER, --config-folder CONFIG_FOLDER - The path to a local folder containing the additional ZAP configuration YAMLs used to configure OWASP ZAP. + The path to a local folder containing the additional ZAP configuration YAMLs used to configure ZAP. -t TARGET, --target TARGET - The target to scan with OWASP ZAP. + The target to scan with ZAP. -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER The path to a local folder used to store the output files, eg. the ZAP Report or logfiles. -r XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD, --report-type XML,XML-plus,JSON,JSON-plus,HTML,HTML-plus,MD - The OWASP ZAP Report Type. + The ZAP Report Type. ``` ## Community diff --git a/scanners/zap-advanced/scanner/zapclient/__main__.py b/scanners/zap-advanced/scanner/zapclient/__main__.py index b6a5081407..df03854284 100644 --- a/scanners/zap-advanced/scanner/zapclient/__main__.py +++ b/scanners/zap-advanced/scanner/zapclient/__main__.py 
@@ -91,7 +91,7 @@ def process(args): def get_parser_args(args=None): parser = argparse.ArgumentParser( prog="zap-client", - description="OWASP secureCodeBox OWASP ZAP Client (can be used to automate OWASP ZAP instances based on YAML configuration files.)", + description="OWASP secureCodeBox ZAP Client (can be used to automate ZAP instances based on YAML configuration files.)", ) parser.add_argument( "-z", @@ -110,14 +110,14 @@ def get_parser_args(args=None): parser.add_argument( "-c", "--config-folder", - help="The path to a local folder containing the additional ZAP configuration YAMLs used to configure OWASP ZAP.", + help="The path to a local folder containing the additional ZAP configuration YAMLs used to configure ZAP.", default="/home/securecodebox/configs/", required=False, ) parser.add_argument( "-t", "--target", - help="The target to scan with OWASP ZAP.", + help="The target to scan with ZAP.", default=None, required=True, ), @@ -136,7 +136,7 @@ def get_parser_args(args=None): parser.add_argument( "-r", "--report-type", - help="The OWASP ZAP Report Type.", + help="The ZAP Report Type.", choices=["XML", "XML-plus", "JSON", "JSON-plus", "HTML", "HTML-plus", "MD"], default=None, required=False, diff --git a/scanners/zap/README.md b/scanners/zap/README.md index e0eca82825..2ed45663f1 100644 --- a/scanners/zap/README.md +++ b/scanners/zap/README.md @@ -35,7 +35,7 @@ Otherwise your changes will be reverted/overwritten automatically due to the bui Mastodon Follower

-## What is OWASP ZAP? +## What is ZAP? The [OWASP Zed Attack Proxy (ZAP)][zap owasp project] is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing. 
@@ -261,44 +261,44 @@ Alternatively, have a look at the [official documentation](https://www.zaproxy.o ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | -| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | -| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | -| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | -| parser.image.tag | string | defaults to the charts version | Parser image tag | -| parser.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | -| parser.resources | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. 
|
-| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
-| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
-| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |
-| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
-| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
-| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
-| scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) |
-| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
-| scanner.extraVolumeMounts | list | `[{"mountPath":"/zap/wrk","name":"zap-workdir"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scanner.extraVolumes | list | `[{"emptyDir":{},"name":"zap-workdir"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
-| scanner.image.repository | string | `"softwaresecurityproject/zap-stable"` | Container Image to run the scan |
-| scanner.image.tag | string | `nil` | defaults to the charts appVersion |
-| scanner.nameAppend | string | `nil` | append a string to the default scantype name. 
|
-| scanner.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) |
-| scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
-| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. |
-| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode |
-| scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system |
-| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user |
-| scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. 
You can then resume the job using `kubectl resume ` or using a job scheduler like kueue | -| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | -| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| Key | Type | Default | Description | +| ------------------------------------------------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | +| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | +| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | +| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. 
Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | +| parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | +| parser.resources | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | +| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | +| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[{"mountPath":"/zap/wrk","name":"zap-workdir"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[{"emptyDir":{},"name":"zap-workdir"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | +| scanner.image.repository | string | `"softwaresecurityproject/zap-stable"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts appVersion | +| scanner.nameAppend | string | `nil` | append a string to the default scantype name. | +| scanner.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | +| scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | +| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. 
| +| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | +| scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system | +| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user | +| scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume ` or using a job scheduler like kueue | +| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | ## License [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) diff --git a/scanners/zap/docs/README.ArtifactHub.md b/scanners/zap/docs/README.ArtifactHub.md index 08ee3ea595..d886482a5c 100644 --- a/scanners/zap/docs/README.ArtifactHub.md +++ b/scanners/zap/docs/README.ArtifactHub.md 
@@ -40,7 +40,7 @@ The secureCodeBox project is running on [Kubernetes](https://kubernetes.io/). To You can find resources to help you get started on our [documentation website](https://www.securecodebox.io) including instruction on how to [install the secureCodeBox project](https://www.securecodebox.io/docs/getting-started/installation) and guides to help you [run your first scans](https://www.securecodebox.io/docs/getting-started/first-scans) with it. -## What is OWASP ZAP? +## What is ZAP? The [OWASP Zed Attack Proxy (ZAP)][zap owasp project] is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing. 
@@ -266,44 +266,44 @@ Alternatively, have a look at the [official documentation](https://www.zaproxy.o
 ## Values
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner |
-| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
-| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
-| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
-| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
-| parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository |
-| parser.image.tag | string | defaults to the charts version | Parser image tag |
-| parser.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) |
-| parser.resources | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
-| parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. |
-| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
-| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
-| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |
-| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
-| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
-| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
-| scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) |
-| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
-| scanner.extraVolumeMounts | list | `[{"mountPath":"/zap/wrk","name":"zap-workdir"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scanner.extraVolumes | list | `[{"emptyDir":{},"name":"zap-workdir"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
-| scanner.image.repository | string | `"softwaresecurityproject/zap-stable"` | Container Image to run the scan |
-| scanner.image.tag | string | `nil` | defaults to the charts appVersion |
-| scanner.nameAppend | string | `nil` | append a string to the default scantype name. |
-| scanner.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) |
-| scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
-| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. |
-| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode |
-| scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system |
-| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user |
-| scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume ` or using a job scheduler like kueue |
-| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
-| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| Key                                              | Type   | Default                                                                                                                                     | Description                                                                                                                                                                                                                                                                                                                          |
+| ------------------------------------------------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| cascadingRules.enabled                           | bool   | `false`                                                                                                                                     | Enables or disables the installation of the default cascading rules for this scanner                                                                                                                                                                                                                                                 |
+| imagePullSecrets                                 | list   | `[]`                                                                                                                                        | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)                                                                                                                                                                                 |
+| parser.affinity                                  | object | `{}`                                                                                                                                        | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)                                                                                                                                                       |
+| parser.env                                       | list   | `[]`                                                                                                                                        | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)                                                                                                                                                                      |
+| parser.image.pullPolicy                          | string | `"IfNotPresent"`                                                                                                                            | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images                                                                                                                    |
+| parser.image.repository                          | string | `"docker.io/securecodebox/parser-zap"`                                                                                                      | Parser image repository                                                                                                                                                                                                                                                                                                              |
+| parser.image.tag                                 | string | defaults to the charts version                                                                                                              | Parser image tag                                                                                                                                                                                                                                                                                                                     |
+| parser.nodeSelector                              | object | `{}`                                                                                                                                        | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/)                                                                                                                                                                      |
+| parser.resources                                 | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }`                                                  | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/                                                                                                                                                        |
+| parser.scopeLimiterAliases                       | object | `{}`                                                                                                                                        | Optional finding aliases to be used in the scopeLimiter.                                                                                                                                                                                                                                                                             |
+| parser.tolerations                               | list   | `[]`                                                                                                                                        | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)                                                                                                                                                                      |
+| parser.ttlSecondsAfterFinished                   | string | `nil`                                                                                                                                       | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/                                                                                                                               |
+| scanner.activeDeadlineSeconds                    | string | `nil`                                                                                                                                       | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup)                                                                                                                                                                 |
+| scanner.affinity                                 | object | `{}`                                                                                                                                        | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)                                                                                                                                                      |
+| scanner.backoffLimit                             | int    | 3                                                                                                                                           | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
+| scanner.env                                      | list   | `[]`                                                                                                                                        | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)                                                                                                                                                                       |
+| scanner.envFrom                                  | list   | `[]`                                                                                                                                        | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)                                                                                           |
+| scanner.extraContainers                          | list   | `[]`                                                                                                                                        | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)                                                                                                                                                                                                  |
+| scanner.extraVolumeMounts                        | list   | `[{"mountPath":"/zap/wrk","name":"zap-workdir"}]`                                                                                           | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)                                                                                                                                                                                                                           |
+| scanner.extraVolumes                             | list   | `[{"emptyDir":{},"name":"zap-workdir"}]`                                                                                                    | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)                                                                                                                                                                                                                                |
+| scanner.image.pullPolicy                         | string | `"IfNotPresent"`                                                                                                                            | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images                                                                                                                    |
+| scanner.image.repository                         | string | `"softwaresecurityproject/zap-stable"`                                                                                                      | Container Image to run the scan                                                                                                                                                                                                                                                                                                      |
+| scanner.image.tag                                | string | `nil`                                                                                                                                       | defaults to the charts appVersion                                                                                                                                                                                                                                                                                                    |
+| scanner.nameAppend                               | string | `nil`                                                                                                                                       | append a string to the default scantype name.                                                                                                                                                                                                                                                                                        |
+| scanner.nodeSelector                             | object | `{}`                                                                                                                                        | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/)                                                                                                                                                                     |
+| scanner.podSecurityContext                       | object | `{}`                                                                                                                                        | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)                                                                                                                                                                                                        |
+| scanner.resources                                | object | `{}`                                                                                                                                        | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)                                                                                                                           |
+| scanner.securityContext                          | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)                                                                                                                                                                                                  |
+| scanner.securityContext.allowPrivilegeEscalation | bool   | `false`                                                                                                                                     | Ensure that users privileges cannot be escalated                                                                                                                                                                                                                                                                                     |
+| scanner.securityContext.capabilities.drop[0]     | string | `"all"`                                                                                                                                     | This drops all linux privileges from the container.                                                                                                                                                                                                                                                                                  |
+| scanner.securityContext.privileged               | bool   | `false`                                                                                                                                     | Ensures that the scanner container is not run in privileged mode                                                                                                                                                                                                                                                                     |
+| scanner.securityContext.readOnlyRootFilesystem   | bool   | `false`                                                                                                                                     | Prevents write access to the containers file system                                                                                                                                                                                                                                                                                  |
+| scanner.securityContext.runAsNonRoot             | bool   | `false`                                                                                                                                     | Enforces that the scanner image is run as a non root user                                                                                                                                                                                                                                                                            |
+| scanner.suspend                                  | bool   | `false`                                                                                                                                     | if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume ` or using a job scheduler like kueue                                                                                                                                                                                |
+| scanner.tolerations                              | list   | `[]`                                                                                                                                        | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)                                                                                                                                                                     |
+| scanner.ttlSecondsAfterFinished                  | string | `nil`                                                                                                                                       | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/                                                                                                                              |
 ## Contributing
diff --git a/scanners/zap/docs/README.DockerHub-Parser.md b/scanners/zap/docs/README.DockerHub-Parser.md
index 9891894521..7a9ae978eb 100644
--- a/scanners/zap/docs/README.DockerHub-Parser.md
+++ b/scanners/zap/docs/README.DockerHub-Parser.md
@@ -51,7 +51,7 @@ This `parser` image is intended to work in combination with the corresponding se
 docker pull securecodebox/parser-zap
 ```
-## What is OWASP ZAP?
+## What is ZAP?
 The [OWASP Zed Attack Proxy (ZAP)][zap owasp project] is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.