diff --git a/scanners/zap-automation-framework/templates/zap-entry-point.yaml b/scanners/zap-automation-framework/templates/zap-entry-point.yaml
new file mode 100644
index 0000000000..68197db365
--- /dev/null
+++ b/scanners/zap-automation-framework/templates/zap-entry-point.yaml
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: zap-automation-framework-entrypoint
+data:
+ zap-entrypoint.bash: |
+
+ # ensures that zap still exits with a exit code of zero when the scan logged warnings: see https://www.zaproxy.org/docs/automate/automation-framework/
+ ./zap.sh -cmd $@ || [ $? -ne 1 ]
diff --git a/scanners/zap-automation-framework/templates/zap-scan-type.yaml b/scanners/zap-automation-framework/templates/zap-scan-type.yaml
index 02afddb3e2..fee1be8559 100644
--- a/scanners/zap-automation-framework/templates/zap-scan-type.yaml
+++ b/scanners/zap-automation-framework/templates/zap-scan-type.yaml
@@ -30,8 +30,8 @@ spec:
 image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
 command:
- - "zap.sh"
- - "-cmd"
+ - "bash"
+ - "/zap/zap-entrypoint.bash"
 resources:
 {{- toYaml .Values.scanner.resources | nindent 16 }}
 securityContext:
diff --git a/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap b/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap
index adde58f02e..cc80532f09 100644
--- a/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap
+++ b/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap
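Review bot: The `|| [ $? -ne 1 ]` on the last line of the block scalar turns every non-zero ZAP exit code except 1 into an exit status of 0, so a run that ends with code 2 (errors, as I read the linked automation-framework docs), an OOM kill (137) or a missing zap.sh (127) is reported as a successful scan and the job proceeds to parse whatever report, if any, was written. Only the warnings case should be masked, and the arguments should be quoted: `./zap.sh -cmd "$@" || { rc=$?; [ "$rc" -eq 1 ] || exit "$rc"; }`, since the unquoted `$@` word-splits and glob-expands the scan parameters the ScanType appends (a `-config` value containing a space or `*` would be broken apart before ZAP sees it). `./zap.sh` is resolved against the container's working directory while the wrapper itself is addressed absolutely as /zap/zap-entrypoint.bash; if the image's WORKDIR is not guaranteed to be /zap, `/zap/zap.sh` is the safer spelling. The comment above it should state the exit-code contract it relies on, e.g. `# ZAP AF exit codes: 0 = clean, 1 = warnings only (tolerated), anything else = failure (propagated)`.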
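Review bot: The new `command` hard-codes `/zap/zap-entrypoint.bash`, a path that exists in the container only because the chart's values.yaml defaults mount the `zap-automation-framework-entrypoint` ConfigMap there, and nothing at this point in the template records that dependency. A reader who renames the ConfigMap key or the mount path will not see the breakage until the scan pod fails to start. I would add a comment above `command:` such as `# runs the wrapper from the zap-automation-framework-entrypoint ConfigMap (mounted via scanner.extraVolumeMounts); it calls zap.sh -cmd and tolerates ZAP's warnings-only exit code`. The enclosing container spec starts and ends outside the hunk.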
@@ -44,6 +44,15 @@ matches the snapshot:
 - https://{{$.hostOrIP}}:{{attributes.port}}
 scanType: zap-automation-framework
 3: |
+ apiVersion: v1
+ data:
+ zap-entrypoint.bash: |2
+ # ensures that zap still exits with a exit code of zero when the scan logged warnings: see https://www.zaproxy.org/docs/automate/automation-framework/
+ ./zap.sh -cmd $@ || [ $? -ne 1 ]
+ kind: ConfigMap
+ metadata:
+ name: zap-automation-framework-entrypoint
+ 4: |
 apiVersion: execution.securecodebox.io/v1
 kind: ParseDefinition
 metadata:
@@ -63,7 +72,7 @@ matches the snapshot:
 tolerations:
 - foo: bar
 ttlSecondsAfterFinished: null
- 4: |
+ 5: |
 apiVersion: execution.securecodebox.io/v1
 kind: ScanType
 metadata:
@@ -81,8 +90,8 @@ matches the snapshot:
 foo: bar
 containers:
 - command:
- - zap.sh
- - -cmd
+ - bash
+ - /zap/zap-entrypoint.bash
 env: []
 envFrom: []
 image: softwaresecurityproject/zap-stable:0.0.0
@@ -101,6 +110,10 @@ matches the snapshot:
 volumeMounts:
 - mountPath: /zap/wrk
 name: zap-workdir
+ - mountPath: /zap/zap-entrypoint.bash
+ name: zap-automation-framework-entrypoint
+ readOnly: true
+ subPath: zap-entrypoint.bash
 - image: bar
 name: foo
 restartPolicy: Never
@@ -110,3 +123,6 @@ matches the snapshot:
 volumes:
 - emptyDir: {}
 name: zap-workdir
+ - configMap:
+ name: zap-automation-framework-entrypoint
+ name: zap-automation-framework-entrypoint
diff --git a/scanners/zap-automation-framework/values.yaml b/scanners/zap-automation-framework/values.yaml
index 7ed512f928..5c88a1b927 100644
--- a/scanners/zap-automation-framework/values.yaml
+++ b/scanners/zap-automation-framework/values.yaml
@@ -75,11 +75,18 @@ scanner: extraVolumes: - name: zap-workdir emptyDir: {} + - name: zap-automation-framework-entrypoint + configMap: + name: zap-automation-framework-entrypoint # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: - mountPath: /zap/wrk name: zap-workdir + - name: zap-automation-framework-entrypoint + mountPath: "/zap/zap-entrypoint.bash" + readOnly: true + subPath: zap-entrypoint.bash # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: []
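Review bot: The entrypoint ConfigMap volume and its mount are added to `scanner.extraVolumes` and `scanner.extraVolumeMounts`, lists whose own comments describe them as optional extras for the chart user; because Helm replaces lists rather than merging them, a user who overrides either list with their own entries silently drops the mount, after which the scanner's `bash /zap/zap-entrypoint.bash` command fails at container start. The `readOnly: true` and `subPath` mount are otherwise the right shape for a script mount. I would at least warn in the list comments, e.g. `# NOTE: the zap-automation-framework-entrypoint volume and its mount are required by the scanner command; keep them when overriding this list`, and would consider moving the required volume and mount into the ScanType template itself so that these values stay purely optional. The `scanner.extraVolumes` comment that introduces the first list starts above the hunk.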