secureCodeBox · rfelber · Feb 23, 2022 · Jan 6, 2022 · Jan 6, 2022 · Jan 6, 2022
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -426,6 +426,7 @@ jobs:
           - finding-post-processing
           - generic-webhook
           - notification
+          - persistence-azure-monitor
           - persistence-elastic
           - persistence-defectdojo
           - update-field

diff --git a/hooks/persistence-azure-monitor/.helm-docs.gotmpl b/hooks/persistence-azure-monitor/.helm-docs.gotmpl
@@ -0,0 +1,55 @@
+{{- /*
+SPDX-FileCopyrightText: 2021 iteratec GmbH
+
+SPDX-License-Identifier: Apache-2.0
+*/ -}}
+
+{{- define "extra.docsSection" -}}
+---
+title: "Azure Monitor"
+category: "hook"
+type: "persistenceProvider"
+state: "released"
+usecase: "Publishes all Scan Findings to Azure Monitor."
+---
+{{- end }}
+
+{{- define "extra.dockerDeploymentSection" -}}
+## Supported Tags
+- `latest`  (represents the latest stable release build)
+- tagged releases, e.g. `3.0.0`, `2.9.0`, `2.8.0`, `2.7.0`
+{{- end }}
+
+{{- define "extra.chartAboutSection" -}}
+## What is "Persistence Azure Monitor" Hook about?
+The Azure Monitor persistenceProvider hook saves all findings and reports into the configured Azure Monitor workspace using the [Data Collector API](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api).
+This allows working with the data in [Azure Monitor](https://azure.microsoft.com/en-us/services/monitor/) or [Microsoft Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/overview) to configure alerting based on new findings.
+It will create a custom log type for every scantype titled SCB_[scantype_name].
+
+Installing the Azure Monitor persistenceProvider hook will add a _ReadOnly Hook_ to your namespace.
+{{- end }}
+
+{{- define "extra.scannerConfigurationSection" -}}{{- end }}
+
+{{- define "extra.chartConfigurationSection" -}}
+## Additional Chart Configurations
+The hook requires the Azure Monitor Workspace ID and its Primary Key for authentication. For details on how to find them, see [this page](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api#sample-requests).
+Create a Kubernetes secret with these values using
+
+```bash
+# Create the secret (use a leading space to avoid having secrets in your shell history)
+# Replace "workspace=your-workspace-id" with your Workspace ID
+# Replace "sharedkey=your-shared-key" with your Primary Key
+ kubectl create secret generic azure-monitor --from-literal=workspace=your-workspace-id --from-literal=sharedkey=your-shared-key
+```
+
+Then, configure the hook to use this secret when installing it:
+```bash
+helm upgrade --install persistence-azure-monitor . --wait \
+             --set="monitor.authentication.apiKeySecret="azure-monitor""
+```
+
+{{- end }}
+
+{{- define "extra.scannerLinksSection" -}}
+{{- end }}
diff --git a/hooks/persistence-azure-monitor/.helmignore b/hooks/persistence-azure-monitor/.helmignore
@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2021 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Node.js files
+node_modules/*
+package.json
+package-lock.json
+src/*
+config/*
+Dockerfile
+.dockerignore
+docs/*
+*.tar
+hook/*
+integration-tests/*
+examples/*
+coverage/*
+Makefile
diff --git a/hooks/persistence-azure-monitor/Chart.yaml b/hooks/persistence-azure-monitor/Chart.yaml
@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2022 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v2
+name: persistence-azure-monitor
+description: The Azure Monitor persistence provider persists secureCodeBox findings into Azure Monitor.
+
+type: application
+
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: v3.1.0-alpha1
+kubeVersion: ">=v1.11.0-0"
+
+keywords:
+  - security
+  - secureCodeBox
+  - hook
+  - azure
+  - sentinel
+home: https://docs.securecodebox.io/docs/hooks/azure-monitor
+icon: https://docs.securecodebox.io/img/integrationIcons/AzureMonitor.svg
+sources:
+  - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+  - name: iteratec GmbH
+    email: secureCodeBox@iteratec.com
+
+dependencies: []
diff --git a/hooks/persistence-azure-monitor/Makefile b/hooks/persistence-azure-monitor/Makefile
@@ -0,0 +1,14 @@
+#!/usr/bin/make -f
+#
+# SPDX-FileCopyrightText: 2022 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+include_guard = set
+hook = persistence-azure-monitor
+
+include ../../hooks.mk
+
+unit-tests:
+	@$(MAKE) -s unit-test-js
diff --git a/hooks/persistence-azure-monitor/README.md b/hooks/persistence-azure-monitor/README.md
@@ -0,0 +1,99 @@
+---
+title: "Azure Monitor"
+category: "hook"
+type: "persistenceProvider"
+state: "released"
+usecase: "Publishes all Scan Findings to Azure Monitor."
+---
+
+<!--
+SPDX-FileCopyrightText: the secureCodeBox authors
+
+SPDX-License-Identifier: Apache-2.0
+-->
+<!--
+.: IMPORTANT! :.
+--------------------------
+This file is generated automatically with `helm-docs` based on the following template files:
+- ./.helm-docs/templates.gotmpl (general template data for all charts)
+- ./chart-folder/.helm-docs.gotmpl (chart specific template data)
+
+Please be aware of that and apply your changes only within those template files instead of this file.
+Otherwise your changes will be reverted/overwritten automatically due to the build process `./.github/workflows/helm-docs.yaml`
+--------------------------
+-->
+
+<p align="center">
+  <a href="https://opensource.org/licenses/Apache-2.0"><img alt="License Apache-2.0" src="https://img.shields.io/badge/License-Apache%202.0-blue.svg"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/releases/latest"><img alt="GitHub release (latest SemVer)" src="https://img.shields.io/github/v/release/secureCodeBox/secureCodeBox?sort=semver"/></a>
+  <a href="https://owasp.org/www-project-securecodebox/"><img alt="OWASP Incubator Project" src="https://img.shields.io/badge/OWASP-Incubator%20Project-365EAA"/></a>
+  <a href="https://artifacthub.io/packages/search?repo=securecodebox"><img alt="Artifact HUB" src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/securecodebox"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/"><img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/secureCodeBox/secureCodeBox?logo=GitHub"/></a>
+  <a href="https://twitter.com/securecodebox"><img alt="Twitter Follower" src="https://img.shields.io/twitter/follow/securecodebox?style=flat&color=blue&logo=twitter"/></a>
+</p>
+
+## What is "Persistence Azure Monitor" Hook about?
+The Azure Monitor persistenceProvider hook saves all findings and reports into the configured Azure Monitor workspace using the [Data Collector API](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api).
+This allows working with the data in [Azure Monitor](https://azure.microsoft.com/en-us/services/monitor/) or [Microsoft Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/overview) to configure alerting based on new findings.
+It will create a custom log type for every scantype titled SCB_[scantype_name].
+
+Installing the Azure Monitor persistenceProvider hook will add a _ReadOnly Hook_ to your namespace.
+
+## Deployment
+The persistence-azure-monitor chart can be deployed via helm:
+
+```bash
+# Install HelmChart (use -n to configure another namespace)
+helm upgrade --install persistence-azure-monitor secureCodeBox/persistence-azure-monitor
+```
+
+## Requirements
+
+Kubernetes: `>=v1.11.0-0`
+
+## Additional Chart Configurations
+The hook requires the Azure Monitor Workspace ID and its Primary Key for authentication. For details on how to find them, see [this page](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api#sample-requests).
+Create a Kubernetes secret with these values using
+
+```bash
+# Create the secret (use a leading space to avoid having secrets in your shell history)
+# Replace "workspace=your-workspace-id" with your Workspace ID
+# Replace "sharedkey=your-shared-key" with your Primary Key
+ kubectl create secret generic azure-monitor --from-literal=workspace=your-workspace-id --from-literal=sharedkey=your-shared-key
+```
+
+Then, configure the hook to use this secret when installing it:
+```bash
+helm upgrade --install persistence-azure-monitor . --wait \
+             --set="monitor.authentication.apiKeySecret="azure-monitor""
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
+| hook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
+| hook.image.repository | string | `"docker.io/securecodebox/hook-persistence-azure-monitor"` | Hook image repository |
+| hook.image.tag | string | defaults to the charts version | Container image tag |
+| hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition |
+| hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
+| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
+| hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| monitor.authentication | object | `{"apiKeySecret":null}` | Configure authentication schema and credentials the persistence provider should use to connect to Azure Monitor |
+| monitor.authentication.apiKeySecret | string | `nil` | Link a pre-existing generic secret with `workspace` and `sharedkey` key / value pairs |
+| monitor.logtypePrefix | string | `"SCB"` |  |
+
+## License
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+
+Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license].
+
+[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox
+[scb-docs]: https://docs.securecodebox.io/
+[scb-site]: https://www.securecodebox.io/
+[scb-github]: https://github.com/secureCodeBox/
+[scb-twitter]: https://twitter.com/secureCodeBox
+[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU
+[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE
+
diff --git a/hooks/persistence-azure-monitor/docs/README.ArtifactHub.md b/hooks/persistence-azure-monitor/docs/README.ArtifactHub.md
@@ -0,0 +1,122 @@
+<!--
+SPDX-FileCopyrightText: the secureCodeBox authors
+
+SPDX-License-Identifier: Apache-2.0
+-->
+<!--
+.: IMPORTANT! :.
+--------------------------
+This file is generated automatically with `helm-docs` based on the following template files:
+- ./.helm-docs/templates.gotmpl (general template data for all charts)
+- ./chart-folder/.helm-docs.gotmpl (chart specific template data)
+
+Please be aware of that and apply your changes only within those template files instead of this file.
+Otherwise your changes will be reverted/overwritten automatically due to the build process `./.github/workflows/helm-docs.yaml`
+--------------------------
+-->
+
+<p align="center">
+  <a href="https://opensource.org/licenses/Apache-2.0"><img alt="License Apache-2.0" src="https://img.shields.io/badge/License-Apache%202.0-blue.svg"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/releases/latest"><img alt="GitHub release (latest SemVer)" src="https://img.shields.io/github/v/release/secureCodeBox/secureCodeBox?sort=semver"/></a>
+  <a href="https://owasp.org/www-project-securecodebox/"><img alt="OWASP Incubator Project" src="https://img.shields.io/badge/OWASP-Incubator%20Project-365EAA"/></a>
+  <a href="https://artifacthub.io/packages/search?repo=securecodebox"><img alt="Artifact HUB" src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/securecodebox"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/"><img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/secureCodeBox/secureCodeBox?logo=GitHub"/></a>
+  <a href="https://twitter.com/securecodebox"><img alt="Twitter Follower" src="https://img.shields.io/twitter/follow/securecodebox?style=flat&color=blue&logo=twitter"/></a>
+</p>
+
+## What is OWASP secureCodeBox?
+
+<p align="center">
+  <img alt="secureCodeBox Logo" src="https://docs.securecodebox.io/img/Logo_Color.svg" width="250px"/>
+</p>
+
+_[OWASP secureCodeBox][scb-github]_ is an automated and scalable open source solution that can be used to integrate various *security vulnerability scanners* with a simple and lightweight interface. The _secureCodeBox_ mission is to support *DevSecOps* Teams to make it easy to automate security vulnerability testing in different scenarios.
+
+With the _secureCodeBox_ we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues.
+
+The secureCodeBox project is running on [Kubernetes](https://kubernetes.io/). To install it you need [Helm](https://helm.sh), a package manager for Kubernetes. It is also possible to start the different integrated security vulnerability scanners based on a docker infrastructure.
+
+### Quickstart with secureCodeBox on kubernetes
+
+You can find resources to help you get started on our [documentation website](https://docs.securecodebox.io) including instruction on how to [install the secureCodeBox project](https://docs.securecodebox.io/docs/getting-started/installation) and guides to help you [run your first scans](https://docs.securecodebox.io/docs/getting-started/first-scans) with it.
+
+## What is "Persistence Azure Monitor" Hook about?
+The Azure Monitor persistenceProvider hook saves all findings and reports into the configured Azure Monitor workspace using the [Data Collector API](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api).
+This allows working with the data in [Azure Monitor](https://azure.microsoft.com/en-us/services/monitor/) or [Microsoft Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/overview) to configure alerting based on new findings.
+It will create a custom log type for every scantype titled SCB_[scantype_name].
+
+Installing the Azure Monitor persistenceProvider hook will add a _ReadOnly Hook_ to your namespace.
+
+## Deployment
+The persistence-azure-monitor chart can be deployed via helm:
+
+```bash
+# Install HelmChart (use -n to configure another namespace)
+helm upgrade --install persistence-azure-monitor secureCodeBox/persistence-azure-monitor
+```
+
+## Requirements
+
+Kubernetes: `>=v1.11.0-0`
+
+## Additional Chart Configurations
+The hook requires the Azure Monitor Workspace ID and its Primary Key for authentication. For details on how to find them, see [this page](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api#sample-requests).
+Create a Kubernetes secret with these values using
+
+```bash
+# Create the secret (use a leading space to avoid having secrets in your shell history)
+# Replace "workspace=your-workspace-id" with your Workspace ID
+# Replace "sharedkey=your-shared-key" with your Primary Key
+ kubectl create secret generic azure-monitor --from-literal=workspace=your-workspace-id --from-literal=sharedkey=your-shared-key
+```
+
+Then, configure the hook to use this secret when installing it:
+```bash
+helm upgrade --install persistence-azure-monitor . --wait \
+             --set="monitor.authentication.apiKeySecret="azure-monitor""
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
+| hook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
+| hook.image.repository | string | `"docker.io/securecodebox/hook-persistence-azure-monitor"` | Hook image repository |
+| hook.image.tag | string | defaults to the charts version | Container image tag |
+| hook.labels | object | `{}` | Add Kubernetes Labels to the hook definition |
+| hook.priority | int | `0` | Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks. |
+| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
+| hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| monitor.authentication | object | `{"apiKeySecret":null}` | Configure authentication schema and credentials the persistence provider should use to connect to Azure Monitor |
+| monitor.authentication.apiKeySecret | string | `nil` | Link a pre-existing generic secret with `workspace` and `sharedkey` key / value pairs |
+| monitor.logtypePrefix | string | `"SCB"` |  |
+
+## Contributing
+
+Contributions are welcome and extremely helpful 🙌
+Please have a look at [Contributing](./CONTRIBUTING.md)
+
+## Community
+
+You are welcome, please join us on... 👋
+
+- [GitHub][scb-github]
+- [Slack][scb-slack]
+- [Twitter][scb-twitter]
+
+secureCodeBox is an official [OWASP][scb-owasp] project.
+
+## License
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+
+Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license].
+
+[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox
+[scb-docs]: https://docs.securecodebox.io/
+[scb-site]: https://www.securecodebox.io/
+[scb-github]: https://github.com/secureCodeBox/
+[scb-twitter]: https://twitter.com/secureCodeBox
+[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU
+[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE
+