diff --git a/.github/workflows/helm-docs.yaml b/.github/workflows/helm-docs.yaml new file mode 100644 index 00000000..a54811d7 --- /dev/null +++ b/.github/workflows/helm-docs.yaml @@ -0,0 +1,32 @@ +name: "Update Helm Docs" + +on: + push: + +jobs: + helm-docs: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.head_ref }} + + - name: Download Helm Docs + run: | + mkdir helm-docs + cd helm-docs + + curl --output helm-docs.tar.gz --location https://github.com/norwoodj/helm-docs/releases/download/v0.15.0/helm-docs_0.15.0_Linux_x86_64.tar.gz + tar -xvf helm-docs.tar.gz + # Verify install + ./helm-docs --version + + - name: Generate Helm Docs + run: | + ./helm-docs/helm-docs + # Remove helm-docs download to ensure they dont get commited back + rm -rf helm-docs + - uses: stefanzweifel/git-auto-commit-action@v4.5.1 + with: + commit_message: Updating Helm Docs diff --git a/demo-apps/bodgeit/README.md b/demo-apps/bodgeit/README.md new file mode 100644 index 00000000..faf99dfc --- /dev/null +++ b/demo-apps/bodgeit/README.md 
@@ -0,0 +1,42 @@ +# bodgeit + +![Version: latest](https://img.shields.io/badge/Version-latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.4.0](https://img.shields.io/badge/AppVersion-v1.4.0-informational?style=flat-square) + +The BodgeIt Store is a vulnerable web app which is aimed at people who are new to pen testing + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | security@iteratec.com | | + +## Source Code + +* +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"psiinon/bodgeit"` | | +| imagePullSecrets | list | `[]` | | +| ingress.annotations | object | `{}` | | +| ingress.enabled | bool | `false` | | +| ingress.hosts[0].host | string | `"chart-example.local"` | | +| ingress.hosts[0].paths | list | `[]` | | +| ingress.tls | list | `[]` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.port | int | `8080` | | +| service.type | string | `"ClusterIP"` | | +| tolerations | list | `[]` | | diff --git a/demo-apps/dummy-ssh/README.md b/demo-apps/dummy-ssh/README.md new file mode 100644 index 00000000..09830cd0 --- /dev/null +++ b/demo-apps/dummy-ssh/README.md 
@@ -0,0 +1,36 @@ +# dummy-ssh + +![Version: latest](https://img.shields.io/badge/Version-latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0](https://img.shields.io/badge/AppVersion-v1.0.0-informational?style=flat-square) + +SSH Server for scan testing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | security@iteratec.com | | + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"securecodebox/dummy-ssh"` | | +| imagePullSecrets | list | `[]` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.port | int | `22` | | +| service.type | string | `"ClusterIP"` | | +| tolerations | list | `[]` | | diff --git a/demo-apps/http-webhook/README.md b/demo-apps/http-webhook/README.md new file mode 100644 index 00000000..7081da32 --- /dev/null +++ b/demo-apps/http-webhook/README.md 
@@ -0,0 +1,39 @@ +# http-webhook + +![Version: latest](https://img.shields.io/badge/Version-latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) + +A Dummy webserver to echo HTTP requests in log + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| autoscaling.enabled | bool | `false` | | +| autoscaling.maxReplicas | int | `100` | | +| autoscaling.minReplicas | int | `1` | | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.registry | string | `"docker.io"` | | +| image.repository | string | `"mendhak/http-https-echo"` | | +| image.tag | string | `"latest"` | | +| imagePullSecrets | list | `[]` | | +| ingress.annotations | object | `{}` | | +| ingress.enabled | bool | `false` | | +| ingress.hosts[0].host | string | `"chart-example.local"` | | +| ingress.hosts[0].paths | list | `[]` | | +| ingress.tls | list | `[]` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.port | int | `80` | | +| service.type | string | `"ClusterIP"` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `""` | | +| tolerations | list | `[]` | | diff --git a/demo-apps/juice-shop/README.md b/demo-apps/juice-shop/README.md new file mode 100644 index 00000000..495f93d4 --- /dev/null +++ b/demo-apps/juice-shop/README.md 
@@ -0,0 +1,42 @@ +# juice-shop + +![Version: latest](https://img.shields.io/badge/Version-latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v12.0.2](https://img.shields.io/badge/AppVersion-v12.0.2-informational?style=flat-square) + +OWASP Juice Shop: Probably the most modern and sophisticated insecure web application + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | security@iteratec.com | | + +## Source Code + +* +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"bkimminich/juice-shop"` | | +| imagePullSecrets | list | `[]` | | +| ingress.annotations | object | `{}` | | +| ingress.enabled | bool | `false` | | +| ingress.hosts[0].host | string | `"chart-example.local"` | | +| ingress.hosts[0].paths | list | `[]` | | +| ingress.tls | list | `[]` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.port | int | `3000` | | +| service.type | string | `"ClusterIP"` | | +| tolerations | list | `[]` | | diff --git a/demo-apps/old-wordpress/README.md b/demo-apps/old-wordpress/README.md new file mode 100644 index 00000000..244ae386 --- /dev/null +++ b/demo-apps/old-wordpress/README.md 
@@ -0,0 +1,37 @@ +# old-wordpress + +![Version: latest](https://img.shields.io/badge/Version-latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.0](https://img.shields.io/badge/AppVersion-4.0-informational?style=flat-square) + +Insecure & Outdated Wordpress Instance: Never expose it to the internet! + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | security@iteratec.com | | + +## Source Code + +* +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"securecodebox/old-wordpress"` | | +| imagePullSecrets | list | `[]` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.port | int | `80` | | +| service.type | string | `"ClusterIP"` | | +| tolerations | list | `[]` | | diff --git a/demo-apps/swagger-petstore/README.md b/demo-apps/swagger-petstore/README.md new file mode 100644 index 00000000..50f23a38 --- /dev/null +++ b/demo-apps/swagger-petstore/README.md 
@@ -0,0 +1,43 @@ +# swagger-petstore + +![Version: latest](https://img.shields.io/badge/Version-latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.3](https://img.shields.io/badge/AppVersion-1.0.3-informational?style=flat-square) + +This is the sample petstore application + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| iteratec GmbH | security@iteratec.com | | + +## Source Code + +* +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"swaggerapi/petstore"` | | +| imagePullSecrets | list | `[]` | | +| ingress.annotations | object | `{}` | | +| ingress.enabled | bool | `false` | | +| ingress.hosts[0].host | string | `"chart-example.local"` | | +| ingress.hosts[0].paths | list | `[]` | | +| ingress.tls | list | `[]` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.port | int | `80` | | +| service.type | string | `"ClusterIP"` | | +| swaggerHostOverride | string | `"http://swagger-petstore.demo-apps.svc"` | | +| tolerations | list | `[]` | | diff --git a/hooks/declarative-subsequent-scans/Chart.yaml b/hooks/declarative-subsequent-scans/Chart.yaml index fdc20d99..f3bd0dc3 100644 --- a/hooks/declarative-subsequent-scans/Chart.yaml +++ b/hooks/declarative-subsequent-scans/Chart.yaml @@ -6,5 +6,6 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest +kubeVersion: ">=v1.11.0" dependencies: [] 
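Review bot: `kubeVersion: ">=v1.11.0"` is added here and, with the same literal, to every other hook's `Chart.yaml` and `helm2.Chart.yaml` in this commit, but nothing says where the 1.11.0 floor comes from. Since the hooks only run through the operator's CRDs (the README verifies the install via `kubectl get ScanCompletionHooks`), the constraint should be derived from the operator's requirement and documented in one place, for example a one-line comment above the field, so the number does not drift between charts. Minor: the `helm2.Chart.yaml` edits still leave the files without a trailing newline.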
diff --git a/hooks/declarative-subsequent-scans/README.md b/hooks/declarative-subsequent-scans/README.md index dd875b57..fcdec3df 100644 --- a/hooks/declarative-subsequent-scans/README.md +++ b/hooks/declarative-subsequent-scans/README.md @@ -11,7 +11,7 @@ usecase: "Cascading Scans based declarative Rules." ## Deployment -Installing the Cascading Scans hook will add a ReadOnly Hook to your namespace which looks for matching _CascadingRules_ in the namespace and start the according scans. +Installing the Cascading Scans hook will add a ReadOnly Hook to your namespace which looks for matching _CascadingRules_ in the namespace and start the according scans. ```bash helm upgrade --install dssh ./hooks/declarative-subsequent-scans/ @@ -25,7 +25,7 @@ dssh ReadOnly docker.io/scbexperimental/hook-declarative-subsequent-scans:la ``` ## CascadingScan Rules -The CascadingRules are included directly in each helm chart of the individual scanners. +The CascadingRules are included directly in each helm chart of the individual scanners. ```bash # Check your CascadingRules @@ -113,4 +113,11 @@ pop3s-tls-scan sslyze non-invasive light smtps-tls-scan sslyze non-invasive light ssh-scan ssh-scan non-invasive light zap-http zap-baseline non-invasive medium -``` \ No newline at end of file +``` + +## Chart Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.repository | string | `"docker.io/scbexperimental/hook-declarative-subsequent-scans"` | Hook image repository | +| image.tag | string | `nil` | | diff --git a/hooks/declarative-subsequent-scans/README.md.gotmpl b/hooks/declarative-subsequent-scans/README.md.gotmpl new file mode 100644 index 00000000..666e4bfb --- /dev/null +++ b/hooks/declarative-subsequent-scans/README.md.gotmpl 
@@ -0,0 +1,120 @@ +--- +title: "Cascading Scans" +path: "hooks/declarative-subsequent-scans" +category: "hook" +type: "processing" +state: "released" +usecase: "Cascading Scans based declarative Rules." +--- + + + +## Deployment + +Installing the Cascading Scans hook will add a ReadOnly Hook to your namespace which looks for matching _CascadingRules_ in the namespace and start the according scans. + +```bash +helm upgrade --install dssh ./hooks/declarative-subsequent-scans/ +``` + +### Verification +```bash +kubectl get ScanCompletionHooks +NAME TYPE IMAGE +dssh ReadOnly docker.io/scbexperimental/hook-declarative-subsequent-scans:latest +``` + +## CascadingScan Rules +The CascadingRules are included directly in each helm chart of the individual scanners. + +```bash +# Check your CascadingRules +kubectl get CascadingRules +NAME STARTS INVASIVENESS INTENSIVENESS +https-tls-scan sslyze non-invasive light +imaps-tls-scan sslyze non-invasive light +nikto-http nikto non-invasive medium +nmap-smb nmap non-invasive light +pop3s-tls-scan sslyze non-invasive light +smtps-tls-scan sslyze non-invasive light +ssh-scan ssh-scan non-invasive light +zap-http zap-baseline non-invasive medium +``` + +## Starting a cascading Scan +When you start a normal Scan, no CascadingRule will be applied. To use a _CascadingRule_ the scan must be marked to allow cascading rules. +This is implemented using kubernetes label selectors, meaning that scans mark the classes of scans which are allowed to be cascaded by the current one. + +### Example +```yaml +cat <=v1.11.0" \ No newline at end of file diff --git a/hooks/declarative-subsequent-scans/values.yaml b/hooks/declarative-subsequent-scans/values.yaml index df7baf1d..bd59b59e 100644 --- a/hooks/declarative-subsequent-scans/values.yaml +++ b/hooks/declarative-subsequent-scans/values.yaml 
@@ -3,6 +3,8 @@ # Declare variables to be passed into your templates. image: + # image.repository -- Hook image repository repository: docker.io/scbexperimental/hook-declarative-subsequent-scans - # image.tag - defaults to the charts version + # parserImage.tag -- Parser image tag + # @default -- defaults to the charts version tag: null diff --git a/hooks/generic-webhook/Chart.yaml b/hooks/generic-webhook/Chart.yaml index 3b494501..30b67881 100644 --- a/hooks/generic-webhook/Chart.yaml +++ b/hooks/generic-webhook/Chart.yaml @@ -6,5 +6,6 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest +kubeVersion: ">=v1.11.0" dependencies: [] diff --git a/hooks/generic-webhook/README.md b/hooks/generic-webhook/README.md index ffef9221..abdf6940 100644 --- a/hooks/generic-webhook/README.md +++ b/hooks/generic-webhook/README.md @@ -11,9 +11,17 @@ usecase: "Publishes Scan Findings as WebHook." ## Deployment -Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace. +Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace. ```bash helm upgrade --install gwh ./hooks/generic-webhook/ --set webhookUrl="http://example.com/my/webhook/target" ``` -> ✍ This documentation is currently work-in-progress. \ No newline at end of file +> ✍ This documentation is currently work-in-progress. + +## Chart Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.repository | string | `"docker.io/scbexperimental/generic-webhook"` | Hook image repository | +| image.tag | string | `nil` | | +| webhookUrl | string | `"http://example.com"` | The URL of your WebHook endpoint | diff --git a/hooks/generic-webhook/README.md.gotmpl b/hooks/generic-webhook/README.md.gotmpl new file mode 100644 index 00000000..ecb28bf2 --- /dev/null +++ b/hooks/generic-webhook/README.md.gotmpl 
@@ -0,0 +1,23 @@ +--- +title: "Generic WebHook" +path: "hooks/generic-webhook" +category: "hook" +type: "integration" +state: "released" +usecase: "Publishes Scan Findings as WebHook." +--- + + + +## Deployment + +Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace. + +```bash +helm upgrade --install gwh ./hooks/generic-webhook/ --set webhookUrl="http://example.com/my/webhook/target" +``` +> ✍ This documentation is currently work-in-progress. + +## Chart Configuration + +{{ template "chart.valuesTable" . }} diff --git a/hooks/generic-webhook/helm2.Chart.yaml b/hooks/generic-webhook/helm2.Chart.yaml index c48efb7e..526d6785 100644 --- a/hooks/generic-webhook/helm2.Chart.yaml +++ b/hooks/generic-webhook/helm2.Chart.yaml @@ -5,4 +5,5 @@ description: Lets you send http webhooks after scans are completed type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published -version: latest \ No newline at end of file +version: latest +kubeVersion: ">=v1.11.0" \ No newline at end of file diff --git a/hooks/generic-webhook/values.yaml b/hooks/generic-webhook/values.yaml index 1084e8f6..ccb90e85 100644 --- a/hooks/generic-webhook/values.yaml +++ b/hooks/generic-webhook/values.yaml @@ -2,9 +2,12 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# webhookUrl -- The URL of your WebHook endpoint webhookUrl: "http://example.com" image: + # image.repository -- Hook image repository repository: docker.io/scbexperimental/generic-webhook - # image.tag - defaults to the charts version + # parserImage.tag -- Parser image tag + # @default -- defaults to the charts version tag: null diff --git a/hooks/imperative-subsequent-scans/Chart.yaml b/hooks/imperative-subsequent-scans/Chart.yaml index 024265e8..a321cdb0 100644 --- a/hooks/imperative-subsequent-scans/Chart.yaml +++ b/hooks/imperative-subsequent-scans/Chart.yaml 
@@ -6,5 +6,6 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest +kubeVersion: ">=v1.11.0" dependencies: [] diff --git a/hooks/imperative-subsequent-scans/README.md b/hooks/imperative-subsequent-scans/README.md index c4b471fc..cb1a7e11 100644 --- a/hooks/imperative-subsequent-scans/README.md +++ b/hooks/imperative-subsequent-scans/README.md @@ -7,4 +7,24 @@ state: "roadmap" usecase: "Cascading Scans based imperative Rules." --- -> πŸ”§ The implementation is currently work-in-progress and still undergoing major changes. It'll be released here once it has stabilized. \ No newline at end of file +## Deployment + +Installing the imperative-subsequent-scans hook will add a ReadOnly Hook to your namespace. + +```bash +helm upgrade --install issh ./hooks/imperative-subsequent-scans/ +``` +> ✍ This documentation is currently work-in-progress. + +## Chart Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cascade.amassNmap | bool | `false` | True if you want to cascade nmap scans for each subdomain found by amass, otherwise false. | +| cascade.nmapNikto | bool | `false` | True if you want to cascade Nikto scans for each HTTP Port found by nmap, otherwise false. | +| cascade.nmapSmb | bool | `false` | True if you want to cascade nmap SMB scans for each SMB Port found by nmap, otherwise false. | +| cascade.nmapSsh | bool | `false` | True if you want to cascade SSH scans for each SSH Port found by nmap, otherwise false. | +| cascade.nmapSsl | bool | `false` | True if you want to cascade SSL scans for each HTTP Port found by nmap, otherwise false. | +| cascade.nmapZapBaseline | bool | `false` | True if you want to cascade ZAP scans for each HTTP Port found by nmap, otherwise false. | +| image.repository | string | `"docker.io/scbexperimental/hook-imperative-subsequent-scans"` | Hook image repository | +| image.tag | string | `nil` | | 
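Review bot: The front matter of `hooks/imperative-subsequent-scans/README.md` still says `state: "roadmap"`, yet this hunk removes the "work-in-progress and still undergoing major changes" warning and replaces it with deployment instructions, so the page now reads as released; either bump the state or keep the warning. The descriptions in the new table ("True if you want to cascade ..., otherwise false") only restate the boolean type; say what the cascade actually starts, for example that `cascade.nmapSsl` launches an SSL scan against every HTTP port nmap reported, so a reader can tell `nmapSsl`, `nmapNikto` and `nmapZapBaseline` apart beyond their names.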
diff --git a/hooks/imperative-subsequent-scans/README.md.gotmpl b/hooks/imperative-subsequent-scans/README.md.gotmpl new file mode 100644 index 00000000..68d2bac7 --- /dev/null +++ b/hooks/imperative-subsequent-scans/README.md.gotmpl @@ -0,0 +1,21 @@ +--- +title: "Imperative Scans" +path: "hooks/imperative-subsequent-scans" +category: "hook" +type: "integration" +state: "roadmap" +usecase: "Cascading Scans based imperative Rules." +--- + +## Deployment + +Installing the imperative-subsequent-scans hook will add a ReadOnly Hook to your namespace. + +```bash +helm upgrade --install issh ./hooks/imperative-subsequent-scans/ +``` +> ✍ This documentation is currently work-in-progress. + +## Chart Configuration + +{{ template "chart.valuesTable" . }} diff --git a/hooks/imperative-subsequent-scans/helm2.Chart.yaml b/hooks/imperative-subsequent-scans/helm2.Chart.yaml index 8b7d6cb3..0710481f 100644 --- a/hooks/imperative-subsequent-scans/helm2.Chart.yaml +++ b/hooks/imperative-subsequent-scans/helm2.Chart.yaml @@ -5,4 +5,5 @@ description: Starts possible subsequent security scans based on findings (e.g. o type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published -version: latest \ No newline at end of file +version: latest +kubeVersion: ">=v1.11.0" \ No newline at end of file diff --git a/hooks/imperative-subsequent-scans/values.yaml b/hooks/imperative-subsequent-scans/values.yaml index 2372d5d2..db9fbb37 100644 --- a/hooks/imperative-subsequent-scans/values.yaml +++ b/hooks/imperative-subsequent-scans/values.yaml 
@@ -3,20 +3,22 @@ # Declare variables to be passed into your templates. cascade: - # Cascade nmap scans for each subdomain found by amass - amassNmap: true - # Cascade nmap SMB scans for each SMB Port found by nmap + # cascade.amassNmap -- True if you want to cascade nmap scans for each subdomain found by amass, otherwise false. + amassNmap: false + # cascade.nmapSmb -- True if you want to cascade nmap SMB scans for each SMB Port found by nmap, otherwise false. nmapSmb: false - # Cascade SSH scans for each SSH Port found by nmap - nmapSsh: true - # Cascade SSL scans for each HTTP Port found by nmap - nmapSsl: true - # Cascade Nikto scans for each HTTP Port found by nmap + # cascade.nmapSsh -- True if you want to cascade SSH scans for each SSH Port found by nmap, otherwise false. + nmapSsh: false + # cascade.nmapSsl -- True if you want to cascade SSL scans for each HTTP Port found by nmap, otherwise false. + nmapSsl: false + # cascade.nmapNikto -- True if you want to cascade Nikto scans for each HTTP Port found by nmap, otherwise false. nmapNikto: false - # Cascade ZAP scans for each HTTP Port found by nmap + # cascade.nmapZapBaseline -- True if you want to cascade ZAP scans for each HTTP Port found by nmap, otherwise false. nmapZapBaseline: false image: + # image.repository -- Hook image repository repository: docker.io/scbexperimental/hook-imperative-subsequent-scans - # image.tag - defaults to the charts version + # parserImage.tag -- Parser image tag + # @default -- defaults to the charts version tag: null diff --git a/hooks/persistence-elastic/Chart.yaml b/hooks/persistence-elastic/Chart.yaml index 52216b01..e5f71a25 100644 --- a/hooks/persistence-elastic/Chart.yaml +++ b/hooks/persistence-elastic/Chart.yaml @@ -6,8 +6,8 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest - appVersion: 7.6.1 +kubeVersion: ">=v1.11.0" dependencies: - name: elasticsearch 
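Review bot: The `cascade.amassNmap`, `cascade.nmapSsh` and `cascade.nmapSsl` defaults flip from `true` to `false` in `hooks/imperative-subsequent-scans/values.yaml`, a behavioural change buried in a documentation commit: anyone upgrading without an explicit `--set` silently stops getting the subsequent nmap, SSH and SSL scans they had before. Either keep the old defaults or call the change out in the README and the release notes, and in any case do not mix it into a commit whose subject is helm-docs generation.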
diff --git a/hooks/persistence-elastic/README.md b/hooks/persistence-elastic/README.md index 21170803..39b91192 100644 --- a/hooks/persistence-elastic/README.md +++ b/hooks/persistence-elastic/README.md 
@@ -14,44 +14,39 @@ The ElasticSearch persistenceProvider hook saves all findings and reports into t ## Deployment -Installing the Elasticsearch persistenceProvider hook will add a _ReadOnly Hook_ to your namespace. +Installing the Elasticsearch persistenceProvider hook will add a _ReadOnly Hook_ to your namespace. ```bash helm upgrade --install elkh ./hooks/persistence-elastic/ ``` -## Configuration -see values.yaml - -```yaml -# Define a specific index prefix -indexPrefix: "scbv2" - -# Enable this when you already have an Elastic Stack running to which you want to send your results -externalElasticStack: - enabled: false - elasticsearchAddress: "https://elasticsearch.example.com" - kibanaAddress: "https://kibana.example.com" - -# Configure authentication schema and credentials the persistence provider should use to connect to elasticsearch -# user and apikey are mutually exclusive, only set one! -authentication: - # Link a pre-existing generic secret with `username` and `password` key / value pairs - userSecret: null - # Link a pre-existing generic secret with `id` and `key` key / value pairs - apiKeySecret: null - -# Configures included Elasticsearch subchart -elasticsearch: - enabled: true - replicas: 1 - minimumMasterNodes: 1 - # image: docker.elastic.co/elasticsearch/elasticsearch-oss - -# Configures included Elasticsearch subchart -kibana: - enabled: true - # image: docker.elastic.co/kibana/kibana-oss -``` +## Chart Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| authentication | object | `{"apiKeySecret":null,"userSecret":null}` | Configure authentication schema and credentials the persistence provider should use to connect to elasticsearch user and apikey are mutually exclusive, only set one! 
| +| authentication.apiKeySecret | string | `nil` | Link a pre-existing generic secret with `id` and `key` key / value pairs | +| authentication.userSecret | string | `nil` | Link a pre-existing generic secret with `username` and `password` key / value pairs | +| elasticsearch | object | `{"enabled":true,"minimumMasterNodes":1,"replicas":1}` | Configures the included elasticsearch subchart (see: https://github.com/elastic/helm-charts/tree/elasticsearch) | +| elasticsearch.enabled | bool | `true` | Enable if you want to deploy an elasticsearch service. | +| elasticsearch.minimumMasterNodes | int | `1` | The value for discovery.zen.minimum_master_nodes. Should be set to (master_eligible_nodes / 2) + 1. Ignored in Elasticsearch versions >= 7 | +| elasticsearch.replicas | int | `1` | Kubernetes replica count for the StatefulSet (i.e. how many pods) | +| externalElasticStack.elasticsearchAddress | string | `"https://elasticsearch.example.com"` | The URL of the elasticsearch service to persists all findings to. | +| externalElasticStack.enabled | bool | `false` | Enable this when you already have an Elastic Stack running to which you want to send your results | +| externalElasticStack.kibanaAddress | string | `"https://kibana.example.com"` | The URL of the kibana service used to visualize all findings. | +| fullnameOverride | string | `""` | | +| image.repository | string | `"docker.io/scbexperimental/persistence-elastic"` | Hook image repository | +| image.tag | string | `nil` | | +| imagePullSecrets | list | `[]` | | +| indexPrefix | string | `"scbv2"` | Define a specific index prefix used for all elasticsearch indices. 
| +| kibana | object | `{"enabled":true}` | Configures included Elasticsearch subchart | +| kibana.enabled | bool | `true` | Enable if you want to deploy an kibana service (see: https://github.com/elastic/helm-charts/tree/master/kibana) | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podSecurityContext | object | `{}` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| tolerations | list | `[]` | | [elastic.io]: https://www.elastic.co/products/elasticsearch \ No newline at end of file diff --git a/hooks/persistence-elastic/README.md.gotmpl b/hooks/persistence-elastic/README.md.gotmpl new file mode 100644 index 00000000..e6841ab4 --- /dev/null +++ b/hooks/persistence-elastic/README.md.gotmpl @@ -0,0 +1,28 @@ +--- +title: "Elasticsearch" +path: "hooks/persistence-elastic" +category: "hook" +type: "persistenceProvider" +state: "released" +usecase: "Publishes all Scan Findings to Elasticsearch." +--- + + + +## About +The ElasticSearch persistenceProvider hook saves all findings and reports into the configured ElasticSearch index. This allows for some easy searching and visualization of the findings. To learn more about Elasticsearch visit [elastic.io]. + +## Deployment + +Installing the Elasticsearch persistenceProvider hook will add a _ReadOnly Hook_ to your namespace. + +```bash +helm upgrade --install elkh ./hooks/persistence-elastic/ +``` + +## Chart Configuration + +{{ template "chart.valuesTable" . }} + + +[elastic.io]: https://www.elastic.co/products/elasticsearch \ No newline at end of file diff --git a/hooks/persistence-elastic/helm2.Chart.yaml b/hooks/persistence-elastic/helm2.Chart.yaml index 9b4c102e..f84938d0 100644 --- a/hooks/persistence-elastic/helm2.Chart.yaml +++ b/hooks/persistence-elastic/helm2.Chart.yaml 
@@ -6,5 +6,5 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest - -appVersion: 7.6.1 \ No newline at end of file +appVersion: 7.6.1 +kubeVersion: ">=v1.11.0" \ No newline at end of file diff --git a/hooks/persistence-elastic/values.yaml b/hooks/persistence-elastic/values.yaml index 4f77b409..76b444df 100644 --- a/hooks/persistence-elastic/values.yaml +++ b/hooks/persistence-elastic/values.yaml 
@@ -3,36 +3,44 @@ # Declare variables to be passed into your templates. image: + # image.repository -- Hook image repository repository: docker.io/scbexperimental/persistence-elastic - # image.tag - defaults to the charts version + # parserImage.tag -- Parser image tag + # @default -- defaults to the charts version tag: null -# Define a specific index prefix +# indexPrefix -- Define a specific index prefix used for all elasticsearch indices. indexPrefix: "scbv2" -# Enable this when you already have an Elastic Stack running to which you want to send your results externalElasticStack: + # externalElasticStack.enabled -- Enable this when you already have an Elastic Stack running to which you want to send your results enabled: false + # externalElasticStack.elasticsearchAddress -- The URL of the elasticsearch service to persists all findings to. elasticsearchAddress: "https://elasticsearch.example.com" + # externalElasticStack.kibanaAddress -- The URL of the kibana service used to visualize all findings. kibanaAddress: "https://kibana.example.com" -# Configure authentication schema and credentials the persistence provider should use to connect to elasticsearch +# authentication -- Configure authentication schema and credentials the persistence provider should use to connect to elasticsearch # user and apikey are mutually exclusive, only set one! 
authentication: - # Link a pre-existing generic secret with `username` and `password` key / value pairs + # authentication.userSecret -- Link a pre-existing generic secret with `username` and `password` key / value pairs userSecret: null - # Link a pre-existing generic secret with `id` and `key` key / value pairs + # authentication.apiKeySecret -- Link a pre-existing generic secret with `id` and `key` key / value pairs apiKeySecret: null -# Configures included Elasticsearch subchart +# elasticsearch -- Configures the included elasticsearch subchart (see: https://github.com/elastic/helm-charts/tree/elasticsearch) elasticsearch: + # elasticsearch.enabled -- Enable if you want to deploy an elasticsearch service. enabled: true + # elasticsearch.replicas -- Kubernetes replica count for the StatefulSet (i.e. how many pods) replicas: 1 + # elasticsearch.minimumMasterNodes -- The value for discovery.zen.minimum_master_nodes. Should be set to (master_eligible_nodes / 2) + 1. Ignored in Elasticsearch versions >= 7 minimumMasterNodes: 1 # image: docker.elastic.co/elasticsearch/elasticsearch-oss -# Configures included Elasticsearch subchart +# kibana -- Configures included Elasticsearch subchart kibana: + # kibana.enabled -- Enable if you want to deploy an kibana service (see: https://github.com/elastic/helm-charts/tree/master/kibana) enabled: true # image: docker.elastic.co/kibana/kibana-oss diff --git a/hooks/update-field/Chart.yaml b/hooks/update-field/Chart.yaml index 7d4fbc9f..89401637 100644 --- a/hooks/update-field/Chart.yaml +++ b/hooks/update-field/Chart.yaml @@ -6,5 +6,6 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest +kubeVersion: ">=v1.11.0" dependencies: [] diff --git a/hooks/update-field/README.md b/hooks/update-field/README.md index 10f6c3a4..6ecdb700 100644 --- a/hooks/update-field/README.md +++ b/hooks/update-field/README.md 
@@ -11,10 +11,19 @@ usecase: "Updates fields in finding results." ## Deployment -Installing the _Update Field_ hook will add a ReadOnly Hook to your namespace. +Installing the _Update Field_ hook will add a ReadOnly Hook to your namespace. ```bash helm upgrade --install ufh ./hooks/update-field/ --set attribute.name="category" --set attribute.value="my-own-category" ``` -> ✍ This documentation is currently work-in-progress. +> ✍ This documentation is currently work-in-progress. + +## Chart Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| attribute.name | string | `"category"` | The name of the attribute you want to add to each finding result | +| attribute.value | string | `"my-own-category"` | The value of the attribute you want to add to each finding result | +| image.repository | string | `"docker.io/scbexperimental/update-field"` | Hook image repository | +| image.tag | string | `nil` | | diff --git a/hooks/update-field/README.md.gotmpl b/hooks/update-field/README.md.gotmpl new file mode 100644 index 00000000..bfc20599 --- /dev/null +++ b/hooks/update-field/README.md.gotmpl @@ -0,0 +1,24 @@ +--- +title: "Update Field" +path: "hooks/update-field" +category: "hook" +type: "dataProcessing" +state: "released" +usecase: "Updates fields in finding results." +--- + + + +## Deployment + +Installing the _Update Field_ hook will add a ReadOnly Hook to your namespace. + +```bash +helm upgrade --install ufh ./hooks/update-field/ --set attribute.name="category" --set attribute.value="my-own-category" +``` + +> ✍ This documentation is currently work-in-progress. + +## Chart Configuration + +{{ template "chart.valuesTable" . }} diff --git a/hooks/update-field/helm2.Chart.yaml b/hooks/update-field/helm2.Chart.yaml index 18476835..ddcaec8b 100644 --- a/hooks/update-field/helm2.Chart.yaml +++ b/hooks/update-field/helm2.Chart.yaml 
@@ -5,4 +5,5 @@ description: Lets you add or override a field to every finding type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published -version: latest \ No newline at end of file +version: latest +kubeVersion: ">=v1.11.0" \ No newline at end of file diff --git a/hooks/update-field/values.yaml b/hooks/update-field/values.yaml index 4e09ffa5..257c3d88 100644 --- a/hooks/update-field/values.yaml +++ b/hooks/update-field/values.yaml @@ -3,10 +3,14 @@ # Declare variables to be passed into your templates. attribute: + # attribute.name -- The name of the attribute you want to add to each finding result name: "category" + # attribute.value -- The value of the attribute you want to add to each finding result value: my-own-category image: + # image.repository -- Hook image repository repository: docker.io/scbexperimental/update-field - # image.tag - defaults to the charts version + # parserImage.tag -- Parser image tag + # @default -- defaults to the charts version tag: null diff --git a/operator/Chart.yaml b/operator/Chart.yaml index 7b436ba3..662939a6 100644 --- a/operator/Chart.yaml +++ b/operator/Chart.yaml @@ -6,6 +6,19 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest +kubeVersion: ">=v1.11.0" + +keywords: + - security + - secureCodeBox + - operator +home: https://docs.securecodebox.io/docs/getting-started/installation +icon: https://docs.securecodebox.io/img/Logo%20Color.svg +sources: + - https://github.com/secureCodeBox/secureCodeBox-v2 +maintainers: + - name: iteratec GmbH + email: secureCodeBox@iteratec.com dependencies: - name: minio diff --git a/operator/README.md b/operator/README.md new file mode 100644 index 00000000..b9e46fbe --- /dev/null +++ b/operator/README.md 
@@ -0,0 +1,42 @@ +![operator logo](https://docs.securecodebox.io/img/Logo%20Color.svg) + +The secureCodeBox operator is runniing on kubernetes and the core component of the complete secureCodeBox stack, responsible for operating all scans and ressources. + + + +## Deployment + +The secureCodeBox Operator can be deployed via helm: + +```bash +# Add the secureCodeBox Helm Repo +helm repo add secureCodeBox https://charts.securecodebox.io +# Create a new namespace for the secureCodeBox Operator +kubectl create namespace securecodebox-system +# Install the Operator & CRD's +helm install securecodebox-operator secureCodeBox/operator +``` + +## Chart Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.repository | string | `"docker.io/scbexperimental/operator"` | The operator image repository | +| image.tag | string | defaults to the charts version | Parser image tag | +| lurcher.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| lurcher.image.repository | string | `"docker.io/scbexperimental/lurcher"` | The operator image repository | +| lurcher.image.tag | string | defaults to the charts version | Parser image tag | +| minio.defaultBucket.enabled | bool | `true` | | +| minio.defaultBucket.name | string | `"securecodebox"` | | +| minio.enabled | bool | `true` | | +| resources | object | `{"limits":{"cpu":"100m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| s3.bucket | string | `"my-bucket"` | | +| s3.enabled | bool | `false` | | +| s3.endpoint | string | `"fra1.digitaloceanspaces.com"` | | +| s3.keySecret | string | `"my-secret"` | | +| s3.port | string | `nil` | | +| s3.secretAttributeNames.accesskey | string | 
`"accesskey"` | | +| s3.secretAttributeNames.secretkey | string | `"secretkey"` | | +| telemetryEnabled | bool | `true` | The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry | + diff --git a/operator/README.md.gotmpl b/operator/README.md.gotmpl new file mode 100644 index 00000000..0fbbc7c8 --- /dev/null +++ b/operator/README.md.gotmpl @@ -0,0 +1,23 @@ +![operator logo](https://docs.securecodebox.io/img/Logo%20Color.svg) + +The secureCodeBox operator is runniing on kubernetes and the core component of the complete secureCodeBox stack, responsible for operating all scans and ressources. + + + +## Deployment + +The secureCodeBox Operator can be deployed via helm: + +```bash +# Add the secureCodeBox Helm Repo +helm repo add secureCodeBox https://charts.securecodebox.io +# Create a new namespace for the secureCodeBox Operator +kubectl create namespace securecodebox-system +# Install the Operator & CRD's +helm install securecodebox-operator secureCodeBox/operator +``` + +## Chart Configuration + +{{ template "chart.valuesTable" . }} + diff --git a/operator/helm2.Chart.yaml b/operator/helm2.Chart.yaml index 85d698a8..6748cf00 100644 --- a/operator/helm2.Chart.yaml +++ b/operator/helm2.Chart.yaml 
@@ -5,4 +5,23 @@ description: secureCodeBox Operator to automate the execution of security scans type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published -version: latest \ No newline at end of file +version: latest +kubeVersion: ">=v1.11.0" + +keywords: + - security + - secureCodeBox + - operator +home: https://docs.securecodebox.io/docs/getting-started/installation +icon: https://docs.securecodebox.io/img/Logo%20Color.svg +sources: + - https://github.com/secureCodeBox/secureCodeBox-v2 +maintainers: + - name: iteratec GmbH + email: secureCodeBox@iteratec.com + +dependencies: + - name: minio + version: 5.0.19 + repository: https://kubernetes-charts.storage.googleapis.com/ + condition: minio.enabled diff --git a/operator/values.yaml b/operator/values.yaml index a9fdd3da..e6ab5b82 100644 --- a/operator/values.yaml +++ b/operator/values.yaml 
@@ -6,27 +6,34 @@ telemetryEnabled: true image: + # image.repository -- The operator image repository repository: docker.io/scbexperimental/operator - # image.tag -- defaults to the charts version + # image.tag -- Parser image tag + # @default -- defaults to the charts version tag: null + # image.pullPolicy -- Image pull policy pullPolicy: Always lurcher: image: + # lurcher.image.repository -- The operator image repository repository: docker.io/scbexperimental/lurcher - # lurcher.image.tag -- defaults to the charts version + # lurcher.image.tag -- Parser image tag + # @default -- defaults to the charts version tag: null + # lurcher.image.pullPolicy -- Image pull policy pullPolicy: IfNotPresent minio: + # minio.enabled Enable this to use minio as storage backend instead of a cloud bucket provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc. enabled: true defaultBucket: enabled: true name: "securecodebox" # Config for external s3 systems -# enable this and disable minio if you want to directly connect agains AWS S3, Google Cloud Storage, DigitalOcean Spaces etc. s3: + # s3.enabled Enable this and disable minio if you want to directly connect agains AWS S3, Google Cloud Storage, DigitalOcean Spaces etc. enabled: false endpoint: "fra1.digitaloceanspaces.com" bucket: "my-bucket" @@ -45,6 +52,7 @@ s3: # # Config for the operator ressource limits # +# resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: limits: cpu: 100m diff --git a/scanners/amass/Chart.yaml b/scanners/amass/Chart.yaml index 2c8f4c2c..b2cbc9a2 100644 --- a/scanners/amass/Chart.yaml +++ b/scanners/amass/Chart.yaml 
@@ -6,6 +6,7 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest appVersion: 3.10.3 +kubeVersion: ">=v1.11.0" keywords: - security diff --git a/scanners/amass/README.md b/scanners/amass/README.md index 5509ba4f..84344bcd 100644 --- a/scanners/amass/README.md +++ b/scanners/amass/README.md @@ -22,7 +22,7 @@ The AMASS scanType can be deployed via helm: helm upgrade --install amass ./scanners/amass/ ``` -## Configuration +## Scanner Configuration The following security scan configuration example are based on the [Amass User Guide], please take a look at the original documentation for more configuration examples. 
@@ -36,6 +36,19 @@ Special command line options: - Disable saving data into a local database `amass enum -nolocaldb -d example.com` - Domain names separated by commas (can be used multiple times) `amass enum -d example.com` +## Chart Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| parserImage.repository | string | `"docker.io/scbexperimental/parser-amass"` | Parser image repository | +| parserImage.tag | string | defaults to the charts version | Parser image tag | +| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | + [owasp_amass_project]: https://owasp.org/www-project-amass/ [amass github]: https://github.com/OWASP/Amass -[amass user guide]: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md +[amass user guide]: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md \ No newline at end of file 
diff --git a/scanners/amass/README.md.gotmpl b/scanners/amass/README.md.gotmpl new file mode 100644 index 00000000..957aa9c5 --- /dev/null +++ b/scanners/amass/README.md.gotmpl @@ -0,0 +1,45 @@ +--- +title: "Amass" +path: "scanners/amass" +category: "scanner" +type: "Network" +state: "released" +appVersion: "3.10.3" +usecase: "Subdomain Enumeration Scanner" +--- + +![owasp logo](https://owasp.org/assets/images/logo.png) + +The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques. To learn more about the Amass scanner itself visit [OWASP_Amass_Project] or [Amass GitHub]. + + + +## Deployment + +The AMASS scanType can be deployed via helm: + +```bash +helm upgrade --install amass ./scanners/amass/ +``` + +## Scanner Configuration + +The following security scan configuration example are based on the [Amass User Guide], please take a look at the original documentation for more configuration examples. + +- The most basic use of the tool for subdomain enumeration: `amass enum -d example.com` +- Typical parameters for DNS enumeration: `amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com` + +Special command line options: + +- Disable generation of altered names `amass enum -noalts -d example.com` +- Turn off recursive brute forcing `amass enum -brute -norecursive -d example.com` +- Disable saving data into a local database `amass enum -nolocaldb -d example.com` +- Domain names separated by commas (can be used multiple times) `amass enum -d example.com` + +## Chart Configuration + +{{ template "chart.valuesTable" . }} + +[owasp_amass_project]: https://owasp.org/www-project-amass/ +[amass github]: https://github.com/OWASP/Amass +[amass user guide]: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md \ No newline at end of file 
diff --git a/scanners/amass/helm2.Chart.yaml b/scanners/amass/helm2.Chart.yaml index 1e200bd2..b1cc68da 100644 --- a/scanners/amass/helm2.Chart.yaml +++ b/scanners/amass/helm2.Chart.yaml @@ -6,6 +6,7 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest appVersion: 3.10.3 +kubeVersion: ">=v1.11.0" keywords: - security diff --git a/scanners/amass/values.yaml b/scanners/amass/values.yaml index 2cf199b6..124c97b3 100644 --- a/scanners/amass/values.yaml +++ b/scanners/amass/values.yaml @@ -1,12 +1,16 @@ parserImage: + # parserImage.repository -- Parser image repository repository: docker.io/scbexperimental/parser-amass - # parserImage.tag - defaults to the charts version + # parserImage.tag -- Parser image tag + # @default -- defaults to the charts version tag: null scannerJob: + # scannerJob.ttlSecondsAfterFinished -- Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) ttlSecondsAfterFinished: null + + # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} -# scannerJob: # resources: # requests: # memory: "256Mi" 
@@ -14,3 +18,15 @@ scannerJob: # limits: # memory: "512Mi" # cpu: "500m" + + # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + env: [] + + # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + extraVolumes: [] + + # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + extraVolumeMounts: [] + + # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + extraContainers: [] \ No newline at end of file diff --git a/scanners/kube-hunter/Chart.yaml b/scanners/kube-hunter/Chart.yaml index e4074db7..0618ecb8 100644 --- a/scanners/kube-hunter/Chart.yaml +++ b/scanners/kube-hunter/Chart.yaml @@ -6,6 +6,7 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest appVersion: v0.3.0 +kubeVersion: ">=v1.11.0" keywords: - security diff --git a/scanners/kube-hunter/README.md b/scanners/kube-hunter/README.md index e60d7413..937ce3e2 100644 --- a/scanners/kube-hunter/README.md +++ b/scanners/kube-hunter/README.md @@ -22,7 +22,7 @@ The kube-hunter ScanType can be deployed via helm: helm upgrade --install kube-hunter ./scanners/kube-hunter/ ``` -## Configuration +## Scanner Configuration The following security scan configuration example are based on the [kube-hunter Documentation], please take a look at the original documentation for more configuration examples. 
@@ -30,6 +30,19 @@ The following security scan configuration example are based on the [kube-hunter * To specify interface scanning, you can use the --interface option (this will scan all of the machine's network interfaces). Example: `kube-hunter --interface` * To specify a specific CIDR to scan, use the --cidr option. Example: `kube-hunter --cidr 192.168.0.0/24` +## Chart Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| parserImage.repository | string | `"docker.io/scbexperimental/parser-kube-hunter"` | Parser image repository | +| parserImage.tag | string | defaults to the charts version | Parser image tag | +| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) | + [kube-hunter Website]: https://kube-hunter.aquasec.com/ [kube-hunter GitHub]: https://github.com/aquasecurity/kube-hunter [kube-hunter Documentation]: 
https://github.com/aquasecurity/kube-hunter#scanning-options diff --git a/scanners/kube-hunter/README.md.gotmpl b/scanners/kube-hunter/README.md.gotmpl new file mode 100644 index 00000000..c6646967 --- /dev/null +++ b/scanners/kube-hunter/README.md.gotmpl @@ -0,0 +1,39 @@ +--- +title: "kube-hunter" +path: "scanners/kube-hunter" +category: "scanner" +type: "Kubernetes" +state: "released" +appVersion: "0.3.1" +usecase: "Kubernetes Vulnerability Scanner" +--- + +kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don't own! + +To learn more about the kube-hunter scanner itself visit [kube-hunter GitHub] or [kube-hunter Website]. + + + +## Deployment + +The kube-hunter ScanType can be deployed via helm: + +```bash +helm upgrade --install kube-hunter ./scanners/kube-hunter/ +``` + +## Scanner Configuration + +The following security scan configuration example are based on the [kube-hunter Documentation], please take a look at the original documentation for more configuration examples. + +* To specify remote machines for hunting, select option 1 or use the --remote option. Example: `kube-hunter --remote some.node.com` +* To specify interface scanning, you can use the --interface option (this will scan all of the machine's network interfaces). Example: `kube-hunter --interface` +* To specify a specific CIDR to scan, use the --cidr option. Example: `kube-hunter --cidr 192.168.0.0/24` + +## Chart Configuration + +{{ template "chart.valuesTable" . }} + +[kube-hunter Website]: https://kube-hunter.aquasec.com/ +[kube-hunter GitHub]: https://github.com/aquasecurity/kube-hunter +[kube-hunter Documentation]: https://github.com/aquasecurity/kube-hunter#scanning-options diff --git a/scanners/kube-hunter/helm2.Chart.yaml b/scanners/kube-hunter/helm2.Chart.yaml index e519e1dd..aad800a8 100644 
--- a/scanners/kube-hunter/helm2.Chart.yaml +++ b/scanners/kube-hunter/helm2.Chart.yaml @@ -6,6 +6,7 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest appVersion: v0.3.0 +kubeVersion: ">=v1.11.0" keywords: - security diff --git a/scanners/kube-hunter/values.yaml b/scanners/kube-hunter/values.yaml index c70b3bad..ab4c6bb4 100644 --- a/scanners/kube-hunter/values.yaml +++ b/scanners/kube-hunter/values.yaml 
@@ -1,8 +1,32 @@ parserImage: + # parserImage.repository -- Parser image repository repository: docker.io/scbexperimental/parser-kube-hunter - # parserImage.tag - defaults to the charts version + # parserImage.tag -- Parser image tag + # @default -- defaults to the charts version tag: null scannerJob: + # scannerJob.ttlSecondsAfterFinished -- Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) ttlSecondsAfterFinished: null + + # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} +# resources: +# requests: +# memory: "256Mi" +# cpu: "250m" +# limits: +# memory: "512Mi" +# cpu: "500m" + + # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + env: [] + + # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + extraVolumes: [] + + # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + extraVolumeMounts: [] + + # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + extraContainers: [] diff --git a/scanners/ncrack/Chart.yaml b/scanners/ncrack/Chart.yaml index f7b32b49..fc0d650c 100644 --- a/scanners/ncrack/Chart.yaml +++ b/scanners/ncrack/Chart.yaml @@ -6,6 +6,7 @@ type: application # version - gets automatically set to the secureCodeBox release version when the helm charts gets published version: latest appVersion: 0.7 +kubeVersion: ">=v1.11.0" keywords: - security 
diff --git a/scanners/ncrack/README.md b/scanners/ncrack/README.md index 358590fb..79cac4db 100644 --- a/scanners/ncrack/README.md +++ b/scanners/ncrack/README.md @@ -25,8 +25,7 @@ kubectl create secret generic --from-file users.txt --from-file passwords.txt nc IMPORTANT: Use an extra empty line at the end of your files, otherwise the last letter of the last line will be omitted (due to a bug in k8) - -Now we created a secret named "ncrack-lists". +Now we created a secret named "ncrack-lists". But before we can use the files, we have to install the ncrack ScanType: ```bash 
@@ -60,12 +59,99 @@ helm upgrade --install ncrack ./scanners/ncrack/ helm delete ncrack ``` -#### Options +## Scanner Configuration -All additional options for ncrack can be found on [Ncrack Documentation]. +The following security scan configuration example are based on the [Ncrack Documentation], please take a look at the original documentation for more configuration examples. ---- +This options summary is printed when Ncrack is run with no arguments. It helps people remember the most common options, but is no substitute for the in-depth documentation in the rest of this manual. + +``` +Ncrack 0.7 ( http://ncrack.org ) +Usage: ncrack [Options] {target and service specification} +TARGET SPECIFICATION: + Can pass hostnames, IP addresses, networks, etc. + Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 + -iX : Input from Nmap's -oX XML output format + -iN : Input from Nmap's -oN Normal output format + -iL : Input from list of hosts/networks + --exclude : Exclude hosts/networks + --excludefile : Exclude list from file +SERVICE SPECIFICATION: + Can pass target specific services in ://target (standard) notation or + using -p which will be applied to all hosts in non-standard notation. + Service arguments can be specified to be host-specific, type of service-specific + (-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000 + Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl + -p : services will be applied to all non-standard notation hosts + -m :: options will be applied to all services of this type + -g : options will be applied to every service globally + Misc options: + ssl: enable SSL over this service + path : used in modules like HTTP ('=' needs escaping if used) + db : used in modules like MongoDB to specify the database + domain : used in modules like WinRM to specify the domain +TIMING AND PERFORMANCE: + Options which take
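Review bot: In the hooks/persistence-elastic/values.yaml hunk, the annotation added above `tag: null` under `image:` reads `# parserImage.tag -- Parser image tag`, but this chart has no `parserImage` key; helm-docs attaches a description by matching the annotated key path, so `image.tag` is left without one (the same copy-paste appears in hooks/update-field/values.yaml, and the README generated for that chart in this patch already shows `| image.tag | string | `nil` | |` with an empty description cell). Suggest `# image.tag -- Persistence provider image tag` followed by the `# @default -- defaults to the charts version` line. In the same hunk, `# kibana -- Configures included Elasticsearch subchart` should say "the included kibana subchart", "deploy an kibana service" should be "deploy a kibana service", and "persists all findings to" should be "persist all findings to", since all three strings end up verbatim in the generated README.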
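Review bot: In the hooks/update-field/values.yaml hunk, `# parserImage.tag -- Parser image tag` sits under `image:`, so the key path does not match `image.tag` and the description is dropped; the generated hooks/update-field/README.md in this same patch shows the symptom, with `image.repository` getting its "Hook image repository" text while the `image.tag` row has no description. Suggest `# image.tag -- Hook image tag` with the `# @default -- defaults to the charts version` line kept as is.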
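Review bot: In the operator/values.yaml hunk, several annotations describe the wrong component and two are not parsed at all. `# image.tag -- Parser image tag` and `# lurcher.image.tag -- Parser image tag` label the operator and lurcher images as parser images, and `# lurcher.image.repository -- The operator image repository` labels the lurcher image as the operator image; the generated operator/README.md carries all three errors verbatim. `# minio.enabled Enable this to use minio ...` and `# s3.enabled Enable this and disable minio ...` omit the ` -- ` separator that helm-docs requires, which is why the README rows for `minio.enabled` and `s3.enabled` have empty description cells; "agains" should also be "against". Finally, `s3.endpoint`, `s3.bucket`, `s3.keySecret` and `s3.secretAttributeNames.*` are rendered with no description: since `s3.keySecret` names a Kubernetes secret holding the bucket credentials, the README should state that the access key and secret key are read from that secret (under the attribute names given by `s3.secretAttributeNames.accesskey` / `secretkey`) and are never set in values.yaml, so users do not put credentials into the chart values.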
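Review bot: In the new scanners/kube-hunter/README.md.gotmpl, the front matter declares `appVersion: "0.3.1"` while scanners/kube-hunter/Chart.yaml and helm2.Chart.yaml in this same patch both carry `appVersion: v0.3.0`; the amass template (`appVersion: "3.10.3"`) does match its Chart.yaml, so kube-hunter is the outlier. Keep a single source of truth (Chart.yaml) so the generated docs do not advertise a scanner version the chart does not ship.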
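Review bot: Style point for the scanners/amass hunks: the patch removes the trailing newline from scanners/amass/README.md (the `+[amass user guide]:` line now ends with `\ No newline at end of file` where the removed line did not) and writes scanners/amass/README.md.gotmpl and scanners/amass/values.yaml without one either, while the kube-hunter counterparts keep theirs. Since README.md is regenerated from the template, the missing newline in the template will be reproduced on every run; add the trailing newline to all three files to keep the generated and hand-edited files consistent and avoid churn.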
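Review bot: In the scanners/ncrack/README.md hunk, the new "Scanner Configuration" section pastes the full `ncrack` usage text into the chart README, including the sentence "is no substitute for the in-depth documentation in the rest of this manual", which refers to the Ncrack manual this README is not part of; the block will also drift from upstream as the pinned `appVersion: 0.7` changes. Suggest keeping the [Ncrack Documentation] link plus only the target and service specification options a ScanType actually passes through, and tagging the fence (```text) since the other blocks in this README use ```bash.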