From 1d9e0d34de1e1a4c073cfe72d8e849db6e55dc48 Mon Sep 17 00:00:00 2001 From: Felix Hoffmann <19827840+zzzFelix@users.noreply.github.com> Date: Tue, 11 Aug 2020 14:41:50 +0200 Subject: [PATCH 1/3] First draft for declarative combined scans --- docs/user-guide/README.md | 122 +++++++++++++++++++++++++++++++++++++- 1 file changed, 121 insertions(+), 1 deletion(-) diff --git a/docs/user-guide/README.md b/docs/user-guide/README.md index 5df2506c..97ce5375 100644 --- a/docs/user-guide/README.md +++ b/docs/user-guide/README.md 
@@ -1,3 +1,123 @@ # Using the secureCodeBox -follwing... \ No newline at end of file +## Declarative Combines Scans +### Install Hook +Installing the Declarative Combined Scan hook will add a ReadOnly Hook to your namespace which looks for matching CascadingRules in the namespace and start subsequent scans accordingly. + +```bash +helm install combined-scans ./hooks/declarative-subsequent-scans +``` + +### Verify Hook Installation + +Successful installation can be verified by retrieving installed ScanCompletionHooks. + +```bash +$ kubectl get ScanCompletionHooks +``` + +The result should contain a hook for declarative subsequent scans. + +```bash +NAME TYPE IMAGE +combined-scans-declarative-subsequent-scans ReadOnly docker.io/scbexperimental/hook-declarative-subsequent-scans:latest +``` + +### Verify CascadingRules + +CascadingRules are included in each individual scanner's Helm chart. + +```bash +$ kubectl get CascadingRules +``` +Output should show these CascadingRules: + +```bash +NAME STARTS INVASIVENESS INTENSIVENESS +https-tls-scan sslyze non-invasive light +imaps-tls-scan sslyze non-invasive light +nikto-http nikto non-invasive medium +nmap-smb nmap non-invasive light +pop3s-tls-scan sslyze non-invasive light +smtps-tls-scan sslyze non-invasive light +ssh-scan ssh-scan non-invasive light +zap-http zap-baseline non-invasive medium +``` + +### Start Scans + +When you start a normal Scan, no CascadingRule will be applied. +To use CascadingRules the scan must be marked to allow cascading rules. +This is implemented using kubernetes label selectors, meaning that scans mark the classes of scans which are allowed to be cascaded by the current one. + +### Example + +```bash +cat < Date: Tue, 11 Aug 2020 14:44:38 +0200 Subject: [PATCH 2/3] Fix typos --- docs/user-guide/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/user-guide/README.md b/docs/user-guide/README.md index 97ce5375..4966f24a 100644 --- a/docs/user-guide/README.md 
+++ b/docs/user-guide/README.md @@ -1,8 +1,8 @@ # Using the secureCodeBox -## Declarative Combines Scans +## Declarative Combined Scans ### Install Hook -Installing the Declarative Combined Scan hook will add a ReadOnly Hook to your namespace which looks for matching CascadingRules in the namespace and start subsequent scans accordingly. +Installing the Declarative Combined Scan hook will add a ReadOnly Hook to your namespace which looks for matching CascadingRules in the namespace and starts subsequent scans accordingly. ```bash helm install combined-scans ./hooks/declarative-subsequent-scans @@ -48,6 +48,7 @@ zap-http zap-baseline non-invasive medium When you start a normal Scan, no CascadingRule will be applied. To use CascadingRules the scan must be marked to allow cascading rules. + This is implemented using kubernetes label selectors, meaning that scans mark the classes of scans which are allowed to be cascaded by the current one. ### Example From e1ad99e47df0bcfea2e16b2b5958c59a24aff163 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com> Date: Mon, 17 Aug 2020 10:02:50 +0200 Subject: [PATCH 3/3] Remove leading $ signs from bash blocks --- docs/user-guide/README.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/user-guide/README.md b/docs/user-guide/README.md index 4966f24a..94826694 100644 --- a/docs/user-guide/README.md +++ b/docs/user-guide/README.md @@ -1,7 +1,9 @@ # Using the secureCodeBox ## Declarative Combined Scans + ### Install Hook + Installing the Declarative Combined Scan hook will add a ReadOnly Hook to your namespace which looks for matching CascadingRules in the namespace and starts subsequent scans accordingly. ```bash 
@@ -13,7 +15,7 @@ helm install combined-scans ./hooks/declarative-subsequent-scans Successful installation can be verified by retrieving installed ScanCompletionHooks. ```bash -$ kubectl get ScanCompletionHooks +kubectl get ScanCompletionHooks ``` The result should contain a hook for declarative subsequent scans. @@ -28,8 +30,9 @@ combined-scans-declarative-subsequent-scans ReadOnly docker.io/scbexperiment CascadingRules are included in each individual scanner's Helm chart. ```bash -$ kubectl get CascadingRules +kubectl get CascadingRules ``` + Output should show these CascadingRules: ```bash @@ -75,7 +78,7 @@ This Scan will used all CascadingRules which are labeled with a "light" intensit You can lookup which CascadingRules this selects by running: ```bash -$ kubectl get CascadingRules -l "securecodebox.io/intensive=light" +kubectl get CascadingRules -l "securecodebox.io/intensive=light" NAME STARTS INVASIVENESS INTENSIVENESS https-tls-scan sslyze non-invasive light imaps-tls-scan sslyze non-invasive light @@ -121,4 +124,4 @@ pop3s-tls-scan sslyze non-invasive light smtps-tls-scan sslyze non-invasive light ssh-scan ssh-scan non-invasive light zap-http zap-baseline non-invasive medium -``` \ No newline at end of file +```
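Review bot: in the first patch's single hunk (`@@ -1,3 +1,123 @@`, docs/user-guide/README.md) the Install Hook paragraph calls the hook "ReadOnly" and in the same sentence says it "starts subsequent scans"; clarify what ReadOnly refers to here, because a hook that creates new Scan resources is not read-only from the cluster's point of view, and name the Kubernetes permissions the chart grants for that so operators can review them before installing. Two smaller points in the same hunk: `helm install combined-scans ./hooks/declarative-subsequent-scans` only works from the repository root, so say so; and since "CascadingRules are included in each individual scanner's Helm chart", the "Output should show these CascadingRules" list only matches when every referenced scanner chart (sslyze, nikto, nmap, ssh-scan, zap) is installed, so phrase it as "depending on which scanner charts you have installed". Finally, `-l "securecodebox.io/intensive=light"` is the only place the label key appears; list the label keys behind the INVASIVENESS and INTENSIVENESS columns next to that table so readers can build their own selectors.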
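Review bot: the second patch ("Fix typos") leaves "This Scan will used all CascadingRules which are labeled with a "light" intensit…" untouched, as the context line of the third patch's `@@ -75,7 +78,7 @@` hunk shows; change "will used" to "will use" in the same commit, and while there the heading typo fix "Declarative Combines Scans" to "Declarative Combined Scans" in `@@ -1,8 +1,8 @@` is correct.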
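Review bot: removing the `$` prompt in the third patch's `@@ -75,7 +78,7 @@` hunk makes the command indistinguishable from its output, because that `bash` fence contains `kubectl get CascadingRules -l "securecodebox.io/intensive=light"` followed directly by the `NAME STARTS INVASIVENESS INTENSIVENESS` table; either keep the prompt for that one block or split the output into its own fence, as the `@@ -13,7 +15,7 @@` and `@@ -28,8 +30,9 @@` hunks already do for the other two commands.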