Apply code review comments

J12934 · J12934 · commit 8210699f7a47 · 2020-10-05T13:11:53.000+02:00
diff --git a/hook-sdk/nodejs/Dockerfile b/hook-sdk/nodejs/Dockerfile
@@ -11,4 +11,4 @@ COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./hook-wrapper.js ./hook-wrapper.js
 USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
-ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]
+ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]
diff --git a/operator/README.md b/operator/README.md
@@ -21,7 +21,7 @@ helm install securecodebox-operator secureCodeBox/operator
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image.pullPolicy | string | `"Always"` | Image pull policy |
 | image.repository | string | `"docker.io/securecodebox/operator"` | The operator image repository |
 | image.tag | string | defaults to the charts version | Parser image tag |
 | lurcher.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
@@ -38,9 +38,9 @@ helm install securecodebox-operator secureCodeBox/operator
 | s3.port | string | `nil` |  |
 | s3.secretAttributeNames.accesskey | string | `"accesskey"` |  |
 | s3.secretAttributeNames.secretkey | string | `"secretkey"` |  |
-| securityContext.allowPrivilegeEscalation | bool | `false` | Ensures that users privilidges canout be escalated |
-| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privilidges from the operator container. They are not required |
-| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privilidged mode |
+| securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
+| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the operator container. They are not required |
+| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privileged mode |
 | securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system |
 | securityContext.runAsNonRoot | bool | `true` | Enforces that the Operator image is run as a non root user |
 | telemetryEnabled | bool | `true` | The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry |
diff --git a/operator/values.yaml b/operator/values.yaml
@@ -12,20 +12,20 @@ image:
   # @default -- defaults to the charts version
   tag: null
   # image.pullPolicy -- Image pull policy
-  pullPolicy: IfNotPresent
+  pullPolicy: Always
 
 securityContext:
   # securityContext.runAsNonRoot -- Enforces that the Operator image is run as a non root user
   runAsNonRoot: true
   # securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
   readOnlyRootFilesystem: true
-  # securityContext.allowPrivilegeEscalation -- Ensures that users privilidges canout be escalated
+  # securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
   allowPrivilegeEscalation: false
-  # securityContext.privileged -- Ensures that the operator container is not run in privilidged mode
+  # securityContext.privileged -- Ensures that the operator container is not run in privileged mode
   privileged: false
   capabilities:
     drop:
-      # securityContext.capabilities.drop[0] -- This drops all linux privilidges from the operator container. They are not required
+      # securityContext.capabilities.drop[0] -- This drops all linux privileges from the operator container. They are not required
       - all
 
 lurcher:
diff --git a/parser-sdk/nodejs/Dockerfile b/parser-sdk/nodejs/Dockerfile
@@ -11,4 +11,4 @@ COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./parser-wrapper.js ./parser-wrapper.js
 USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
-ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]
+ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]
diff --git a/scanners/nmap/README.md b/scanners/nmap/README.md
@@ -50,10 +50,10 @@ Warning! This is currently not tested and might require additional testing to wo
 
 If you want to use Nmap to identify operating systems of hosts you'll need to weaken the securityContext config, as Nmap requires the capability to send raw sockets to identify operating systems. See [Nmap Docs](https://secwiki.org/w/Running_nmap_as_an_unprivileged_user)
 
-You can deployed the ScanType with the config like this:
+You can deploy the ScanType with the config like this:
 
 ```bash
-cat <<EOF | helm install nmap-privilidged ./scanners/nmap --values -
+cat <<EOF | helm install nmap-privileged ./scanners/nmap --values -
 scannerJob:
   env:
     - name: "NMAP_PRIVILEGED"
@@ -77,7 +77,7 @@ kind: Scan
 metadata:
   name: "nmap-os-scan"
 spec:
-  scanType: "nmap-privilidged"
+  scanType: "nmap-privileged"
   parameters:
     - --privileged
     - "-O"
@@ -98,9 +98,9 @@ spec:
 | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
 | scannerJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scannerJob.securityContext.allowPrivilegeEscalation | bool | `false` | Ensures that users privilidges canout be escalated |
-| scannerJob.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privilidges from the container. |
-| scannerJob.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privilidged mode |
+| scannerJob.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
+| scannerJob.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. |
+| scannerJob.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode |
 | scannerJob.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system |
 | scannerJob.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user |
 | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) |
diff --git a/scanners/nmap/README.md.gotmpl b/scanners/nmap/README.md.gotmpl
@@ -50,10 +50,10 @@ Warning! This is currently not tested and might require additional testing to wo
 
 If you want to use Nmap to identify operating systems of hosts you'll need to weaken the securityContext config, as Nmap requires the capability to send raw sockets to identify operating systems. See [Nmap Docs](https://secwiki.org/w/Running_nmap_as_an_unprivileged_user)
 
-You can deployed the ScanType with the config like this:
+You can deploy the ScanType with the config like this:
 
 ```bash
-cat <<EOF | helm install nmap-privilidged ./scanners/nmap --values -
+cat <<EOF | helm install nmap-privileged ./scanners/nmap --values -
 scannerJob:
   env:
     - name: "NMAP_PRIVILEGED"
@@ -77,7 +77,7 @@ kind: Scan
 metadata:
   name: "nmap-os-scan"
 spec:
-  scanType: "nmap-privilidged"
+  scanType: "nmap-privileged"
   parameters:
     - --privileged
     - "-O"
@@ -86,4 +86,4 @@ spec:
 
 ## Chart Configuration
 
-{{ template "chart.valuesTable" . }}
+{{ template "chart.valuesTable" . }}
diff --git a/scanners/nmap/scanner/Dockerfile b/scanners/nmap/scanner/Dockerfile
@@ -2,4 +2,4 @@ FROM alpine:3.12
 RUN apk add --no-cache nmap=7.80-r2 nmap-scripts=7.80-r2
 RUN addgroup --system --gid 1001 nmap && adduser nmap --system --uid 1001 --ingroup nmap
 USER 1001
-CMD [nmap]
+CMD [nmap]
diff --git a/scanners/nmap/values.yaml b/scanners/nmap/values.yaml
@@ -42,11 +42,11 @@ scannerJob:
     runAsNonRoot: true
     # scannerJob.securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
     readOnlyRootFilesystem: true
-    # scannerJob.securityContext.allowPrivilegeEscalation -- Ensures that users privilidges canout be escalated
+    # scannerJob.securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
     allowPrivilegeEscalation: false
-    # scannerJob.securityContext.privileged -- Ensures that the scanner container is not run in privilidged mode
+    # scannerJob.securityContext.privileged -- Ensures that the scanner container is not run in privileged mode
     privileged: false
     capabilities:
       drop:
-        # scannerJob.securityContext.capabilities.drop[0] -- This drops all linux privilidges from the container.
+        # scannerJob.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container.
         - all
diff --git a/scanners/sslyze/templates/sslyze-scan-type.yaml b/scanners/sslyze/templates/sslyze-scan-type.yaml
@@ -33,4 +33,4 @@ spec:
             {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
             {{- end }}
           volumes:
-            {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+            {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
diff --git a/scanners/test-scan/templates/test-scan-scan-type.yaml b/scanners/test-scan/templates/test-scan-scan-type.yaml
@@ -31,4 +31,4 @@ spec:
             {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
             {{- end }}
           volumes:
-            {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+            {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
diff --git a/scanners/trivy/templates/trivy-scan-type.yaml b/scanners/trivy/templates/trivy-scan-type.yaml
@@ -38,4 +38,4 @@ spec:
             {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
             {{- end }}
           volumes:
-            {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+            {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
diff --git a/scanners/wpscan/templates/wpscan-scan-type.yaml b/scanners/wpscan/templates/wpscan-scan-type.yaml
@@ -36,4 +36,4 @@ spec:
             {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
             {{- end }}
           volumes:
-            {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+            {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
