diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 232ce5f749..e0ca0d272e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -22,13 +22,13 @@ env:
# renovate: datasource=github-releases depName=python/cpython
PYTHON_VERSION: "3.13.5"
# renovate: datasource=github-releases depName=kubernetes/kubernetes
- KUBECTL_VERSION: "v1.34.2"
+ KUBECTL_VERSION: "v1.34.3"
# renovate: datasource=github-releases depName=kubernetes-sigs/kind
KIND_BINARY_VERSION: "v0.30.0"
# renovate: datasource=github-releases depName=helm/helm
- HELM_VERSION: "v3.19.1"
+ HELM_VERSION: "v4.0.1"
# renovate: datasource=github-releases depName=helm-unittest/helm-unittest
- HELM_PLUGIN_UNITTEST_VERSION: "1.0.0"
+ HELM_PLUGIN_UNITTEST_VERSION: "1.0.3"
# renovate: datasource=github-releases depName=go-task/task
TASK_VERSION: "v3.45.5"
@@ -37,7 +37,7 @@ jobs:
name: "Unit Test | Node.js Scanner Test Helpers"
runs-on: ubuntu-24.04
steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Install bun
uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
@@ -53,7 +53,7 @@ jobs:
name: "Setup Kind & Kubectl & Helm & Task"
runs-on: ubuntu-24.04
steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Install Kind
run: |
@@ -111,7 +111,7 @@ jobs:
needs:
- k8s-setup
steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Download Helm
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
@@ -128,7 +128,7 @@ jobs:
- name: Install Helm Unit Test Plugin
run: |
- helm plugin install https://github.com/helm-unittest/helm-unittest.git --version ${{ env.HELM_PLUGIN_UNITTEST_VERSION }}
+ helm plugin install https://github.com/helm-unittest/helm-unittest.git --version ${{ env.HELM_PLUGIN_UNITTEST_VERSION }} --verify=false
- name: Download Task
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
@@ -150,11 +150,11 @@ jobs:
matrix:
unit: ["persistence-defectdojo"]
steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK 17
- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+ uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
with:
distribution: "temurin" # required Java distribution
java-version: "17" # The JDK version to make available on the path.
@@ -191,10 +191,10 @@ jobs:
component: ["operator", "lurker"]
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Go Setup
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+ uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version-file: "operator/go.mod"
@@ -230,10 +230,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Go Setup
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+ uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version-file: "auto-discovery/kubernetes/go.mod"
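Review bot: The added `--verify=false` on the `helm plugin install` line switches off Helm's plugin verification, so helm-unittest is fetched from the git URL at whatever commit the tag named by `HELM_PLUGIN_UNITTEST_VERSION` points to, with no provenance check, while every action in the same workflow is pinned to a commit SHA. It is presumably needed because the same commit moves `HELM_VERSION` to v4.0.1 and a git-tag install carries nothing the new verification can check, but the hunk does not record that reason. I would put a comment above the command, `# --verify=false: the plugin is installed from a git tag, which Helm 4 plugin verification cannot check; revisit once a signed release is consumable`, and consider installing from a signed release artifact so verification can be turned back on. The `run: |` step this command belongs to starts and ends outside the hunk.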
@@ -270,10 +270,10 @@ jobs:
- k8s-setup
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Go Setup
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+ uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version-file: "auto-discovery/kubernetes/go.mod"
@@ -363,10 +363,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Go Setup
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+ uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version-file: "auto-discovery/cloud-aws/go.mod"
@@ -407,7 +407,7 @@ jobs:
- hook-sdk
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Build Image
working-directory: ./${{ matrix.sdk }}/nodejs
@@ -457,7 +457,7 @@ jobs:
- zap-automation-framework
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Install bun
uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
@@ -610,7 +610,7 @@ jobs:
# - persistence-static-report (WIP)
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Install bun
uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
@@ -744,10 +744,10 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout code
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Set up Go
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+ uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version-file: "scbctl/go.mod"
diff --git a/.github/workflows/documentation-roulette.yaml b/.github/workflows/documentation-roulette.yaml
index 3f854ba98c..0b87dc6b53 100644
--- a/.github/workflows/documentation-roulette.yaml
+++ b/.github/workflows/documentation-roulette.yaml
@@ -21,7 +21,7 @@ jobs:
if: github.repository == 'secureCodeBox/secureCodeBox'
steps:
- name: Checkout repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
# Request team members with the GitHub API using their gh cli
- name: Fetch core-team members
diff --git a/.github/workflows/helm-charts-release-ghcr.yaml b/.github/workflows/helm-charts-release-ghcr.yaml
index 1c9e11e319..4a6bbfd772 100644
--- a/.github/workflows/helm-charts-release-ghcr.yaml
+++ b/.github/workflows/helm-charts-release-ghcr.yaml
@@ -20,7 +20,7 @@ jobs:
name: "Publish Helm Charts to GHCR"
runs-on: ubuntu-24.04
steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Parse Release Version
run: |
diff --git a/.github/workflows/helm-charts-release.yaml b/.github/workflows/helm-charts-release.yaml
index 26459d32ee..667a3da4cc 100644
--- a/.github/workflows/helm-charts-release.yaml
+++ b/.github/workflows/helm-charts-release.yaml
@@ -18,7 +18,7 @@ jobs:
name: Package and Publish
runs-on: ubuntu-24.04
steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: "Install yq"
run: |
sudo snap install yq
diff --git a/.github/workflows/helm-docs.yaml b/.github/workflows/helm-docs.yaml
index 28e1178684..30074751d7 100644
--- a/.github/workflows/helm-docs.yaml
+++ b/.github/workflows/helm-docs.yaml
@@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-24.04
if: github.repository == 'secureCodeBox/secureCodeBox'
steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.SCB_BOT_USER_TOKEN }}
diff --git a/.github/workflows/label-commenter.yml b/.github/workflows/label-commenter.yml
index 7882bf9089..abe871f668 100644
--- a/.github/workflows/label-commenter.yml
+++ b/.github/workflows/label-commenter.yml
@@ -19,7 +19,7 @@ jobs:
comment:
runs-on: ubuntu-24.04
steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Label Commenter
uses: peaceiris/actions-label-commenter@f0dbbef043eb1b150b566db36b0bdc8b7f505579 # v1.10.0
with:
diff --git a/.github/workflows/license-check.yaml b/.github/workflows/license-check.yaml
index f9cadf756c..5accc5694b 100644
--- a/.github/workflows/license-check.yaml
+++ b/.github/workflows/license-check.yaml
@@ -19,7 +19,7 @@ jobs:
if: github.repository == 'secureCodeBox/secureCodeBox'
steps:
- name: Checkout repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: REUSE Compliance Check
uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
index a18a208d88..b7f28353e3 100644
--- a/.github/workflows/mega-linter.yml
+++ b/.github/workflows/mega-linter.yml
@@ -36,7 +36,7 @@ jobs:
steps:
# Git Checkout
- name: Checkout Code
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
fetch-depth: 0
@@ -46,7 +46,7 @@ jobs:
id: ml
# You can override MegaLinter flavor used to have faster performances
# More info at https://megalinter.github.io/flavors/
- uses: oxsecurity/megalinter@62c799d895af9bcbca5eacfebca29d527f125a57 # v9.1.0
+ uses: oxsecurity/megalinter@55a59b24a441e0e1943080d4a512d827710d4a9d # v9.2.0
env:
# All available variables are described in documentation
# https://megalinter.github.io/configuration/
diff --git a/.github/workflows/move-bot-pr-to-review.yaml b/.github/workflows/move-bot-pr-to-review.yaml
index 3169a8029f..2e4bcfabcc 100644
--- a/.github/workflows/move-bot-pr-to-review.yaml
+++ b/.github/workflows/move-bot-pr-to-review.yaml
@@ -19,7 +19,7 @@ jobs:
# only run if the branch starts with 'dependabot/' or 'dependencies/upgrading'
if: startsWith(github.head_ref, 'dependabot/') || startsWith(github.head_ref, 'dependencies/upgrading')
steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Add bot PR to project
run: |
diff --git a/.github/workflows/oss-scorecard.yaml b/.github/workflows/oss-scorecard.yaml
index 0eed3743a8..ec5e52c344 100644
--- a/.github/workflows/oss-scorecard.yaml
+++ b/.github/workflows/oss-scorecard.yaml
@@ -20,7 +20,7 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
@@ -33,6 +33,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+ uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
with:
sarif_file: results.sarif
diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml
index f8e28f7def..28557a6ced 100644
--- a/.github/workflows/release-build.yaml
+++ b/.github/workflows/release-build.yaml
@@ -31,11 +31,11 @@ jobs:
component: ["operator", "lurker"]
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Docker Meta
id: docker_meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.DOCKER_NAMESPACE }}/${{ matrix.component }}
tags: |
@@ -78,11 +78,11 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Docker Meta
id: docker_meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.DOCKER_NAMESPACE }}/auto-discovery-kubernetes
tags: |
@@ -125,11 +125,11 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Docker Meta
id: docker_meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.DOCKER_NAMESPACE }}/auto-discovery-pull-secret-extractor
tags: |
@@ -178,11 +178,11 @@ jobs:
- hook-sdk
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Docker Meta
id: docker_meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.DOCKER_NAMESPACE }}/${{ matrix.sdk }}-nodejs
tags: |
@@ -231,11 +231,11 @@ jobs:
- update-field-hook
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Docker Meta
id: docker_meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.DOCKER_NAMESPACE }}/hook-${{ matrix.hook }}
tags: |
@@ -285,11 +285,11 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Docker Meta
id: docker_meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.DOCKER_NAMESPACE }}/persistence-elastic-dashboard-importer
tags: |
@@ -347,11 +347,11 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Docker Meta
id: docker_meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.DOCKER_NAMESPACE }}/parser-${{ matrix.parser }}
tags: |
@@ -422,10 +422,10 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Set ENV Var with Scanner Version
- uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
+ uses: mikefarah/yq@7ccaf8e700ce99eb3f0f6cef7f5930a0b3c827cd # v4.49.2
# Notice: The current version of the scanner is provided via the Chart.yaml to ensure
# there is only one place to edit the version of a scanner
with:
@@ -433,13 +433,13 @@ jobs:
# extract the supported cpu architectures from the Chart.yaml
- name: Set ENV Var with Supported Platforms
- uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
+ uses: mikefarah/yq@7ccaf8e700ce99eb3f0f6cef7f5930a0b3c827cd # v4.49.2
with:
cmd: echo supportedPlatforms=$(yq e .annotations.supported-platforms scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV
- name: Docker Meta
id: docker_meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.DOCKER_NAMESPACE }}/scanner-${{ matrix.scanner }}
tags: |
@@ -492,11 +492,11 @@ jobs:
- test-scan
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Docker Meta
id: docker_meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.DOCKER_NAMESPACE }}/scanner-${{ matrix.scanner }}
tags: |
@@ -552,10 +552,10 @@ jobs:
- old-wordpress
steps:
- name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Set ENV Var with Demo-Target Version
- uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
+ uses: mikefarah/yq@7ccaf8e700ce99eb3f0f6cef7f5930a0b3c827cd # v4.49.2
# Notice: The current version of the demo-target is provided via the Chart.yaml to ensure
# there is only one place to edit the version of a scanner
with:
@@ -563,7 +563,7 @@ jobs:
- name: Docker Meta
id: docker_meta
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.DOCKER_NAMESPACE }}/demo-target-${{ matrix.target }}
tags: |
diff --git a/.github/workflows/scb-bot.yaml b/.github/workflows/scb-bot.yaml
index c95dc20ed9..e19179506f 100644
--- a/.github/workflows/scb-bot.yaml
+++ b/.github/workflows/scb-bot.yaml
@@ -48,7 +48,7 @@ jobs:
- zap-automation-framework # missing scanners are : nmap, nikto
steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
@@ -61,14 +61,14 @@ jobs:
# Fetching scanner version from local chart .appVersion attribute
# this would look like 1.1.1 or v1.1.1 depending on the corresponding Docker image tag
- name: Fetch local scanner version
- uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
+ uses: mikefarah/yq@7ccaf8e700ce99eb3f0f6cef7f5930a0b3c827cd # v4.49.2
with:
cmd: echo local=$(yq e .appVersion scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV
# Fetching scanner version API from local chart .annotations.versionApi attribute
# This would look like https://api.github.com/repos/projectdiscovery/nuclei/releases/latest
- name: Fetch scanner's version API
- uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
+ uses: mikefarah/yq@7ccaf8e700ce99eb3f0f6cef7f5930a0b3c827cd # v4.49.2
with:
cmd: echo versionApi=$(yq e .annotations.versionApi scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV
@@ -143,7 +143,7 @@ jobs:
- name: Upgrade Scanner Helm Chart
if: ${{ env.release != env.local && env.prExists == 0 && env.release != null}}
- uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
+ uses: mikefarah/yq@7ccaf8e700ce99eb3f0f6cef7f5930a0b3c827cd # v4.49.2
with:
# appVersion value in chart is replaced with release value. Empty lines are deleted in the process
cmd: yq e --inplace '.appVersion = "${{env.release}}"' ./scanners/${{ matrix.scanner }}/Chart.yaml
@@ -189,7 +189,7 @@ jobs:
- name: Create Pull Request
if: ${{ env.release != env.local && env.prExists == 0 && env.release != null }}
- uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+ uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
with:
token: ${{ secrets.SCB_BOT_USER_TOKEN }}
committer: secureCodeBoxBot
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index ad4696f13d..d6071c23be 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -61,3 +61,4 @@ Committing with `git commit -s` will add the sign-off at the end of the commit m
- Kai Schäfer
- Joel Saß
- Patrick Weiss
+- Conleth Kennedy
diff --git a/auto-discovery/cloud-aws/Dockerfile b/auto-discovery/cloud-aws/Dockerfile
index 4daf5d24f3..5a6264fac4 100644
--- a/auto-discovery/cloud-aws/Dockerfile
+++ b/auto-discovery/cloud-aws/Dockerfile
@@ -3,7 +3,7 @@
# SPDX-License-Identifier: Apache-2.0
# Build the service binary
-FROM --platform=$BUILDPLATFORM golang:1.25.4 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.25.5 AS builder
WORKDIR /workspace
# Copy the Go Modules manifests
diff --git a/auto-discovery/kubernetes/Dockerfile b/auto-discovery/kubernetes/Dockerfile
index a570a4711b..535b1188cc 100644
--- a/auto-discovery/kubernetes/Dockerfile
+++ b/auto-discovery/kubernetes/Dockerfile
@@ -3,7 +3,7 @@
# SPDX-License-Identifier: Apache-2.0
# Build the manager binary
-FROM --platform=$BUILDPLATFORM golang:1.25.4 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.25.5 AS builder
WORKDIR /workspace
# Copy the Go Modules manifests
diff --git a/auto-discovery/kubernetes/pull-secret-extractor/Dockerfile b/auto-discovery/kubernetes/pull-secret-extractor/Dockerfile
index 0984e12ae1..b34b6ad815 100644
--- a/auto-discovery/kubernetes/pull-secret-extractor/Dockerfile
+++ b/auto-discovery/kubernetes/pull-secret-extractor/Dockerfile
@@ -3,7 +3,7 @@
# SPDX-License-Identifier: Apache-2.0
# Build the pull-secret-extractor binary
-FROM --platform=$BUILDPLATFORM golang:1.25.4 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.25.5 AS builder
WORKDIR /workspace
# Copy the Go Modules manifests
diff --git a/demo-targets/bodgeit/tests/__snapshot__/bodgeit_test.yaml.snap b/demo-targets/bodgeit/tests/__snapshot__/bodgeit_test.yaml.snap
index 3835ba9ab9..3a10cf6f3b 100644
--- a/demo-targets/bodgeit/tests/__snapshot__/bodgeit_test.yaml.snap
+++ b/demo-targets/bodgeit/tests/__snapshot__/bodgeit_test.yaml.snap
@@ -1,6 +1,6 @@
matches the snapshot:
1: |
- raw: |2
+ raw: |
1. Get the application URL by running these commands:
2: |
apiVersion: apps/v1
diff --git a/demo-targets/dummy-ssh/tests/__snapshot__/dummy-ssh_test.yaml.snap b/demo-targets/dummy-ssh/tests/__snapshot__/dummy-ssh_test.yaml.snap
index 8de190c814..c0756779de 100644
--- a/demo-targets/dummy-ssh/tests/__snapshot__/dummy-ssh_test.yaml.snap
+++ b/demo-targets/dummy-ssh/tests/__snapshot__/dummy-ssh_test.yaml.snap
@@ -1,6 +1,6 @@
matches the snapshot:
1: |
- raw: |2
+ raw: |
Demo SSH Server deployed. Note this should used for demo and test purposes.
diff --git a/demo-targets/http-webhook/tests/__snapshot__/http-webhook_test.yaml.snap b/demo-targets/http-webhook/tests/__snapshot__/http-webhook_test.yaml.snap
index 024edcd3d0..94194b0c4b 100644
--- a/demo-targets/http-webhook/tests/__snapshot__/http-webhook_test.yaml.snap +++ b/demo-targets/http-webhook/tests/__snapshot__/http-webhook_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | 1. Get the application URL by running these commands: 2: | apiVersion: apps/v1 diff --git a/demo-targets/juice-shop/tests/__snapshot__/juice-shop_test.yaml.snap b/demo-targets/juice-shop/tests/__snapshot__/juice-shop_test.yaml.snap index fd100f1438..735e87c3f8 100644 --- a/demo-targets/juice-shop/tests/__snapshot__/juice-shop_test.yaml.snap +++ b/demo-targets/juice-shop/tests/__snapshot__/juice-shop_test.yaml.snap @@ -1,12 +1,12 @@ matches the snapshot: 1: | - raw: |2 + raw: | 1. Get the application URL by running these commands: https://chart-example.localmap[path:/] 2: | apiVersion: v1 data: - customConfig.yml: |2 + customConfig.yml: | application: domain: juice-sh.op name: OWASP Juice Shop diff --git a/demo-targets/old-joomla/tests/__snapshot__/old-joomla_test.yaml.snap b/demo-targets/old-joomla/tests/__snapshot__/old-joomla_test.yaml.snap index a683a28857..5a8d342b20 100644 --- a/demo-targets/old-joomla/tests/__snapshot__/old-joomla_test.yaml.snap +++ b/demo-targets/old-joomla/tests/__snapshot__/old-joomla_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | 1. Get the application URL by running these commands: 2: | apiVersion: apps/v1 diff --git a/demo-targets/old-typo3/tests/__snapshot__/old-typo3_test.yaml.snap b/demo-targets/old-typo3/tests/__snapshot__/old-typo3_test.yaml.snap index 1afbb74652..2e066d0952 100644 --- a/demo-targets/old-typo3/tests/__snapshot__/old-typo3_test.yaml.snap +++ b/demo-targets/old-typo3/tests/__snapshot__/old-typo3_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | 1. Get the application URL by running these commands: 2: | apiVersion: apps/v1 
diff --git a/demo-targets/old-wordpress/tests/__snapshot__/old-wordpress_test.yaml.snap b/demo-targets/old-wordpress/tests/__snapshot__/old-wordpress_test.yaml.snap index 40ce2b37bd..b7cc885edd 100644 --- a/demo-targets/old-wordpress/tests/__snapshot__/old-wordpress_test.yaml.snap +++ b/demo-targets/old-wordpress/tests/__snapshot__/old-wordpress_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Old Wordpress Instance deployed. Note this should used for demo and test purposes. diff --git a/demo-targets/swagger-petstore/tests/__snapshot__/swagger-petstore_test.yaml.snap b/demo-targets/swagger-petstore/tests/__snapshot__/swagger-petstore_test.yaml.snap index 4432cfedd5..d9eda818f4 100644 --- a/demo-targets/swagger-petstore/tests/__snapshot__/swagger-petstore_test.yaml.snap +++ b/demo-targets/swagger-petstore/tests/__snapshot__/swagger-petstore_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | 1. Get the application URL by running these commands: 2: | apiVersion: apps/v1 diff --git a/demo-targets/unsafe-https/tests/__snapshot__/unsafe-https_test.yaml.snap b/demo-targets/unsafe-https/tests/__snapshot__/unsafe-https_test.yaml.snap index 979ea466bd..175e11372a 100644 --- a/demo-targets/unsafe-https/tests/__snapshot__/unsafe-https_test.yaml.snap +++ b/demo-targets/unsafe-https/tests/__snapshot__/unsafe-https_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Demo Unsafe Https Server deployed. Note this should only be used for demo and test purposes. diff --git a/demo-targets/vulnerable-log4j/tests/__snapshot__/vulnerable-log4j_test.yaml.snap b/demo-targets/vulnerable-log4j/tests/__snapshot__/vulnerable-log4j_test.yaml.snap index 754289a782..9b15039fcf 100644 --- a/demo-targets/vulnerable-log4j/tests/__snapshot__/vulnerable-log4j_test.yaml.snap +++ b/demo-targets/vulnerable-log4j/tests/__snapshot__/vulnerable-log4j_test.yaml.snap 
@@ -1,6 +1,6 @@
matches the snapshot:
1: |
- raw: |2
+ raw: |
Vulnerable log4j Instance deployed. Note this should used for demo and test purposes.
diff --git a/documentation/docs/12-mentions.md b/documentation/docs/12-mentions.md
index ee3b7c28cb..56f3c6c66a 100644
--- a/documentation/docs/12-mentions.md
+++ b/documentation/docs/12-mentions.md
@@ -11,6 +11,7 @@ Here we collect blog posts, articles, talks about etc. _secureCodeBox_. They are
## Blog Posts and Articles
+- [Automating Penetration Testing with SecureCodeBox on Kubernetes Kind Clusters Using GitHub Actions][gharbi-post] 🇬🇧 by [Yasmine Gharbi][gharbi-author].
- [Wprowadzenie do OWASP secureCodeBox][lukasz-post] 🇵🇱 by [Łukasz Mieczkowski][lukasz-blog].
- [Exploring secureCodeBox — An Open-Source Continuous Security Testing Solution for DevSecOps][theowni-post] 🇬🇧 by [Krzysztof Pranczk][theowni-author].
- [SecureCodeBox — k8s based, toolchain for continuous security scans][gortega-post] 🇬🇧 by [Gustavo Ortega][gortega-author].
@@ -30,6 +31,8 @@ Here we collect blog posts, articles, talks about etc. _secureCodeBox_. They are
- [Interview with RadioTux on YouTube][radiotux-youtube] 🇩🇪 ([Podcast Episode][radiotux-podcast]).
- [35 DevSecOps Tools to Add Sec to Your DevOps][thechief.io] 🇬🇧.
+[gharbi-author]: https://www.linkedin.com/in/yasmine-gharbi-39b67221a/
+[gharbi-post]: https://medium.com/@gyasmine29/automating-penetration-testing-with-securecodebox-on-kubernetes-kind-clusters-using-github-actions-27230b8b087c
[theowni-post]: https://itnext.io/exploring-securecodebox-an-open-source-continuous-security-testing-solution-for-devsecops-b233fc5341e1
[theowni-author]: https://medium.com/@theowni
[gortega-post]: https://gortega.medium.com/securecodebox-an-interesting-tool-bab410185b77
diff --git a/documentation/package-lock.json b/documentation/package-lock.json
index 71080ada7f..7d790fffe7 100644
--- a/documentation/package-lock.json
+++ b/documentation/package-lock.json
@@ -21,9 +21,9 @@ "mustache": "^4.2.0", "node-fetch": "^3.1.1", "prism-react-renderer": "^2.4.1", - "react": "^19.2.0", - "react-dom": "^19.2.0", - "rimraf": "^6.1.0", + "react": "^19.2.1", + "react-dom": "^19.2.1", + "rimraf": "^6.1.2", "sass": "1.94" }, "devDependencies": { @@ -31,7 +31,7 @@ "@docusaurus/tsconfig": "^3.9.2", "@docusaurus/types": "^3.6.0", "@types/node": "^24.10.1", - "@types/react": "^19.2.5", + "@types/react": "^19.2.7", "@types/react-helmet": "^6.1.11", "@types/react-router-dom": "^5.1.8", "sass-loader": "^16.0.6", @@ -247,6 +247,7 @@ "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-5.40.1.tgz", "integrity": "sha512-Mw6pAUF121MfngQtcUb5quZVqMC68pSYYjCRZkSITC085S3zdk+h/g7i6FxnVdbSU6OztxikSDMh1r7Z+4iPlA==", "license": "MIT", + "peer": true, "dependencies": { "@algolia/client-common": "5.40.1", "@algolia/requester-browser-xhr": "5.40.1", @@ -385,6 +386,7 @@ "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.26.0.tgz", "integrity": "sha512-i1SLeK+DzNnQ3LL/CswPCa/E5u4lh1k6IAEphON8F+cXt0t9euTshDru0q7/IqMa1PMPz5RnHuHscF8/ZJsStg==", "license": "MIT", + "peer": true, "dependencies": { "@ampproject/remapping": "^2.2.0", "@babel/code-frame": "^7.26.0", @@ -2189,6 +2191,7 @@ } ], "license": "MIT", + "peer": true, "engines": { "node": ">=18" }, @@ -2211,6 +2214,7 @@ } ], "license": "MIT", + "peer": true, "engines": { "node": ">=18" } @@ -2320,6 +2324,7 @@ "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz", "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==", "license": "MIT", + "peer": true, "dependencies": { "cssesc": "^3.0.0", "util-deprecate": "^1.0.2" 
@@ -2741,6 +2746,7 @@ "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz", "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==", "license": "MIT", + "peer": true, "dependencies": { "cssesc": "^3.0.0", "util-deprecate": "^1.0.2" @@ -3422,6 +3428,7 @@ "resolved": "https://registry.npmjs.org/@docusaurus/core/-/core-3.9.2.tgz", "integrity": "sha512-HbjwKeC+pHUFBfLMNzuSjqFE/58+rLVKmOU3lxQrpsxLBOGosYco/Q0GduBb0/jEMRiyEqjNT/01rRdOMWq5pw==", "license": "MIT", + "peer": true, "dependencies": { "@docusaurus/babel": "3.9.2", "@docusaurus/bundler": "3.9.2", @@ -3603,6 +3610,7 @@ "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-docs/-/plugin-content-docs-3.9.2.tgz", "integrity": "sha512-C5wZsGuKTY8jEYsqdxhhFOe1ZDjH0uIYJ9T/jebHwkyxqnr4wW0jTkB72OMqNjsoQRcb0JN3PcSeTwFlVgzCZg==", "license": "MIT", + "peer": true, "dependencies": { "@docusaurus/core": "3.9.2", "@docusaurus/logger": "3.9.2", @@ -4389,6 +4397,7 @@ "resolved": "https://registry.npmjs.org/@mdx-js/react/-/react-3.1.1.tgz", "integrity": "sha512-f++rKLQgUVYDAtECQ6fn/is15GkEH9+nZPM3MS0RcxVqoTfawHvDlSCH7JbMhAM6uJ32v3eXLvLmLvjGu7PTQw==", "license": "MIT", + "peer": true, "dependencies": { "@types/mdx": "^2.0.0" }, @@ -5117,6 +5126,7 @@ "resolved": "https://registry.npmjs.org/@svgr/core/-/core-8.1.0.tgz", "integrity": "sha512-8QqtOQT5ACVlmsvKOJNEaWmRPmcojMOzCz4Hs2BGG/toAp/K38LcsMRyLp349glq5AzJbCEeimEoxaX6v/fLrA==", "license": "MIT", + "peer": true, "dependencies": { "@babel/core": "^7.21.3", "@svgr/babel-preset": "8.1.0", 
@@ -5490,12 +5500,13 @@ "license": "MIT" }, "node_modules/@types/react": { - "version": "19.2.5", - "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.5.tgz", - "integrity": "sha512-keKxkZMqnDicuvFoJbzrhbtdLSPhj/rZThDlKWCDbgXmUg0rEUFtRssDXKYmtXluZlIqiC5VqkCgRwzuyLHKHw==", + "version": "19.2.7", + "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.7.tgz", + "integrity": "sha512-MWtvHrGZLFttgeEj28VXHxpmwYbor/ATPYbBfSFZEIRK0ecCFLl2Qo55z52Hss+UV9CRN7trSeq1zbgx7YDWWg==", "license": "MIT", + "peer": true, "dependencies": { - "csstype": "^3.0.2" + "csstype": "^3.2.2" } }, "node_modules/@types/react-helmet": { @@ -5845,6 +5856,7 @@ "version": "6.4.2", "resolved": "https://registry.npmjs.org/acorn/-/acorn-6.4.2.tgz", "integrity": "sha512-XtGIhXwF8YM8bJhGxG5kXgjkEuNGLTkoYqVE+KMR+aspr4KGYmKYg7yUe3KghyQ9yheNwLnjmzh/7+gfDBmHCQ==", + "peer": true, "bin": { "acorn": "bin/acorn" }, @@ -5945,6 +5957,7 @@ "version": "6.12.6", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", + "peer": true, "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", @@ -6008,6 +6021,7 @@ "resolved": "https://registry.npmjs.org/algoliasearch/-/algoliasearch-5.40.1.tgz", "integrity": "sha512-iUNxcXUNg9085TJx0HJLjqtDE0r1RZ0GOGrt8KNQqQT5ugu8lZsHuMUYW/e0lHhq6xBvmktU9Bw4CXP9VQeKrg==", "license": "MIT", + "peer": true, "dependencies": { "@algolia/abtesting": "1.6.1", "@algolia/client-abtesting": "5.40.1", @@ -6489,6 +6503,7 @@ } ], "license": "MIT", + "peer": true, "dependencies": { "baseline-browser-mapping": "^2.8.3", "caniuse-lite": "^1.0.30001741", 
@@ -7432,6 +7447,7 @@ "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz", "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==", "license": "MIT", + "peer": true, "dependencies": { "cssesc": "^3.0.0", "util-deprecate": "^1.0.2" @@ -7745,9 +7761,10 @@ "license": "CC0-1.0" }, "node_modules/csstype": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.2.tgz", - "integrity": "sha512-I7K1Uu0MBPzaFKg4nI5Q7Vs2t+3gWWW648spaF+Rg7pI9ds18Ugn+lvg4SHczUdKlHI5LWBXyqfS8+DufyBsgQ==" + "version": "3.2.3", + "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz", + "integrity": "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==", + "license": "MIT" }, "node_modules/data-uri-to-buffer": { "version": "4.0.1", @@ -9311,21 +9328,15 @@ "license": "ISC" }, "node_modules/glob": { - "version": "11.1.0", - "resolved": "https://registry.npmjs.org/glob/-/glob-11.1.0.tgz", - "integrity": "sha512-vuNwKSaKiqm7g0THUBu2x7ckSs3XJLXE+2ssL7/MfTGPLLcrJQ/4Uq1CjPTtO5cCIiRxqvN6Twy1qOwhL0Xjcw==", + "version": "13.0.0", + "resolved": "https://registry.npmjs.org/glob/-/glob-13.0.0.tgz", + "integrity": "sha512-tvZgpqk6fz4BaNZ66ZsRaZnbHvP/jG3uKJvAZOwEVUL4RTA5nJeeLYfyN9/VA8NX/V3IBG+hkeuGpKjvELkVhA==", "license": "BlueOak-1.0.0", "dependencies": { - "foreground-child": "^3.3.1", - "jackspeak": "^4.1.1", "minimatch": "^10.1.1", "minipass": "^7.1.2", - "package-json-from-dist": "^1.0.0", "path-scurry": "^2.0.0" }, - "bin": { - "glob": "dist/esm/bin.mjs" - }, "engines": { "node": "20 || >=22" }, 
@@ -9391,9 +9402,9 @@ } }, "node_modules/glob/node_modules/path-scurry": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-2.0.0.tgz", - "integrity": "sha512-ypGJsmGtdXUOeM5u93TyeIEfEhM6s+ljAhrk5vAvSx8uyY/02OvrZnA0YNGUrPXfpJMgI1ODd3nwz8Npx4O4cg==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-2.0.1.tgz", + "integrity": "sha512-oWyT4gICAu+kaA7QWk/jvCHWarMKNs6pXOGWKDTr7cw4IGcUbW+PeTfbaQiLGheFRpjo6O9J0PmyMfQPjH71oA==", "license": "BlueOak-1.0.0", "dependencies": { "lru-cache": "^11.0.0", @@ -10779,21 +10790,6 @@ "node": ">=0.10.0" } }, - "node_modules/jackspeak": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-4.1.1.tgz", - "integrity": "sha512-zptv57P3GpL+O0I7VdMJNBZCu+BPHVQUk55Ft8/QCJjTVxrnJHuVuX/0Bl2A6/+2oyR/ZMEuFKwmzqqZ/U5nPQ==", - "license": "BlueOak-1.0.0", - "dependencies": { - "@isaacs/cliui": "^8.0.2" - }, - "engines": { - "node": "20 || >=22" - }, - "funding": { - "url": "https://github.com/sponsors/isaacs" - } - }, "node_modules/jest-util": { "version": "29.7.0", "resolved": "https://registry.npmjs.org/jest-util/-/jest-util-29.7.0.tgz", @@ -11517,9 +11513,9 @@ } }, "node_modules/mdast-util-to-hast": { - "version": "13.2.0", - "resolved": "https://registry.npmjs.org/mdast-util-to-hast/-/mdast-util-to-hast-13.2.0.tgz", - "integrity": "sha512-QGYKEuUsYT9ykKBCMOEDLsU5JRObWQusAolFMeko/tYPufNkRffBAQjIE+99jbA87xv6FgmjLtwjh9wBWajwAA==", + "version": "13.2.1", + "resolved": "https://registry.npmjs.org/mdast-util-to-hast/-/mdast-util-to-hast-13.2.1.tgz", + "integrity": "sha512-cctsq2wp5vTsLIcaymblUriiTcZd0CwWtCbLvrOzYCDZoWyMNV8sZ7krj09FSnsiJi3WVsHLM4k6Dq/yaPyCXA==", "license": "MIT", "dependencies": { "@types/hast": "^3.0.0", 
@@ -13672,9 +13668,9 @@ } }, "node_modules/node-forge": { - "version": "1.3.1", - "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz", - "integrity": "sha512-dPEtOeMvF9VMcYV/1Wb8CPoVAXtp6MKMlcbAt4ddqmGqUJ6fQZFXkNZNkNlfevtNkGtaSoXf/vNNNSvgrdXwtA==", + "version": "1.3.2", + "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.2.tgz", + "integrity": "sha512-6xKiQ+cph9KImrRh0VsjH2d8/GXA4FIMlgU4B757iI1ApvcyA9VlouP0yZJha01V+huImO+kKMU7ih+2+E14fw==", "license": "(BSD-3-Clause OR GPL-2.0)", "engines": { "node": ">= 6.13.0" @@ -14288,6 +14284,7 @@ } ], "license": "MIT", + "peer": true, "dependencies": { "nanoid": "^3.3.11", "picocolors": "^1.1.1", @@ -15191,6 +15188,7 @@ "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz", "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==", "license": "MIT", + "peer": true, "dependencies": { "cssesc": "^3.0.0", "util-deprecate": "^1.0.2" 
@@ -15954,24 +15952,26 @@ } }, "node_modules/react": { - "version": "19.2.0", - "resolved": "https://registry.npmjs.org/react/-/react-19.2.0.tgz", - "integrity": "sha512-tmbWg6W31tQLeB5cdIBOicJDJRR2KzXsV7uSK9iNfLWQ5bIZfxuPEHp7M8wiHyHnn0DD1i7w3Zmin0FtkrwoCQ==", + "version": "19.2.1", + "resolved": "https://registry.npmjs.org/react/-/react-19.2.1.tgz", + "integrity": "sha512-DGrYcCWK7tvYMnWh79yrPHt+vdx9tY+1gPZa7nJQtO/p8bLTDaHp4dzwEhQB7pZ4Xe3ok4XKuEPrVuc+wlpkmw==", "license": "MIT", + "peer": true, "engines": { "node": ">=0.10.0" } }, "node_modules/react-dom": { - "version": "19.2.0", - "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.0.tgz", - "integrity": "sha512-UlbRu4cAiGaIewkPyiRGJk0imDN2T3JjieT6spoL2UeSf5od4n5LB/mQ4ejmxhCFT1tYe8IvaFulzynWovsEFQ==", + "version": "19.2.1", + "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.1.tgz", + "integrity": "sha512-ibrK8llX2a4eOskq1mXKu/TGZj9qzomO+sNfO98M6d9zIPOEhlBkMkBUBLd1vgS0gQsLDBzA+8jJBVXDnfHmJg==", "license": "MIT", + "peer": true, "dependencies": { "scheduler": "^0.27.0" }, "peerDependencies": { - "react": "^19.2.0" + "react": "^19.2.1" } }, "node_modules/react-fast-compare": { @@ -16037,6 +16037,7 @@ "resolved": "https://registry.npmjs.org/@docusaurus/react-loadable/-/react-loadable-6.0.0.tgz", "integrity": "sha512-YMMxTUQV/QFSnbgrP3tjDzLHRg7vsbMn8e9HAa8o/1iXoiomo48b7sk/kkmWEuWNDPJVlKSJRB6Y2fHqdJk+SQ==", "license": "MIT", + "peer": true, "dependencies": { "@types/react": "*" }, @@ -16063,6 +16064,7 @@ "version": "5.3.4", "resolved": "https://registry.npmjs.org/react-router/-/react-router-5.3.4.tgz", "integrity": "sha512-Ys9K+ppnJah3QuaRiLxk+jDWOR1MekYQrlytiXxC1RyfbdsZkS5pvKAzCCr031xHixZwpnsYNT5xysdFHQaYsA==", + "peer": true, "dependencies": { "@babel/runtime": "^7.12.13", "history": "^4.9.0", 
@@ -16825,12 +16827,12 @@ } }, "node_modules/rimraf": { - "version": "6.1.0", - "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-6.1.0.tgz", - "integrity": "sha512-DxdlA1bdNzkZK7JiNWH+BAx1x4tEJWoTofIopFo6qWUU94jYrFZ0ubY05TqH3nWPJ1nKa1JWVFDINZ3fnrle/A==", + "version": "6.1.2", + "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-6.1.2.tgz", + "integrity": "sha512-cFCkPslJv7BAXJsYlK1dZsbP8/ZNLkCAQ0bi1hf5EKX2QHegmDFEFA6QhuYJlk7UDdc+02JjO80YSOrWPpw06g==", "license": "BlueOak-1.0.0", "dependencies": { - "glob": "^11.0.3", + "glob": "^13.0.0", "package-json-from-dist": "^1.0.1" }, "bin": { @@ -16921,10 +16923,11 @@ "license": "MIT" }, "node_modules/sass": { - "version": "1.94.0", - "resolved": "https://registry.npmjs.org/sass/-/sass-1.94.0.tgz", - "integrity": "sha512-Dqh7SiYcaFtdv5Wvku6QgS5IGPm281L+ZtVD1U2FJa7Q0EFRlq8Z3sjYtz6gYObsYThUOz9ArwFqPZx+1azILQ==", + "version": "1.94.2", + "resolved": "https://registry.npmjs.org/sass/-/sass-1.94.2.tgz", + "integrity": "sha512-N+7WK20/wOr7CzA2snJcUSSNTCzeCGUTFY3OgeQP3mZ1aj9NMQ0mSTXwlrnd89j33zzQJGqIN52GIOmYrfq46A==", "license": "MIT", + "peer": true, "dependencies": { "chokidar": "^4.0.0", "immutable": "^5.0.2", @@ -17048,6 +17051,7 @@ "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz", "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==", "license": "MIT", + "peer": true, "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", @@ -18332,7 +18336,8 @@ "node_modules/tslib": { "version": "2.8.1", "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz", - "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==" + "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==", + "peer": true }, "node_modules/type-fest": { "version": "2.19.0", 
@@ -18393,6 +18398,7 @@ "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", "devOptional": true, "license": "Apache-2.0", + "peer": true, "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" @@ -18941,6 +18947,7 @@ "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.96.1.tgz", "integrity": "sha512-l2LlBSvVZGhL4ZrPwyr8+37AunkcYj5qh8o6u2/2rzoPc8gxFJkLj1WxNgooi9pnoc06jh0BjuXnamM4qlujZA==", "license": "MIT", + "peer": true, "dependencies": { "@types/eslint-scope": "^3.7.7", "@types/estree": "^1.0.6", @@ -19643,6 +19650,7 @@ "resolved": "https://registry.npmjs.org/zod/-/zod-4.1.12.tgz", "integrity": "sha512-JInaHOamG8pt5+Ey8kGmdcAcg3OL9reK8ltczgHTAwNhMys/6ThXHityHxVV2p3fkw/c+MAvBHFVYHFZDmjMCQ==", "license": "MIT", + "peer": true, "funding": { "url": "https://github.com/sponsors/colinhacks" } diff --git a/documentation/package.json b/documentation/package.json index 19ac3475e3..6634d834f5 100644 --- a/documentation/package.json +++ b/documentation/package.json @@ -31,9 +31,9 @@ "mustache": "^4.2.0", "node-fetch": "^3.1.1", "prism-react-renderer": "^2.4.1", - "react": "^19.2.0", - "react-dom": "^19.2.0", - "rimraf": "^6.1.0", + "react": "^19.2.1", + "react-dom": "^19.2.1", + "rimraf": "^6.1.2", "sass": "1.94" }, "browserslist": { @@ -53,7 +53,7 @@ "@docusaurus/tsconfig": "^3.9.2", "@docusaurus/types": "^3.6.0", "@types/node": "^24.10.1", - "@types/react": "^19.2.5", + "@types/react": "^19.2.7", "@types/react-helmet": "^6.1.11", "@types/react-router-dom": "^5.1.8", "sass-loader": "^16.0.6", diff --git a/hook-sdk/nodejs/package-lock.json b/hook-sdk/nodejs/package-lock.json index c1e05a4ab3..9c5d645efe 100644 --- a/hook-sdk/nodejs/package-lock.json +++ b/hook-sdk/nodejs/package-lock.json 
@@ -66,9 +66,9 @@ "license": "MIT" }, "node_modules/@types/node": { - "version": "24.10.0", - "resolved": "https://registry.npmjs.org/@types/node/-/node-24.10.0.tgz", - "integrity": "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A==", + "version": "24.10.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-24.10.1.tgz", + "integrity": "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ==", "dependencies": { "undici-types": "~7.16.0" } diff --git a/hooks/cascading-scans/tests/__snapshot__/cascading-scans_test.yaml.snap b/hooks/cascading-scans/tests/__snapshot__/cascading-scans_test.yaml.snap index 59c1494779..a91282dfb7 100644 --- a/hooks/cascading-scans/tests/__snapshot__/cascading-scans_test.yaml.snap +++ b/hooks/cascading-scans/tests/__snapshot__/cascading-scans_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Cascading Scan Hook deployed. This will allow you to start Scans based on previous findings. diff --git a/hooks/finding-post-processing/tests/__snapshot__/finding-post-processing_test.yaml.snap b/hooks/finding-post-processing/tests/__snapshot__/finding-post-processing_test.yaml.snap index 6491d79a3f..0d76f02841 100644 --- a/hooks/finding-post-processing/tests/__snapshot__/finding-post-processing_test.yaml.snap +++ b/hooks/finding-post-processing/tests/__snapshot__/finding-post-processing_test.yaml.snap @@ -1,7 +1,6 @@ matches the snapshot: 1: | - raw: |2 - + raw: | FindingPostProcessing Hook deployed. This will add postprocessing on every finding in this namespace matching these rules: [{"matches":[{"anyOf":[{"attributes":{"port":21,"state":"open"},"category":"Open Port"},{"attributes":{"port":389,"state":"open"},"category":"Open Port"}]}],"override":{"description":"Telnet is bad","severity":"high"}}]. 2: | 
diff --git a/hooks/generic-webhook/tests/__snapshot__/generic-webhook_test.yaml.snap b/hooks/generic-webhook/tests/__snapshot__/generic-webhook_test.yaml.snap index f6b7db66df..51b945b48c 100644 --- a/hooks/generic-webhook/tests/__snapshot__/generic-webhook_test.yaml.snap +++ b/hooks/generic-webhook/tests/__snapshot__/generic-webhook_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | GenericWebhook deployed. Will send requests to: POST http://example.com diff --git a/hooks/notification/hook/package-lock.json b/hooks/notification/hook/package-lock.json index bb6bc147af..f41944635a 100644 --- a/hooks/notification/hook/package-lock.json +++ b/hooks/notification/hook/package-lock.json @@ -12,7 +12,7 @@ "@types/js-yaml": "^4.0.2", "js-yaml": "^4.1.1", "lodash-es": "^4.17.21", - "nodemailer": "^7.0.7", + "nodemailer": "^7.0.11", "nunjucks": "^3.2.4" }, "devDependencies": { @@ -1706,9 +1706,9 @@ } }, "node_modules/nodemailer": { - "version": "7.0.7", - "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.7.tgz", - "integrity": "sha512-jGOaRznodf62TVzdyhKt/f1Q/c3kYynk8629sgJHpRzGZj01ezbgMMWJSAjHADcwTKxco3B68/R+KHJY2T5BaA==", + "version": "7.0.11", + "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.11.tgz", + "integrity": "sha512-gnXhNRE0FNhD7wPSCGhdNh46Hs6nm+uTyg+Kq0cZukNQiYdnCsoQjodNP9BQVG9XrcK/v6/MgpAPBUFyzh9pvw==", "engines": { "node": ">=6.0.0" } @@ -3094,9 +3094,9 @@ } }, "nodemailer": { - "version": "7.0.7", - "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.7.tgz", - "integrity": "sha512-jGOaRznodf62TVzdyhKt/f1Q/c3kYynk8629sgJHpRzGZj01ezbgMMWJSAjHADcwTKxco3B68/R+KHJY2T5BaA==" + "version": "7.0.11", + "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.11.tgz", + "integrity": "sha512-gnXhNRE0FNhD7wPSCGhdNh46Hs6nm+uTyg+Kq0cZukNQiYdnCsoQjodNP9BQVG9XrcK/v6/MgpAPBUFyzh9pvw==" }, "nunjucks": { "version": "3.2.4", 
diff --git a/hooks/notification/hook/package.json b/hooks/notification/hook/package.json index 80601ba916..ff8998029c 100644 --- a/hooks/notification/hook/package.json +++ b/hooks/notification/hook/package.json @@ -37,7 +37,7 @@ "@types/js-yaml": "^4.0.2", "js-yaml": "^4.1.1", "lodash-es": "^4.17.21", - "nodemailer": "^7.0.7", + "nodemailer": "^7.0.11", "nunjucks": "^3.2.4" } } diff --git a/hooks/notification/tests/__snapshot__/notification_test.yaml.snap b/hooks/notification/tests/__snapshot__/notification_test.yaml.snap index 4887549b2b..8ff76dc93d 100644 --- a/hooks/notification/tests/__snapshot__/notification_test.yaml.snap +++ b/hooks/notification/tests/__snapshot__/notification_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Notification hook deployed. Will send requests to: - slack: SOME_ENV_KEY @@ -11,7 +11,7 @@ matches the snapshot: 2: | apiVersion: v1 data: - notification-channel.yaml: |2 + notification-channel.yaml: | - endPoint: SOME_ENV_KEY name: slack rules: diff --git a/hooks/persistence-azure-monitor/tests/__snapshot__/persistence-azure-monitor_test.yaml.snap b/hooks/persistence-azure-monitor/tests/__snapshot__/persistence-azure-monitor_test.yaml.snap index 75aefdeb7b..0194bfda50 100644 --- a/hooks/persistence-azure-monitor/tests/__snapshot__/persistence-azure-monitor_test.yaml.snap +++ b/hooks/persistence-azure-monitor/tests/__snapshot__/persistence-azure-monitor_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Azure Monitor PersistenceProvider deployed. 2: | apiVersion: execution.securecodebox.io/v1 diff --git a/hooks/persistence-defectdojo/hook/build.gradle b/hooks/persistence-defectdojo/hook/build.gradle index 6376257663..98ae54974a 100644 --- a/hooks/persistence-defectdojo/hook/build.gradle +++ b/hooks/persistence-defectdojo/hook/build.gradle 
@@ -8,7 +8,7 @@ plugins { // https://github.com/ben-manes/gradle-versions-plugin // Run: ./gradlew dependencyUpdates -Drevision=release id "com.github.ben-manes.versions" version "0.53.0" - id "org.sonarqube" version "7.0.1.6134" + id "org.sonarqube" version "7.2.0.6526" } group = "io.securecodebox" @@ -24,7 +24,7 @@ repositories { dependencies { implementation group: "io.securecodebox", name: "defectdojo-client", version: "2.0.1" implementation group: "io.kubernetes", name: "client-java", version: "20.0.1" - implementation group: "org.springframework", name: "spring-web", version: "6.2.12" + implementation group: "org.springframework", name: "spring-web", version: "7.0.1" // https://github.com/FasterXML/jackson-bom implementation platform("com.fasterxml.jackson:jackson-bom:2.20.1") implementation "com.fasterxml.jackson.core:jackson-core" diff --git a/hooks/persistence-defectdojo/tests/__snapshot__/persistence-defectdojo_test.yaml.snap b/hooks/persistence-defectdojo/tests/__snapshot__/persistence-defectdojo_test.yaml.snap index cdef1bfcc5..92d3a37bc8 100644 --- a/hooks/persistence-defectdojo/tests/__snapshot__/persistence-defectdojo_test.yaml.snap +++ b/hooks/persistence-defectdojo/tests/__snapshot__/persistence-defectdojo_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: "\nDefectDojo PersistenceProvider succesfully deployed \U0001F389.\n" + raw: "DefectDojo PersistenceProvider succesfully deployed \U0001F389.\n" 2: | apiVersion: execution.securecodebox.io/v1 kind: ScanCompletionHook diff --git a/hooks/persistence-elastic/dashboard-importer/Dockerfile b/hooks/persistence-elastic/dashboard-importer/Dockerfile index b809bbd02d..e7b55f396d 100644 --- a/hooks/persistence-elastic/dashboard-importer/Dockerfile +++ b/hooks/persistence-elastic/dashboard-importer/Dockerfile @@ -2,7 +2,7 @@ # # SPDX-License-Identifier: Apache-2.0 -FROM alpine:3.22 +FROM alpine:3.23 RUN apk add --no-cache curl bash 
diff --git a/hooks/persistence-elastic/hook/hook.js b/hooks/persistence-elastic/hook/hook.js index e9ea8077e6..9079005a56 100644 --- a/hooks/persistence-elastic/hook/hook.js +++ b/hooks/persistence-elastic/hook/hook.js @@ -105,9 +105,10 @@ export async function handle({ }, ]); - const { body: bulkResponse } = await client.bulk({ refresh: true, body }); + const bulkResponseRaw = await client.bulk({ refresh: true, body }); + const bulkResponse = bulkResponseRaw?.body ?? bulkResponseRaw; - if (bulkResponse.errors) { + if (bulkResponse?.errors) { console.error("Bulk Request had errors:"); console.log(bulkResponse); } diff --git a/hooks/persistence-elastic/hook/hook.test.js b/hooks/persistence-elastic/hook/hook.test.js index 08b5e7b16e..84c9184f0c 100644 --- a/hooks/persistence-elastic/hook/hook.test.js +++ b/hooks/persistence-elastic/hook/hook.test.js @@ -5,6 +5,7 @@ import { handle } from "./hook"; let elasticClient; +const buildGetFindings = (findings) => async () => findings; beforeEach(() => { elasticClient = { @@ -32,10 +33,36 @@ const scan = { const testDate = new Date("2020-11-11"); +const scanDocumentBody = { + "@timestamp": testDate, + id: scan.metadata.uid, + labels: scan.metadata.labels, + name: scan.metadata.name, + parameters: scan.spec.parameters, + scan_type: scan.spec.scanType, + type: "scan", +}; + +const expectScanIndexCalledWith = (index, client = elasticClient) => { + expect(client.index).toHaveBeenCalledTimes(1); + expect(client.index).toHaveBeenCalledWith({ + body: scanDocumentBody, + index, + }); +}; + +const findingsWithOpenPort = [ + { + id: "4560b3e6-1219-4f5f-9b44-6579f5a32407", + name: "Port 5601 is open", + category: "Open Port", + }, +]; + test("should only send scan summary document if no findings are passing in", async () => { const findings = []; - const getFindings = async () => findings; + const getFindings = buildGetFindings(findings); await handle({ getFindings, 
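Review bot: The new `bulkResponseRaw?.body ?? bulkResponseRaw` line carries no explanation of which client versions produce which shape, so a later reader is likely to "simplify" it back to the destructuring it replaces. A comment above it such as `// @elastic/elasticsearch v7 wraps the result in { body }; v8 returns the result object directly` would pin the intent, and the new "should handle elasticsearch v8 bulk response shape" test in hook.test.js is the place to point at. Separately, the `bulkResponse?.errors` branch still only logs and lets the hook resolve normally, so a bulk request that failed for some or all findings is not surfaced to the caller; consider rethrowing or returning a failure after the log so the hook's outcome reflects the lost findings. `handle` starts outside the hunk.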
@@ -46,34 +73,12 @@ test("should only send scan summary document if no findings are passing in", asy client: elasticClient, }); - expect(elasticClient.index).toHaveBeenCalledTimes(1); - expect(elasticClient.index).toHaveBeenCalledWith({ - body: { - "@timestamp": testDate, - id: "09988cdf-1fc7-4f85-95ee-1b1d65dbc7cc", - labels: { - company: "iteratec", - }, - name: "demo-scan", - parameters: ["-Pn", "localhost"], - scan_type: "Nmap", - type: "scan", - }, - index: `scb_default_2020-11-11`, - }); + expectScanIndexCalledWith(`scb_default_2020-11-11`); expect(elasticClient.bulk).not.toHaveBeenCalled(); }); test("should send findings to elasticsearch with given prefix", async () => { - const findings = [ - { - id: "4560b3e6-1219-4f5f-9b44-6579f5a32407", - name: "Port 5601 is open", - category: "Open Port", - }, - ]; - - const getFindings = async () => findings; + const getFindings = buildGetFindings(findingsWithOpenPort); await handle({ getFindings, @@ -85,21 +90,7 @@ test("should send findings to elasticsearch with given prefix", async () => { client: elasticClient, }); - expect(elasticClient.index).toHaveBeenCalledTimes(1); - expect(elasticClient.index).toHaveBeenCalledWith({ - body: { - "@timestamp": testDate, - id: "09988cdf-1fc7-4f85-95ee-1b1d65dbc7cc", - labels: { - company: "iteratec", - }, - name: "demo-scan", - parameters: ["-Pn", "localhost"], - scan_type: "Nmap", - type: "scan", - }, - index: `myPrefix_default_2020-11-11`, - }); + expectScanIndexCalledWith(`myPrefix_default_2020-11-11`); expect(elasticClient.bulk).toHaveBeenCalledTimes(1); expect(elasticClient.bulk).toHaveBeenCalledWith({ @@ -130,7 +121,7 @@ test("should send findings to elasticsearch with given prefix", async () => { test("should not append namespace if 'appendNamespace' is null", async () => { const findings = []; - const getFindings = async () => findings; + const getFindings = buildGetFindings(findings); await handle({ getFindings, 
@@ -140,27 +131,13 @@ test("should not append namespace if 'appendNamespace' is null", async () => { client: elasticClient, }); - expect(elasticClient.index).toBeCalledTimes(1); - expect(elasticClient.index).toBeCalledWith({ - body: { - "@timestamp": testDate, - id: "09988cdf-1fc7-4f85-95ee-1b1d65dbc7cc", - labels: { - company: "iteratec", - }, - name: "demo-scan", - parameters: ["-Pn", "localhost"], - scan_type: "Nmap", - type: "scan", - }, - index: `scb_2020-11-11`, - }); + expectScanIndexCalledWith(`scb_2020-11-11`); }); test("should append date format yyyy", async () => { const findings = []; - const getFindings = async () => findings; + const getFindings = buildGetFindings(findings); await handle({ getFindings, @@ -171,27 +148,13 @@ test("should append date format yyyy", async () => { client: elasticClient, }); - expect(elasticClient.index).toBeCalledTimes(1); - expect(elasticClient.index).toBeCalledWith({ - body: { - "@timestamp": testDate, - id: "09988cdf-1fc7-4f85-95ee-1b1d65dbc7cc", - labels: { - company: "iteratec", - }, - name: "demo-scan", - parameters: ["-Pn", "localhost"], - scan_type: "Nmap", - type: "scan", - }, - index: `scb_2020`, - }); + expectScanIndexCalledWith(`scb_2020`); }); test("should append week format like yyyy/'W'W -> 2020/W46", async () => { const findings = []; - const getFindings = async () => findings; + const getFindings = buildGetFindings(findings); await handle({ getFindings, 
@@ -202,19 +165,41 @@ test("should append week format like yyyy/'W'W -> 2020/W46", async () => { client: elasticClient, }); - expect(elasticClient.index).toBeCalledTimes(1); - expect(elasticClient.index).toBeCalledWith({ - body: { - "@timestamp": testDate, - id: "09988cdf-1fc7-4f85-95ee-1b1d65dbc7cc", - labels: { - company: "iteratec", - }, - name: "demo-scan", - parameters: ["-Pn", "localhost"], - scan_type: "Nmap", - type: "scan", + expectScanIndexCalledWith(`scb_2020/W46`); +}); + +test("should handle elasticsearch v8 bulk response shape", async () => { + const findings = findingsWithOpenPort; + const getFindings = buildGetFindings(findings); + const v8BulkResponse = { errors: true, items: [] }; + + const v8Client = { + indices: { + create: jest.fn(), }, - index: `scb_2020/W46`, - }); + index: jest.fn(), + bulk: jest.fn(() => v8BulkResponse), + }; + + const consoleErrorSpy = jest + .spyOn(console, "error") + .mockImplementation(() => {}); + const consoleLogSpy = jest.spyOn(console, "log").mockImplementation(() => {}); + + try { + await handle({ + getFindings, + scan, + now: testDate, + tenant: "default", + appendNamespace: true, + client: v8Client, + }); + expect(v8Client.bulk).toHaveBeenCalledTimes(1); + expect(consoleErrorSpy).toHaveBeenCalledWith("Bulk Request had errors:"); + expect(consoleLogSpy).toHaveBeenCalledWith(v8BulkResponse); + } finally { + consoleErrorSpy.mockRestore(); + consoleLogSpy.mockRestore(); + } }); diff --git a/hooks/persistence-elastic/tests/__snapshot__/persistence-elastic_test.yaml.snap b/hooks/persistence-elastic/tests/__snapshot__/persistence-elastic_test.yaml.snap index 8f851fd788..b4d93791b5 100644 --- a/hooks/persistence-elastic/tests/__snapshot__/persistence-elastic_test.yaml.snap +++ b/hooks/persistence-elastic/tests/__snapshot__/persistence-elastic_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Elastic Stack PersistenceProvider deployed. 2: | apiVersion: batch/v1 
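Review bot: In the new v8 test, `const findings = findingsWithOpenPort;` is a needless alias that the "should send findings to elasticsearch with given prefix" test in the same file avoids; `const getFindings = buildGetFindings(findingsWithOpenPort);` keeps the two consistent. The test pins only the logging side effect of the `errors: true` response, so it would be worth also asserting on what `handle` resolves to, otherwise nothing in the suite states whether a bulk error is meant to be fatal. The earlier hunks of this file section share the same helper refactor and need no further note.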
diff --git a/hooks/update-field-hook/tests/__snapshot__/update-field-hook_test.yaml.snap b/hooks/update-field-hook/tests/__snapshot__/update-field-hook_test.yaml.snap index 8c46f4d71b..9aeee5375f 100644 --- a/hooks/update-field-hook/tests/__snapshot__/update-field-hook_test.yaml.snap +++ b/hooks/update-field-hook/tests/__snapshot__/update-field-hook_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | UpdateField Hook deployed. This will add or override "category: my-own-category" on every finding in this namespace. 2: | diff --git a/lurker/Dockerfile b/lurker/Dockerfile index 631dba6b5d..5f655da42d 100644 --- a/lurker/Dockerfile +++ b/lurker/Dockerfile @@ -3,7 +3,7 @@ # SPDX-License-Identifier: Apache-2.0 # Build the manager binary -FROM --platform=$BUILDPLATFORM golang:1.25.4 AS builder +FROM --platform=$BUILDPLATFORM golang:1.25.5 AS builder WORKDIR /workspace # Copy the Go Modules manifests diff --git a/operator/Dockerfile b/operator/Dockerfile index e059aeb0da..3545a7948a 100644 --- a/operator/Dockerfile +++ b/operator/Dockerfile @@ -3,7 +3,7 @@ # SPDX-License-Identifier: Apache-2.0 # Build the manager binary -FROM --platform=$BUILDPLATFORM golang:1.25.4 AS builder +FROM --platform=$BUILDPLATFORM golang:1.25.5 AS builder WORKDIR /workspace # Copy the Go Modules manifests diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml index c9ef6de29e..a0ea088958 100644 --- a/operator/templates/manager/manager.yaml +++ b/operator/templates/manager/manager.yaml 
@@ -71,12 +71,12 @@ spec:
 - name: MINIO_ACCESS_KEY
 valueFrom:
 secretKeyRef:
- name: "{{ .Release.Name }}-minio"
+ name: {{ .Values.minio.auth.existingSecret | default (printf "%s-minio" (include "operator.fullname" .)) }}
 key: root-user
 - name: MINIO_SECRET_KEY
 valueFrom:
 secretKeyRef:
- name: "{{ .Release.Name }}-minio"
+ name: {{ .Values.minio.auth.existingSecret | default (printf "%s-minio" (include "operator.fullname" .)) }}
 key: root-password
 - name: S3_BUCKET
 value: {{ .Values.minio.defaultBuckets }}
diff --git a/operator/tests/__snapshot__/operator_test.yaml.snap b/operator/tests/__snapshot__/operator_test.yaml.snap
index adb9dcda10..0df925307e 100644
--- a/operator/tests/__snapshot__/operator_test.yaml.snap
+++ b/operator/tests/__snapshot__/operator_test.yaml.snap
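Review bot: Both changed `name:` lines now emit the secret name as a bare scalar, whereas the line they replace was quoted; a value of `.Values.minio.auth.existingSecret` that YAML re-types (an all-digit name, which is still a valid Secret name, or one starting with `*` or `&`) renders to a manifest that means something else or fails to parse. Appending `| quote` to both expressions, e.g. `name: {{ .Values.minio.auth.existingSecret | default (printf "%s-minio" (include "operator.fullname" .)) | quote }}`, keeps the previous behaviour. The `key: root-user` and `key: root-password` lines stay fixed, so a user-supplied existing secret must carry exactly those two keys; that contract belongs in the values documentation next to `minio.auth.existingSecret`. The same expression is duplicated verbatim on the two lines; a small named template would keep them from drifting apart.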
@@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: "\nsecureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n" + raw: "secureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n" 2: | apiVersion: v1 kind: Service 
@@ -56,12 +56,12 @@ matches the snapshot:
 valueFrom:
 secretKeyRef:
 key: root-user
- name: RELEASE-NAME-minio
+ name: RELEASE-NAME-operator-minio
 - name: MINIO_SECRET_KEY
 valueFrom:
 secretKeyRef:
 key: root-password
- name: RELEASE-NAME-minio
+ name: RELEASE-NAME-operator-minio
 - name: S3_BUCKET
 value: securecodebox
 - name: LURKER_IMAGE
@@ -134,6 +134,177 @@ matches the snapshot:
name: foo
name: ca-certificate
4: |
+ apiVersion: v1
+ data:
+ root-password: dGVzdHBhc3N3b3Jk
+ root-user: dGVzdHVzZXI=
+ kind: Secret
+ metadata:
+ labels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: operator
+ app.kubernetes.io/version: 0.0.0
+ helm.sh/chart: operator-0.0.0
+ name: RELEASE-NAME-operator-minio
+ namespace: NAMESPACE
+ type: Opaque
+ 5: |
+ apiVersion: v1
+ kind: Service
+ metadata:
+ labels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: operator
+ app.kubernetes.io/version: 0.0.0
+ helm.sh/chart: operator-0.0.0
+ name: RELEASE-NAME-operator-minio
+ namespace: NAMESPACE
+ spec:
+ ports:
+ - name: api
+ port: 9000
+ protocol: TCP
+ targetPort: 9000
+ - name: console
+ port: 9001
+ protocol: TCP
+ targetPort: 9001
+ selector:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: operator
+ type: ClusterIP
+ 6: |
+ apiVersion: apps/v1
+ kind: StatefulSet
+ metadata:
+ labels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: operator
+ app.kubernetes.io/version: 0.0.0
+ helm.sh/chart: operator-0.0.0
+ name: RELEASE-NAME-operator-minio
+ namespace: NAMESPACE
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: operator
+ serviceName: RELEASE-NAME-operator-minio
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: operator
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - args:
+ - |
+ set -e
+ echo "Starting minio server..."
+ minio server /data --console-address ":9001" &
+ MINIO_PID=$!
+
+ echo "Waiting for minio to be ready..."
+ sleep 5
+
+ echo "Creating bucket: $MINIO_DEFAULT_BUCKETS"
+ mc alias set myminio http://localhost:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD
+ mc mb myminio/$MINIO_DEFAULT_BUCKETS --ignore-existing || true
+ echo "Bucket creation completed"
+
+ wait $MINIO_PID
+ command:
+ - /bin/bash
+ - -c
+ env:
+ - name: MINIO_ROOT_USER
+ valueFrom:
+ secretKeyRef:
+ key: root-user
+ name: RELEASE-NAME-operator-minio
+ - name: MINIO_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: root-password
+ name: RELEASE-NAME-operator-minio
+ - name: MINIO_DEFAULT_BUCKETS
+ value: securecodebox
+ image: docker.io/minio/minio:RELEASE.2025-07-23T15-54-02Z
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /minio/health/live
+ port: api
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 10
+ name: minio
+ ports:
+ - containerPort: 9000
+ name: api
+ protocol: TCP
+ - containerPort: 9001
+ name: console
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /minio/health/ready
+ port: api
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources:
+ limits:
+ cpu: 500m
+ ephemeral-storage: 1Gi
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - mountPath: /data
+ name: data
+ imagePullSecrets:
+ - name: foo
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsUser: 1000
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ 7: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
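Review bot: The bootstrap script in the rendered StatefulSet (snapshot entry 6 here, and again as entry 7 in the `-766,6` hunk for the second test case) passes the MinIO root credentials as command-line arguments, `mc alias set myminio http://localhost:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD`, so for the duration of that call they are visible in the container's process table to anything that can list processes in the pod or on the node. mc also reads an alias from an environment variable of the form `MC_HOST_<alias>=scheme://user:password@host`, so the template could export `MC_HOST_myminio` from the two secret-backed variables and call `mc mb myminio/$MINIO_DEFAULT_BUCKETS --ignore-existing` without credentials on the command line (the URL form needs the password URL-encoded). Independently, `|| true` under `set -e` means a failed bucket creation is logged and ignored while the readiness probe still reports the pod healthy, and `sleep 5` is a fixed wait rather than a poll of `/minio/health/ready`, so the operator may find the bucket missing on slow nodes. This is a generated snapshot; the fix belongs in the chart template that renders it, which is not part of this diff.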
@@ -157,7 +328,7 @@ matches the snapshot:
- cascadingrules/status
verbs:
- get
- 5: |
+ 8: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -177,7 +348,7 @@ matches the snapshot:
- cascadingrules/status
verbs:
- get
- 6: |
+ 9: |
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@@ -214,7 +385,7 @@ matches the snapshot:
verbs:
- create
- patch
- 7: |
+ 10: |
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
@@ -227,7 +398,7 @@ matches the snapshot:
- kind: ServiceAccount
name: securecodebox-operator
namespace: NAMESPACE
- 8: |
+ 11: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -251,7 +422,7 @@ matches the snapshot:
- parsedefinitions/status
verbs:
- get
- 9: |
+ 12: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -271,7 +442,7 @@ matches the snapshot:
- parsedefinitions/status
verbs:
- get
- 10: |
+ 13: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -370,7 +541,7 @@ matches the snapshot:
- list
- update
- watch
- 11: |
+ 14: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -383,7 +554,7 @@ matches the snapshot:
- kind: ServiceAccount
name: securecodebox-operator
namespace: NAMESPACE
- 12: |
+ 15: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -407,7 +578,7 @@ matches the snapshot:
- scans/status
verbs:
- get
- 13: |
+ 16: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -427,7 +598,7 @@ matches the snapshot:
- scans/status
verbs:
- get
- 14: |
+ 17: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -451,7 +622,7 @@ matches the snapshot:
- scancompletionhooks/status
verbs:
- get
- 15: |
+ 18: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -471,7 +642,7 @@ matches the snapshot:
- scancompletionhooks/status
verbs:
- get
- 16: |
+ 19: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -495,7 +666,7 @@ matches the snapshot:
- scantypes/status
verbs:
- get
- 17: |
+ 20: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -515,57 +686,6 @@ matches the snapshot:
- scantypes/status
verbs:
- get
- 18: |
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: scheduledscan-editor-role
- rules:
- - apiGroups:
- - execution.securecodebox.io
- resources:
- - scheduledscans
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - execution.securecodebox.io
- resources:
- - scheduledscans/status
- verbs:
- - get
- 19: |
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: scheduledscan-viewer-role
- rules:
- - apiGroups:
- - execution.securecodebox.io
- resources:
- - scheduledscans
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - execution.securecodebox.io
- resources:
- - scheduledscans/status
- verbs:
- - get
- 20: |
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- annotations: {}
- labels: {}
- name: securecodebox-operator
21: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@@ -619,7 +739,7 @@ matches the snapshot:
name: securecodebox-operator
properly-renders-the-service-monitor-when-enabled:
1: |
- raw: "\nsecureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n"
+ raw: "secureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n"
2: |
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
@@ -688,12 +808,12 @@ properly-renders-the-service-monitor-when-enabled:
valueFrom:
secretKeyRef:
key: root-user
- name: RELEASE-NAME-minio
+ name: RELEASE-NAME-operator-minio
- name: MINIO_SECRET_KEY
valueFrom:
secretKeyRef:
key: root-password
- name: RELEASE-NAME-minio
+ name: RELEASE-NAME-operator-minio
- name: S3_BUCKET
value: securecodebox
- name: LURKER_IMAGE
@@ -766,6 +886,177 @@ properly-renders-the-service-monitor-when-enabled:
name: foo
name: ca-certificate
5: |
+ apiVersion: v1
+ data:
+ root-password: dGVzdHBhc3N3b3Jk
+ root-user: dGVzdHVzZXI=
+ kind: Secret
+ metadata:
+ labels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: operator
+ app.kubernetes.io/version: 0.0.0
+ helm.sh/chart: operator-0.0.0
+ name: RELEASE-NAME-operator-minio
+ namespace: NAMESPACE
+ type: Opaque
+ 6: |
+ apiVersion: v1
+ kind: Service
+ metadata:
+ labels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: operator
+ app.kubernetes.io/version: 0.0.0
+ helm.sh/chart: operator-0.0.0
+ name: RELEASE-NAME-operator-minio
+ namespace: NAMESPACE
+ spec:
+ ports:
+ - name: api
+ port: 9000
+ protocol: TCP
+ targetPort: 9000
+ - name: console
+ port: 9001
+ protocol: TCP
+ targetPort: 9001
+ selector:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: operator
+ type: ClusterIP
+ 7: |
+ apiVersion: apps/v1
+ kind: StatefulSet
+ metadata:
+ labels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: operator
+ app.kubernetes.io/version: 0.0.0
+ helm.sh/chart: operator-0.0.0
+ name: RELEASE-NAME-operator-minio
+ namespace: NAMESPACE
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: operator
+ serviceName: RELEASE-NAME-operator-minio
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: minio
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: operator
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - args:
+ - |
+ set -e
+ echo "Starting minio server..."
+ minio server /data --console-address ":9001" &
+ MINIO_PID=$!
+
+ echo "Waiting for minio to be ready..."
+ sleep 5
+
+ echo "Creating bucket: $MINIO_DEFAULT_BUCKETS"
+ mc alias set myminio http://localhost:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD
+ mc mb myminio/$MINIO_DEFAULT_BUCKETS --ignore-existing || true
+ echo "Bucket creation completed"
+
+ wait $MINIO_PID
+ command:
+ - /bin/bash
+ - -c
+ env:
+ - name: MINIO_ROOT_USER
+ valueFrom:
+ secretKeyRef:
+ key: root-user
+ name: RELEASE-NAME-operator-minio
+ - name: MINIO_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: root-password
+ name: RELEASE-NAME-operator-minio
+ - name: MINIO_DEFAULT_BUCKETS
+ value: securecodebox
+ image: docker.io/minio/minio:RELEASE.2025-07-23T15-54-02Z
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /minio/health/live
+ port: api
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 10
+ name: minio
+ ports:
+ - containerPort: 9000
+ name: api
+ protocol: TCP
+ - containerPort: 9001
+ name: console
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /minio/health/ready
+ port: api
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources:
+ limits:
+ cpu: 500m
+ ephemeral-storage: 1Gi
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - mountPath: /data
+ name: data
+ imagePullSecrets:
+ - name: foo
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsUser: 1000
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ 8: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -789,7 +1080,7 @@ properly-renders-the-service-monitor-when-enabled:
- cascadingrules/status
verbs:
- get
- 6: |
+ 9: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -809,7 +1100,7 @@ properly-renders-the-service-monitor-when-enabled:
- cascadingrules/status
verbs:
- get
- 7: |
+ 10: |
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@@ -846,7 +1137,7 @@ properly-renders-the-service-monitor-when-enabled:
verbs:
- create
- patch
- 8: |
+ 11: |
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
@@ -859,7 +1150,7 @@ properly-renders-the-service-monitor-when-enabled:
- kind: ServiceAccount
name: securecodebox-operator
namespace: NAMESPACE
- 9: |
+ 12: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -883,7 +1174,7 @@ properly-renders-the-service-monitor-when-enabled:
- parsedefinitions/status
verbs:
- get
- 10: |
+ 13: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -903,7 +1194,7 @@ properly-renders-the-service-monitor-when-enabled:
- parsedefinitions/status
verbs:
- get
- 11: |
+ 14: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -1002,7 +1293,7 @@ properly-renders-the-service-monitor-when-enabled:
- list
- update
- watch
- 12: |
+ 15: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -1015,7 +1306,7 @@ properly-renders-the-service-monitor-when-enabled:
- kind: ServiceAccount
name: securecodebox-operator
namespace: NAMESPACE
- 13: |
+ 16: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -1039,7 +1330,7 @@ properly-renders-the-service-monitor-when-enabled:
- scans/status
verbs:
- get
- 14: |
+ 17: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -1059,7 +1350,7 @@ properly-renders-the-service-monitor-when-enabled:
- scans/status
verbs:
- get
- 15: |
+ 18: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -1083,7 +1374,7 @@ properly-renders-the-service-monitor-when-enabled:
- scancompletionhooks/status
verbs:
- get
- 16: |
+ 19: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -1103,7 +1394,7 @@ properly-renders-the-service-monitor-when-enabled:
- scancompletionhooks/status
verbs:
- get
- 17: |
+ 20: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -1127,7 +1418,7 @@ properly-renders-the-service-monitor-when-enabled:
- scantypes/status
verbs:
- get
- 18: |
+ 21: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -1147,57 +1438,6 @@ properly-renders-the-service-monitor-when-enabled:
- scantypes/status
verbs:
- get
- 19: |
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: scheduledscan-editor-role
- rules:
- - apiGroups:
- - execution.securecodebox.io
- resources:
- - scheduledscans
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - execution.securecodebox.io
- resources:
- - scheduledscans/status
- verbs:
- - get
- 20: |
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: scheduledscan-viewer-role
- rules:
- - apiGroups:
- - execution.securecodebox.io
- resources:
- - scheduledscans
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - execution.securecodebox.io
- resources:
- - scheduledscans/status
- verbs:
- - get
- 21: |
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- annotations: {}
- labels: {}
- name: securecodebox-operator
22: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
diff --git a/operator/tests/operator_test.yaml b/operator/tests/operator_test.yaml
index f27d9347b1..6c8dbc6380 100644
--- a/operator/tests/operator_test.yaml
+++ b/operator/tests/operator_test.yaml
@@ -18,6 +18,11 @@ tests:
customCACertificate.existingCertificate: foo
serviceaccount: {create: true, annotations: {foo: bar}, name: foo}
podSecurityContext: {fsGroup: 1234}
+ minio:
+ enabled: true
+ auth:
+ rootUser: testuser
+ rootPassword: testpassword
asserts:
- matchSnapshot: {}
- it: properly-renders-the-service-monitor-when-enabled
@@ -32,6 +37,11 @@ tests:
metrics:
serviceMonitor:
enabled: true
+ minio:
+ enabled: true
+ auth:
+ rootUser: testuser
+ rootPassword: testpassword
asserts:
- matchSnapshot: {}
- it: renders minio resources when minio is enabled
diff --git a/parser-sdk/nodejs/package-lock.json b/parser-sdk/nodejs/package-lock.json
index 6e2c6559eb..fe50ae78f8 100644
--- a/parser-sdk/nodejs/package-lock.json
+++ b/parser-sdk/nodejs/package-lock.json
@@ -16,7 +16,7 @@
"jsonpointer": "^5.0.1"
},
"devDependencies": {
- "@types/node": "^24.10.0"
+ "@types/node": "^24.10.1"
}
},
"node_modules/@jsep-plugin/assignment": {
@@ -73,9 +73,9 @@
"license": "MIT"
},
"node_modules/@types/node": {
- "version": "24.10.0",
- "resolved": "https://registry.npmjs.org/@types/node/-/node-24.10.0.tgz",
- "integrity": "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A==",
+ "version": "24.10.1",
+ "resolved": "https://registry.npmjs.org/@types/node/-/node-24.10.1.tgz",
+ "integrity": "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ==",
"dependencies": {
"undici-types": "~7.16.0"
}
@@ -867,9 +867,9 @@
"integrity": "sha512-k4MGaQl5TGo/iipqb2UDG2UwjXziSWkh0uysQelTlJpX1qGlpUZYm8PnO4DxG1qBomtJUdYJ6qR6xdIah10JLg=="
},
"@types/node": {
- "version": "24.10.0",
- "resolved": "https://registry.npmjs.org/@types/node/-/node-24.10.0.tgz",
- "integrity": "sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A==",
+ "version": "24.10.1",
+ "resolved": "https://registry.npmjs.org/@types/node/-/node-24.10.1.tgz",
+ "integrity": "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ==",
"requires": {
"undici-types": "~7.16.0"
}
diff --git a/parser-sdk/nodejs/package.json b/parser-sdk/nodejs/package.json
index 8cf8239a52..29394bc26c 100644
--- a/parser-sdk/nodejs/package.json
+++ b/parser-sdk/nodejs/package.json
@@ -18,6 +18,6 @@
"jsonpointer": "^5.0.1"
},
"devDependencies": {
- "@types/node": "^24.10.0"
+ "@types/node": "^24.10.1"
}
}
diff --git a/scanners/gitleaks/Chart.yaml b/scanners/gitleaks/Chart.yaml
index 28ee904867..b53e1eac7d 100644
--- a/scanners/gitleaks/Chart.yaml
+++ b/scanners/gitleaks/Chart.yaml
@@ -8,7 +8,7 @@ description: A Helm chart for the gitleaks repository scanner that integrates wi
type: application
# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: v3.1.0-alpha1
-appVersion: "v8.29.0"
+appVersion: "v8.30.0"
kubeVersion: ">=v1.11.0-0"
annotations:
versionApi: https://api.github.com/repos/zricethezav/gitleaks/releases/latest
diff --git a/scanners/gitleaks/README.md b/scanners/gitleaks/README.md
index 9bd30f7a0b..5d5cef98d7 100644
--- a/scanners/gitleaks/README.md
+++ b/scanners/gitleaks/README.md
@@ -3,7 +3,7 @@ title: "Gitleaks"
category: "scanner"
type: "Repository"
state: "released"
-appVersion: "v8.29.0"
+appVersion: "v8.30.0"
usecase: "Find potential secrets in repositories"
---
diff --git a/scanners/gitleaks/docs/README.DockerHub-Parser.md b/scanners/gitleaks/docs/README.DockerHub-Parser.md
index 6248ab5305..2b96784304 100644
--- a/scanners/gitleaks/docs/README.DockerHub-Parser.md
+++ b/scanners/gitleaks/docs/README.DockerHub-Parser.md
@@ -42,7 +42,7 @@ You can find resources to help you get started on our [documentation website](ht
## Supported Tags
- `latest` (represents the latest stable release build)
-- tagged releases, e.g. `v8.29.0`
+- tagged releases, e.g. `v8.30.0`
## How to use this image
This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more information details please take a look at the documentation page: https://www.securecodebox.io/docs/scanners/gitleaks.
diff --git a/scanners/nikto/scanner/Dockerfile b/scanners/nikto/scanner/Dockerfile
index f49753c78a..4618f0cfd5 100644
--- a/scanners/nikto/scanner/Dockerfile
+++ b/scanners/nikto/scanner/Dockerfile
@@ -2,12 +2,12 @@
#
# SPDX-License-Identifier: Apache-2.0
-FROM alpine:3.22 AS build
+FROM alpine:3.23 AS build
ARG scannerVersion
RUN apk add git
RUN git clone --depth 1 https://github.com/sullo/nikto.git /nikto
-FROM alpine:3.22
+FROM alpine:3.23
ENV PATH=${PATH}:/nikto
diff --git a/scanners/nmap/scanner/Dockerfile b/scanners/nmap/scanner/Dockerfile
index 412cbbb33f..7ed1f3865b 100644
--- a/scanners/nmap/scanner/Dockerfile
+++ b/scanners/nmap/scanner/Dockerfile
@@ -2,7 +2,7 @@
#
# SPDX-License-Identifier: Apache-2.0
-FROM alpine:3.22
+FROM alpine:3.23
ARG scannerVersion
RUN apk add --no-cache nmap=$scannerVersion nmap-scripts=$scannerVersion
RUN addgroup --system --gid 1001 nmap && adduser nmap --system --uid 1001 --ingroup nmap
diff --git a/scanners/nuclei/Chart.yaml b/scanners/nuclei/Chart.yaml
index 9afaa08274..e17c1b4841 100644
--- a/scanners/nuclei/Chart.yaml
+++ b/scanners/nuclei/Chart.yaml
@@ -8,7 +8,7 @@ description: A Helm chart for the nuclei security scanner that integrates with t
type: application
# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: v3.1.0-alpha1
-appVersion: "v3.5.1"
+appVersion: "v3.6.0"
kubeVersion: ">=v1.11.0-0"
annotations:
versionApi: https://api.github.com/repos/projectdiscovery/nuclei/releases/latest
diff --git a/scanners/nuclei/README.md b/scanners/nuclei/README.md
index 8d2847c06a..379f23972d 100644
--- a/scanners/nuclei/README.md
+++ b/scanners/nuclei/README.md
@@ -3,7 +3,7 @@ title: "Nuclei"
category: "scanner"
type: "Website"
state: "released"
-appVersion: "v3.5.1"
+appVersion: "v3.6.0"
usecase: "Nuclei is a fast, template based vulnerability scanner."
---
diff --git a/scanners/nuclei/docs/README.DockerHub-Parser.md b/scanners/nuclei/docs/README.DockerHub-Parser.md
index bd1a96fb2a..d9b85d29a5 100644
--- a/scanners/nuclei/docs/README.DockerHub-Parser.md
+++ b/scanners/nuclei/docs/README.DockerHub-Parser.md
@@ -42,7 +42,7 @@ You can find resources to help you get started on our [documentation website](ht
## Supported Tags
- `latest` (represents the latest stable release build)
-- tagged releases, e.g. `v3.5.1`
+- tagged releases, e.g. `v3.6.0`
## How to use this image
This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more information details please take a look at the documentation page: https://www.securecodebox.io/docs/scanners/nuclei.
diff --git a/scanners/semgrep/Chart.yaml b/scanners/semgrep/Chart.yaml
index a81d89417a..f748c65345 100644
--- a/scanners/semgrep/Chart.yaml
+++ b/scanners/semgrep/Chart.yaml
@@ -22,7 +22,7 @@ version: "v3.1.0-alpha1"
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
-appVersion: "1.143.0"
+appVersion: "1.145.0"
annotations:
versionApi: https://api.github.com/repos/semgrep/semgrep/releases/latest
supported-platforms: linux/amd64,linux/arm64
diff --git a/scanners/semgrep/README.md b/scanners/semgrep/README.md
index b3c8a3d2bc..f7c2636a9d 100644
--- a/scanners/semgrep/README.md
+++ b/scanners/semgrep/README.md
@@ -3,7 +3,7 @@ title: "Semgrep"
category: "scanner"
type: "Repository"
state: "released"
-appVersion: "1.143.0"
+appVersion: "1.145.0"
usecase: "Static Code Analysis"
---
diff --git a/scanners/semgrep/docs/README.DockerHub-Parser.md b/scanners/semgrep/docs/README.DockerHub-Parser.md
index af63176482..6e2f0d2b57 100644
--- a/scanners/semgrep/docs/README.DockerHub-Parser.md
+++ b/scanners/semgrep/docs/README.DockerHub-Parser.md
@@ -42,7 +42,7 @@ You can find resources to help you get started on our [documentation website](ht
## Supported Tags
- `latest` (represents the latest stable release build)
-- tagged releases, e.g. `1.143.0`
+- tagged releases, e.g. `1.145.0`
## How to use this image
This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more information details please take a look at the documentation page: https://www.securecodebox.io/docs/scanners/semgrep.
diff --git a/scanners/semgrep/tests/__snapshot__/scanner_test.yaml.snap b/scanners/semgrep/tests/__snapshot__/scanner_test.yaml.snap
index ba0ebb78e5..965e552737 100644
--- a/scanners/semgrep/tests/__snapshot__/scanner_test.yaml.snap
+++ b/scanners/semgrep/tests/__snapshot__/scanner_test.yaml.snap
@@ -10,7 +10,7 @@ matches the snapshot:
env:
- name: foo
value: bar
- image: securecodebox/parser-semgrep:0.0.0
+ image: docker.io/securecodebox/parser-semgrep:0.0.0
imagePullPolicy: IfNotPresent
imagePullSecrets:
- name: foo
diff --git a/scanners/ssh-audit/tests/__snapshot__/scanner_test.yaml.snap b/scanners/ssh-audit/tests/__snapshot__/scanner_test.yaml.snap
index d018204b51..6b282b25a4 100644
--- a/scanners/ssh-audit/tests/__snapshot__/scanner_test.yaml.snap
+++ b/scanners/ssh-audit/tests/__snapshot__/scanner_test.yaml.snap
@@ -49,6 +49,8 @@ matches the snapshot:
suspend: false
template:
spec:
+ affinity:
+ foo: bar
containers:
- command:
- sh
@@ -71,5 +73,11 @@ matches the snapshot:
volumeMounts: []
- image: bar
name: foo
- restartPolicy: Never
+ imagePullSecrets:
+ - name: foo
+ restartPolicy: OnFailure
+ securityContext:
+ fsGroup: 1234
+ tolerations:
+ - foo: bar
volumes: []
diff --git a/scanners/subfinder/Chart.yaml b/scanners/subfinder/Chart.yaml
index d43c2dbe13..7ee5e363d9 100644
--- a/scanners/subfinder/Chart.yaml
+++ b/scanners/subfinder/Chart.yaml
@@ -8,7 +8,7 @@ description: A Helm chart for the subfinder security Scanner that integrates wit
type: application
# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: v3.1.0-alpha1
-appVersion: "v2.10.0"
+appVersion: "v2.10.1"
kubeVersion: ">=v1.11.0-0"
annotations:
versionApi: https://api.github.com/repos/projectdiscovery/subfinder/releases/latest
diff --git a/scanners/subfinder/README.md b/scanners/subfinder/README.md
index 9adbf9e009..a636193cba 100644
--- a/scanners/subfinder/README.md
+++ b/scanners/subfinder/README.md
@@ -3,7 +3,7 @@ title: "subfinder"
category: "scanner"
type: "Network"
state: "released"
-appVersion: "v2.10.0"
+appVersion: "v2.10.1"
usecase: "Subdomain Enumeration Scanner"
---
diff --git a/scanners/subfinder/docs/README.DockerHub-Parser.md b/scanners/subfinder/docs/README.DockerHub-Parser.md
index 56575cba0b..e4e5ad9bf1 100644
--- a/scanners/subfinder/docs/README.DockerHub-Parser.md
+++ b/scanners/subfinder/docs/README.DockerHub-Parser.md
@@ -42,7 +42,7 @@ You can find resources to help you get started on our [documentation website](ht
## Supported Tags
- `latest` (represents the latest stable release build)
-- tagged releases, e.g. `v2.10.0`
+- tagged releases, e.g. `v2.10.1`
## How to use this image
This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more information details please take a look at the documentation page: https://github.com/projectdiscovery/subfinder.
diff --git a/scanners/test-scan/scanner/Dockerfile b/scanners/test-scan/scanner/Dockerfile
index 95da799e08..36572dc1b5 100644
--- a/scanners/test-scan/scanner/Dockerfile
+++ b/scanners/test-scan/scanner/Dockerfile
@@ -2,7 +2,7 @@
#
# SPDX-License-Identifier: Apache-2.0
-FROM alpine:3.22
+FROM alpine:3.23
RUN addgroup --system --gid 1001 test && adduser test --system --uid 1001 --ingroup test
WORKDIR /home/securecodebox/
USER 1001
diff --git a/scanners/trivy-sbom/Chart.yaml b/scanners/trivy-sbom/Chart.yaml
index cfd7003151..e24aec0955 100644
--- a/scanners/trivy-sbom/Chart.yaml
+++ b/scanners/trivy-sbom/Chart.yaml
@@ -8,7 +8,7 @@ description: A Helm chart for the trivy-sbom security scanner that integrates wi
type: application
# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: v3.1.0-alpha1
-appVersion: "0.67.2"
+appVersion: "0.68.1"
kubeVersion: ">=v1.11.0-0"
annotations:
versionApi: https://api.github.com/repos/aquasecurity/trivy/releases/latest
diff --git a/scanners/trivy-sbom/README.md b/scanners/trivy-sbom/README.md
index ddff6b43db..1f165b73b9 100644
--- a/scanners/trivy-sbom/README.md
+++ b/scanners/trivy-sbom/README.md
@@ -3,7 +3,7 @@ title: "Trivy SBOM"
category: "scanner"
type: "Container"
state: "released"
-appVersion: "0.67.2"
+appVersion: "0.68.1"
usecase: "Container Dependency Scanner"
---
diff --git a/scanners/trivy-sbom/docs/README.DockerHub-Parser.md b/scanners/trivy-sbom/docs/README.DockerHub-Parser.md
index 02c6e2b93a..6f82b20ce7 100644
--- a/scanners/trivy-sbom/docs/README.DockerHub-Parser.md
+++ b/scanners/trivy-sbom/docs/README.DockerHub-Parser.md
@@ -42,7 +42,7 @@ You can find resources to help you get started on our [documentation website](ht
## Supported Tags
- `latest` (represents the latest stable release build)
-- tagged releases, e.g. `0.67.2`
+- tagged releases, e.g. `0.68.1`
## How to use this image
This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more information details please take a look at the documentation page: https://www.securecodebox.io/docs/scanners/trivy-sbom.
diff --git a/scanners/trivy/Chart.yaml b/scanners/trivy/Chart.yaml
index 33307718cc..1c47a78cfa 100644
--- a/scanners/trivy/Chart.yaml
+++ b/scanners/trivy/Chart.yaml
@@ -8,7 +8,7 @@ description: A Helm chart for the trivy security scanner that integrates with th
type: application
# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: v3.1.0-alpha1
-appVersion: "0.67.2"
+appVersion: "0.68.1"
kubeVersion: ">=v1.11.0-0"
annotations:
versionApi: https://api.github.com/repos/aquasecurity/trivy/releases/latest
diff --git a/scanners/trivy/README.md b/scanners/trivy/README.md
index ab963f7c75..753741e86a 100644
--- a/scanners/trivy/README.md
+++ b/scanners/trivy/README.md
@@ -3,7 +3,7 @@ title: "Trivy"
category: "scanner"
type: "Container"
state: "released"
-appVersion: "0.67.2"
+appVersion: "0.68.1"
usecase: "Container Vulnerability Scanner"
---
diff --git a/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap b/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap
index 0b40b866dd..ce04f6b6d5 100644
--- a/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap
+++ b/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap
@@ -97,7 +97,7 @@ matches the snapshot:
4: |
apiVersion: v1
data:
- zap-entrypoint.bash: |2
+ zap-entrypoint.bash: |
# ensures that zap still exits with a exit code of zero when the scan logged warnings: see https://www.zaproxy.org/docs/automate/automation-framework/
./zap.sh -cmd $@ || [ $? -ne 1 ]
kind: ConfigMap