What's Changed
This release brings some long-awaited improvements and optimizations. Some of these required breaking changes, which are listed below.
💣 Breaking
Removed / Replaced ScanTypes
zap-baseline-scan and zap-advanced have been removed in favor of the zap-automation-framework. The zap-automation-framework ScanType includes all functionalities of the removed ScanTypes and can be customized easily. The default ScanType for the AutoDiscovery has been changed to the zap-automation-framework as well. For migrating to the zap-automation-framework, please refer to the migration to zap-automation-framework guide.
amass has been replaced with subfinder. Amass is still an amazing tool, but with its focus on becoming more of a standalone platform / database for attack surfaces, keeping it integrated and updated in the secureCodeBox was getting harder and harder. subfinder is a very good replacement for subdomain discovery that is also generally quicker and produces a similar result.
kubeaudit was removed as the scanner itself isn't maintained anymore. As a replacement you can use trivy with its k8s scanning mode, see the trivy ScanType k8s example.
typo3scan was removed as the scanner itself isn't maintained anymore. Most security aspects of typo3 are now hard to verify from the outside as it requires authentication (which is really good). Some typo3 security aspects (e.g. an incomplete installation) can be verified by nuclei.
doggo was removed. Doggo was added primarily as an experiment, to be used to deduplicate scan targets from cascading rules based on DNS entries. That approach hasn't worked out unfortunately. The doggo integration has been non-functional for a while (see: Fix Doggo Scanner and it's tests #2853). As an alternative, nuclei already includes some DNS record based checks; if checks for specific records are required, custom nuclei rules could be used to fulfil those requirements.
cmseek was removed. cmseek has seen few updates in the last years. Our secureCodeBox integration with cmseek was always pretty basic, only supporting joomla (a specific CMS) results, which hasn't been a big focus for us. As a replacement we recommend using nuclei, which has joomla rules that will likely receive more updates in the future.
➡️ Reference: #2670
Renamed ClusterRole and ClusterRoleBinding
To avoid naming collisions with other cluster-scoped resources, the operator's ClusterRole formerly called manager-role has been renamed to securecodebox-manager-role, and the corresponding ClusterRoleBinding manager-rolebinding is now securecodebox-manager-rolebinding. The official Helm chart will automatically create and reference these new names when you update the operator.
If you maintain a custom deployment that directly references manager-role or manager-rolebinding, be sure to update those references to securecodebox-manager-role and securecodebox-manager-rolebinding respectively.
➡️ Reference: #3002
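A check for that rename, written as an added example that is not part of the secureCodeBox project: it reads the JSON that kubectl get clusterrolebindings -o json prints and reports every binding whose roleRef still names manager-role, since such a binding grants nothing once the ClusterRole is gone. The binding and subject names in the embedded sample are constructed.

```python
"""Report ClusterRoleBindings that still reference the pre-v5 ClusterRole name.
Added example, not part of the secureCodeBox project. Input is the JSON that
`kubectl get clusterrolebindings -o json` prints; a constructed sample is
embedded so it runs offline."""
import json

OLD_ROLE = "manager-role"
NEW_ROLE = "securecodebox-manager-role"
RBAC = "rbac.authorization.k8s.io"

# Constructed sample items in the shape kubectl prints; names are made up.
SAMPLE_ITEMS = [
    {"metadata": {"name": "securecodebox-manager-rolebinding"},
     "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": NEW_ROLE},
     "subjects": [{"kind": "ServiceAccount", "name": "securecodebox-operator",
                   "namespace": "securecodebox-system"}]},
    {"metadata": {"name": "custom-operator-binding"},  # hand-written, never updated
     "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": OLD_ROLE},
     "subjects": [{"kind": "ServiceAccount", "name": "scb-operator", "namespace": "scb"}]},
    {"metadata": {"name": "unrelated"},
     "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]
SAMPLE = json.dumps({"kind": "List", "items": SAMPLE_ITEMS})


def stale_bindings(kubectl_json: str) -> list:
    """Names of ClusterRoleBindings whose roleRef points at the removed role.
    No ClusterRole with the old name exists after the rename, so such a binding
    grants nothing and the operator behind it fails with RBAC errors."""
    items = json.loads(kubectl_json).get("items", [])
    return [i["metadata"]["name"] for i in items
            if i.get("roleRef", {}).get("kind") == "ClusterRole"
            and i["roleRef"].get("name") == OLD_ROLE]


def replacement_binding(binding: dict) -> dict:
    """Manifest that replaces a stale binding while keeping its subjects.
    roleRef is immutable on a ClusterRoleBinding, so the old object has to be
    deleted and this one applied; only roleRef.name changes."""
    return {"apiVersion": RBAC + "/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": binding["metadata"]["name"]},
            "roleRef": dict(binding["roleRef"], name=NEW_ROLE),
            "subjects": binding.get("subjects", [])}


if __name__ == "__main__":  # prints the stale bindings in the constructed sample
    for name in stale_bindings(SAMPLE):
        print(f"{name}: roleRef {OLD_ROLE} no longer exists; re-create with {NEW_ROLE}")
```

Pipe real cluster output into json.loads via stale_bindings to run it against your own deployment; the same check applies to namespaced RoleBindings if you ever bound the operator role that way.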
Changes to trivy k8s scope (namespace / cluster)
The kubeauditScope value on the trivy ScanType chart was renamed to k8sScanScope. The previous name was used for consistency with the kubeaudit ScanType, but it never really made sense and was confusing.
The default k8sScanScope was also changed from cluster to namespace. The cluster mode needs cluster-wide permissions, which makes the trivy chart hard to install in properly locked-down RBAC setups.
➡️ Reference: #3025
Removed Integrated Elasticsearch and Kibana Helm Charts
The integrated Elasticsearch and Kibana Helm charts have been dropped from the Persistence ElasticSearch Hook. These charts were intended as a quick-start option, but since Elastic no longer provides their own Helm charts, they have been removed. The documentation has been updated with guidance on setting up an Elasticsearch cluster using the ECK operator.
➡️ Reference: #2892
Changed Default Elasticsearch Index
The default Elasticsearch index prefix has been updated from scbv2 to scb. The inclusion of v2 was a confusing oversight that has been outdated since the release of secureCodeBox v3.
If you had previously ingested findings using the scbv2 index prefix, you can keep using it by setting the indexPrefix Helm value back to scbv2, or by migrating your existing indexes to match the new naming scheme.
➡️ Reference: #2892
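One way to do that migration, as an added example that is not part of the secureCodeBox project: it builds and submits _reindex requests that copy each scbv2-prefixed index into its scb-prefixed counterpart. The index names in the embedded sample are constructed, and the date-suffixed index layout is an assumption.

```python
"""Plan and run the reindex of scbv2_* indices into the new scb_* names.
Added example, not part of the secureCodeBox project. plan_reindex takes the
output of `GET _cat/indices/scbv2*?h=index` and builds bodies for the
Elasticsearch _reindex API; run_plan posts them. The date-suffixed index
layout of the constructed sample is an assumption."""
import json
import urllib.request

OLD_PREFIX = "scbv2"
NEW_PREFIX = "scb"

# Constructed sample: one index name per line, as `_cat/indices?h=index` prints.
SAMPLE_CAT = "scbv2_2024-11-03\nscbv2_2024-11-04\nscb_2024-11-05\n.kibana_1\nscbv2x\n"


def plan_reindex(cat_output: str, old: str = OLD_PREFIX, new: str = NEW_PREFIX) -> list:
    """Return (source, dest, body) for every index still carrying the old prefix.
    Only an exact `old` or `old_...` name matches, so scbv2x or an index that
    was already renamed is left alone and rerunning the plan is safe."""
    plan = []
    for name in (line.strip() for line in cat_output.splitlines()):
        if name != old and not name.startswith(old + "_"):
            continue
        dest = new + name[len(old):]
        body = {"source": {"index": name}, "dest": {"index": dest},
                "conflicts": "proceed"}  # keep going if a doc id already exists
        plan.append((name, dest, body))
    return plan


def run_plan(base_url: str, plan: list, timeout: int = 600) -> dict:
    """POST each body to /_reindex and return {source: number of docs created}.
    Raises if Elasticsearch reports failures, so a half-migrated index is
    noticed before anyone deletes the old one."""
    created = {}
    for source, _dest, body in plan:
        req = urllib.request.Request(
            f"{base_url}/_reindex?wait_for_completion=true",
            data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            result = json.load(resp)
        if result.get("failures"):
            raise RuntimeError(f"reindex of {source} failed: {result['failures']}")
        created[source] = result.get("created", 0)
    return created
```

Delete the old scbv2_* indices only after run_plan has returned the expected document counts and the hook has started writing to the scb_* names.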
Replaced Bitnami MinIO Subchart with Direct MinIO Deployment
Due to upcoming deprecations in Bitnami Helm charts, the operator's MinIO integration has been changed from using the Bitnami MinIO subchart to a direct MinIO deployment using the official docker.io/minio/minio image.
⚠️ Important Migration Notes:
Data will NOT be migrated automatically from the old Bitnami MinIO deployment to the new direct MinIO deployment
If you have important scan data stored in the old MinIO instance, you must manually backup and restore it before upgrading
The new MinIO deployment uses different naming conventions and storage configurations
For Production Environments:
The included MinIO deployment is intended only for quickstart and development setups. For production environments, you should:
Use an external S3-compatible storage service (AWS S3, Google Cloud Storage, etc.)
Set minio.enabled=false and configure the s3 section in your values
If you need to continue using the embedded MinIO for development, the new deployment will create a fresh MinIO instance with the same default bucket configuration.
🚀 Features
🚓 Security Scanner
🐛 Bug Fixes
📚 Documentation
🔧 Maintenance
📌 Dependencies
Minor dependency updates (63 pull requests).
New Contributors
Full Changelog: v4.16.0...v5.0.0
This discussion was created from the release v5.0.0.