From 46a3b8bc7f09807f74a1c53af817395d2bf09516 Mon Sep 17 00:00:00 2001 From: Jannik Hollenbach Date: Wed, 7 May 2025 19:18:53 +0200 Subject: [PATCH 1/2] Remove deprecated kubeaudit scanner 
Signed-off-by: Jannik Hollenbach --- .github/workflows/ci.yaml | 1 - .github/workflows/release-build.yaml | 2 - .github/workflows/scb-bot.yaml | 1 - bin/release-note-grouper.js | 2 - .../integrating-a-scanner/makefile.md | 14 +- .../docs/getting-started/upgrading.md | 1 + operator/internal/telemetry/telemetry.go | 2 +- .../github-secureCodeBox-scan/findings.yaml | 21 -- .../git-scanner-test-findings.json | 18 -- .../git-repo-scanner/parser/parser.test.js | 18 -- scanners/kubeaudit/.gitignore | 5 - scanners/kubeaudit/.helm-docs.gotmpl | 54 ---- scanners/kubeaudit/.helmignore | 40 --- scanners/kubeaudit/Chart.yaml | 28 --- scanners/kubeaudit/Makefile | 29 --- scanners/kubeaudit/README.md | 122 --------- scanners/kubeaudit/docs/README.ArtifactHub.md | 144 ----------- .../kubeaudit/docs/README.DockerHub-Parser.md | 91 ------- .../docs/README.DockerHub-Scanner.md | 99 -------- .../kubeaudit/examples/juice-shop/README.md | 36 --- .../examples/juice-shop/findings.json | 51 ---- .../examples/juice-shop/findings.json.license | 3 - .../kubeaudit/examples/juice-shop/scan.yaml | 13 - .../integration-tests/kubeaudit.test.js | 35 --- scanners/kubeaudit/parser/Dockerfile | 9 - .../parser/__snapshots__/parser.test.js.snap | 234 ------------------ .../__snapshots__/parser.test.js.snap.license | 3 - .../parser/__testFiles__/juice-shop.jsonl | 23 -- .../__testFiles__/juice-shop.jsonl.license | 3 - .../__testFiles__/test-empty-report.jsonl | 1 - .../test-empty-report.jsonl.license | 3 - scanners/kubeaudit/parser/parser.js | 141 ----------- scanners/kubeaudit/parser/parser.test.js | 35 --- scanners/kubeaudit/scanner/Dockerfile | 26 -- scanners/kubeaudit/scanner/wrapper.sh | 5 - .../templates/kubeaudit-parse-definition.yaml | 32 --- .../kubeaudit/templates/kubeaudit-rbac.yaml | 109 -------- .../templates/kubeaudit-scan-type.yaml | 65 ----- .../tests/__snapshot__/scanner_test.yaml.snap | 151 ----------- scanners/kubeaudit/tests/scanner_test.yaml | 30 --- scanners/kubeaudit/values.yaml | 
117 --------- .../nikto/examples/demo-juice-shop/README.md | 5 +- .../parser/__snapshots__/parser.test.js.snap | 15 -- .../__testFiles__/docs.securecodebox.io.xml | 15 -- .../parser/__snapshots__/parser.test.js.snap | 15 -- .../__testFiles__/docs.securecodebox.io.xml | 15 -- scbctl/cmd/scans_test.go | 6 +- 47 files changed, 14 insertions(+), 1874 deletions(-) delete mode 100644 scanners/kubeaudit/.gitignore delete mode 100644 scanners/kubeaudit/.helm-docs.gotmpl delete mode 100644 scanners/kubeaudit/.helmignore delete mode 100644 scanners/kubeaudit/Chart.yaml delete mode 100644 scanners/kubeaudit/Makefile delete mode 100644 scanners/kubeaudit/README.md delete mode 100644 scanners/kubeaudit/docs/README.ArtifactHub.md delete mode 100644 scanners/kubeaudit/docs/README.DockerHub-Parser.md delete mode 100644 scanners/kubeaudit/docs/README.DockerHub-Scanner.md delete mode 100644 scanners/kubeaudit/examples/juice-shop/README.md delete mode 100644 scanners/kubeaudit/examples/juice-shop/findings.json delete mode 100644 scanners/kubeaudit/examples/juice-shop/findings.json.license delete mode 100644 scanners/kubeaudit/examples/juice-shop/scan.yaml delete mode 100644 scanners/kubeaudit/integration-tests/kubeaudit.test.js delete mode 100644 scanners/kubeaudit/parser/Dockerfile delete mode 100644 scanners/kubeaudit/parser/__snapshots__/parser.test.js.snap delete mode 100644 scanners/kubeaudit/parser/__snapshots__/parser.test.js.snap.license delete mode 100644 scanners/kubeaudit/parser/__testFiles__/juice-shop.jsonl delete mode 100644 scanners/kubeaudit/parser/__testFiles__/juice-shop.jsonl.license delete mode 100644 scanners/kubeaudit/parser/__testFiles__/test-empty-report.jsonl delete mode 100644 scanners/kubeaudit/parser/__testFiles__/test-empty-report.jsonl.license delete mode 100644 scanners/kubeaudit/parser/parser.js delete mode 100644 scanners/kubeaudit/parser/parser.test.js delete mode 100644 scanners/kubeaudit/scanner/Dockerfile delete mode 100644 
scanners/kubeaudit/scanner/wrapper.sh delete mode 100644 scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml delete mode 100644 scanners/kubeaudit/templates/kubeaudit-rbac.yaml delete mode 100644 scanners/kubeaudit/templates/kubeaudit-scan-type.yaml delete mode 100644 scanners/kubeaudit/tests/__snapshot__/scanner_test.yaml.snap delete mode 100644 scanners/kubeaudit/tests/scanner_test.yaml delete mode 100644 scanners/kubeaudit/values.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b6eaabc7c5..85b48c750a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -424,7 +424,6 @@ jobs: - ffuf - git-repo-scanner - gitleaks - - kubeaudit - kube-hunter - ncrack - nikto diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml index aeff74bcb9..a87694518e 100644 --- a/.github/workflows/release-build.yaml +++ b/.github/workflows/release-build.yaml @@ -329,7 +329,6 @@ jobs: - git-repo-scanner - gitleaks - kube-hunter - - kubeaudit - ncrack - nikto - nmap @@ -415,7 +414,6 @@ jobs: - cmseek - ffuf - kube-hunter - - kubeaudit - ncrack - nmap - nikto diff --git a/.github/workflows/scb-bot.yaml b/.github/workflows/scb-bot.yaml index 02bbd55d45..fac55f3c20 100644 --- a/.github/workflows/scb-bot.yaml +++ b/.github/workflows/scb-bot.yaml @@ -33,7 +33,6 @@ jobs: - ffuf - gitleaks - kube-hunter - - kubeaudit - ncrack - nuclei - semgrep diff --git a/bin/release-note-grouper.js b/bin/release-note-grouper.js index e922fc0efc..d41e09ff1f 100755 --- a/bin/release-note-grouper.js +++ b/bin/release-note-grouper.js @@ -13,7 +13,6 @@ Example Usage: `pbpaste | release-version-grouper.js` E.g. turn this: ```md - [SCB-Bot] Upgraded kubeaudit from 0.22.0 to 0.22.1 @secureCodeBoxBot (#2111) [SCB-Bot] Upgraded semgrep from 1.50.0 to 1.51.0 @secureCodeBoxBot (#2112) [SCB-Bot] Upgraded nuclei from v3.0.4 to v3.1.0 @secureCodeBoxBot (#2114) [SCB-Bot] Upgraded gitleaks from v8.18.0 to v8.18.1 @secureCodeBoxBot (#2103) 
@@ -23,7 +22,6 @@ E.g. turn this: into this: ```md - Upgraded gitleaks from v8.18.0 to v8.18.1 @secureCodeBoxBot (#2103) - - Upgraded kubeaudit from 0.22.0 to 0.22.1 @secureCodeBoxBot (#2111) - Upgraded nuclei from v3.0.3 to v3.1.0 @secureCodeBoxBot (#2114, #2104) - Upgraded semgrep from 1.48.0 to 1.51.0 @secureCodeBoxBot (#2112, #2101) ``` diff --git a/documentation/docs/contributing/integrating-a-scanner/makefile.md b/documentation/docs/contributing/integrating-a-scanner/makefile.md index 768bca0033..b7e215b279 100644 --- a/documentation/docs/contributing/integrating-a-scanner/makefile.md +++ b/documentation/docs/contributing/integrating-a-scanner/makefile.md @@ -56,7 +56,7 @@ This adds the old-wordpress demo-target to your integration tests. You can find ```makefile #!/usr/bin/make -f include_guard = set -scanner = kubeaudit +scanner = nmap custom_scanner = set include ../../scanners.mk 
@@ -67,18 +67,16 @@ deploy-with-scanner: --set="parser.image.repository=docker.io/$(IMG_NS)/$(parser-prefix)-$(scanner)" \ --set="parser.image.tag=$(IMG_TAG)" \ --set="scanner.image.repository=docker.io/$(IMG_NS)/$(scanner-prefix)-$(scanner)" \ - --set="scanner.image.tag=$(IMG_TAG)" \ - --set="kubeauditScope=cluster" + --set="scanner.image.tag=$(IMG_TAG)" deploy-test-deps: # If not exists create namespace where the tests will be executed - kubectl create namespace kubeaudit-tests --dry-run=client -o yaml | kubectl apply -f - - # Install jshop in kubeaudit-tests namespace - helm -n kubeaudit-tests upgrade --install juice-shop ../../demo-targets/juice-shop/ --wait + kubectl create namespace nmap-tests --dry-run=client -o yaml | kubectl apply -f - + # Install jshop in nmap-tests namespace + helm -n nmap-tests upgrade --install juice-shop ../../demo-targets/juice-shop/ --wait ``` -This makefile overrides the deploy-with-scanner target such that the `kubeauditScope` can be overwritten. -Furthermore, it overrides the deploy-test-deps target such that juice-shop is installed in the correct namespace (kubeaudit-tests). +Furthermore, it overrides the deploy-test-deps target such that juice-shop is installed in the correct namespace (nmap-tests). ### Reusing components from other scanners diff --git a/documentation/docs/getting-started/upgrading.md b/documentation/docs/getting-started/upgrading.md index 0d74ee91c3..1618ab887e 100644 --- a/documentation/docs/getting-started/upgrading.md +++ b/documentation/docs/getting-started/upgrading.md 
@@ -15,6 +15,7 @@ sidebar_position: 3 ### Removed / Replaced ScanTypes * `typo3scan` was removed as the scanner itself [isn't maintaned anymore](https://github.com/whoot/Typo3Scan?tab=readme-ov-file#unsupported). Most security aspects of typo3 are now hard to verify from the outside as it requires authentication (which is really good). Some typo3 security aspects (e.g. a incomplete installation) can be verified by [nuclei](https://www.securecodebox.io/docs/scanners/nuclei). +* `kubeaudit` was removed as the scanner itself [isn't maintaned anymore](https://github.com/Shopify/kubeaudit?tab=readme-ov-file#-deprecation-notice-). As a replacement you can use the `trivy` with it's `k8s` scanning mode, see [trivy ScanType k8s example](https://www.securecodebox.io/docs/scanners/trivy#k8s). ➡️ [Reference: #2670](https://github.com/secureCodeBox/secureCodeBox/issues/2670) 
diff --git a/operator/internal/telemetry/telemetry.go b/operator/internal/telemetry/telemetry.go 
index 249d887508..3fda757dbc 100644 
--- a/operator/internal/telemetry/telemetry.go 
+++ b/operator/internal/telemetry/telemetry.go 
@@ -31,7 +31,7 @@ var officialScanTypes map[string]bool = map[string]bool{
 "git-repo-scanner": true,
 "gitleaks": true,
 "kube-hunter": true,
- "kubeaudit": true,
+ "kubeaudit": true, // deprecated. we'll keep it in this list to still recieve telemetry data from older versions
 "ncrack": true,
 "nikto": true,
 "nmap": true, 
diff --git a/scanners/git-repo-scanner/examples/github-secureCodeBox-scan/findings.yaml b/scanners/git-repo-scanner/examples/github-secureCodeBox-scan/findings.yaml 
index b2f279621b..ab51e98e35 100644 
--- a/scanners/git-repo-scanner/examples/github-secureCodeBox-scan/findings.yaml 
+++ b/scanners/git-repo-scanner/examples/github-secureCodeBox-scan/findings.yaml 
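Review bot: The comment added on the `"kubeaudit"` entry in telemetry.go misspells "receive" and is vague about why a scan type this very commit deletes stays in `officialScanTypes`; the entry now exists only so that telemetry sent by installations still running the old kubeaudit ScanType keeps matching the official list instead of being classified as a custom scanner. Suggest `"kubeaudit": true, // scanner removed in v5; kept so telemetry from older installations still reports it as an official scan type`. The `officialScanTypes` map literal starts and ends outside the hunk.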
@@ -487,27 +487,6 @@ "archived": false, }, }, - { - "name": "GitHub Repo", - "description": "A GitHub repository", - "category": "Git Repository", - "osi_layer": "APPLICATION", - "severity": "INFORMATIONAL", - "attributes": - { - "id": "303349727", - "web_url": "https://github.com/secureCodeBox/kubeaudit", - "full_name": "secureCodeBox/kubeaudit", - "owner_type": "Organization", - "owner_id": "34573705", - "topics": [], - "owner_name": "secureCodeBox", - "created_at": "2020-10-12T09:58:26Z", - "last_activity_at": "2020-10-12T09:58:28Z", - "visibility": "public", - "archived": false, - }, - }, { "name": "GitHub Repo", "description": "A GitHub repository", diff --git a/scanners/git-repo-scanner/parser/__testFiles__/git-scanner-test-findings.json b/scanners/git-repo-scanner/parser/__testFiles__/git-scanner-test-findings.json index c24243dfd9..435b7428f7 100644 --- a/scanners/git-repo-scanner/parser/__testFiles__/git-scanner-test-findings.json +++ b/scanners/git-repo-scanner/parser/__testFiles__/git-scanner-test-findings.json @@ -520,23 +520,5 @@ "last_activity_at": "2020-10-21T15:11:56Z", "visibility": "private" } - }, - { - "name": "GitHub Repo", - "description": "A GitHub repository", - "category": "Git Repository", - "osi_layer": "APPLICATION", - "severity": "INFORMATIONAL", - "attributes": { - "id": 303349727, - "web_url": "https://github.com/secureCodeBox/kubeaudit", - "full_name": "secureCodeBox/kubeaudit", - "owner_type": "Organization", - "owner_id": 34573705, - "owner_name": "secureCodeBox", - "created_at": "2020-10-12T09:58:26Z", - "last_activity_at": "2020-10-12T09:58:28Z", - "visibility": "public" - } } ] diff --git a/scanners/git-repo-scanner/parser/parser.test.js b/scanners/git-repo-scanner/parser/parser.test.js index 719862a8dc..c473e15a20 100644 --- a/scanners/git-repo-scanner/parser/parser.test.js +++ b/scanners/git-repo-scanner/parser/parser.test.js 
@@ -554,24 +554,6 @@ test("should properly parse git-scanner json file", async () => { "osi_layer": "APPLICATION", "severity": "INFORMATIONAL", }, - Object { - "attributes": Object { - "created_at": "2020-10-12T09:58:26Z", - "full_name": "secureCodeBox/kubeaudit", - "id": 303349727, - "last_activity_at": "2020-10-12T09:58:28Z", - "owner_id": 34573705, - "owner_name": "secureCodeBox", - "owner_type": "Organization", - "visibility": "public", - "web_url": "https://github.com/secureCodeBox/kubeaudit", - }, - "category": "Git Repository", - "description": "A GitHub repository", - "name": "GitHub Repo", - "osi_layer": "APPLICATION", - "severity": "INFORMATIONAL", - }, ] `); }); diff --git a/scanners/kubeaudit/.gitignore b/scanners/kubeaudit/.gitignore deleted file mode 100644 index a5be59dc8d..0000000000 --- a/scanners/kubeaudit/.gitignore +++ /dev/null @@ -1,5 +0,0 @@ -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 - -*.tar diff --git a/scanners/kubeaudit/.helm-docs.gotmpl b/scanners/kubeaudit/.helm-docs.gotmpl deleted file mode 100644 index d468a1a5a8..0000000000 --- a/scanners/kubeaudit/.helm-docs.gotmpl +++ /dev/null 
@@ -1,54 +0,0 @@ -{{- /* -SPDX-FileCopyrightText: the secureCodeBox authors - -SPDX-License-Identifier: Apache-2.0 -*/ -}} - -{{- define "extra.docsSection" -}} ---- -title: "Kubeaudit" -category: "scanner" -type: "Kubernetes" -state: "released" -appVersion: "{{ template "chart.appVersion" . }}" -usecase: "Kubernetes Configuration Scanner" ---- -{{- end }} - -{{- define "extra.dockerDeploymentSection" -}} -## Supported Tags -- `latest` (represents the latest stable release build) -- tagged releases, e.g. `{{ template "chart.appVersion" . }}` -{{- end }} - -{{- define "extra.chartAboutSection" -}} -## What is Kubeaudit? - -:::caution Deprecation Notice -The `kubeaudit ` ScanType is being deprecated in the secureCodeBox since it will no longer be maintained as described in the [GitHub repository](kubeaudit GitHub). The scanner will be removed in the upcoming v5 release. -::: - -Kubeaudit finds security misconfigurations in you Kubernetes Resources and gives tips on how to resolve these. - -Kubeaudit comes with a large lists of "auditors" which test various aspects, like the SecurityContext of pods. -You can find the complete list of [auditors here](https://github.com/Shopify/kubeaudit/tree/master/docs/auditors). - -To learn more about the kubeaudit itself visit [kubeaudit GitHub]. -{{- end }} - -{{- define "extra.scannerConfigurationSection" -}} -## Scanner Configuration - -The following security scan configuration example are based on the [kube-hunter Documentation], please take a look at the original documentation for more configuration examples. - -* To specify remote machines for hunting, select option 1 or use the --remote option. Example: `kube-hunter --remote some.node.com` -* To specify interface scanning, you can use the --interface option (this will scan all the machine's network interfaces). Example: `kube-hunter --interface` -* To specify a specific CIDR to scan, use the --cidr option. 
Example: `kube-hunter --cidr 192.168.0.0/24` -{{- end }} - -{{- define "extra.chartConfigurationSection" -}} -{{- end }} - -{{- define "extra.scannerLinksSection" -}} -[kubeaudit GitHub]: https://github.com/Shopify/kubeaudit/ -{{- end }} diff --git a/scanners/kubeaudit/.helmignore b/scanners/kubeaudit/.helmignore deleted file mode 100644 index 1b2144b9bb..0000000000 --- a/scanners/kubeaudit/.helmignore +++ /dev/null @@ -1,40 +0,0 @@ -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ -# Node.js files -node_modules/* -package.json -package-lock.json -src/* -config/* -Dockerfile -.dockerignore -*.tar -parser/* -scanner/* -integration-tests/* -examples/* -docs/* -Makefile diff --git a/scanners/kubeaudit/Chart.yaml b/scanners/kubeaudit/Chart.yaml deleted file mode 100644 index 916995882b..0000000000 --- a/scanners/kubeaudit/Chart.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: v2 -name: kubeaudit -description: A Helm chart for the kubeaudit security scanner that integrates with the secureCodeBox. -type: application -version: v3.1.0-alpha1 -appVersion: "0.22.2" -kubeVersion: ">=v1.11.0-0" -annotations: - versionApi: https://api.github.com/repos/Shopify/kubeaudit/releases/latest - # supported cpu architectures for which docker images for the scanner should be build - supported-platforms: linux/amd64 -keywords: - - security - - kubeaudit - - scanner - - secureCodeBox -home: https://www.securecodebox.io/docs/scanners/kubeaudit -icon: https://www.securecodebox.io/img/integrationIcons/kubeaudit.svg -sources: - - https://github.com/secureCodeBox/secureCodeBox - - https://github.com/Shopify/kubeaudit/ -maintainers: - - name: iteratec GmbH - email: secureCodeBox@iteratec.com diff --git a/scanners/kubeaudit/Makefile b/scanners/kubeaudit/Makefile deleted file mode 100644 index f50f051c66..0000000000 --- a/scanners/kubeaudit/Makefile +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/usr/bin/make -f -# -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 -# - -include_guard = set -scanner = kubeaudit -custom_scanner = set - -include ../../scanners.mk - -.PHONY: deploy-with-scanner -deploy-with-scanner: - @echo ".: 💾 Deploying custom '$(scanner)' scanner HelmChart with the docker tag '$(IMG_TAG)' into kind namespace 'integration-tests'." - helm -n integration-tests upgrade --install $(scanner) ./ --wait \ - --set="parser.image.repository=docker.io/$(IMG_NS)/$(parser-prefix)-$(scanner)" \ - --set="parser.image.tag=$(IMG_TAG)" \ - --set="scanner.image.repository=docker.io/$(IMG_NS)/$(scanner-prefix)-$(scanner)" \ - --set="scanner.image.tag=$(IMG_TAG)" \ - --set="kubeauditScope=cluster" - -.PHONY: deploy-test-deps -deploy-test-deps: - # If not exists create namespace where the tests will be executed - kubectl create namespace kubeaudit-tests --dry-run=client -o yaml | kubectl apply -f - - # Install jshop in kubeaudit-tests namespace - helm -n kubeaudit-tests upgrade --install juice-shop ../../demo-targets/juice-shop/ --wait diff --git a/scanners/kubeaudit/README.md b/scanners/kubeaudit/README.md deleted file mode 100644 index 7fab3b681c..0000000000 --- a/scanners/kubeaudit/README.md +++ /dev/null @@ -1,122 +0,0 @@ ---- -title: "Kubeaudit" -category: "scanner" -type: "Kubernetes" -state: "released" -appVersion: "0.22.2" -usecase: "Kubernetes Configuration Scanner" ---- - - - - -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Lab Project - Artifact HUB - GitHub Repo stars - Mastodon Follower -

- -## What is Kubeaudit? - -:::caution Deprecation Notice -The `kubeaudit ` ScanType is being deprecated in the secureCodeBox since it will no longer be maintained as described in the [GitHub repository](kubeaudit GitHub). The scanner will be removed in the upcoming v5 release. -::: - -Kubeaudit finds security misconfigurations in you Kubernetes Resources and gives tips on how to resolve these. - -Kubeaudit comes with a large lists of "auditors" which test various aspects, like the SecurityContext of pods. -You can find the complete list of [auditors here](https://github.com/Shopify/kubeaudit/tree/master/docs/auditors). - -To learn more about the kubeaudit itself visit [kubeaudit GitHub]. - -## Deployment -The kubeaudit chart can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install kubeaudit oci://ghcr.io/securecodebox/helm/kubeaudit -``` - -## Scanner Configuration - -The following security scan configuration example are based on the [kube-hunter Documentation], please take a look at the original documentation for more configuration examples. - -* To specify remote machines for hunting, select option 1 or use the --remote option. Example: `kube-hunter --remote some.node.com` -* To specify interface scanning, you can use the --interface option (this will scan all the machine's network interfaces). Example: `kube-hunter --interface` -* To specify a specific CIDR to scan, use the --cidr option. 
Example: `kube-hunter --cidr 192.168.0.0/24` - -## Requirements - -Kubernetes: `>=v1.11.0-0` - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | -| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | -| kubeauditScope | string | `"namespace"` | Automatically sets up rbac roles for kubeaudit to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) | -| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | -| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| parser.image.repository | string | `"docker.io/securecodebox/parser-kubeaudit"` | Parser image repository | -| parser.image.tag | string | defaults to the charts version | Parser image tag | -| parser.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | -| parser.resources | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` | Optional resources lets you control resource limits and requests for the parser container. 
See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | -| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | -| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | -| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | -| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| scanner.image.repository | string | `"docker.io/securecodebox/scanner-kubeaudit"` | Container Image to run the scan | -| scanner.image.tag | string | `nil` | defaults to the charts appVersion | -| scanner.nameAppend | string | `nil` | append a string to the default scantype name. 
| -| scanner.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | -| scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | -| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. | -| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | -| scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | -| scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | -| scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. 
You can then resume the job using `kubectl resume ` or using a job scheduler like kueue | -| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | -| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | - -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://www.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-mastodon]: https://infosec.exchange/@secureCodeBox -[scb-slack]: https://owasp.org/slack/invite -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE -[kubeaudit GitHub]: https://github.com/Shopify/kubeaudit/ diff --git a/scanners/kubeaudit/docs/README.ArtifactHub.md b/scanners/kubeaudit/docs/README.ArtifactHub.md deleted file mode 100644 index 90ebe50a55..0000000000 --- a/scanners/kubeaudit/docs/README.ArtifactHub.md +++ /dev/null @@ -1,144 +0,0 @@ - - - -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Lab Project - Artifact HUB - GitHub Repo stars - Mastodon Follower -

- -## What is OWASP secureCodeBox? - -

- secureCodeBox Logo -

- -_[OWASP secureCodeBox][scb-github]_ is an automated and scalable open source solution that can be used to integrate various *security vulnerability scanners* with a simple and lightweight interface. The _secureCodeBox_ mission is to support *DevSecOps* Teams to make it easy to automate security vulnerability testing in different scenarios. - -With the _secureCodeBox_ we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues. - -The secureCodeBox project is running on [Kubernetes](https://kubernetes.io/). To install it you need [Helm](https://helm.sh), a package manager for Kubernetes. It is also possible to start the different integrated security vulnerability scanners based on a docker infrastructure. - -### Quickstart with secureCodeBox on Kubernetes - -You can find resources to help you get started on our [documentation website](https://www.securecodebox.io) including instruction on how to [install the secureCodeBox project](https://www.securecodebox.io/docs/getting-started/installation) and guides to help you [run your first scans](https://www.securecodebox.io/docs/getting-started/first-scans) with it. - -## What is Kubeaudit? - -:::caution Deprecation Notice -The `kubeaudit ` ScanType is being deprecated in the secureCodeBox since it will no longer be maintained as described in the [GitHub repository](kubeaudit GitHub). The scanner will be removed in the upcoming v5 release. -::: - -Kubeaudit finds security misconfigurations in you Kubernetes Resources and gives tips on how to resolve these. - -Kubeaudit comes with a large lists of "auditors" which test various aspects, like the SecurityContext of pods. -You can find the complete list of [auditors here](https://github.com/Shopify/kubeaudit/tree/master/docs/auditors). - -To learn more about the kubeaudit itself visit [kubeaudit GitHub]. 
- -## Deployment -The kubeaudit chart can be deployed via helm: - -```bash -# Install HelmChart (use -n to configure another namespace) -helm upgrade --install kubeaudit oci://ghcr.io/securecodebox/helm/kubeaudit -``` - -## Scanner Configuration - -The following security scan configuration example are based on the [kube-hunter Documentation], please take a look at the original documentation for more configuration examples. - -* To specify remote machines for hunting, select option 1 or use the --remote option. Example: `kube-hunter --remote some.node.com` -* To specify interface scanning, you can use the --interface option (this will scan all the machine's network interfaces). Example: `kube-hunter --interface` -* To specify a specific CIDR to scan, use the --cidr option. Example: `kube-hunter --cidr 192.168.0.0/24` - -## Requirements - -Kubernetes: `>=v1.11.0-0` - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner | -| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | -| kubeauditScope | string | `"namespace"` | Automatically sets up rbac roles for kubeaudit to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) | -| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | -| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. 
Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| parser.image.repository | string | `"docker.io/securecodebox/parser-kubeaudit"` | Parser image repository | -| parser.image.tag | string | defaults to the charts version | Parser image tag | -| parser.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | -| parser.resources | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. | -| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | -| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | -| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | -| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | -| scanner.image.repository | string | `"docker.io/securecodebox/scanner-kubeaudit"` | Container Image to run the scan | -| scanner.image.tag | string | `nil` | defaults to the charts appVersion | -| scanner.nameAppend | string | `nil` | append a string to the default scantype name. 
| -| scanner.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | -| scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | -| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. | -| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | -| scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | -| scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | -| scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. 
You can then resume the job using `kubectl resume ` or using a job scheduler like kueue | -| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | -| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | - -## Contributing - -Contributions are welcome and extremely helpful 🙌 -Please have a look at [Contributing](./CONTRIBUTING.md) - -## Community - -You are welcome, please join us on... 👋 - -- [GitHub][scb-github] -- [OWASP Slack (Channel #project-securecodebox)][scb-slack] -- [Mastodon][scb-mastodon] - -secureCodeBox is an official [OWASP][scb-owasp] project. - -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license]. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://www.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-mastodon]: https://infosec.exchange/@secureCodeBox -[scb-slack]: https://owasp.org/slack/invite -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE -[kubeaudit GitHub]: https://github.com/Shopify/kubeaudit/ diff --git a/scanners/kubeaudit/docs/README.DockerHub-Parser.md b/scanners/kubeaudit/docs/README.DockerHub-Parser.md deleted file mode 100644 index 783704f5ff..0000000000 --- a/scanners/kubeaudit/docs/README.DockerHub-Parser.md +++ /dev/null @@ -1,91 +0,0 @@ - - - -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Lab Project - Artifact HUB - GitHub Repo stars - Mastodon Follower -

- -## What is OWASP secureCodeBox? - -

- secureCodeBox Logo -

- -_[OWASP secureCodeBox][scb-github]_ is an automated and scalable open source solution that can be used to integrate various *security vulnerability scanners* with a simple and lightweight interface. The _secureCodeBox_ mission is to support *DevSecOps* Teams to make it easy to automate security vulnerability testing in different scenarios. - -With the _secureCodeBox_ we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues. - -The secureCodeBox project is running on [Kubernetes](https://kubernetes.io/). To install it you need [Helm](https://helm.sh), a package manager for Kubernetes. It is also possible to start the different integrated security vulnerability scanners based on a docker infrastructure. - -### Quickstart with secureCodeBox on Kubernetes - -You can find resources to help you get started on our [documentation website](https://www.securecodebox.io) including instruction on how to [install the secureCodeBox project](https://www.securecodebox.io/docs/getting-started/installation) and guides to help you [run your first scans](https://www.securecodebox.io/docs/getting-started/first-scans) with it. - -## Supported Tags -- `latest` (represents the latest stable release build) -- tagged releases, e.g. `0.22.2` - -## How to use this image -This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more information details please take a look at the documentation page: https://www.securecodebox.io/docs/scanners/kubeaudit. - -```bash -docker pull securecodebox/parser-kubeaudit -``` - -## What is Kubeaudit? - -:::caution Deprecation Notice -The `kubeaudit ` ScanType is being deprecated in the secureCodeBox since it will no longer be maintained as described in the [GitHub repository](kubeaudit GitHub). 
The scanner will be removed in the upcoming v5 release. -::: - -Kubeaudit finds security misconfigurations in you Kubernetes Resources and gives tips on how to resolve these. - -Kubeaudit comes with a large lists of "auditors" which test various aspects, like the SecurityContext of pods. -You can find the complete list of [auditors here](https://github.com/Shopify/kubeaudit/tree/master/docs/auditors). - -To learn more about the kubeaudit itself visit [kubeaudit GitHub]. - -## Community - -You are welcome, please join us on... 👋 - -- [GitHub][scb-github] -- [OWASP Slack (Channel #project-securecodebox)][scb-slack] -- [Mastodon][scb-mastodon] - -secureCodeBox is an official [OWASP][scb-owasp] project. - -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained). - -As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://www.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-mastodon]: https://infosec.exchange/@secureCodeBox -[scb-slack]: https://owasp.org/slack/invite -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE -[kubeaudit GitHub]: https://github.com/Shopify/kubeaudit/ diff --git a/scanners/kubeaudit/docs/README.DockerHub-Scanner.md b/scanners/kubeaudit/docs/README.DockerHub-Scanner.md deleted file mode 100644 index 8d316d8d95..0000000000 --- a/scanners/kubeaudit/docs/README.DockerHub-Scanner.md +++ /dev/null @@ -1,99 +0,0 @@ - - - -

- License Apache-2.0 - GitHub release (latest SemVer) - OWASP Lab Project - Artifact HUB - GitHub Repo stars - Mastodon Follower -

- -## What is OWASP secureCodeBox? - -

- secureCodeBox Logo -

- -_[OWASP secureCodeBox][scb-github]_ is an automated and scalable open source solution that can be used to integrate various *security vulnerability scanners* with a simple and lightweight interface. The _secureCodeBox_ mission is to support *DevSecOps* Teams to make it easy to automate security vulnerability testing in different scenarios. - -With the _secureCodeBox_ we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues. - -The secureCodeBox project is running on [Kubernetes](https://kubernetes.io/). To install it you need [Helm](https://helm.sh), a package manager for Kubernetes. It is also possible to start the different integrated security vulnerability scanners based on a docker infrastructure. - -### Quickstart with secureCodeBox on Kubernetes - -You can find resources to help you get started on our [documentation website](https://www.securecodebox.io) including instruction on how to [install the secureCodeBox project](https://www.securecodebox.io/docs/getting-started/installation) and guides to help you [run your first scans](https://www.securecodebox.io/docs/getting-started/first-scans) with it. - -## Supported Tags -- `latest` (represents the latest stable release build) -- tagged releases, e.g. `0.22.2` - -## How to use this image -This `scanner` image is intended to work in combination with the corresponding `parser` image to parse the scanner `findings` to generic secureCodeBox results. For more information details please take a look at the [project page][scb-docs] or [documentation page][https://www.securecodebox.io/docs/scanners/kubeaudit]. - -```bash -docker pull securecodebox/scanner-kubeaudit -``` - -## What is Kubeaudit? 
- -:::caution Deprecation Notice -The `kubeaudit ` ScanType is being deprecated in the secureCodeBox since it will no longer be maintained as described in the [GitHub repository](kubeaudit GitHub). The scanner will be removed in the upcoming v5 release. -::: - -Kubeaudit finds security misconfigurations in you Kubernetes Resources and gives tips on how to resolve these. - -Kubeaudit comes with a large lists of "auditors" which test various aspects, like the SecurityContext of pods. -You can find the complete list of [auditors here](https://github.com/Shopify/kubeaudit/tree/master/docs/auditors). - -To learn more about the kubeaudit itself visit [kubeaudit GitHub]. - -## Scanner Configuration - -The following security scan configuration example are based on the [kube-hunter Documentation], please take a look at the original documentation for more configuration examples. - -* To specify remote machines for hunting, select option 1 or use the --remote option. Example: `kube-hunter --remote some.node.com` -* To specify interface scanning, you can use the --interface option (this will scan all the machine's network interfaces). Example: `kube-hunter --interface` -* To specify a specific CIDR to scan, use the --cidr option. Example: `kube-hunter --cidr 192.168.0.0/24` - -## Community - -You are welcome, please join us on... 👋 - -- [GitHub][scb-github] -- [OWASP Slack (Channel #project-securecodebox)][scb-slack] -- [Mastodon][scb-mastodon] - -secureCodeBox is an official [OWASP][scb-owasp] project. - -## License -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) - -As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained). 
- -As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within. - -[scb-owasp]: https://www.owasp.org/index.php/OWASP_secureCodeBox -[scb-docs]: https://www.securecodebox.io/ -[scb-site]: https://www.securecodebox.io/ -[scb-github]: https://github.com/secureCodeBox/ -[scb-mastodon]: https://infosec.exchange/@secureCodeBox -[scb-slack]: https://owasp.org/slack/invite -[scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE -[kubeaudit GitHub]: https://github.com/Shopify/kubeaudit/ diff --git a/scanners/kubeaudit/examples/juice-shop/README.md b/scanners/kubeaudit/examples/juice-shop/README.md deleted file mode 100644 index 5fef09e03f..0000000000 --- a/scanners/kubeaudit/examples/juice-shop/README.md +++ /dev/null 
@@ -1,36 +0,0 @@ - - -In this example we execute an kubeaudit scan against the intentional vulnerable [juice-shop](https://github.com/juice-shop/juice-shop) - -#### Initialize juice-shop in cluster - -Before executing the scan, make sure to setup juice-shop - -```bash -helm upgrade --install juice-shop oci://ghcr.io/securecodebox/helm/juice-shop --wait -``` - -After that you can execute the scan in this directory: -```bash -kubectl apply -f scan.yaml -``` - -#### Troubleshooting: - Make sure to install juice-shop in the same namespace as the scanner! -If you juice-shop runs in, e.g., the `kubeaudit-tests` namespace, install the chart and run the scan there too -```bash -# Install HelmChart in kubeaudit-tests namespace -helm upgrade --install kubeaudit oci://ghcr.io/securecodebox/helm/kubeaudit -n kubeaudit-tests -# Run scan in kubeaudit-tests namespace -kubectl apply -f scan.yaml -n kubeaudit-tests -``` -Also, you must adjust the namespace in the scan.yaml with the `-n` flag. - -Alternatively, you can set the scope of kubeaudit to cluster: -```bash -helm upgrade --install kubeaudit oci://ghcr.io/securecodebox/helm/kubeaudit -n kubeaudit-tests --set="kubeauditScope=cluster" -``` \ No newline at end of file diff --git a/scanners/kubeaudit/examples/juice-shop/findings.json b/scanners/kubeaudit/examples/juice-shop/findings.json deleted file mode 100644 index 2fcf6a1203..0000000000 --- a/scanners/kubeaudit/examples/juice-shop/findings.json +++ /dev/null 
@@ -1,51 +0,0 @@ -[{ - "name": "Namespace \"default\" is missing a Default Deny NetworkPolicy", - "identified_at": "2023-08-22T12:32:05Z", - "description": "Namespace is missing a default deny ingress and egress NetworkPolicy.", - "category": "No Default Deny NetworkPolicy", - "location": "namespace://default", - "osi_layer": "NOT_APPLICABLE", - "severity": "MEDIUM", - "attributes": { - "Namespace": "default" - }, - "id": "8243db55-e6a1-41fd-97a5-3d7b1736886a", - "parsed_at": "2023-08-22T12:32:11.395Z" -}, { - "name": "Default ServiceAccount uses Automounted Service Account Token", - "identified_at": "2023-08-22T12:32:05Z", - "description": "Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", - "category": "Automounted ServiceAccount Token", - "location": null, - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - "attributes": {}, - "id": "5ed793ce-e8c0-4abb-aaf7-2031356b9996", - "parsed_at": "2023-08-22T12:32:11.395Z" -}, { - "name": "NonRoot User not enforced for Container", - "identified_at": "2023-08-22T12:32:05Z", - "description": "runAsNonRoot should be set to true or runAsUser should be set to a value > 0 either in the container SecurityContext or PodSecurityContext.", - "category": "Non Root User Not Enforced", - "location": "container://juice-shop", - "osi_layer": "NOT_APPLICABLE", - "severity": "MEDIUM", - "attributes": { - "container": "juice-shop" - }, - "id": "6162326e-8d0c-463f-9b0c-147cf04a7a1f", - "parsed_at": "2023-08-22T12:32:11.395Z" -}, { - "name": "Container Uses a non ReadOnly Root Filesystem", - "identified_at": "2023-08-22T12:32:05Z", - "description": "readOnlyRootFilesystem is not set in container SecurityContext. 
It should be set to 'true'.", - "category": "Non ReadOnly Root Filesystem", - "location": "container://juice-shop", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - "attributes": { - "container": "juice-shop" - }, - "id": "ea9d6b4a-365b-4fce-99b7-05b0e442db2a", - "parsed_at": "2023-08-22T12:32:11.395Z" -}] diff --git a/scanners/kubeaudit/examples/juice-shop/findings.json.license b/scanners/kubeaudit/examples/juice-shop/findings.json.license deleted file mode 100644 index 3034c0d74b..0000000000 --- a/scanners/kubeaudit/examples/juice-shop/findings.json.license +++ /dev/null @@ -1,3 +0,0 @@ -SPDX-FileCopyrightText: the secureCodeBox authors - -SPDX-License-Identifier: Apache-2.0 \ No newline at end of file diff --git a/scanners/kubeaudit/examples/juice-shop/scan.yaml b/scanners/kubeaudit/examples/juice-shop/scan.yaml deleted file mode 100644 index fccc2c7890..0000000000 --- a/scanners/kubeaudit/examples/juice-shop/scan.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: "execution.securecodebox.io/v1" -kind: Scan -metadata: - name: "kubeaudit-juiceshop" -spec: - scanType: "kubeaudit" - parameters: - - "-n" - - "default" diff --git a/scanners/kubeaudit/integration-tests/kubeaudit.test.js b/scanners/kubeaudit/integration-tests/kubeaudit.test.js deleted file mode 100644 index 5833cd55cc..0000000000 --- a/scanners/kubeaudit/integration-tests/kubeaudit.test.js +++ /dev/null 
@@ -1,35 +0,0 @@ -// SPDX-FileCopyrightText: the secureCodeBox authors -// -// SPDX-License-Identifier: Apache-2.0 - -const { scan } = require("../../../tests/integration/helpers.js"); - -jest.retryTimes(3); - -test( - "kubeaudit should run and check the jshop in kubeaudit-tests namespace", - async () => { - const {categories, severities} = await scan( - "kubeaudit-tests", - "kubeaudit", - ["-n", "kubeaudit-tests"], - 90 - ); - - expect(categories).toMatchInlineSnapshot(` - { - "Automounted ServiceAccount Token": 1, - "No Default Deny NetworkPolicy": 1, - "Non ReadOnly Root Filesystem": 1, - "Non Root User Not Enforced": 1, - } - `); - expect(severities).toMatchInlineSnapshot(` - { - "low": 2, - "medium": 2, - } - `); - }, - 5 * 60 * 1000 -); diff --git a/scanners/kubeaudit/parser/Dockerfile b/scanners/kubeaudit/parser/Dockerfile deleted file mode 100644 index 86543ec4f1..0000000000 --- a/scanners/kubeaudit/parser/Dockerfile +++ /dev/null @@ -1,9 +0,0 @@ -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 - -ARG namespace -ARG baseImageTag -FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest} -WORKDIR /home/app/parser-wrapper/parser/ -COPY --chown=app:app ./parser.js ./parser.js diff --git a/scanners/kubeaudit/parser/__snapshots__/parser.test.js.snap b/scanners/kubeaudit/parser/__snapshots__/parser.test.js.snap deleted file mode 100644 index fff6c081f9..0000000000 --- a/scanners/kubeaudit/parser/__snapshots__/parser.test.js.snap +++ /dev/null 
@@ -1,234 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`should properly parse kubeaudit juice-shop results 1`] = ` -[ - { - "attributes": {}, - "category": "Automounted ServiceAccount Token", - "description": "Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.", - "identified_at": "2020-10-09T08:32:57Z", - "location": null, - "name": "Default ServiceAccount uses Automounted Service Account Token", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "AUDIT_WRITE", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'AUDIT_WRITE' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "CHOWN", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'CHOWN' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "DAC_OVERRIDE", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. 
Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'DAC_OVERRIDE' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "FOWNER", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'FOWNER' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "FSETID", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'FSETID' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "KILL", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'KILL' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "MKNOD", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. 
Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'MKNOD' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "NET_BIND_SERVICE", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'NET_BIND_SERVICE' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "NET_RAW", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'NET_RAW' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "SETFCAP", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'SETFCAP' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "SETGID", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. 
Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'SETGID' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "SETPCAP", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'SETPCAP' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "SETUID", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'SETUID' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "capability": "SYS_CHROOT", - "container": "juice-shop", - }, - "category": "Capability Not Dropped", - "description": "Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Capability 'SYS_CHROOT' Not Dropped", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "container": "juice-shop", - }, - "category": "Non Root User Not Enforced", - "description": "runAsNonRoot is not set in container SecurityContext nor the PodSecurityContext. 
It should be set to 'true' in at least one of the two.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "NonRoot User not enforced for Container", - "osi_layer": "NOT_APPLICABLE", - "severity": "MEDIUM", - }, - { - "attributes": { - "container": "juice-shop", - }, - "category": "Non ReadOnly Root Filesystem", - "description": "readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "container://juice-shop", - "name": "Container Uses a non ReadOnly Root Filesystem", - "osi_layer": "NOT_APPLICABLE", - "severity": "LOW", - }, - { - "attributes": { - "Namespace": "default", - }, - "category": "No Default Deny NetworkPolicy", - "description": "Namespace is missing a default deny ingress and egress NetworkPolicy.", - "identified_at": "2020-10-09T08:32:57Z", - "location": "namespace://default", - "name": "Namespace "default" is missing a Default Deny NetworkPolicy", - "osi_layer": "NOT_APPLICABLE", - "severity": "MEDIUM", - }, -] -`; diff --git a/scanners/kubeaudit/parser/__snapshots__/parser.test.js.snap.license b/scanners/kubeaudit/parser/__snapshots__/parser.test.js.snap.license deleted file mode 100644 index c95bc37185..0000000000 --- a/scanners/kubeaudit/parser/__snapshots__/parser.test.js.snap.license +++ /dev/null @@ -1,3 +0,0 @@ -SPDX-FileCopyrightText: the secureCodeBox authors - -SPDX-License-Identifier: Apache-2.0 diff --git a/scanners/kubeaudit/parser/__testFiles__/juice-shop.jsonl b/scanners/kubeaudit/parser/__testFiles__/juice-shop.jsonl deleted file mode 100644 index ef5cb75252..0000000000 --- a/scanners/kubeaudit/parser/__testFiles__/juice-shop.jsonl +++ /dev/null 
@@ -1,23 +0,0 @@
-{"AuditResultName":"AppArmorAnnotationMissing","Container":"juice-shop","MissingAnnotation":"container.apparmor.security.beta.kubernetes.io/juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"AppArmor annotation missing. The annotation 'container.apparmor.security.beta.kubernetes.io/juice-shop' should be added.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"AutomountServiceAccountTokenTrueAndDefaultSA","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"AUDIT_WRITE","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"CHOWN","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"DAC_OVERRIDE","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"FOWNER","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"FSETID","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"KILL","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"MKNOD","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"NET_BIND_SERVICE","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"NET_RAW","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"SETFCAP","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"SETGID","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"SETPCAP","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"SETUID","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"CapabilityNotDropped","Capability":"SYS_CHROOT","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Capability not dropped. Ideally, the capability drop list should include the single capability 'ALL' which drops all capabilities.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"LimitsNotSet","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"warning","msg":"Resource limits not set.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"RunAsNonRootPSCNilCSCNil","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"runAsNonRoot is not set in container SecurityContext nor the PodSecurityContext. It should be set to 'true' in at least one of the two.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"AllowPrivilegeEscalationNil","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"allowPrivilegeEscalation not set which allows privilege escalation. It should be set to 'false'.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"PrivilegedNil","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"warning","msg":"privileged is not set in container SecurityContext. Privileged defaults to 'false' but it should be explicitly set to 'false'.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"ReadOnlyRootFilesystemNil","Container":"juice-shop","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"SeccompAnnotationMissing","MissingAnnotation":"seccomp.security.alpha.kubernetes.io/pod","ResourceApiVersion":"apps/v1","ResourceKind":"Deployment","ResourceName":"juice-shop","ResourceNamespace":"default","level":"error","msg":"Seccomp annotation is missing. The annotation seccomp.security.alpha.kubernetes.io/pod: runtime/default should be added.","time":"2020-10-09T08:32:57Z"}
-{"AuditResultName":"MissingDefaultDenyIngressAndEgressNetworkPolicy","Namespace":"default","ResourceApiVersion":"v1","ResourceKind":"Namespace","ResourceName":"default","level":"error","msg":"Namespace is missing a default deny ingress and egress NetworkPolicy.","time":"2020-10-09T08:32:57Z"}
diff --git a/scanners/kubeaudit/parser/__testFiles__/juice-shop.jsonl.license b/scanners/kubeaudit/parser/__testFiles__/juice-shop.jsonl.license
deleted file mode 100644
index c95bc37185..0000000000
--- a/scanners/kubeaudit/parser/__testFiles__/juice-shop.jsonl.license
+++ /dev/null
@@ -1,3 +0,0 @@
-SPDX-FileCopyrightText: the secureCodeBox authors
-
-SPDX-License-Identifier: Apache-2.0
diff --git a/scanners/kubeaudit/parser/__testFiles__/test-empty-report.jsonl b/scanners/kubeaudit/parser/__testFiles__/test-empty-report.jsonl
deleted file mode 100644
index fe51488c70..0000000000
--- a/scanners/kubeaudit/parser/__testFiles__/test-empty-report.jsonl
+++ /dev/null
@@ -1 +0,0 @@
-[]
diff --git a/scanners/kubeaudit/parser/__testFiles__/test-empty-report.jsonl.license b/scanners/kubeaudit/parser/__testFiles__/test-empty-report.jsonl.license
deleted file mode 100644
index c95bc37185..0000000000
--- a/scanners/kubeaudit/parser/__testFiles__/test-empty-report.jsonl.license
+++ /dev/null
@@ -1,3 +0,0 @@
-SPDX-FileCopyrightText: the secureCodeBox authors
-
-SPDX-License-Identifier: Apache-2.0
diff --git a/scanners/kubeaudit/parser/parser.js b/scanners/kubeaudit/parser/parser.js
deleted file mode 100644
index 90445710bd..0000000000
--- a/scanners/kubeaudit/parser/parser.js
+++ /dev/null
@@ -1,141 +0,0 @@
-// SPDX-FileCopyrightText: the secureCodeBox authors
-//
-// SPDX-License-Identifier: Apache-2.0
-
-function createDropCapabilityFinding({ Capability, Container, msg, time }) {
- return {
- name: `Capability '${Capability}' Not Dropped`,
- identified_at: time,
- description: msg,
- category: "Capability Not Dropped",
- location: `container://${Container}`,
- osi_layer: "NOT_APPLICABLE",
- severity: "LOW",
- attributes: {
- capability: Capability,
- container: Container,
- },
- };
-}
-
-function createNonReadOnlyRootFsFinding({ Container, msg, time }) {
- return {
- name: `Container Uses a non ReadOnly Root Filesystem`,
- identified_at: time,
- description: msg,
- category: "Non ReadOnly Root Filesystem",
- location: `container://${Container}`,
- osi_layer: "NOT_APPLICABLE",
- severity: "LOW",
- attributes: {
- container: Container,
- },
- };
-}
-
-function createPrivilegedContainerFinding({ Container, msg, time }) {
- return {
- name: `Container using Privileged Flag`,
- identified_at: time,
- description: msg,
- category: "Privileged Container",
- location: `container://${Container}`,
- osi_layer: "NOT_APPLICABLE",
- severity: "HIGH",
- attributes: {
- container: Container,
- },
- };
-}
-
-function createAutomountedServiceAccountTokenFinding({ msg, time }) {
- return {
- name: `Default ServiceAccount uses Automounted Service Account Token`,
- identified_at: time,
- description: msg,
- category: "Automounted ServiceAccount Token",
- location: null,
- osi_layer: "NOT_APPLICABLE",
- severity: "LOW",
- attributes: {},
- };
-}
-
-function createNonRootUserNotEnforcedFinding({ msg, Container, time }) {
- return {
- name: `NonRoot User not enforced for Container`,
- identified_at: time,
- description: msg,
- category: "Non Root User Not Enforced",
- location: `container://${Container}`,
- osi_layer: "NOT_APPLICABLE",
- severity: "MEDIUM",
- attributes: {
- container: Container,
- },
- };
-}
-
-function createMissingNetworkPolicyFinding({ msg, Namespace, time }) {
- return {
- name: `Namespace "${Namespace}" is missing a Default Deny NetworkPolicy`,
- identified_at: time,
- description: msg,
- category: "No Default Deny NetworkPolicy",
- location: `namespace://${Namespace}`,
- osi_layer: "NOT_APPLICABLE",
- severity: "MEDIUM",
- attributes: {
- Namespace: Namespace,
- },
- };
-}
-
-async function parse(fileContent) {
- return fileContent
- .split("\n")
- .filter(Boolean)
- .filter((line) => line && line.startsWith("{") && line.endsWith("}"))
- .map(JSON.parse)
- .map((finding) => {
- if (!finding || !finding.AuditResultName) {
- return null;
- }
-
- if (finding.AuditResultName === "CapabilityNotDropped") {
- return createDropCapabilityFinding(finding);
- }
- if (
- finding.AuditResultName === "ReadOnlyRootFilesystemFalse" ||
- finding.AuditResultName === "ReadOnlyRootFilesystemNil"
- ) {
- return createNonReadOnlyRootFsFinding(finding);
- }
- if (finding.AuditResultName === "PrivilegedTrue") {
- return createPrivilegedContainerFinding(finding);
- }
- if (
- finding.AuditResultName ===
- "AutomountServiceAccountTokenTrueAndDefaultSA"
- ) {
- return createAutomountedServiceAccountTokenFinding(finding);
- }
- if (
- finding.AuditResultName === "RunAsNonRootCSCFalse" ||
- finding.AuditResultName === "RunAsNonRootPSCNilCSCNil" ||
- finding.AuditResultName === "RunAsNonRootPSCFalseCSCNil"
- ) {
- return createNonRootUserNotEnforcedFinding(finding);
- }
- if (
- finding.AuditResultName === "MissingDefaultDenyIngressAndEgressNetworkPolicy"
- ) {
- return createMissingNetworkPolicyFinding(finding);
- }
-
- return null;
- })
- .filter(Boolean);
-}
-
-module.exports.parse = parse;
diff --git a/scanners/kubeaudit/parser/parser.test.js b/scanners/kubeaudit/parser/parser.test.js
deleted file mode 100644
index 379a207fe2..0000000000
--- a/scanners/kubeaudit/parser/parser.test.js
+++ /dev/null
@@ -1,35 +0,0 @@
-// SPDX-FileCopyrightText: the secureCodeBox authors
-//
-// SPDX-License-Identifier: Apache-2.0
-
-const { readFile } = require("fs/promises");
-const {
- validateParser,
-} = require("@securecodebox/parser-sdk-nodejs/parser-utils");
-
-const { parse } = require("./parser");
-
-test("should properly parse kubeaudit juice-shop results", async () => {
- const fileContent = await readFile(
- __dirname + "/__testFiles__/juice-shop.jsonl",
- {
- encoding: "utf8",
- }
- );
- const findings = await parse(fileContent);
- await expect(validateParser(findings)).resolves.toBeUndefined();
-
- expect(findings).toMatchSnapshot();
-});
-
-test("should properly parse empty kubeaudit jsonl file", async () => {
- const jsonContent = await readFile(
- __dirname + "/__testFiles__/test-empty-report.jsonl",
- {
- encoding: "utf8",
- }
- );
- const findings = await parse(jsonContent);
- await expect(validateParser(findings)).resolves.toBeUndefined();
- expect(findings).toMatchInlineSnapshot(`[]`);
-});
diff --git a/scanners/kubeaudit/scanner/Dockerfile b/scanners/kubeaudit/scanner/Dockerfile
deleted file mode 100644
index a39e47b802..0000000000
--- a/scanners/kubeaudit/scanner/Dockerfile
+++ /dev/null
@@ -1,26 +0,0 @@
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-FROM golang:1.24.2 AS builder
-
-ARG scannerVersion
-
-# no need to include cgo bindings
-ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
-
-# this is where we build our app
-WORKDIR /go/src/app/
-
-RUN git clone --depth 1 --branch v$scannerVersion https://github.com/Shopify/kubeaudit.git /go/src/app/ \
- && go mod download \
- && go build -a -ldflags '-w -s -extldflags "-static"' -o /go/bin/kubeaudit ./cmd/ \
- && chmod +x /go/bin/kubeaudit
-
-FROM alpine:3.12
-COPY --from=builder /go/bin/kubeaudit /kubeaudit
-COPY wrapper.sh /wrapper.sh
-RUN addgroup --system --gid 1001 kubeaudit && adduser kubeaudit --system --uid 1001 --ingroup kubeaudit
-USER 1001
-ENTRYPOINT ["/kubeaudit"]
-CMD ["all"]
diff --git a/scanners/kubeaudit/scanner/wrapper.sh b/scanners/kubeaudit/scanner/wrapper.sh
deleted file mode 100644
index 92ff965a26..0000000000
--- a/scanners/kubeaudit/scanner/wrapper.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-/kubeaudit $@ >/home/securecodebox/kubeaudit.jsonl
diff --git a/scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml b/scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml
deleted file mode 100644
index 610e840fd8..0000000000
--- a/scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# SPDX-FileCopyrightText: the secureCodeBox authors
-#
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: "execution.securecodebox.io/v1"
-kind: ParseDefinition
-metadata:
- name: "kubeaudit-jsonl"
-spec:
- image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
- imagePullPolicy: {{ .Values.parser.image.pullPolicy }}
- ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
- env:
- {{- toYaml .Values.parser.env | nindent 4 }}
- scopeLimiterAliases:
- {{- toYaml .Values.parser.scopeLimiterAliases | nindent 4 }}
- affinity:
- {{- toYaml .Values.parser.affinity | nindent 4 }}
- tolerations:
- {{- toYaml .Values.parser.tolerations | nindent 4 }}
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- with .Values.parser.resources }}
- resources:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- with .Values.parser.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/scanners/kubeaudit/templates/kubeaudit-rbac.yaml b/scanners/kubeaudit/templates/kubeaudit-rbac.yaml
deleted file mode 100644
index f78f200772..0000000000
--- a/scanners/kubeaudit/templates/kubeaudit-rbac.yaml
+++ /dev/null
@@ -1,109 +0,0 @@ -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kubeaudit - namespace: {{ .Release.Namespace}} ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kubeaudit-lurker - namespace: {{ .Release.Namespace}} -subjects: - - kind: ServiceAccount - name: kubeaudit - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: lurker ---- -{{- if eq .Values.kubeauditScope "namespace" }} -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kubeaudit - namespace: {{ .Release.Namespace}} -rules: - - apiGroups: [""] - resources: - - pods - - podtemplates - - replicationcontrollers - - namespaces - verbs: ["get", "list"] - - apiGroups: ["apps"] - resources: - - daemonsets - - statefulsets - - deployments - verbs: ["get", "list"] - - apiGroups: ["batch"] - resources: - - cronjobs - verbs: ["get", "list"] - - apiGroups: ["networking"] - resources: - - networkpolicies - verbs: ["get", "list"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kubeaudit - namespace: {{ .Release.Namespace}} -subjects: - - kind: ServiceAccount - name: kubeaudit - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kubeaudit -{{- end }} -{{- if eq .Values.kubeauditScope "cluster" }} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kubeaudit -rules: - - apiGroups: [""] - resources: - - pods - - podtemplates - - replicationcontrollers - - namespaces - verbs: ["get", "list"] - - apiGroups: ["apps"] - resources: - - daemonsets - - statefulsets - - deployments - verbs: ["get", "list"] - - apiGroups: ["batch"] - resources: - - cronjobs - verbs: ["get", "list"] - - apiGroups: ["networking"] - resources: - - networkpolicies - verbs: ["get", "list"] ---- -kind: 
ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kubeaudit -subjects: - - kind: ServiceAccount - name: kubeaudit - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubeaudit -{{- end }} diff --git a/scanners/kubeaudit/templates/kubeaudit-scan-type.yaml b/scanners/kubeaudit/templates/kubeaudit-scan-type.yaml deleted file mode 100644 index 58801e3cb5..0000000000 --- a/scanners/kubeaudit/templates/kubeaudit-scan-type.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: "execution.securecodebox.io/v1" -kind: ScanType -metadata: - name: "kubeaudit{{ .Values.scanner.nameAppend | default ""}}" -spec: - extractResults: - type: kubeaudit-jsonl - location: "/home/securecodebox/kubeaudit.jsonl" - jobTemplate: - spec: - suspend: {{ .Values.scanner.suspend | default false }} - {{- if .Values.scanner.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }} - {{- end }} - backoffLimit: {{ .Values.scanner.backoffLimit }} - {{- if .Values.scanner.activeDeadlineSeconds }} - activeDeadlineSeconds: {{ .Values.scanner.activeDeadlineSeconds }} - {{- end }} - template: - spec: - restartPolicy: OnFailure - affinity: - {{- toYaml .Values.scanner.affinity | nindent 12 }} - tolerations: - {{- toYaml .Values.scanner.tolerations | nindent 12 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 12 }} - {{- end }} - securityContext: - {{- toYaml .Values.scanner.podSecurityContext | nindent 12 }} - containers: - - name: kubeaudit - image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.scanner.image.pullPolicy }} - command: - - "sh" - - "/wrapper.sh" - - "all" - - "--exitcode" - - "0" - - "--format" - - "json" - resources: - {{- toYaml .Values.scanner.resources | nindent 16 }} - securityContext: - {{- toYaml .Values.scanner.securityContext | nindent 16 }} - env: - {{- toYaml .Values.scanner.env | nindent 16 }} - volumeMounts: - {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }} - {{- if .Values.scanner.extraContainers }} - {{- toYaml .Values.scanner.extraContainers | nindent 12 }} - {{- end }} - volumes: - {{- toYaml .Values.scanner.extraVolumes | nindent 12 }} - {{- with .Values.scanner.nodeSelector }} - nodeSelector: - {{- toYaml . 
| nindent 12 }} - {{- end }} - serviceAccountName: kubeaudit diff --git a/scanners/kubeaudit/tests/__snapshot__/scanner_test.yaml.snap b/scanners/kubeaudit/tests/__snapshot__/scanner_test.yaml.snap deleted file mode 100644 index f0e11ae3e2..0000000000 --- a/scanners/kubeaudit/tests/__snapshot__/scanner_test.yaml.snap +++ /dev/null 
@@ -1,151 +0,0 @@ -matches the snapshot: - 1: | - apiVersion: execution.securecodebox.io/v1 - kind: ParseDefinition - metadata: - name: kubeaudit-jsonl - spec: - affinity: - foo: bar - env: - - name: foo - value: bar - image: docker.io/securecodebox/parser-kubeaudit:0.0.0 - imagePullPolicy: IfNotPresent - imagePullSecrets: - - name: foo - resources: - foo: bar - scopeLimiterAliases: - foo: bar - tolerations: - - foo: bar - ttlSecondsAfterFinished: null - 2: | - apiVersion: v1 - kind: ServiceAccount - metadata: - name: kubeaudit - namespace: NAMESPACE - 3: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: kubeaudit-lurker - namespace: NAMESPACE - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: lurker - subjects: - - kind: ServiceAccount - name: kubeaudit - namespace: NAMESPACE - 4: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: kubeaudit - namespace: NAMESPACE - rules: - - apiGroups: - - "" - resources: - - pods - - podtemplates - - replicationcontrollers - - namespaces - verbs: - - get - - list - - apiGroups: - - apps - resources: - - daemonsets - - statefulsets - - deployments - verbs: - - get - - list - - apiGroups: - - batch - resources: - - cronjobs - verbs: - - get - - list - - apiGroups: - - networking - resources: - - networkpolicies - verbs: - - get - - list - 5: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: kubeaudit - namespace: NAMESPACE - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kubeaudit - subjects: - - kind: ServiceAccount - name: kubeaudit - namespace: NAMESPACE - 6: | - apiVersion: execution.securecodebox.io/v1 - kind: ScanType - metadata: - name: kubeauditfoo - spec: - extractResults: - location: /home/securecodebox/kubeaudit.jsonl - type: kubeaudit-jsonl - jobTemplate: - spec: - backoffLimit: 3 - suspend: false - template: - spec: - affinity: - foo: bar - containers: - - command: - - sh - - 
/wrapper.sh - - all - - --exitcode - - "0" - - --format - - json - env: - - name: foo - value: bar - image: docker.io/securecodebox/scanner-kubeaudit:0.0.0 - imagePullPolicy: IfNotPresent - name: kubeaudit - resources: - foo: bar - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: [] - - image: bar - name: foo - imagePullSecrets: - - name: foo - restartPolicy: OnFailure - securityContext: - fsGroup: 1234 - serviceAccountName: kubeaudit - tolerations: - - foo: bar - volumes: [] diff --git a/scanners/kubeaudit/tests/scanner_test.yaml b/scanners/kubeaudit/tests/scanner_test.yaml deleted file mode 100644 index c5b3b49c3a..0000000000 --- a/scanners/kubeaudit/tests/scanner_test.yaml +++ /dev/null @@ -1,30 +0,0 @@ -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 - -suite: Full Snapshot - -tests: - - it: matches the snapshot - chart: - version: 0.0.0 - appVersion: 0.0.0 - set: - cascadingRules.enabled: true - imagePullSecrets: [{name: foo}] - parser: - env: [{name: foo, value: bar}] - scopeLimiterAliases: {foo: bar} - affinity: {foo: bar} - tolerations: [{foo: bar}] - resources: {foo: bar} - scanner: - nameAppend: foo - resources: {foo: bar} - env: [{name: foo, value: bar}] - extraContainers: [{name: foo, image: bar}] - podSecurityContext: {fsGroup: 1234} - affinity: {foo: bar} - tolerations: [{foo: bar}] - asserts: - - matchSnapshot: {} diff --git a/scanners/kubeaudit/values.yaml b/scanners/kubeaudit/values.yaml deleted file mode 100644 index f70b6380c5..0000000000 --- a/scanners/kubeaudit/values.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -# SPDX-FileCopyrightText: the secureCodeBox authors -# -# SPDX-License-Identifier: Apache-2.0 -# -- Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) -imagePullSecrets: [] - -parser: - image: - # parser.image.repository -- Parser image repository - repository: docker.io/securecodebox/parser-kubeaudit - # parser.image.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null - # -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - pullPolicy: IfNotPresent - - # parser.ttlSecondsAfterFinished -- seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ - ttlSecondsAfterFinished: null - # parser.env -- Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) - env: [] - - # parser.scopeLimiterAliases -- Optional finding aliases to be used in the scopeLimiter. 
- scopeLimiterAliases: {} - - # parser.nodeSelector -- Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) - nodeSelector: {} - - # parser.affinity -- Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) - affinity: {} - - # parser.tolerations -- Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) - tolerations: [] - - # -- Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - # @default -- `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` - resources: {} - -scanner: - image: - # scanner.image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-kubeaudit - # scanner.image.tag -- defaults to the charts appVersion - tag: null - # -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - pullPolicy: IfNotPresent - - # scanner.nameAppend -- append a string to the default scantype name. - nameAppend: null - - # -- seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ - ttlSecondsAfterFinished: null - # -- There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) - activeDeadlineSeconds: null - # -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) - # @default -- 3 - backoffLimit: 3 - - # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) - resources: {} - # resources: - # requests: - # memory: "256Mi" - # cpu: "250m" - # limits: - # memory: "512Mi" - # cpu: "500m" - - # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) - env: [] - - # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) - extraVolumes: [] - - # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) - extraVolumeMounts: [] - - # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) - extraContainers: [] - - # scanner.podSecurityContext -- Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) - podSecurityContext: - {} - # fsGroup: 2000 - - # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) - securityContext: - # scanner.securityContext.runAsNonRoot -- Enforces that 
the scanner image is run as a non root user - runAsNonRoot: true - # scanner.securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system - readOnlyRootFilesystem: true - # scanner.securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated - allowPrivilegeEscalation: false - # scanner.securityContext.privileged -- Ensures that the scanner container is not run in privileged mode - privileged: false - capabilities: - drop: - # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - - all - - # scanner.nodeSelector -- Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) - nodeSelector: {} - - # scanner.affinity -- Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) - affinity: {} - - # scanner.tolerations -- Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) - tolerations: [] - - # -- if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume ` or using a job scheduler like kueue - suspend: false - -# kubeauditScope -- Automatically sets up rbac roles for kubeaudit to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) -kubeauditScope: "namespace" - -cascadingRules: - # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner - enabled: false diff --git a/scanners/nikto/examples/demo-juice-shop/README.md b/scanners/nikto/examples/demo-juice-shop/README.md index be5e6ebf08..fb7f50808a 100644 --- a/scanners/nikto/examples/demo-juice-shop/README.md 
+++ b/scanners/nikto/examples/demo-juice-shop/README.md @@ -3,11 +3,12 @@ SPDX-FileCopyrightText: the secureCodeBox authors SPDX-License-Identifier: Apache-2.0 --> -In this example we execute an kubeaudit scan against the intentional vulnerable [juice-shop](https://github.com/juice-shop/juice-shop) +In this example we execute an nikto scan against the intentional vulnerable [juice-shop](https://github.com/juice-shop/juice-shop) #### Initialize juice-shop in cluster -Before executing the scan, make sure to setup juice-shop +Before executing the scan, make sure to setup juice-shop: + ```bash helm upgrade --install juice-shop oci://ghcr.io/securecodebox/helm/juice-shop --wait ``` diff --git a/scanners/zap-automation-framework/parser/__snapshots__/parser.test.js.snap b/scanners/zap-automation-framework/parser/__snapshots__/parser.test.js.snap index e03e88ca56..767451f430 100644 --- a/scanners/zap-automation-framework/parser/__snapshots__/parser.test.js.snap +++ b/scanners/zap-automation-framework/parser/__snapshots__/parser.test.js.snap @@ -2205,11 +2205,6 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "method": "GET", "uri": "https://docs.securecodebox.io/4465cfb6.2dca36b4.js", }, - { - "evidence": "24656292", - "method": "GET", - "uri": "https://docs.securecodebox.io/docs/scanners/kubeaudit", - }, { "evidence": "2147483647", "method": "GET", @@ -2265,11 +2260,6 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = ` "method": "GET", "uri": "https://docs.securecodebox.io/docs/api/crds/scan-type/", }, - { - "evidence": "24668827", - "method": "GET", - "uri": "https://docs.securecodebox.io/img/integrationIcons/kubeaudit.svg", - }, { "evidence": "14356247", "method": "GET", 
@@ -3491,11 +3481,6 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = `
 "param": "X-Frame-Options",
 "uri": "https://docs.securecodebox.io/blog/",
 },
- {
- "method": "GET",
- "param": "X-Frame-Options",
- "uri": "https://docs.securecodebox.io/docs/scanners/kubeaudit/",
- },
 {
 "method": "GET",
 "param": "X-Frame-Options",
diff --git a/scanners/zap-automation-framework/parser/__testFiles__/docs.securecodebox.io.xml b/scanners/zap-automation-framework/parser/__testFiles__/docs.securecodebox.io.xml
index 76cf2b5120..1df796c23d 100644
--- a/scanners/zap-automation-framework/parser/__testFiles__/docs.securecodebox.io.xml
+++ b/scanners/zap-automation-framework/parser/__testFiles__/docs.securecodebox.io.xml
@@ -30,11 +30,6 @@ SPDX-License-Identifier: Apache-2.0 24710355 - https://docs.securecodebox.io/docs/scanners/kubeaudit - GET - 24656292 - - https://docs.securecodebox.io/3.f6078885.js GET 2147483647
@@ -90,11 +85,6 @@ SPDX-License-Identifier: Apache-2.0 14356247 - https://docs.securecodebox.io/img/integrationIcons/kubeaudit.svg - GET - 24668827 - - https://docs.securecodebox.io/docs/scanners/wpscan GET 14356247
@@ -1101,11 +1091,6 @@ SPDX-License-Identifier: Apache-2.0 X-Frame-Options - https://docs.securecodebox.io/docs/scanners/kubeaudit/ - GET - X-Frame-Options - - https://docs.securecodebox.io/docs/hooks/defectdojo/ GET X-Frame-Options
diff --git a/scanners/zap/parser/__snapshots__/parser.test.js.snap b/scanners/zap/parser/__snapshots__/parser.test.js.snap
index e03e88ca56..767451f430 100644
--- a/scanners/zap/parser/__snapshots__/parser.test.js.snap
+++ b/scanners/zap/parser/__snapshots__/parser.test.js.snap
@@ -2205,11 +2205,6 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = `
 "method": "GET",
 "uri": "https://docs.securecodebox.io/4465cfb6.2dca36b4.js",
 },
- {
- "evidence": "24656292",
- "method": "GET",
- "uri": "https://docs.securecodebox.io/docs/scanners/kubeaudit",
- },
 {
 "evidence": "2147483647",
 "method": "GET",
@@ -2265,11 +2260,6 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = `
 "method": "GET",
 "uri": "https://docs.securecodebox.io/docs/api/crds/scan-type/",
 },
- {
- "evidence": "24668827",
- "method": "GET",
- "uri": "https://docs.securecodebox.io/img/integrationIcons/kubeaudit.svg",
- },
 {
 "evidence": "14356247",
 "method": "GET",
@@ -3491,11 +3481,6 @@ exports[`Parsing the docs.securecodebox.io results. 1`] = `
 "param": "X-Frame-Options",
 "uri": "https://docs.securecodebox.io/blog/",
 },
- {
- "method": "GET",
- "param": "X-Frame-Options",
- "uri": "https://docs.securecodebox.io/docs/scanners/kubeaudit/",
- },
 {
 "method": "GET",
 "param": "X-Frame-Options",
diff --git a/scanners/zap/parser/__testFiles__/docs.securecodebox.io.xml b/scanners/zap/parser/__testFiles__/docs.securecodebox.io.xml
index 76cf2b5120..1df796c23d 100644
--- a/scanners/zap/parser/__testFiles__/docs.securecodebox.io.xml
+++ b/scanners/zap/parser/__testFiles__/docs.securecodebox.io.xml
@@ -30,11 +30,6 @@ SPDX-License-Identifier: Apache-2.0 24710355 - https://docs.securecodebox.io/docs/scanners/kubeaudit - GET - 24656292 - - https://docs.securecodebox.io/3.f6078885.js GET 2147483647
@@ -90,11 +85,6 @@ SPDX-License-Identifier: Apache-2.0 14356247 - https://docs.securecodebox.io/img/integrationIcons/kubeaudit.svg - GET - 24668827 - - https://docs.securecodebox.io/docs/scanners/wpscan GET 14356247
@@ -1101,11 +1091,6 @@ SPDX-License-Identifier: Apache-2.0 X-Frame-Options - https://docs.securecodebox.io/docs/scanners/kubeaudit/ - GET - X-Frame-Options - - https://docs.securecodebox.io/docs/hooks/defectdojo/ GET X-Frame-Options
diff --git a/scbctl/cmd/scans_test.go b/scbctl/cmd/scans_test.go
index 0938800458..561192ff1b 100644
--- a/scbctl/cmd/scans_test.go
+++ b/scbctl/cmd/scans_test.go
@@ -91,11 +91,11 @@ func TestScanCommand(t *testing.T) {
 },
 {
 name: "Flags provided after the `--` seperator should be passed as parameters, not flags",
- args: []string{"scan", "--namespace", "foobar", "kubeaudit", "--", "--namespace", "some-other-namespace"},
+ args: []string{"scan", "--namespace", "foobar", "kubehunter", "--", "--namespace", "some-other-namespace"},
 expectedError: nil,
 expectedScan: &expectedScan{
- name: "kubeaudit",
- scanType: "kubeaudit",
+ name: "kubehunter",
+ scanType: "kubehunter",
 namespace: "foobar",
 parameters: []string{"--namespace", "some-other-namespace"},
 },
From 5635696f6a66f154009a8afc84dad6416c2500eb Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Fri, 9 May 2025 12:04:19 +0200
Subject: [PATCH 2/2] Update integrations file

Signed-off-by: Jannik Hollenbach
---
 documentation/src/integrations.js | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/documentation/src/integrations.js b/documentation/src/integrations.js
index 7d9b08d0cf..bf29b62377 100644
--- a/documentation/src/integrations.js
+++ b/documentation/src/integrations.js
@@ -126,13 +126,6 @@ export const Scanners = [
 path: "docs/scanners/kube-hunter",
 imageUrl: "img/integrationIcons/Default.svg",
 },
- {
- title: "Kubeaudit",
- type: "Kubernetes",
- usecase: "Kubernetes Configuration Scanner",
- path: "docs/scanners/kubeaudit",
- imageUrl: "img/integrationIcons/Kubeaudit.svg",
- },
 {
 title: "Ncrack",
 type: "Authentication",
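Review bot: The replacement fixture passes the scan type as `kubehunter` on the new `args` and `scanType` lines, while the kube-hunter integration is referred to with a dash elsewhere in this patch (`path: "docs/scanners/kube-hunter"` in integrations.js); if the case is meant to mirror a real ScanType name, `"kube-hunter"` would avoid a mismatch that this test cannot detect, since it appears to compare only the fields the CLI copies into `expectedScan`. If the value is deliberately arbitrary, a short comment on the case would make that clear: `// the scan type is a placeholder; this case only checks that arguments after "--" become parameters`. The untouched context line still spells the test name with `seperator`. TestScanCommand's table starts and ends outside the hunk.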