diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b10f6d2558..2b9ed0ff1c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -28,7 +28,7 @@ env: # renovate: datasource=github-releases depName=helm/helm HELM_VERSION: "v3.19.0" # renovate: datasource=github-releases depName=helm-unittest/helm-unittest - HELM_PLUGIN_UNITTEST_VERSION: "1.0.0" + HELM_PLUGIN_UNITTEST_VERSION: "1.0.3" # renovate: datasource=github-releases depName=go-task/task TASK_VERSION: "v3.45.4" diff --git a/demo-targets/bodgeit/tests/__snapshot__/bodgeit_test.yaml.snap b/demo-targets/bodgeit/tests/__snapshot__/bodgeit_test.yaml.snap index 3835ba9ab9..3a10cf6f3b 100644 --- a/demo-targets/bodgeit/tests/__snapshot__/bodgeit_test.yaml.snap +++ b/demo-targets/bodgeit/tests/__snapshot__/bodgeit_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | 1. Get the application URL by running these commands: 2: | apiVersion: apps/v1 diff --git a/demo-targets/dummy-ssh/tests/__snapshot__/dummy-ssh_test.yaml.snap b/demo-targets/dummy-ssh/tests/__snapshot__/dummy-ssh_test.yaml.snap index 8de190c814..c0756779de 100644 --- a/demo-targets/dummy-ssh/tests/__snapshot__/dummy-ssh_test.yaml.snap +++ b/demo-targets/dummy-ssh/tests/__snapshot__/dummy-ssh_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Demo SSH Server deployed. Note this should used for demo and test purposes. diff --git a/demo-targets/http-webhook/tests/__snapshot__/http-webhook_test.yaml.snap b/demo-targets/http-webhook/tests/__snapshot__/http-webhook_test.yaml.snap index 024edcd3d0..94194b0c4b 100644 --- a/demo-targets/http-webhook/tests/__snapshot__/http-webhook_test.yaml.snap +++ b/demo-targets/http-webhook/tests/__snapshot__/http-webhook_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | 1. Get the application URL by running these commands: 2: | apiVersion: apps/v1 
diff --git a/demo-targets/juice-shop/tests/__snapshot__/juice-shop_test.yaml.snap b/demo-targets/juice-shop/tests/__snapshot__/juice-shop_test.yaml.snap index fd100f1438..735e87c3f8 100644 --- a/demo-targets/juice-shop/tests/__snapshot__/juice-shop_test.yaml.snap +++ b/demo-targets/juice-shop/tests/__snapshot__/juice-shop_test.yaml.snap @@ -1,12 +1,12 @@ matches the snapshot: 1: | - raw: |2 + raw: | 1. Get the application URL by running these commands: https://chart-example.localmap[path:/] 2: | apiVersion: v1 data: - customConfig.yml: |2 + customConfig.yml: | application: domain: juice-sh.op name: OWASP Juice Shop diff --git a/demo-targets/old-joomla/tests/__snapshot__/old-joomla_test.yaml.snap b/demo-targets/old-joomla/tests/__snapshot__/old-joomla_test.yaml.snap index a683a28857..5a8d342b20 100644 --- a/demo-targets/old-joomla/tests/__snapshot__/old-joomla_test.yaml.snap +++ b/demo-targets/old-joomla/tests/__snapshot__/old-joomla_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | 1. Get the application URL by running these commands: 2: | apiVersion: apps/v1 diff --git a/demo-targets/old-typo3/tests/__snapshot__/old-typo3_test.yaml.snap b/demo-targets/old-typo3/tests/__snapshot__/old-typo3_test.yaml.snap index 1afbb74652..2e066d0952 100644 --- a/demo-targets/old-typo3/tests/__snapshot__/old-typo3_test.yaml.snap +++ b/demo-targets/old-typo3/tests/__snapshot__/old-typo3_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | 1. Get the application URL by running these commands: 2: | apiVersion: apps/v1 diff --git a/demo-targets/old-wordpress/tests/__snapshot__/old-wordpress_test.yaml.snap b/demo-targets/old-wordpress/tests/__snapshot__/old-wordpress_test.yaml.snap index 40ce2b37bd..b7cc885edd 100644 --- a/demo-targets/old-wordpress/tests/__snapshot__/old-wordpress_test.yaml.snap +++ b/demo-targets/old-wordpress/tests/__snapshot__/old-wordpress_test.yaml.snap 
@@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Old Wordpress Instance deployed. Note this should used for demo and test purposes. diff --git a/demo-targets/swagger-petstore/tests/__snapshot__/swagger-petstore_test.yaml.snap b/demo-targets/swagger-petstore/tests/__snapshot__/swagger-petstore_test.yaml.snap index 4432cfedd5..d9eda818f4 100644 --- a/demo-targets/swagger-petstore/tests/__snapshot__/swagger-petstore_test.yaml.snap +++ b/demo-targets/swagger-petstore/tests/__snapshot__/swagger-petstore_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | 1. Get the application URL by running these commands: 2: | apiVersion: apps/v1 diff --git a/demo-targets/unsafe-https/tests/__snapshot__/unsafe-https_test.yaml.snap b/demo-targets/unsafe-https/tests/__snapshot__/unsafe-https_test.yaml.snap index 979ea466bd..175e11372a 100644 --- a/demo-targets/unsafe-https/tests/__snapshot__/unsafe-https_test.yaml.snap +++ b/demo-targets/unsafe-https/tests/__snapshot__/unsafe-https_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Demo Unsafe Https Server deployed. Note this should only be used for demo and test purposes. diff --git a/demo-targets/vulnerable-log4j/tests/__snapshot__/vulnerable-log4j_test.yaml.snap b/demo-targets/vulnerable-log4j/tests/__snapshot__/vulnerable-log4j_test.yaml.snap index 754289a782..9b15039fcf 100644 --- a/demo-targets/vulnerable-log4j/tests/__snapshot__/vulnerable-log4j_test.yaml.snap +++ b/demo-targets/vulnerable-log4j/tests/__snapshot__/vulnerable-log4j_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Vulnerable log4j Instance deployed. Note this should used for demo and test purposes. diff --git a/hooks/cascading-scans/tests/__snapshot__/cascading-scans_test.yaml.snap b/hooks/cascading-scans/tests/__snapshot__/cascading-scans_test.yaml.snap index 59c1494779..a91282dfb7 100644 --- a/hooks/cascading-scans/tests/__snapshot__/cascading-scans_test.yaml.snap 
+++ b/hooks/cascading-scans/tests/__snapshot__/cascading-scans_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Cascading Scan Hook deployed. This will allow you to start Scans based on previous findings. diff --git a/hooks/finding-post-processing/tests/__snapshot__/finding-post-processing_test.yaml.snap b/hooks/finding-post-processing/tests/__snapshot__/finding-post-processing_test.yaml.snap index 6491d79a3f..0d76f02841 100644 --- a/hooks/finding-post-processing/tests/__snapshot__/finding-post-processing_test.yaml.snap +++ b/hooks/finding-post-processing/tests/__snapshot__/finding-post-processing_test.yaml.snap @@ -1,7 +1,6 @@ matches the snapshot: 1: | - raw: |2 - + raw: | FindingPostProcessing Hook deployed. This will add postprocessing on every finding in this namespace matching these rules: [{"matches":[{"anyOf":[{"attributes":{"port":21,"state":"open"},"category":"Open Port"},{"attributes":{"port":389,"state":"open"},"category":"Open Port"}]}],"override":{"description":"Telnet is bad","severity":"high"}}]. 2: | diff --git a/hooks/generic-webhook/tests/__snapshot__/generic-webhook_test.yaml.snap b/hooks/generic-webhook/tests/__snapshot__/generic-webhook_test.yaml.snap index f6b7db66df..51b945b48c 100644 --- a/hooks/generic-webhook/tests/__snapshot__/generic-webhook_test.yaml.snap +++ b/hooks/generic-webhook/tests/__snapshot__/generic-webhook_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | GenericWebhook deployed. Will send requests to: POST http://example.com diff --git a/hooks/notification/tests/__snapshot__/notification_test.yaml.snap b/hooks/notification/tests/__snapshot__/notification_test.yaml.snap index 4887549b2b..8ff76dc93d 100644 --- a/hooks/notification/tests/__snapshot__/notification_test.yaml.snap +++ b/hooks/notification/tests/__snapshot__/notification_test.yaml.snap 
@@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Notification hook deployed. Will send requests to: - slack: SOME_ENV_KEY @@ -11,7 +11,7 @@ matches the snapshot: 2: | apiVersion: v1 data: - notification-channel.yaml: |2 + notification-channel.yaml: | - endPoint: SOME_ENV_KEY name: slack rules: diff --git a/hooks/persistence-azure-monitor/tests/__snapshot__/persistence-azure-monitor_test.yaml.snap b/hooks/persistence-azure-monitor/tests/__snapshot__/persistence-azure-monitor_test.yaml.snap index 75aefdeb7b..0194bfda50 100644 --- a/hooks/persistence-azure-monitor/tests/__snapshot__/persistence-azure-monitor_test.yaml.snap +++ b/hooks/persistence-azure-monitor/tests/__snapshot__/persistence-azure-monitor_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Azure Monitor PersistenceProvider deployed. 2: | apiVersion: execution.securecodebox.io/v1 diff --git a/hooks/persistence-defectdojo/tests/__snapshot__/persistence-defectdojo_test.yaml.snap b/hooks/persistence-defectdojo/tests/__snapshot__/persistence-defectdojo_test.yaml.snap index cdef1bfcc5..92d3a37bc8 100644 --- a/hooks/persistence-defectdojo/tests/__snapshot__/persistence-defectdojo_test.yaml.snap +++ b/hooks/persistence-defectdojo/tests/__snapshot__/persistence-defectdojo_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: "\nDefectDojo PersistenceProvider succesfully deployed \U0001F389.\n" + raw: "DefectDojo PersistenceProvider succesfully deployed \U0001F389.\n" 2: | apiVersion: execution.securecodebox.io/v1 kind: ScanCompletionHook diff --git a/hooks/persistence-elastic/tests/__snapshot__/persistence-elastic_test.yaml.snap b/hooks/persistence-elastic/tests/__snapshot__/persistence-elastic_test.yaml.snap index 8f851fd788..b4d93791b5 100644 --- a/hooks/persistence-elastic/tests/__snapshot__/persistence-elastic_test.yaml.snap +++ b/hooks/persistence-elastic/tests/__snapshot__/persistence-elastic_test.yaml.snap 
@@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | Elastic Stack PersistenceProvider deployed. 2: | apiVersion: batch/v1 diff --git a/hooks/update-field-hook/tests/__snapshot__/update-field-hook_test.yaml.snap b/hooks/update-field-hook/tests/__snapshot__/update-field-hook_test.yaml.snap index 8c46f4d71b..9aeee5375f 100644 --- a/hooks/update-field-hook/tests/__snapshot__/update-field-hook_test.yaml.snap +++ b/hooks/update-field-hook/tests/__snapshot__/update-field-hook_test.yaml.snap @@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: |2 + raw: | UpdateField Hook deployed. This will add or override "category: my-own-category" on every finding in this namespace. 2: | diff --git a/operator/tests/__snapshot__/operator_test.yaml.snap b/operator/tests/__snapshot__/operator_test.yaml.snap index adb9dcda10..5a129a3734 100644 --- a/operator/tests/__snapshot__/operator_test.yaml.snap +++ b/operator/tests/__snapshot__/operator_test.yaml.snap 
@@ -1,6 +1,6 @@ matches the snapshot: 1: | - raw: "\nsecureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n" + raw: "secureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n" 2: | apiVersion: v1 kind: Service 
@@ -134,6 +134,177 @@ matches the snapshot: name: foo name: ca-certificate 4: | + apiVersion: v1 + data: + root-password: dGVzdHBhc3N3b3Jk + root-user: dGVzdHVzZXI= + kind: Secret + metadata: + labels: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: operator + app.kubernetes.io/version: 0.0.0 + helm.sh/chart: operator-0.0.0 + name: RELEASE-NAME-operator-minio + namespace: NAMESPACE + type: Opaque + 5: | + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: operator + app.kubernetes.io/version: 0.0.0 + helm.sh/chart: operator-0.0.0 + name: RELEASE-NAME-operator-minio + namespace: NAMESPACE + spec: + ports: + - name: api + port: 9000 + protocol: TCP + targetPort: 9000 + - name: console + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: operator + type: ClusterIP + 6: | + apiVersion: apps/v1 + kind: StatefulSet + metadata: + labels: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: operator + app.kubernetes.io/version: 0.0.0 + helm.sh/chart: operator-0.0.0 + name: RELEASE-NAME-operator-minio + namespace: NAMESPACE + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: operator + serviceName: RELEASE-NAME-operator-minio + template: + metadata: + labels: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: operator + spec: + automountServiceAccountToken: false + containers: + - args: + - | + set -e + echo "Starting minio server..." 
+ minio server /data --console-address ":9001" & + MINIO_PID=$! + + echo "Waiting for minio to be ready..." + sleep 5 + + echo "Creating bucket: $MINIO_DEFAULT_BUCKETS" + mc alias set myminio http://localhost:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD + mc mb myminio/$MINIO_DEFAULT_BUCKETS --ignore-existing || true + echo "Bucket creation completed" + + wait $MINIO_PID + command: + - /bin/bash + - -c + env: + - name: MINIO_ROOT_USER + valueFrom: + secretKeyRef: + key: root-user + name: RELEASE-NAME-operator-minio + - name: MINIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + key: root-password + name: RELEASE-NAME-operator-minio + - name: MINIO_DEFAULT_BUCKETS + value: securecodebox + image: docker.io/minio/minio:RELEASE.2025-07-23T15-54-02Z + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /minio/health/live + port: api + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: minio + ports: + - containerPort: 9000 + name: api + protocol: TCP + - containerPort: 9001 + name: console + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /minio/health/ready + port: api + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + cpu: 500m + ephemeral-storage: 1Gi + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /data + name: data + imagePullSecrets: + - name: foo + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + 7: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
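Review bot: The MinIO bootstrap script rendered into the StatefulSet's `args` passes `$MINIO_ROOT_USER $MINIO_ROOT_PASSWORD` as positional arguments to `mc alias set`, which puts the root credentials into that process's `/proc/<pid>/cmdline` where any process in the same PID namespace or any node-level agent that samples process lists can read them; the same values are already in the environment, so `mc` can read them from `MC_HOST_myminio` instead (note that user and password must be URL-encoded in that form). The fixed `sleep 5` before `mc alias set` is a readiness race: `mc alias set` probes the endpoint, and under `set -e` a slow start turns into a crash-looping pod, so a bounded readiness poll belongs there. Conversely, `mc mb ... || true` swallows a failed bucket creation (bad credentials, permission error) that `--ignore-existing` already does not raise, so the operator only discovers the missing bucket when its first upload fails; let the script fail visibly there. This is a regenerated snapshot, so the change belongs in the chart template that produces it, which is not part of this diff; the same rendering is repeated verbatim in the service-monitor test case further down.
```yaml
            - |
              set -e
              echo "Starting minio server..."
              minio server /data --console-address ":9001" &
              MINIO_PID=$!

              # Credentials come from the environment, not argv (values must be URL-encoded).
              export MC_HOST_myminio="http://${MINIO_ROOT_USER}:${MINIO_ROOT_PASSWORD}@localhost:9000"
              echo "Waiting for minio to be ready..."
              for _ in $(seq 1 30); do
                mc ready myminio >/dev/null 2>&1 && break
                sleep 1
              done

              echo "Creating bucket: $MINIO_DEFAULT_BUCKETS"
              mc mb "myminio/$MINIO_DEFAULT_BUCKETS" --ignore-existing
              echo "Bucket creation completed"

              wait $MINIO_PID
          # … unchanged: command, env, image, probes, ports, resources, securityContext, volumeMounts …
```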
@@ -157,7 +328,7 @@ matches the snapshot: - cascadingrules/status verbs: - get - 5: | + 8: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -177,7 +348,7 @@ matches the snapshot: - cascadingrules/status verbs: - get - 6: | + 9: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -214,7 +385,7 @@ matches the snapshot: verbs: - create - patch - 7: | + 10: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -227,7 +398,7 @@ matches the snapshot: - kind: ServiceAccount name: securecodebox-operator namespace: NAMESPACE - 8: | + 11: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -251,7 +422,7 @@ matches the snapshot: - parsedefinitions/status verbs: - get - 9: | + 12: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -271,7 +442,7 @@ matches the snapshot: - parsedefinitions/status verbs: - get - 10: | + 13: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -370,7 +541,7 @@ matches the snapshot: - list - update - watch - 11: | + 14: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -383,7 +554,7 @@ matches the snapshot: - kind: ServiceAccount name: securecodebox-operator namespace: NAMESPACE - 12: | + 15: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -407,7 +578,7 @@ matches the snapshot: - scans/status verbs: - get - 13: | + 16: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -427,7 +598,7 @@ matches the snapshot: - scans/status verbs: - get - 14: | + 17: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -451,7 +622,7 @@ matches the snapshot: - scancompletionhooks/status verbs: - get - 15: | + 18: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -471,7 +642,7 @@ matches the snapshot: - scancompletionhooks/status verbs: - get - 16: | + 19: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -495,7 +666,7 @@ matches the snapshot: - scantypes/status verbs: - get - 17: | + 20: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -515,57 +686,6 @@ matches the snapshot: - scantypes/status verbs: - get - 18: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: scheduledscan-editor-role - rules: - - apiGroups: - - execution.securecodebox.io - resources: - - scheduledscans - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - execution.securecodebox.io - resources: - - scheduledscans/status - verbs: - - get - 19: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: scheduledscan-viewer-role - rules: - - apiGroups: - - execution.securecodebox.io - resources: - - scheduledscans - verbs: - - get - - list - - watch - - apiGroups: - - execution.securecodebox.io - resources: - - scheduledscans/status - verbs: - - get - 20: | - apiVersion: v1 - kind: ServiceAccount - metadata: - annotations: {} - labels: {} - name: securecodebox-operator 21: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -619,7 +739,7 @@ matches the snapshot: name: securecodebox-operator properly-renders-the-service-monitor-when-enabled: 1: | - raw: "\nsecureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n" + raw: "secureCodeBox Operator Deployed \U0001F680\n\nThe operator can orchestrate the execution of various security scanning tools inside of your cluster.\nYou can find a list of all officially supported scanners here: https://www.securecodebox.io/\nThe website also lists other integrations, like persisting scan results to DefectDojo or Elasticsearch.\n\nThe operator send out regular telemetry pings to a central service.\nThis lets us, the secureCodeBox team, get a grasp on how much the secureCodeBox is used.\nThe submitted data is chosen to be as anonymous as possible.\nYou can find a complete report of the data submitted and links to the source-code at: https://www.securecodebox.io/docs/telemetry\nThe first ping is send one hour after the install, you can prevent this by upgrading the chart and setting `telemetryEnabled` to `false`.\n" 2: | apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor 
@@ -766,6 +886,177 @@ properly-renders-the-service-monitor-when-enabled: name: foo name: ca-certificate 5: | + apiVersion: v1 + data: + root-password: dGVzdHBhc3N3b3Jk + root-user: dGVzdHVzZXI= + kind: Secret + metadata: + labels: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: operator + app.kubernetes.io/version: 0.0.0 + helm.sh/chart: operator-0.0.0 + name: RELEASE-NAME-operator-minio + namespace: NAMESPACE + type: Opaque + 6: | + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: operator + app.kubernetes.io/version: 0.0.0 + helm.sh/chart: operator-0.0.0 + name: RELEASE-NAME-operator-minio + namespace: NAMESPACE + spec: + ports: + - name: api + port: 9000 + protocol: TCP + targetPort: 9000 + - name: console + port: 9001 + protocol: TCP + targetPort: 9001 + selector: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: operator + type: ClusterIP + 7: | + apiVersion: apps/v1 + kind: StatefulSet + metadata: + labels: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: operator + app.kubernetes.io/version: 0.0.0 + helm.sh/chart: operator-0.0.0 + name: RELEASE-NAME-operator-minio + namespace: NAMESPACE + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: operator + serviceName: RELEASE-NAME-operator-minio + template: + metadata: + labels: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: operator + spec: + automountServiceAccountToken: false + containers: + - args: + - | + set -e + echo "Starting minio server..." 
+ minio server /data --console-address ":9001" & + MINIO_PID=$! + + echo "Waiting for minio to be ready..." + sleep 5 + + echo "Creating bucket: $MINIO_DEFAULT_BUCKETS" + mc alias set myminio http://localhost:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD + mc mb myminio/$MINIO_DEFAULT_BUCKETS --ignore-existing || true + echo "Bucket creation completed" + + wait $MINIO_PID + command: + - /bin/bash + - -c + env: + - name: MINIO_ROOT_USER + valueFrom: + secretKeyRef: + key: root-user + name: RELEASE-NAME-operator-minio + - name: MINIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + key: root-password + name: RELEASE-NAME-operator-minio + - name: MINIO_DEFAULT_BUCKETS + value: securecodebox + image: docker.io/minio/minio:RELEASE.2025-07-23T15-54-02Z + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /minio/health/live + port: api + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 10 + name: minio + ports: + - containerPort: 9000 + name: api + protocol: TCP + - containerPort: 9001 + name: console + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /minio/health/ready + port: api + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + cpu: 500m + ephemeral-storage: 1Gi + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /data + name: data + imagePullSecrets: + - name: foo + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + 8: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -789,7 +1080,7 @@ properly-renders-the-service-monitor-when-enabled: - cascadingrules/status verbs: - get - 6: | + 9: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -809,7 +1100,7 @@ properly-renders-the-service-monitor-when-enabled: - cascadingrules/status verbs: - get - 7: | + 10: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -846,7 +1137,7 @@ properly-renders-the-service-monitor-when-enabled: verbs: - create - patch - 8: | + 11: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -859,7 +1150,7 @@ properly-renders-the-service-monitor-when-enabled: - kind: ServiceAccount name: securecodebox-operator namespace: NAMESPACE - 9: | + 12: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -883,7 +1174,7 @@ properly-renders-the-service-monitor-when-enabled: - parsedefinitions/status verbs: - get - 10: | + 13: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -903,7 +1194,7 @@ properly-renders-the-service-monitor-when-enabled: - parsedefinitions/status verbs: - get - 11: | + 14: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -1002,7 +1293,7 @@ properly-renders-the-service-monitor-when-enabled: - list - update - watch - 12: | + 15: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -1015,7 +1306,7 @@ properly-renders-the-service-monitor-when-enabled: - kind: ServiceAccount name: securecodebox-operator namespace: NAMESPACE - 13: | + 16: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -1039,7 +1330,7 @@ properly-renders-the-service-monitor-when-enabled: - scans/status verbs: - get - 14: | + 17: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -1059,7 +1350,7 @@ properly-renders-the-service-monitor-when-enabled: - scans/status verbs: - get - 15: | + 18: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -1083,7 +1374,7 @@ properly-renders-the-service-monitor-when-enabled: - scancompletionhooks/status verbs: - get - 16: | + 19: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -1103,7 +1394,7 @@ properly-renders-the-service-monitor-when-enabled: - scancompletionhooks/status verbs: - get - 17: | + 20: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -1127,7 +1418,7 @@ properly-renders-the-service-monitor-when-enabled: - scantypes/status verbs: - get - 18: | + 21: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -1147,57 +1438,6 @@ properly-renders-the-service-monitor-when-enabled: - scantypes/status verbs: - get - 19: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: scheduledscan-editor-role - rules: - - apiGroups: - - execution.securecodebox.io - resources: - - scheduledscans - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - execution.securecodebox.io - resources: - - scheduledscans/status - verbs: - - get - 20: | - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: scheduledscan-viewer-role - rules: - - apiGroups: - - execution.securecodebox.io - resources: - - scheduledscans - verbs: - - get - - list - - watch - - apiGroups: - - execution.securecodebox.io - resources: - - scheduledscans/status - verbs: - - get - 21: | - apiVersion: v1 - kind: ServiceAccount - metadata: - annotations: {} - labels: {} - name: securecodebox-operator 22: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/operator/tests/operator_test.yaml b/operator/tests/operator_test.yaml index f27d9347b1..6c8dbc6380 100644 --- a/operator/tests/operator_test.yaml +++ b/operator/tests/operator_test.yaml 
@@ -18,6 +18,11 @@ tests: customCACertificate.existingCertificate: foo serviceaccount: {create: true, annotations: {foo: bar}, name: foo} podSecurityContext: {fsGroup: 1234} + minio: + enabled: true + auth: + rootUser: testuser + rootPassword: testpassword asserts: - matchSnapshot: {} - it: properly-renders-the-service-monitor-when-enabled @@ -32,6 +37,11 @@ tests: metrics: serviceMonitor: enabled: true + minio: + enabled: true + auth: + rootUser: testuser + rootPassword: testpassword asserts: - matchSnapshot: {} - it: renders minio resources when minio is enabled diff --git a/scanners/semgrep/tests/__snapshot__/scanner_test.yaml.snap b/scanners/semgrep/tests/__snapshot__/scanner_test.yaml.snap index ba0ebb78e5..965e552737 100644 --- a/scanners/semgrep/tests/__snapshot__/scanner_test.yaml.snap +++ b/scanners/semgrep/tests/__snapshot__/scanner_test.yaml.snap @@ -10,7 +10,7 @@ matches the snapshot: env: - name: foo value: bar - image: securecodebox/parser-semgrep:0.0.0 + image: docker.io/securecodebox/parser-semgrep:0.0.0 imagePullPolicy: IfNotPresent imagePullSecrets: - name: foo diff --git a/scanners/ssh-audit/tests/__snapshot__/scanner_test.yaml.snap b/scanners/ssh-audit/tests/__snapshot__/scanner_test.yaml.snap index d018204b51..6b282b25a4 100644 --- a/scanners/ssh-audit/tests/__snapshot__/scanner_test.yaml.snap +++ b/scanners/ssh-audit/tests/__snapshot__/scanner_test.yaml.snap @@ -49,6 +49,8 @@ matches the snapshot: suspend: false template: spec: + affinity: + foo: bar containers: - command: - sh @@ -71,5 +73,11 @@ matches the snapshot: volumeMounts: [] - image: bar name: foo - restartPolicy: Never + imagePullSecrets: + - name: foo + restartPolicy: OnFailure + securityContext: + fsGroup: 1234 + tolerations: + - foo: bar volumes: [] diff --git a/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap b/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap index 0b40b866dd..ce04f6b6d5 100644 
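Review bot: The ssh-audit job template in this snapshot now renders `restartPolicy: OnFailure` where it previously rendered `Never`, which changes scan failure handling: a scanner container that exits non-zero (unreachable host, timeout) is now restarted in place by the kubelet with back-off rather than left as a failed pod whose logs can be inspected, and each restart re-runs the scan against the target. The template change that produces this is not in the diff, so it is not clear whether it is an intended fix or a snapshot regenerated against an already-changed template; if intended, the chart's values/README should state the restart policy, and if not, the snapshot update is masking a behavioural regression. The other additions in the hunk (`affinity`, `tolerations`, `imagePullSecrets`, `securityContext.fsGroup` with the `foo`/`bar`/`1234` test placeholders) look like chart values that were previously dropped and are now propagated into the job spec, matching what the semgrep snapshot in this same diff already shows for `imagePullSecrets`.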
--- a/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap +++ b/scanners/zap-automation-framework/tests/__snapshot__/scanner_test.yaml.snap @@ -97,7 +97,7 @@ matches the snapshot: 4: | apiVersion: v1 data: - zap-entrypoint.bash: |2 + zap-entrypoint.bash: | # ensures that zap still exits with a exit code of zero when the scan logged warnings: see https://www.zaproxy.org/docs/automate/automation-framework/ ./zap.sh -cmd $@ || [ $? -ne 1 ] kind: ConfigMap