Skip to content

Add a new AutoDiscovery Operator for automated Scans in Kubernetes Clusters #461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
J12934 merged 48 commits into from
Jul 12, 2021
Merged

Add a new AutoDiscovery Operator for automated Scans in Kubernetes Clusters #461

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
48 commits
Select commit Hold shift + click to select a range
0d5c8ce
Add first stable(ish) kubernetes AutoDiscovery version to the main repo
J12934 May 31, 2021
34f74fc
Add ci for auto-discovery
J12934 May 31, 2021
bbde1d6
Change job name to better fit in to the parent name prefix
J12934 May 31, 2021
477eb7a
Remove temporary workaround to install crds from local folder
J12934 May 31, 2021
ada57c5
Update go pkg paths
J12934 May 31, 2021
bec1356
Update JuiceShop example
J12934 May 31, 2021
f013c0d
Fix default scan config in auto-discovery helm config
J12934 May 31, 2021
2bd5f0b
Update docs
J12934 May 31, 2021
1830393
Update docs
J12934 May 31, 2021
3321b99
Update chart meta infos
J12934 May 31, 2021
018c8b8
Remove unused cloud build config
J12934 May 31, 2021
bb3b352
Reorder install instructions
J12934 May 31, 2021
6a45988
Fix resource inclusion mode docs
J12934 Jun 1, 2021
629e321
Use working-dir attribute instead of cd'ing into the folder
J12934 Jun 1, 2021
7a530ba
Merge branch 'main' into auto-discovery
rfelber Jun 3, 2021
b795dee
Move default image used to docker hub
J12934 Jun 4, 2021
8245dc5
Acutally use mounted config file in auto-discovery
J12934 Jun 4, 2021
7b4c125
Fix config
J12934 Jun 4, 2021
d441d97
Move to v3.0.0-beta1
J12934 Jun 4, 2021
83fc931
Generate helm-docs
J12934 Jun 4, 2021
9e31165
Improve consistency in AutoDiscovery spelling
J12934 Jun 15, 2021
c15b9ea
Merge branch 'main' into auto-discovery
J12934 Jul 2, 2021
005a0db
Updating Helm Docs
J12934 Jul 2, 2021
ecb305d
Update golang style license headers
J12934 Jul 9, 2021
2d0149a
Fix code comment
J12934 Jul 9, 2021
ba4dcb8
Clear up comment
J12934 Jul 9, 2021
533cf5d
Add license headers
J12934 Jul 9, 2021
a2888a5
Fix typo in operator docs
J12934 Jul 9, 2021
a8d13d5
tmp
J12934 Jul 9, 2021
d54994d
Merge branch 'main' into auto-discovery
J12934 Jul 9, 2021
7038879
Regenerate readmes after typo fixes
J12934 Jul 9, 2021
d3f7d14
Split core helm-doc jobs
J12934 Jul 9, 2021
865fad4
Verify checksum of helm-docs installation
J12934 Jul 9, 2021
b0dc489
Move helm-docs to /usr/local/bin
J12934 Jul 9, 2021
1718513
Move with sudo
J12934 Jul 9, 2021
f8db10c
Use helm-docs from user path
J12934 Jul 9, 2021
3dc7d63
Updating Helm Docs
J12934 Jul 9, 2021
49d815d
Remove the word scanType from deployment section
J12934 Jul 9, 2021
a658d4a
Updating Helm Docs
J12934 Jul 9, 2021
c3083c3
Expose pod resources and securityContext settings via helm
J12934 Jul 9, 2021
e5c8cd9
Updating Helm Docs
J12934 Jul 9, 2021
4cc8630
Add small note on the checksum
J12934 Jul 9, 2021
de6f136
Move helm-docs to /usr/local/bin instead of /usr/bin
J12934 Jul 9, 2021
f63235a
Include Development section in new readme
J12934 Jul 9, 2021
0db3ad1
Remove old REAME gotmpl
J12934 Jul 9, 2021
bfdfc3d
Updating Helm Docs
J12934 Jul 9, 2021
808998d
Trigger CI
J12934 Jul 9, 2021
cd82b68
Merge branch 'main' into auto-discovery
J12934 Jul 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions .github/workflows/ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,58 @@ jobs:
repository: ${{ env.DOCKER_NAMESPACE }}/${{ matrix.component }}
readme-filepath: ./${{ matrix.component }}/docs/README.DockerHub-Core.md

# ---- Build Stage | AutoDiscovery ----

auto-discovery-kubernetes:
name: "AutoDiscovery | Kubernetes"
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2

- name: Go Setup
uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}

- name: Lint Go Code
working-directory: ./auto-discovery/kubernetes
run: |
go fmt ./...
go vet ./...

- name: Test
working-directory: ./auto-discovery/kubernetes/
run: make test

- name: Docker Meta
id: docker_meta
uses: crazy-max/ghaction-docker-meta@v1
with:
images: ${{ env.DOCKER_NAMESPACE }}/auto-discovery-kubernetes
tag-sha: true
tag-semver: |
{{ version }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1

- name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}

- name: Build and Push
uses: docker/build-push-action@v2
with:
context: ./auto-discovery/kubernetes/
file: ./auto-discovery/kubernetes/Dockerfile
platforms: linux/amd64
push: true
tags: ${{ steps.docker_meta.outputs.tags }}
labels: ${{ steps.docker_meta.outputs.labels }}

# ---- Build Stage | SDK Matrix ----

sdk:
Expand Down
40 changes: 28 additions & 12 deletions .github/workflows/helm-docs.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,14 +30,19 @@ jobs:
cd helm-docs

curl --output helm-docs.tar.gz --location https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
# Checksum must be extracted from the checksum file every time helm-docs gets updated.
echo "a352e13a8438045b8ed138b821cb757c177acd999c1af77345152d7a64b0ddb7 helm-docs.tar.gz" | shasum --check

tar -xvf helm-docs.tar.gz
# Verify installation
./helm-docs --version

sudo mv helm-docs /usr/local/bin/helm-docs

- name: Generate Helm Docs
run: |
# Generate README.md based on Chart.yaml and template
./helm-docs/helm-docs --template-files=./.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./.helm-docs/README.md.gotmpl
helm-docs --template-files=./.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./.helm-docs/README.md.gotmpl

- name: Generate Demo-Apps Docs
run: |
Expand All @@ -51,8 +56,8 @@ jobs:
cd "${dir}" || exit
if [ -d "docs" ]; then
echo "Docs Folder found at: ${dir}/docs"
./../../helm-docs/helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.DockerHub-Target.md.gotmpl --output-file=docs/README.DockerHub-Target.md
./../../helm-docs/helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.ArtifactHub.md.gotmpl --output-file=docs/README.ArtifactHub.md
helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.DockerHub-Target.md.gotmpl --output-file=docs/README.DockerHub-Target.md
helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.ArtifactHub.md.gotmpl --output-file=docs/README.ArtifactHub.md
else
echo "Ignoring Docs creation process for Chart $dir, because no `docs` folder found at: ${dir}/docs"
fi
Expand All @@ -71,8 +76,8 @@ jobs:
cd "${dir}" || exit
if [ -d "docs" ]; then
echo "Docs Folder found at: ${dir}/docs"
./../../helm-docs/helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.DockerHub-Hook.md.gotmpl --output-file=docs/README.DockerHub-Hook.md
./../../helm-docs/helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.ArtifactHub.md.gotmpl --output-file=docs/README.ArtifactHub.md
helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.DockerHub-Hook.md.gotmpl --output-file=docs/README.DockerHub-Hook.md
helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.ArtifactHub.md.gotmpl --output-file=docs/README.ArtifactHub.md
else
echo "Ignoring Docs creation process for Chart $dir, because no `docs` folder found at: ${dir}/docs"
fi
Expand All @@ -93,35 +98,46 @@ jobs:
echo "Docs Folder found at: ${dir}/docs"
if [ -d "parser" ]; then
echo "Parser found at: ${dir}/parser"
./../../helm-docs/helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.DockerHub-Parser.md.gotmpl --output-file=docs/README.DockerHub-Parser.md
helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.DockerHub-Parser.md.gotmpl --output-file=docs/README.DockerHub-Parser.md
fi
if [ -d "scanner" ]; then
echo "Scanner found at: ${dir}/parser"
./../../helm-docs/helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.DockerHub-Scanner.md.gotmpl --output-file=docs/README.DockerHub-Scanner.md
helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.DockerHub-Scanner.md.gotmpl --output-file=docs/README.DockerHub-Scanner.md
fi
./../../helm-docs/helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.ArtifactHub.md.gotmpl --output-file=docs/README.ArtifactHub.md
helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.ArtifactHub.md.gotmpl --output-file=docs/README.ArtifactHub.md
else
echo "Ignoring Docs creation process for Chart $dir, because no `docs` folder found at: ${dir}/docs"
fi
)
done

- name: Generate Core Docs
- name: Generate Core (Operator) Docs
run: |
# Start in the operator folder
cd operator
if [ -d "docs" ]; then
echo "Docs Folder found at: operator/docs"
./../helm-docs/helm-docs --template-files=./../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../.helm-docs/README.DockerHub-Core.md.gotmpl --output-file=docs/README.DockerHub-Core.md
./../helm-docs/helm-docs --template-files=./../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../.helm-docs/README.ArtifactHub.md.gotmpl --output-file=docs/README.ArtifactHub.md
helm-docs --template-files=./../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../.helm-docs/README.DockerHub-Core.md.gotmpl --output-file=docs/README.DockerHub-Core.md
helm-docs --template-files=./../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../.helm-docs/README.ArtifactHub.md.gotmpl --output-file=docs/README.ArtifactHub.md
else
echo "Ignoring Docs creation process for Chart $dir, because no `docs` folder found at: operator/docs"
fi
- name: Generate Core (AutoDiscovery Kubernetes) Docs
run: |
cd auto-discovery/kubernetes
if [ -d "docs" ]; then
echo "Docs Folder found at: auto-discovery/kubernetes/docs"
helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.DockerHub-Core.md.gotmpl --output-file=docs/README.DockerHub-Core.md
helm-docs --template-files=./../../.helm-docs/templates.gotmpl --template-files=.helm-docs.gotmpl --template-files=./../../.helm-docs/README.ArtifactHub.md.gotmpl --output-file=docs/README.ArtifactHub.md
else
echo "Ignoring Docs creation process for Chart $dir, because no `docs` folder found at: auto-discovery/kubernetes/docs"
fi

- name: Remove Helm Docs Files
run: |
# Remove helm-docs download to ensure they don't get commited back
# Remove helm-docs download to ensure they don't get committed back
rm -rf helm-docs

- uses: stefanzweifel/git-auto-commit-action@v4.11.0
with:
commit_message: Updating Helm Docs
Expand Down
2 changes: 1 addition & 1 deletion .helm-docs/README.DockerHub-Core.md.gotmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ SPDX-License-Identifier: Apache-2.0
{{ template "extra.dockerDeploymentSection" . }}

## How to use this image
This `core` image is intended to work in combination with the OWASP secureCodeBox. For more informations details please take a look at the documentation page: {{ template "chart.homepage" . }}.
This `core` image is intended to work in combination with the OWASP secureCodeBox. For more information details please take a look at the documentation page: {{ template "chart.homepage" . }}.

```bash
docker pull securecodebox/{{ template "chart.name" . }}
Expand Down
2 changes: 1 addition & 1 deletion .helm-docs/README.DockerHub-Hook.md.gotmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ SPDX-License-Identifier: Apache-2.0
{{ template "extra.dockerDeploymentSection" . }}

## How to use this image
This `hook` image is intended to work in combination with other `parser` images to read or manipulate `findings` results. For more informations details please take a look at the [project page][scb-docs] or [documentation page][{{ template "chart.homepage" . }}].
This `hook` image is intended to work in combination with other `parser` images to read or manipulate `findings` results. For more information details please take a look at the [project page][scb-docs] or [documentation page][{{ template "chart.homepage" . }}].

```bash
docker pull securecodebox/hook-{{ template "chart.name" . }}
Expand Down
2 changes: 1 addition & 1 deletion .helm-docs/README.DockerHub-Parser.md.gotmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ SPDX-License-Identifier: Apache-2.0
{{ template "extra.dockerDeploymentSection" . }}

## How to use this image
This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more informations details please take a look at the documentation page: {{ template "chart.homepage" . }}.
This `parser` image is intended to work in combination with the corresponding security scanner docker image to parse the `findings` results. For more information details please take a look at the documentation page: {{ template "chart.homepage" . }}.

```bash
docker pull securecodebox/parser-{{ template "chart.name" . }}
Expand Down
2 changes: 1 addition & 1 deletion .helm-docs/README.DockerHub-Scanner.md.gotmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ SPDX-License-Identifier: Apache-2.0
{{ template "extra.dockerDeploymentSection" . }}

## How to use this image
This `scanner` image is intended to work in combination with the corresponding `parser` image to parse the scanner `findings` to generic secureCodeBox results. For more informations details please take a look at the [project page][scb-docs] or [documentation page][{{ template "chart.homepage" . }}].
This `scanner` image is intended to work in combination with the corresponding `parser` image to parse the scanner `findings` to generic secureCodeBox results. For more information details please take a look at the [project page][scb-docs] or [documentation page][{{ template "chart.homepage" . }}].

```bash
docker pull securecodebox/scanner-{{ template "chart.name" . }}
Expand Down
2 changes: 1 addition & 1 deletion .helm-docs/README.DockerHub-Target.md.gotmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ SPDX-License-Identifier: Apache-2.0
{{ template "extra.dockerDeploymentSection" . }}

## How to use this image
This image is an potentialy vulnerable service or application which is used for demo purposes, automated tests and trainings.
This image is a potentially vulnerable service or application which is used for demo purposes, automated tests and trainings.

```bash
docker pull securecodebox/{{ template "chart.name" . }}
Expand Down
6 changes: 3 additions & 3 deletions .helm-docs/templates.gotmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,12 +18,12 @@ SPDX-License-Identifier: Apache-2.0
<!--
.: IMPORTANT! :.
--------------------------
This file is generated automaticaly with `helm-docs` based on the following template files:
This file is generated automatically with `helm-docs` based on the following template files:
- ./.helm-docs/templates.gotmpl (general template data for all charts)
- ./chart-folder/.helm-docs.gotmpl (chart specific template data)

Please be aware of that and apply your changes only within those template files instead of this file.
Otherwise your changes will be reverted/overriden automaticaly due to the build process `./.github/workflows/helm-docs.yaml`
Otherwise your changes will be reverted/overwritten automatically due to the build process `./.github/workflows/helm-docs.yaml`
--------------------------
-->
{{- end }}
Expand All @@ -49,7 +49,7 @@ You can find resources to help you get started on our [documentation website](ht

{{- define "extra.chartDeploymentSection" -}}
## Deployment
The {{ template "chart.name" . }} `scanType` can be deployed via helm:
The {{ template "chart.name" . }} chart can be deployed via helm:

```bash
# Install HelmChart (use -n to configure another namespace)
Expand Down
10 changes: 10 additions & 0 deletions auto-discovery/kubernetes/.dockerignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
# SPDX-FileCopyrightText: 2021 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
# Ignore all files which are not go type
!**/*.go
!**/*.mod
!**/*.sum
auto-discovery-config.yaml
28 changes: 28 additions & 0 deletions auto-discovery/kubernetes/.gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
# SPDX-FileCopyrightText: 2021 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib
bin
testbin/*

# Test binary, build with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out

# Kubernetes Generated files - skip generated files, except for vendored files

!vendor/**/zz_generated.*

# editor and IDE paraphernalia
.idea
*.swp
*.swo
*~
131 changes: 131 additions & 0 deletions auto-discovery/kubernetes/.helm-docs.gotmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,131 @@
{{- /*
SPDX-FileCopyrightText: 2020 iteratec GmbH

SPDX-License-Identifier: Apache-2.0
*/ -}}

{{- define "extra.docsSection" -}}
---
title: "secreCodeBox AutoDiscovery for Kubernetes"
category: "core"
type: "AutoDiscovery"
state: "released"
appVersion: "{{ template "chart.appVersion" . }}"
usecase: "secureCodeBox AutoDiscovery for Kubernetes discovers and starts scans for apps running in the cluster."
---

![auto-discovery logo](https://docs.securecodebox.io/img/Logo_Color.svg)

The secureCodeBox _AutoDiscovery_ is running on kubernetes (K8S) and is an optional component of the complete secureCodeBox stack.
The Kubernetes AutoDiscovery needs to be deployed along side the secureCodeBox Operator. It monitors security relevant resources inside a K8S environment and automatically create scans to continuously monitor security aspects of the resources.

<!-- end -->

The AutoDiscovery controller will automatically detect these new resources (services) and start secureCodeBox _scans_ for them:

1. A ZAP Baseline Scan to detect basic web vulnerabilities in the service. (Using OWASP ZAP)
2. (WIP) A image scan scanning for vulnerable libraries in the docker / container image of the deployment. (Using trivy)
3. (WIP) A TLS Scan against the certificate of the ingress for the host. (Using SSLyze)

The AutoDiscovery automatically tracks the lifecycle of the kubernetes resources and will automatically start new scans for new application versions.
{{- end }}

{{- define "extra.dockerDeploymentSection" -}}
{{- end }}

{{- define "extra.chartAboutSection" -}}
## Example

<p align="center">
<img width="950" src="./auto-discovery-demo.svg" alt="AutoDiscovery CLI Example">
</p>

This example deploys [JuiceShop](https://owasp.org/www-project-juice-shop/) to a new Kubernetes Namespace.
(You can find the kubernetes manifests for the deployment [here](./demo/juice-shop.yaml))

The AutoDiscovery will automatically pick up this new deployment and then starts a OWASP ZAP Scan against it.
The scan created uses our `zap-advanced` ScanType by default, this can be changed with the `config.serviceAutoDiscovery.scanConfig.scanType` config on the autoDiscovery helm release.
{{- end }}

{{- define "extra.scannerConfigurationSection" -}}
{{- end }}

{{- define "extra.chartConfigurationSection" -}}
### In / Excluding Resources from the AutoDiscovery

The AutoDiscovery allows different modes to determine if a resource is supposed to be scanned.
These modes allow you to gradually roll out the AutoDiscovery in a cluster.
This allows to roll it out in cluster without a "big bang" where the AutoDiscovery starts a scan for every app in the cluster which would likely exhaust the clusters compute resources.

The three different modes are:

1. `enabled-per-namespace` (default): [See section](#enabled-per-namespace-mode-default)
2. `enabled-per-resource`: [See section](#enabled-per-resource-mode)
3. `scan-all`: [See section](#scan-all-mode)

#### Enabled per Namespace Mode (default)

Enable this by setting `config.resourceInclusion.mode=enable-per-namespace`.

This mode will start scans for resources in namespaces with the annotation `auto-discovery.securecodebox.io/enabled=true`.

```bash
# enable AutoDiscovery in namespace "juice-shop"
kubectl annotate namespace juice-shop auto-discovery.securecodebox.io/enabled=true
```

If you want to exclude a certain resource in a otherwise AutoDiscovery enabled namespace, you can exclude it by annotating it with `auto-discovery.securecodebox.io/ignore=true`.

```bash
# disable AutoDiscovery for service "foobar"
kubectl -n juice-shop annotate service foobar auto-discovery.securecodebox.io/ignore=true
```

#### Enabled per Resource Mode

Enable this by setting `config.resourceInclusion.mode=enabled-per-resource`.

This mode will start scans for every resources with the annotation `auto-discovery.securecodebox.io/enabled=true`.

```bash
# enable AutoDiscovery for service "juice-shop"
kubectl -n juice-shop annotate service juice-shop auto-discovery.securecodebox.io/enabled=true
```

#### Scan All Mode

Enable this by setting `config.resourceInclusion.mode=scan-all`.

This mode will start scans for **every** resources in the cluster **unless** it has the annotation `auto-discovery.securecodebox.io/ignore=true`.

> ⚠️ Using this setting in larger cluster will likely start a large number of scans in the cluster. This could block all available compute resource in your cluster and seriously affect your applications availability.

```bash
# *disable* AutoDiscovery for service "juice-shop"
kubectl -n juice-shop annotate service juice-shop auto-discovery.securecodebox.io/ignore=true
```

{{- end }}

{{- define "extra.scannerLinksSection" -}}
## Development

### Run the AutoDiscovery locally

To avoid having to build & deploy the AutoDiscovery every time you make a code change you can run it locally.
It automatically connects to your current cluster configured in your kube config.

```bash
make run
```

### Running the tests

```bash
# execute the tests locally
make test

# view the test coverage
go tool cover -html=cover.out
```
{{- end }}
Loading