Merged
20 commits
4bc22cf
Amass: refactor values according to new spec
EndPositive Jun 9, 2021
86ecccd
Angular CSTI: refactor values according to new spec
EndPositive Jun 9, 2021
dab7a37
Git Repo Scanner: refactor values according to new spec
EndPositive Jun 9, 2021
e24e88c
Gitleaks: refactor values according to new spec
EndPositive Jun 9, 2021
d613f2f
Kube Hunter: refactor values according to new spec
EndPositive Jun 9, 2021
d72ae27
Kubeaudit: refactor values according to new spec
EndPositive Jun 9, 2021
ff05fd5
Ncrack: refactor values according to new spec
EndPositive Jun 9, 2021
c8c72d2
Nikto: refactor values according to new spec
EndPositive Jun 9, 2021
2c52eeb
Nmap: refactor values according to new spec
EndPositive Jun 9, 2021
7b34166
Screenshooter: refactor values according to new spec & add chart.valu…
EndPositive Jun 9, 2021
2b7cd09
Ssh-scan: refactor values according to new spec
EndPositive Jun 9, 2021
f17f715
Sslyze: refactor values according to new spec
EndPositive Jun 9, 2021
241e54c
Test-scan: refactor values according to new spec
EndPositive Jun 9, 2021
5fca6e4
Trivy: refactor values according to new spec
EndPositive Jun 9, 2021
a54f88a
Wpscan: refactor values according to new spec
EndPositive Jun 9, 2021
ba94642
Zap: refactor values according to new spec
EndPositive Jun 9, 2021
58159f7
Zap-advanced: refactor values according to new spec
EndPositive Jun 9, 2021
640d8bd
Merge branch 'main' into maintanance/helmchart-values-consistency-sca…
EndPositive Jun 9, 2021
db6d53e
Docs: update docs where old spec is referenced
EndPositive Jun 9, 2021
ee6f6ea
CI: refactor scanner setting values
EndPositive Jun 9, 2021
130 changes: 65 additions & 65 deletions .github/workflows/ci.yaml

Large diffs are not rendered by default.

26 changes: 13 additions & 13 deletions scanners/amass/README.md
Expand Up @@ -39,19 +39,19 @@ Special command line options:

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| image.repository | string | `"caffix/amass"` | Container Image to run the scan |
| image.tag | string | `nil` | defaults to the charts appVersion |
| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| parserImage.repository | string | `"docker.io/securecodebox/parser-amass"` | Parser image repository |
| parserImage.tag | string | defaults to the charts version | Parser image tag |
| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
| scannerJob.extraVolumeMounts | list | `[{"mountPath":"/amass/output/config.ini","name":"amass-config","subPath":"config.ini"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scannerJob.extraVolumes | list | `[{"configMap":{"name":"amass-config"},"name":"amass-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| parser.image.repository | string | `"docker.io/securecodebox/parser-amass"` | Parser image repository |
| parser.image.tag | string | defaults to the charts version | Parser image tag |
| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
| scanner.extraVolumeMounts | list | `[{"mountPath":"/amass/output/config.ini","name":"amass-config","subPath":"config.ini"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scanner.extraVolumes | list | `[{"configMap":{"name":"amass-config"},"name":"amass-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scanner.image.repository | string | `"caffix/amass"` | Container Image to run the scan |
| scanner.image.tag | string | `nil` | defaults to the charts appVersion |
| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |

[owasp_amass_project]: https://owasp.org/www-project-amass/
[amass github]: https://github.com/OWASP/Amass
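Review bot: the Default column is inconsistent for the two image tags in this table: `parser.image.tag` shows "defaults to the charts version" while `scanner.image.tag` shows `nil` with the default only mentioned in the Description. Since this table is generated from the `# @default --` annotations in values.yaml, fix it there (add the annotation to `scanner.image.tag`) and regenerate rather than editing the README by hand.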
4 changes: 2 additions & 2 deletions scanners/amass/templates/amass-parse-definition.yaml
Expand Up @@ -7,5 +7,5 @@ kind: ParseDefinition
metadata:
name: "amass-jsonl"
spec:
image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}"
ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }}
image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
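Review bot: `ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}` is rendered unconditionally, so with the default `null` it emits an empty value, whereas the scan type template guards the same field with `{{- if .Values.scanner.ttlSecondsAfterFinished }}`. Wrap this line in the same `{{- if .Values.parser.ttlSecondsAfterFinished }} ... {{- end }}` guard so both templates behave identically when the value is unset.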
22 changes: 11 additions & 11 deletions scanners/amass/templates/amass-scan-type.yaml
Expand Up @@ -13,34 +13,34 @@ spec:
location: "/home/securecodebox/amass-results.jsonl"
jobTemplate:
spec:
{{- if .Values.scannerJob.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
{{- if .Values.scanner.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
{{- end }}
backoffLimit: {{ .Values.scannerJob.backoffLimit }}
backoffLimit: {{ .Values.scanner.backoffLimit }}
template:
spec:
restartPolicy: OnFailure
containers:
- name: amass
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
command:
- "amass"
- "enum"
- "-json"
- "/home/securecodebox/amass-results.jsonl"
resources:
{{- toYaml .Values.scannerJob.resources | nindent 16 }}
{{- toYaml .Values.scanner.resources | nindent 16 }}
securityContext:
{{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
{{- toYaml .Values.scanner.securityContext | nindent 16 }}
env:
{{- toYaml .Values.scannerJob.env | nindent 16 }}
{{- toYaml .Values.scanner.env | nindent 16 }}
volumeMounts:
{{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
{{- if .Values.scannerJob.extraContainers }}
{{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
{{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
{{- if .Values.scanner.extraContainers }}
{{- toYaml .Values.scanner.extraContainers | nindent 12 }}
{{- end }}
volumes:
{{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
{{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
---
apiVersion: v1
kind: ConfigMap
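Review bot: renaming `image.*` to `scanner.image.*` and `scannerJob.*` to `scanner.*` is a breaking change for anyone carrying values overrides; a user who still sets `scannerJob.securityContext` or `scannerJob.resources` will silently get the `{}` defaults rendered here, losing their hardening without any error. Consider a guard at the top of the template, e.g. `{{- if or .Values.scannerJob .Values.image }}{{ fail "scannerJob/image values were renamed to scanner.*" }}{{- end }}`, so stale overrides fail at install time instead of being ignored.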
47 changes: 23 additions & 24 deletions scanners/amass/values.yaml
Expand Up @@ -2,31 +2,30 @@
#
# SPDX-License-Identifier: Apache-2.0

image:
# image.repository -- Container Image to run the scan
repository: caffix/amass
# image.tag -- defaults to the charts appVersion
tag: null

parserImage:
# parserImage.repository -- Parser image repository
repository: docker.io/securecodebox/parser-amass
# parserImage.tag -- Parser image tag
# @default -- defaults to the charts version
tag: null

parseJob:
# parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
parser:
image:
# parser.image.repository -- Parser image repository
repository: docker.io/securecodebox/parser-amass
# parser.image.tag -- Parser image tag
# @default -- defaults to the charts version
tag: null

# parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
ttlSecondsAfterFinished: null

scannerJob:
# scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
scanner:
image:
# scanner.image.repository -- Container Image to run the scan
repository: caffix/amass
# scanner.image.tag -- defaults to the charts appVersion
tag: null
# scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
ttlSecondsAfterFinished: null
# scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
# scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
# @default -- 3
backoffLimit: 3

# scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
# scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
resources: {}
# resources:
# requests:
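Review bot: `scanner.image.tag` loses the `# @default --` annotation that `parser.image.tag` carries, so helm-docs renders its Default column as `nil` while the comment says it defaults to the chart's appVersion. Add `# @default -- defaults to the charts appVersion` above `tag: null` under `scanner.image`, matching the parser block.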
Expand All @@ -36,23 +35,23 @@ scannerJob:
# memory: "512Mi"
# cpu: "500m"

# scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
# scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []

# scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
# scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes:
- name: "amass-config"
configMap:
name: "amass-config"

# scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
# scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumeMounts:
- name: "amass-config"
mountPath: "/amass/output/config.ini"
subPath: "config.ini"

# scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
# scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
extraContainers: []

# scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
# scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
securityContext: {}
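Review bot: `scanner.securityContext: {}` ships without the commented example that `scanner.resources` gets above, so users have no hint of what a hardened value looks like. Add a commented block such as `# securityContext:` / `#   runAsNonRoot: true` / `#   readOnlyRootFilesystem: true` next to the empty default, in the same style as the resources example.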
24 changes: 12 additions & 12 deletions scanners/angularjs-csti-scanner/README.md
Expand Up @@ -134,15 +134,15 @@ options.scope.request_methods = [

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| image.repository | string | `"docker.io/securecodebox/scanner-angularjs-csti-scanner"` | Container Image to run the scan |
| image.tag | string | `nil` | defaults to the charts version |
| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| parserImage.repository | string | `"docker.io/securecodebox/parser-angularjs-csti-scanner"` | Parser image repository |
| parserImage.tag | string | defaults to the charts version | Parser image tag |
| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| parser.image.repository | string | `"docker.io/securecodebox/parser-angularjs-csti-scanner"` | Parser image repository |
| parser.image.tag | string | defaults to the charts version | Parser image tag |
| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scanner.image.repository | string | `"docker.io/securecodebox/scanner-angularjs-csti-scanner"` | Container Image to run the scan |
| scanner.image.tag | string | `nil` | defaults to the charts version |
| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
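Review bot: `scanner.image.tag` is documented as "defaults to the charts version", but the scan type template in this PR resolves it with `.Chart.AppVersion`, not `.Chart.Version`. Correct the description (and the matching comment in values.yaml, from which this table is generated) to "defaults to the charts appVersion", as the amass README already states.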
Expand Up @@ -7,5 +7,5 @@ kind: ParseDefinition
metadata:
name: "acstis-log"
spec:
image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}"
ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }}
image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
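Review bot: as in the amass parse definition, `ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}` is emitted even when the value is `null`; guard it with `{{- if .Values.parser.ttlSecondsAfterFinished }} ... {{- end }}` to match the scan type template.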
Expand Up @@ -12,31 +12,31 @@ spec:
location: "/home/securecodebox/findings.log"
jobTemplate:
spec:
{{- if .Values.scannerJob.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
{{- if .Values.scanner.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
{{- end }}
backoffLimit: 3
template:
spec:
restartPolicy: OnFailure
containers:
- name: acstis-scanner
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
command:
- "sh"
- "/wrapper.sh"
- "-vrl"
- "/home/securecodebox/findings.log"
resources:
{{- toYaml .Values.scannerJob.resources | nindent 16 }}
{{- toYaml .Values.scanner.resources | nindent 16 }}
securityContext:
{{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
{{- toYaml .Values.scanner.securityContext | nindent 16 }}
env:
{{- toYaml .Values.scannerJob.env | nindent 16 }}
{{- toYaml .Values.scanner.env | nindent 16 }}
volumeMounts:
{{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
{{- if .Values.scannerJob.extraContainers }}
{{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
{{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
{{- if .Values.scanner.extraContainers }}
{{- toYaml .Values.scanner.extraContainers | nindent 12 }}
{{- end }}
volumes:
{{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
{{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
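Review bot: `backoffLimit: 3` remains hardcoded in this template while the amass scan type reads `{{ .Values.scanner.backoffLimit }}`. Since this PR is meant to align all charts with the new values spec, expose `scanner.backoffLimit` in this chart's values.yaml (with the same `# @default -- 3` comment) and reference it here, so the README table and behaviour match the other scanners.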