From 076d3d84729d7aafcb3125ed17c8c68c2817ce4d Mon Sep 17 00:00:00 2001
From: Robert Seedorff
Date: Mon, 28 Sep 2020 13:16:29 +0200
Subject: [PATCH 1/3] Trying to support helm2 in parallel to helm3 (WIP).

---
 .github/workflows/helm-charts.yaml | 29 ++++++++++++++++++++++++++---
 operator/helm2.Chart.yaml | 8 ++++++++
 operator/helm2.requirements.lock | 6 ++++++
 operator/helm2.requirements.yaml | 5 +++++
 4 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 operator/helm2.Chart.yaml
 create mode 100644 operator/helm2.requirements.lock
 create mode 100644 operator/helm2.requirements.yaml

diff --git a/.github/workflows/helm-charts.yaml b/.github/workflows/helm-charts.yaml
index 655fa538..ca5f7805 100644
--- a/.github/workflows/helm-charts.yaml
+++ b/.github/workflows/helm-charts.yaml
@@ -13,19 +13,42 @@ jobs:
 sudo snap install yq
 - name: Parse Tag
 run: echo ::set-env name=RELEASE_VERSION::${GITHUB_REF#refs/*/}
- - name: "Publish Helm Chart"
+ - name: "Publish Helm3 Charts"
 env:
 HELM_REGISTRY: https://charts.securecodebox.io
 USERNAME: ${{ secrets.HELM_REGISTRY_USERNAME }}
 PASSWORD: ${{ secrets.HELM_REGISTRY_PASSWORD }}
 run: |
- # Publish charts in all folders containing a `Chart.yaml` file
+ # Publish all helm3 charts in all folders containing a `Chart.yaml` file
 # https://github.com/koalaman/shellcheck/wiki/SC2044
 find . -type f -name Chart.yaml -print0 | while IFS= read -r -d '' chart; do
 (
 dir="$(dirname "${chart}")"
 cd "${dir}" || exit
- echo "Processing Chart in $dir"
+ echo "Processing Helm3 Chart in $dir"
+ helm package --version $RELEASE_VERSION .
+ NAME=$(yq read - name < Chart.yaml)
+ curl --silent --show-error --user "${USERNAME}:${PASSWORD}" --data-binary "@${NAME}-${RELEASE_VERSION}.tgz" "${HELM_REGISTRY}/api/charts"
+ )
+ done
+ - name: "Publish Helm2 Charts"
+ env:
+ HELM_REGISTRY: https://charts.securecodebox.io
+ USERNAME: ${{ secrets.HELM_REGISTRY_USERNAME }}
+ PASSWORD: ${{ secrets.HELM_REGISTRY_PASSWORD }}
+ run: |
+ # Publish all helm2 charts in all folders containing a `helm2.Chart.yaml` file
+ # https://github.com/koalaman/shellcheck/wiki/SC2044
+ find . -type f -name helm2.Chart.yaml -print0 | while IFS= read -r -d '' chart; do
+ (
+ dir="$(dirname "${chart}")"
+ cd "${dir}" || exit
+ mv Chart.yaml helm3.Chart.yaml
+ echo "Restoring Helm2 Chart and replace Helm3 Chart temporary"
+ mv helm2.Chart.yaml Chart.yaml
+ [ ! -f helm2.requirements.lock ] || mv helm2.requirements.lock requirements.lock
+ [ ! -f helm2.requirements.yaml ] || mv helm2.requirements.yaml requirements.yaml
+ echo "Processing Helm2 Chart in $dir"
 helm package --version $RELEASE_VERSION .
 NAME=$(yq read - name < Chart.yaml)
 curl --silent --show-error --user "${USERNAME}:${PASSWORD}" --data-binary "@${NAME}-${RELEASE_VERSION}.tgz" "${HELM_REGISTRY}/api/charts"
diff --git a/operator/helm2.Chart.yaml b/operator/helm2.Chart.yaml
new file mode 100644
index 00000000..85d698a8
--- /dev/null
+++ b/operator/helm2.Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+name: operator
+description: secureCodeBox Operator to automate the execution of security scans on kubernetes
+
+type: application
+
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
\ No newline at end of file
diff --git a/operator/helm2.requirements.lock b/operator/helm2.requirements.lock
new file mode 100644
index 00000000..19603208
--- /dev/null
+++ b/operator/helm2.requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: minio
+ repository: https://kubernetes-charts.storage.googleapis.com/
+ version: 5.0.19
+digest: sha256:13a3a902e7ac7dcc7124ab858344b5bebe9ab623d06ee9c8d5a1cc3f467a36bb
+generated: "2020-08-10T13:09:59.053995+02:00"
\ No newline at end of file
diff --git a/operator/helm2.requirements.yaml b/operator/helm2.requirements.yaml
new file mode 100644
index 00000000..332ba206
--- /dev/null
+++ b/operator/helm2.requirements.yaml
@@ -0,0 +1,5 @@
+dependencies:
+ - name: minio
+ version: 5.0.19
+ repository: https://kubernetes-charts.storage.googleapis.com/
+ condition: minio.enabled

From 138a414ef0cb6cca1c29eb7393fc1e17eab5a860 Mon Sep 17 00:00:00 2001
From: Robert Seedorff
Date: Mon, 28 Sep 2020 22:44:56 +0200
Subject: [PATCH 2/3] Extending GitHub Acions to publish HelmCharts v2 additionaly to Helm3

---
 .github/workflows/helm-charts.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/helm-charts.yaml b/.github/workflows/helm-charts.yaml
index ca5f7805..2c757f03 100644
--- a/.github/workflows/helm-charts.yaml
+++ b/.github/workflows/helm-charts.yaml
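Review bot: Neither publish step passes `--fail` to `curl`, so an HTTP error from the registry (rejected credentials, a chart that already exists, a 5xx) is printed but the command still exits 0 and the workflow reports success with charts missing from the repository; change both upload lines to `curl --fail --silent --show-error --user "${USERNAME}:${PASSWORD}" --data-binary "@${NAME}-${RELEASE_VERSION}.tgz" "${HELM_REGISTRY}/api/charts"`. The new "Publish Helm2 Charts" step is also order-dependent: it renames `Chart.yaml` to `helm3.Chart.yaml` in place and never restores it, so it only works after the Helm3 step has run and any later step that looks for `Chart.yaml` would see Helm2 metadata; a comment on the step such as `# Must run after "Publish Helm3 Charts": Chart.yaml is renamed in place and not restored` would record that constraint. `$RELEASE_VERSION` is unquoted in `helm package --version $RELEASE_VERSION .` while every other expansion in the script is quoted; `"${RELEASE_VERSION}"` keeps the style consistent. The enclosing `jobs:` block starts before the hunk.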
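Review bot: The `minio` dependency in `operator/helm2.requirements.yaml` is resolved from `https://kubernetes-charts.storage.googleapis.com/`, the legacy `stable` chart bucket that, to my knowledge, already had a public deprecation timeline when this commit was made; `helm2.requirements.lock` pins a digest, but any `helm dependency update` that regenerates it from `requirements.yaml` will fail once that repository stops serving. Consider pointing `repository` at the chart's maintained source and regenerating the lock file from it, and documenting in the file why this pin differs from the Helm3 chart if it does.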
@@ -33,7 +33,7 @@ jobs:
 done
 - name: "Publish Helm2 Charts"
 env:
- HELM_REGISTRY: https://charts.securecodebox.io
+ HELM_REGISTRY: https://charts-helm2.securecodebox.io
 USERNAME: ${{ secrets.HELM_REGISTRY_USERNAME }}
 PASSWORD: ${{ secrets.HELM_REGISTRY_PASSWORD }}
 run: |
@@ -44,8 +44,12 @@ jobs:
 dir="$(dirname "${chart}")"
 cd "${dir}" || exit
 mv Chart.yaml helm3.Chart.yaml
- echo "Restoring Helm2 Chart and replace Helm3 Chart temporary"
 mv helm2.Chart.yaml Chart.yaml
+ if [ ${dir} = "operator" ]
+ then
+ cp -R crds templates/crds
+ fi
+ echo "Restoring Helm2 Chart and replace Helm3 Chart temporary"
 [ ! -f helm2.requirements.lock ] || mv helm2.requirements.lock requirements.lock
 [ ! -f helm2.requirements.yaml ] || mv helm2.requirements.yaml requirements.yaml
 echo "Processing Helm2 Chart in $dir"

From 5a1438075bafe8adfaebc90ca7c7640179daa4dc Mon Sep 17 00:00:00 2001
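Review bot: The new `if [ ${dir} = "operator" ]` test in the second hunk never matches: `dir` is the `dirname` of a path produced by `find .`, so for the operator chart it is `./operator`, and `cp -R crds templates/crds` is silently skipped, leaving the Helm2 operator chart without its CRDs. Compare against what `find` actually yields, `if [ "${dir}" = "./operator" ]`, or use `if [ "$(basename "${dir}")" = "operator" ]`, and quote `${dir}` either way so an empty or space-containing value cannot break the test. The first hunk points the step at a second host, `charts-helm2.securecodebox.io`, while reusing `HELM_REGISTRY_USERNAME`/`HELM_REGISTRY_PASSWORD`; whether those credentials are valid for that registry is not visible here, and a dedicated secret pair per registry would keep a leaked credential confined to one of them. The enclosing `run` script and its `find | while` loop start outside the hunk.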
From: Robert Seedorff
Date: Mon, 28 Sep 2020 22:55:41 +0200
Subject: [PATCH 3/3] Added Helm2 Chart version additional to helm3.

---
 .../helm2.Chart.yaml | 8 +++++++
 hooks/generic-webhook/helm2.Chart.yaml | 8 +++++++
 .../helm2.Chart.yaml | 8 +++++++
 hooks/persistence-elastic/helm2.Chart.yaml | 10 +++++++++
 .../helm2.requirements.lock | 9 ++++++++
 .../helm2.requirements.yaml | 9 ++++++++
 hooks/update-field/helm2.Chart.yaml | 8 +++++++
 scanners/amass/helm2.Chart.yaml | 21 ++++++++++++++++++
 scanners/kube-hunter/helm2.Chart.yaml | 21 ++++++++++++++++++
 scanners/ncrack/helm2.Chart.yaml | 21 ++++++++++++++++++
 scanners/nikto/helm2.Chart.yaml | 22 +++++++++++++++++++
 scanners/nmap/helm2.Chart.yaml | 21 ++++++++++++++++++
 scanners/ssh_scan/helm2.Chart.yaml | 21 ++++++++++++++++++
 scanners/sslyze/helm2.Chart.yaml | 21 ++++++++++++++++++
 scanners/test-scan/helm2.Chart.yaml | 19 ++++++++++++++++
 scanners/trivy/helm2.Chart.yaml | 22 +++++++++++++++++++
 scanners/wpscan/helm2.Chart.yaml | 22 +++++++++++++++++++
 scanners/zap/helm2.Chart.yaml | 22 +++++++++++++++++++
 18 files changed, 293 insertions(+)
 create mode 100644 hooks/declarative-subsequent-scans/helm2.Chart.yaml
 create mode 100644 hooks/generic-webhook/helm2.Chart.yaml
 create mode 100644 hooks/imperative-subsequent-scans/helm2.Chart.yaml
 create mode 100644 hooks/persistence-elastic/helm2.Chart.yaml
 create mode 100644 hooks/persistence-elastic/helm2.requirements.lock
 create mode 100644 hooks/persistence-elastic/helm2.requirements.yaml
 create mode 100644 hooks/update-field/helm2.Chart.yaml
 create mode 100644 scanners/amass/helm2.Chart.yaml
 create mode 100644 scanners/kube-hunter/helm2.Chart.yaml
 create mode 100644 scanners/ncrack/helm2.Chart.yaml
 create mode 100644 scanners/nikto/helm2.Chart.yaml
 create mode 100644 scanners/nmap/helm2.Chart.yaml
 create mode 100644 scanners/ssh_scan/helm2.Chart.yaml
 create mode 100644 scanners/sslyze/helm2.Chart.yaml
 create mode 100644 scanners/test-scan/helm2.Chart.yaml
 create mode 100644 scanners/trivy/helm2.Chart.yaml
 create mode 100644 scanners/wpscan/helm2.Chart.yaml
 create mode 100644 scanners/zap/helm2.Chart.yaml

diff --git a/hooks/declarative-subsequent-scans/helm2.Chart.yaml b/hooks/declarative-subsequent-scans/helm2.Chart.yaml
new file mode 100644
index 00000000..7a26e4fe
--- /dev/null
+++ b/hooks/declarative-subsequent-scans/helm2.Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+name: declarative-subsequent-scans
+description: Starts possible subsequent security scans based on findings (e.g. open ports found by NMAP or subdomains found by AMASS).
+
+type: application
+
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
\ No newline at end of file
diff --git a/hooks/generic-webhook/helm2.Chart.yaml b/hooks/generic-webhook/helm2.Chart.yaml
new file mode 100644
index 00000000..c48efb7e
--- /dev/null
+++ b/hooks/generic-webhook/helm2.Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+name: generic-webhook
+description: Lets you send http webhooks after scans are completed
+
+type: application
+
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
\ No newline at end of file
diff --git a/hooks/imperative-subsequent-scans/helm2.Chart.yaml b/hooks/imperative-subsequent-scans/helm2.Chart.yaml
new file mode 100644
index 00000000..8b7d6cb3
--- /dev/null
+++ b/hooks/imperative-subsequent-scans/helm2.Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+name: imperative-subsequent-scans
+description: Starts possible subsequent security scans based on findings (e.g. open ports found by NMAP or subdomains found by AMASS).
+
+type: application
+
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
\ No newline at end of file
diff --git a/hooks/persistence-elastic/helm2.Chart.yaml b/hooks/persistence-elastic/helm2.Chart.yaml
new file mode 100644
index 00000000..9b4c102e
--- /dev/null
+++ b/hooks/persistence-elastic/helm2.Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+name: persistence-elastic
+description: The elastic persistence provider persists secureCodeBox findings into the elastic stack.
+
+type: application
+
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+
+appVersion: 7.6.1
\ No newline at end of file
diff --git a/hooks/persistence-elastic/helm2.requirements.lock b/hooks/persistence-elastic/helm2.requirements.lock
new file mode 100644
index 00000000..f046652e
--- /dev/null
+++ b/hooks/persistence-elastic/helm2.requirements.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: elasticsearch
+ repository: https://helm.elastic.co
+ version: 7.6.1
+- name: kibana
+ repository: https://helm.elastic.co
+ version: 7.6.1
+digest: sha256:7d3461d986f620421f775f9ecaf73af2565ace9d909a8134c4259c5206f1f89c
+generated: "2020-03-17T15:09:24.838784+01:00"
diff --git a/hooks/persistence-elastic/helm2.requirements.yaml b/hooks/persistence-elastic/helm2.requirements.yaml
new file mode 100644
index 00000000..23216808
--- /dev/null
+++ b/hooks/persistence-elastic/helm2.requirements.yaml
@@ -0,0 +1,9 @@
+dependencies:
+ - name: elasticsearch
+ version: 7.6.1
+ repository: https://helm.elastic.co
+ condition: elasticsearch.enabled
+ - name: kibana
+ version: 7.6.1
+ repository: https://helm.elastic.co
+ condition: kibana.enabled
diff --git a/hooks/update-field/helm2.Chart.yaml b/hooks/update-field/helm2.Chart.yaml
new file mode 100644
index 00000000..18476835
--- /dev/null
+++ b/hooks/update-field/helm2.Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+name: update-field-hook
+description: Lets you add or override a field to every finding
+
+type: application
+
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
\ No newline at end of file
diff --git a/scanners/amass/helm2.Chart.yaml b/scanners/amass/helm2.Chart.yaml
new file mode 100644
index 00000000..2653ba04
--- /dev/null
+++ b/scanners/amass/helm2.Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+name: amass
+description: A Helm chart for the Amass security scanner that integrates with the secureCodeBox.
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+appVersion: 3.10.3
+
+keywords:
+ - security
+ - amass
+ - scanner
+ - secureCodeBox
+home: https://www.securecodebox.io/scanners/amass
+icon: https://www.securecodebox.io/scannerIcons/Amass.svg
+sources:
+ - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+ - name: iteratec GmbH
+ email: security@iteratec.com
diff --git a/scanners/kube-hunter/helm2.Chart.yaml b/scanners/kube-hunter/helm2.Chart.yaml
new file mode 100644
index 00000000..69fc6601
--- /dev/null
+++ b/scanners/kube-hunter/helm2.Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+name: kube-hunter
+description: A Helm chart for the kube-hunter security scanner that integrates with the secureCodeBox.
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+appVersion: v0.3.0
+
+keywords:
+ - security
+ - kube-hunter
+ - scanner
+ - secureCodeBox
+home: https://www.securecodebox.io/scanners/kube-hunter
+icon: https://www.securecodebox.io/scannerIcons/kube-hunter.svg
+sources:
+ - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+ - name: iteratec GmbH
+ email: security@iteratec.com
diff --git a/scanners/ncrack/helm2.Chart.yaml b/scanners/ncrack/helm2.Chart.yaml
new file mode 100644
index 00000000..98116391
--- /dev/null
+++ b/scanners/ncrack/helm2.Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+name: ncrack
+description: A Helm chart for the NCRACK security Scanner that integrates with the secureCodeBox.
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+appVersion: 0.7
+
+keywords:
+ - security
+ - ncrack
+ - scanner
+ - secureCodeBox
+home: https://www.securecodebox.io/scanners/ncrack
+icon: https://www.securecodebox.io/scannerIcons/Ncrack.svg
+sources:
+ - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+ - name: iteratec GmbH
+ email: security@iteratec.com
diff --git a/scanners/nikto/helm2.Chart.yaml b/scanners/nikto/helm2.Chart.yaml
new file mode 100644
index 00000000..23c9ddd5
--- /dev/null
+++ b/scanners/nikto/helm2.Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+name: nikto
+description: A Helm chart for the Nikto security scanner that integrates with the secureCodeBox.
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+# appVersion - Nikto doesn't really version its releases
+appVersion: latest
+
+keywords:
+ - security
+ - nikto
+ - scanner
+ - secureCodeBox
+home: https://www.securecodebox.io/scanners/nikto
+icon: https://www.securecodebox.io/scannerIcons/Nikto.svg
+sources:
+ - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+ - name: iteratec GmbH
+ email: security@iteratec.com
diff --git a/scanners/nmap/helm2.Chart.yaml b/scanners/nmap/helm2.Chart.yaml
new file mode 100644
index 00000000..e0cb91ea
--- /dev/null
+++ b/scanners/nmap/helm2.Chart.yaml
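Review bot: `appVersion: 0.7` in `scanners/ncrack/helm2.Chart.yaml` is an unquoted scalar that YAML parsers read as the float 0.7, so a later `0.70` or `0.10` would silently collapse to a different value and the field no longer round-trips as the string Helm expects; quote it the way the ssh_scan chart in this series does, `appVersion: "0.7"`. The same applies to any future numeric-looking `appVersion` in the sibling charts of this patch, which today happen to be safe because they carry a `v` prefix or more than one dot.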
@@ -0,0 +1,21 @@
+apiVersion: v1
+name: nmap
+description: A Helm chart for the NMAP security Scanner that integrates with the secureCodeBox.
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+appVersion: 7.80-r2
+
+keywords:
+ - security
+ - nmap
+ - scanner
+ - secureCodeBox
+home: https://www.securecodebox.io/scanners/nmap
+icon: https://www.securecodebox.io/scannerIcons/Nmap.svg
+sources:
+ - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+ - name: iteratec GmbH
+ email: security@iteratec.com
diff --git a/scanners/ssh_scan/helm2.Chart.yaml b/scanners/ssh_scan/helm2.Chart.yaml
new file mode 100644
index 00000000..32e6e2b7
--- /dev/null
+++ b/scanners/ssh_scan/helm2.Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+name: ssh-scan
+description: A Helm chart for the SSH_Scan security scanner that integrates with the secureCodeBox.
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+appVersion: "0.0.43"
+
+keywords:
+ - security
+ - ssh
+ - scanner
+ - secureCodeBox
+home: https://www.securecodebox.io/scanners/ssh
+icon: https://www.securecodebox.io/scannerIcons/SSH.svg
+sources:
+ - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+ - name: iteratec GmbH
+ email: security@iteratec.com
diff --git a/scanners/sslyze/helm2.Chart.yaml b/scanners/sslyze/helm2.Chart.yaml
new file mode 100644
index 00000000..95cf7a69
--- /dev/null
+++ b/scanners/sslyze/helm2.Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+name: sslyze
+description: A Helm chart for the SSLyze security scanner that integrates with the secureCodeBox.
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+appVersion: v3.0.6
+
+keywords:
+ - security
+ - ssl
+ - scanner
+ - secureCodeBox
+home: https://www.securecodebox.io/scanners/sslyze
+icon: https://www.securecodebox.io/scannerIcons/SSLyze.svg
+sources:
+ - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+ - name: iteratec GmbH
+ email: security@iteratec.com
diff --git a/scanners/test-scan/helm2.Chart.yaml b/scanners/test-scan/helm2.Chart.yaml
new file mode 100644
index 00000000..2203edf9
--- /dev/null
+++ b/scanners/test-scan/helm2.Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+name: test-scan
+description: A Helm chart to test the secureCodeBox operator
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+
+keywords:
+ - security
+ - scanner
+ - secureCodeBox
+ - integrationTest
+ - test
+sources:
+ - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+ - name: iteratec GmbH
+ email: security@iteratec.com
diff --git a/scanners/trivy/helm2.Chart.yaml b/scanners/trivy/helm2.Chart.yaml
new file mode 100644
index 00000000..d8c4d8d0
--- /dev/null
+++ b/scanners/trivy/helm2.Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+name: trivy
+description: A Helm chart for the trivy security scanner that integrates with the secureCodeBox.
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+appVersion: v0.6.0
+
+keywords:
+ - security
+ - trivy
+ - image-scanning
+ - scanner
+ - secureCodeBox
+home: https://www.securecodebox.io/scanners/trivy
+icon: https://github.com/aquasecurity/trivy/blob/master/imgs/logo.png
+sources:
+ - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+ - name: iteratec GmbH
+ email: security@iteratec.com
diff --git a/scanners/wpscan/helm2.Chart.yaml b/scanners/wpscan/helm2.Chart.yaml
new file mode 100644
index 00000000..c76e339e
--- /dev/null
+++ b/scanners/wpscan/helm2.Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+name: wpscan
+description: A Helm chart for the WordPress security scanner that integrates with the secureCodeBox.
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+appVersion: latest
+
+keywords:
+ - security
+ - wpscan
+ - wordpress
+ - scanner
+ - secureCodeBox
+home: https://www.securecodebox.io/scanners/wpscan
+icon: https://www.securecodebox.io/scannerIcons/WPScan.svg
+sources:
+ - https://github.com/secureCodeBox/scanner-infrastructure-wpscan
+maintainers:
+ - name: iteratec GmbH
+ email: security@iteratec.com
diff --git a/scanners/zap/helm2.Chart.yaml b/scanners/zap/helm2.Chart.yaml
new file mode 100644
index 00000000..d3e24d33
--- /dev/null
+++ b/scanners/zap/helm2.Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+name: zap
+description: A Helm chart for the OWASP ZAP security scanner that integrates with the secureCodeBox.
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: latest
+appVersion: v2.9.0
+
+keywords:
+ - security
+ - Zap
+ - OWASP
+ - scanner
+ - secureCodeBox
+home: https://www.securecodebox.io/scanners/zap
+icon: https://www.securecodebox.io/scannerIcons/ZAP.svg
+sources:
+ - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+ - name: iteratec GmbH
+ email: security@iteratec.com