@paraddise
Last active November 5, 2024 07:16
SecureCodeBox - Overview.md

Installation

Deploy the operator with scan types

helm -n securecodebox-system upgrade --install --create-namespace securecodebox-operator oci://ghcr.io/securecodebox/helm/operator --version 4.9.0
helm upgrade -n securecodebox-system --install persistence-defectdojo oci://ghcr.io/securecodebox/helm/persistence-defectdojo --version 4.6.0
helm upgrade -n securecodebox-system --install trivy oci://ghcr.io/securecodebox/helm/trivy --version 4.9.0

We will be using the default namespace for our test application, so deploy the needed scan types there as well.

helm upgrade -n default --install zap-automation-framework oci://ghcr.io/securecodebox/helm/zap-automation-framework --version 4.9.0
helm upgrade -n default --install trivy oci://ghcr.io/securecodebox/helm/trivy --set kubeauditScope=namespace --set createAutoDiscoveryScanType=true --version 4.9.0

Install scbctl

go install github.com/secureCodeBox/secureCodeBox/scbctl@latest

Install DefectDojo hook

# create secret for defectdojo user
k create -n default secret generic --from-literal=apikey=<api_key> --from-literal=username=<username> defectdojo-credentials
# deploy hook
helm upgrade \
  -n default \
  --install persistence-defectdojo \
  oci://ghcr.io/securecodebox/helm/persistence-defectdojo \
  --version 4.6.0 \
  --set-string defectdojo.authentication.userId=4 \
  --set-string defectdojo.url=<defectdojo url>

Repeat the same for the securecodebox-system namespace.

Deploy Auto-Discovery service

Create a values.yaml file with the scan configuration.

image:
  repository: securecodebox/auto-discovery-kubernetes

config:
  cluster:
    name: my-cluster
  resourceInclusion:
    mode: enabled-per-namespace
  serviceAutoDiscovery:
    enabled: true
    scanConfigs:
      - scanType: zap-automation-framework
        name: "zap"
        parameters:
          - "-quickurl"
          - "{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"
          - '-quickout'
          - '/home/securecodebox/zap-results.xml'
        repeatInterval: "168h"
        labels: {}
        annotations:
          defectdojo.securecodebox.io/product-type-name: "SecureCodeBox"
          defectdojo.securecodebox.io/product-name: "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}"
          defectdojo.securecodebox.io/product-tags: "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"
          defectdojo.securecodebox.io/engagement-name: "{{ .Target.Name }}"
          defectdojo.securecodebox.io/engagement-version: "{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}"

  containerAutoDiscovery:
    enabled: true
    scanConfigs:
      - scanType: trivy-image-autodiscovery
        name: "trivy"
        parameters:
          - "{{ .ImageID }}"
        repeatInterval: "768h"
        labels: {}
        annotations:
          defectdojo.securecodebox.io/product-type-name: "SecureCodeBox"
          defectdojo.securecodebox.io/product-name: "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}"
          defectdojo.securecodebox.io/product-tags: "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"
          defectdojo.securecodebox.io/engagement-name: "{{ .Target.Name }}"
          defectdojo.securecodebox.io/engagement-version: "{{ .Target.CreationTimestamp }}"

resources:
  limits:
    cpu: 500m
    memory: 256Mi
  requests:
    cpu: 100m
    memory: 20Mi
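To see what the Go templates in the scanConfigs above expand to for a discovered Service, here is an added example (not part of this gist or of the secureCodeBox project) that renders the same template strings with Go's text/template against a constructed juice-shop Service. The Data struct layout is assumed from the templates themselves, and the backticks around the label key in the engagement-version template are written as double quotes because the Go raw string uses backticks.

```go
package main

import (
	"strings"
	"text/template"
)

// Data holds the fields the serviceAutoDiscovery templates above reference; the layout
// is assumed from those templates, not taken from the auto-discovery source.
type Data struct {
	Cluster, Namespace struct{ Name string }
	Service            struct{ Name, Namespace string }
	Host               struct{ Type string; Port int }
	Target             struct{ Name string; Labels map[string]string }
}

// Templates copied from values.yaml above; the backticks around the label key are
// written as double quotes, which Go templates accept equally.
var templates = map[string]string{
	"quickurl":           "{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}",
	"product-name":       "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}",
	"product-tags":       "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}",
	"engagement-name":    "{{ .Target.Name }}",
	"engagement-version": `{{if (index .Target.Labels "app.kubernetes.io/version") }}{{ index .Target.Labels "app.kubernetes.io/version" }}{{end}}`,
}

// Render expands every template against d. index on a missing map key yields "",
// so engagement-version stays empty for a Service without the version label.
func Render(d Data) (map[string]string, error) {
	out := make(map[string]string, len(templates))
	for key, text := range templates {
		var sb strings.Builder
		if err := template.Must(template.New(key).Parse(text)).Execute(&sb, d); err != nil {
			return nil, err
		}
		out[key] = sb.String()
	}
	return out, nil
}

// SampleService is a constructed juice-shop Service in namespace default on port 3000.
func SampleService(withVersion bool) Data {
	var d Data
	d.Cluster.Name, d.Namespace.Name = "my-cluster", "default"
	d.Service.Name, d.Service.Namespace = "juice-shop", "default"
	d.Host.Type, d.Host.Port = "http", 3000
	d.Target.Name, d.Target.Labels = "juice-shop", map[string]string{}
	if withVersion {
		d.Target.Labels["app.kubernetes.io/version"] = "v1.2.3" // constructed value
	}
	return d
}
```

The quickurl result is the in-cluster address ZAP will be pointed at, and the product/engagement values are what the DefectDojo hook uses to file the findings.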

Deploy the auto-discovery service

helm upgrade -n securecodebox-system --install auto-discovery-kubernetes oci://ghcr.io/securecodebox/helm/auto-discovery-kubernetes --version 4.9.0 -f values.yaml

Annotate the default namespace

kubectl annotate namespace default auto-discovery.securecodebox.io/enabled=true

Add the kubernetes service (the API server endpoint) to the list of exceptions so it is not scanned

kubectl -n default annotate service kubernetes auto-discovery.securecodebox.io/ignore=true

Scan cluster resources with trivy-k8s

Manually

With the trivy CLI

trivy k8s my-cluster \
  --format json \
  --report all \
  --output ./trivy-results.json \
  --debug \
  --include-namespaces default,kube-system \
  --skip-check-update \
  --severity=CRITICAL \
  --skip-images

and manually upload trivy-results.json to DefectDojo.

Secure code box

One-time scan with scbctl

scbctl scan trivy-k8s -- \
  --db-repository docker-public.registry.tages.ru/aquasecurity/trivy-db \
  --java-db-repository docker-public.registry.tages.ru/aquasecurity/trivy-java-db \
  --checks-bundle-repository docker-public.registry.tages.ru/aquasecurity/trivy-checks \
  --debug \
  --include-namespaces default,kube-system \
  --severity CRITICAL \
  --skip-images

Or use a manifest to create a scheduled scan.

cat > trivy-k8s-scheduled.yaml <<EOF
apiVersion: execution.securecodebox.io/v1
kind: ScheduledScan
metadata:
  name: trivy-k8s
  namespace: securecodebox-system
  annotations:
    defectdojo.securecodebox.io/product-type-name: "SecureCodeBox"
    defectdojo.securecodebox.io/product-name: "my-cluster-k8s"
    defectdojo.securecodebox.io/engagement-name: "secure-code-box"
spec:
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 1
  interval: 168h
  scanSpec:
    parameters:
    - --debug
    - --include-namespaces
    - kube-system,default
    - --severity
    - CRITICAL
    - --skip-images
    - --include-kinds
    - deployment
    resourceMode: namespaceLocal
    resources: {}
    scanType: trivy-k8s
EOF
kubectl apply -f trivy-k8s-scheduled.yaml

In the examples above the scan is limited to the default and kube-system namespaces; omit the --include-namespaces parameter to scan the whole cluster. Also, only CRITICAL findings are sent to DefectDojo. If deploying the ScheduledScan did not trigger a scan, you can trigger one manually:

scbctl -n securecodebox-system trigger trivy-k8s

Scan container images after deploy

Manually or in Pipeline

trivy image nginx:alpine3.17

SCB Auto-Discovery

Annotate the namespace so the auto-discovery service watches it for new containers.

k annotate ns default auto-discovery.securecodebox.io/enabled=true

Run a pod from the image to trigger a scan

k run -n default --image nginx:alpine3.17 nginx-test-scan

You can view the created scheduled scan with

k get scheduledscans -n default

Scan application with DAST

Manually or in pipeline

You can start an automated scan from the ZAP desktop application: in the Quick Start window, select Automated Scan and specify the endpoint.

With the docker image

docker run -v "$(pwd):/tmp/results/" -it --rm softwaresecurityproject/zap-stable:2.15.0 zap.sh -cmd -quickurl http://example.com -quickout /tmp/results/zap.xml
cat zap.xml

Upload zap.xml to your ASPM.

SCB AutoDiscovery

Deploy juice-shop to the default namespace; after that, the service and container scans will be started and scheduled scans will be created.

helm upgrade -n default --install juice-shop oci://ghcr.io/securecodebox/helm/juice-shop --set-json='annotations={"auto-discovery.securecodebox.io/enabled":"true"}'

You can view the created scheduled scan for juice-shop

k get -n default scheduledscan juice-shop-service-zap-port-3000 -o yaml