Merge branch 'master' into contributing

Author: nigthknight

.github/workflows/ci.yaml

@@ -57,7 +57,7 @@ jobs:
       - uses: actions/checkout@master
       - uses: actions/setup-go@v2-beta
         with:
-          go-version: "1.13"
+          go-version: "1.15"
       - name: "Lint Operator Go Code"
         run: |
           cd operator/
@@ -79,7 +79,7 @@ jobs:
       - uses: actions/checkout@master
       - uses: actions/setup-go@v2-beta
         with:
-          go-version: "1.13"
+          go-version: "1.15"
       - name: "Lint Lurcher Go Code"
         run: |
           cd lurcher/
@@ -131,6 +131,16 @@ jobs:
           tag_with_ref: true
           tag_with_sha: true
           build_args: baseImageTag=ci-local
+      - uses: docker/build-push-action@v1
+        name: "Build & Push Ncrack Parser Image"
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          repository: scbexperimental/parser-ncrack
+          path: ./scanners/ncrack/parser/
+          tag_with_ref: true
+          tag_with_sha: true
+          build_args: baseImageTag=ci-local
       - uses: docker/build-push-action@v1
         name: "Build & Push Nikto Parser Image"
         with:
@@ -201,6 +211,17 @@ jobs:
           tag_with_ref: true
           tag_with_sha: true
           build_args: baseImageTag=ci-local
+      - uses: docker/build-push-action@v1
+        name: "Build & Push wpscan Parser Image"
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          repository: scbexperimental/parser-wpscan
+          path: ./scanners/wpscan/parser/
+          tag_with_ref: true
+          tag_with_sha: true
+          build_args: baseImageTag=ci-local
+
   hookImages:
     name: "Build / Hooks"
     runs-on: ubuntu-latest
@@ -278,6 +299,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@master
+      - uses: docker/build-push-action@v1
+        name: "Build & Push Ncrack Scanner Image"
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          repository: scbexperimental/ncrack
+          path: ./scanners/ncrack/scanner/
+          # Note: not prefixed with a "v" as this seems to match ncrack versioning standards
+          tags: "0.7,latest"
       - uses: docker/build-push-action@v1
         name: "Build & Push Nmap Scanner Image"
         with:
@@ -316,7 +346,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        k8sVersion: ["1.18.2", "1.17.5", "1.16.9", "1.15.11"]
+        k8sVersion: ["1.19.0", "1.18.8", "1.17.5", "1.16.9"]
     steps:
       - uses: actions/checkout@master
       - name: "Start kind cluster"
@@ -336,9 +366,7 @@ jobs:
           # Install Operator using the images of the current commit
           helm -n securecodebox-system install securecodebox-operator ./operator/ --wait \
             --set="image.tag=sha-$(git rev-parse --short HEAD)" \
-            --set="image.digest=null" \
             --set="lurcher.image.tag=sha-$(git rev-parse --short HEAD)" \
-            --set="lurcher.image.digest=null"
       - name: "Inspect Operator"
         run: |
           echo "Deployment in namespace 'securecodebox-system'"
@@ -380,11 +408,23 @@ jobs:
           cd tests/integration/
           npx jest --ci --color read-only-hook
           helm -n integration-tests uninstall test-scan http-webhook ro-hook
+      - name: "Install Demo Apps"
+        run: |
+          # Install dummy-ssh app
+          helm -n demo-apps install dummy-ssh ./demo-apps/dummy-ssh/ --wait
+          # Install plain nginx server
+          kubectl create deployment --image nginx:alpine nginx --namespace demo-apps
+          kubectl expose deployment nginx --port 80 --namespace demo-apps
       - name: "nmap Integration Tests"
         run: |
           helm -n integration-tests install nmap ./scanners/nmap/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
           cd tests/integration/
           npx jest --ci --color nmap
+      - name: "ncrack Integration Tests"
+        run: |
+          helm -n integration-tests install ncrack ./scanners/ncrack/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+          cd tests/integration/
+          npx jest --ci --color ncrack
       - name: "kube-hunter Integration Tests"
         run: |
           helm -n integration-tests install kube-hunter ./scanners/kube-hunter/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
@@ -393,10 +433,13 @@ jobs:
       - name: "ssh-scan Integration Tests"
         run: |
           helm -n integration-tests install ssh-scan ./scanners/ssh_scan/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
-          # Install dummy-ssh app
-          helm -n demo-apps install dummy-ssh ./demo-apps/dummy-ssh/ --wait
           cd tests/integration/
           npx jest --ci --color ssh-scan
+      - name: "zap Integration Tests"
+        run: |
+          helm -n integration-tests install zap ./scanners/zap/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+          cd tests/integration/
+          npx jest --ci --color zap
       - name: Inspect Post Failure
         if: failure()
         run: |

.github/workflows/helm-charts.yaml

@@ -0,0 +1,33 @@
+on:
+  release:
+    types: [published]
+name: "Publish Helm Charts"
+jobs:
+  helm:
+    name: Package and Publish
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: "Install yq"
+        run: |
+          sudo snap install yq
+      - name: Parse Tag 
+        run: echo ::set-env name=RELEASE_VERSION::${GITHUB_REF#refs/*/}
+      - name: "Publish Helm Chart"
+        env:
+          HELM_REGISTRY: https://charts.securecodebox.io
+          USERNAME: ${{ secrets.HELM_REGISTRY_USERNAME }}
+          PASSWORD: ${{ secrets.HELM_REGISTRY_PASSWORD }}
+        run: |
+          # Publish charts in all folders containing a `Chart.yaml` file
+          # https://github.com/koalaman/shellcheck/wiki/SC2044
+          find . -type f -name Chart.yaml -print0 | while IFS= read -r -d '' chart; do
+          (
+            dir="$(dirname "${chart}")"
+            cd "${dir}" || exit
+            echo "Processing Chart in $dir"
+            helm package --version $RELEASE_VERSION .
+            NAME=$(yq read - name < Chart.yaml)
+            curl --silent --show-error --user "${USERNAME}:${PASSWORD}" --data-binary "@${NAME}-${RELEASE_VERSION}.tgz" "${HELM_REGISTRY}/api/charts"
+          )
+          done

README.md

@@ -1,4 +1,4 @@
-# secureCodeBox – v2 ALPHA
+# secureCodeBox – v2 Beta
 
 <p align="center">
   <img alt="secureCodeBox Logo" src="./docs/resources/securecodebox-logo.svg" width="500px">
@@ -7,25 +7,28 @@
 
 <p align="center">
   <a href="https://opensource.org/licenses/Apache-2.0"><img alt="License Apache-2.0" src="https://img.shields.io/badge/License-Apache%202.0-blue.svg"></a>
-  <a href="https://github.com/secureCodeBox/secureCodeBox/releases/latest"><img alt="Latest GitHub Release" src="https://img.shields.io/github/release/secureCodeBox/secureCodeBox.svg"></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox-v2/releases/tag/v2.0.0-rc.1"><img alt="Preview GitHub Release" src="https://img.shields.io/badge/release-v2.0.0%7Erc.1-blue.svg"></a>
   <a href="https://owasp.org/www-project-securecodebox/"><img alt="OWASP Incubator Project" src="https://img.shields.io/badge/OWASP-Incubator%20Project-365EAA"></a>
   <a href="https://twitter.com/securecodebox"><img alt="Twitter Follower" src="https://img.shields.io/twitter/follow/securecodebox?style=flat&color=blue&logo=twitter"></a>
 </p>
 <p align="center">
-  <a href="https://github.com/secureCodeBox/secureCodeBox-v2-alpha/actions?query=workflow%3ACI"><img alt="Build" src="https://github.com/secureCodeBox/secureCodeBox-v2-alpha/workflows/CI/badge.svg"></a>
-  <a href="https://codeclimate.com/github/secureCodeBox/secureCodeBox-v2-alpha/test_coverage"><img alt="Test Coverage" src="https://api.codeclimate.com/v1/badges/b6bf3af707671b5e5251/test_coverage" /></a>
-  <a href="https://snyk.io/test/github/secureCodeBox/secureCodeBox-v2-alpha/"><img alt="Known Vulnerabilities" src="https://snyk.io/test/github/secureCodeBox/secureCodeBox-v2-alpha/badge.svg"></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox-v2/actions?query=workflow%3ACI"><img alt="Build" src="https://github.com/secureCodeBox/secureCodeBox-v2/workflows/CI/badge.svg"></a>
+  <a href="https://codeclimate.com/github/secureCodeBox/secureCodeBox-v2/test_coverage"><img alt="Test Coverage" src="https://api.codeclimate.com/v1/badges/b6bf3af707671b5e5251/test_coverage" /></a>
+  <a href="https://snyk.io/test/github/secureCodeBox/secureCodeBox-v2/"><img alt="Known Vulnerabilities" src="https://snyk.io/test/github/secureCodeBox/secureCodeBox-v2/badge.svg"></a>
 </p>
 
-**NOTE**: This Repository contains a **work in progress** preview of the planned next major secureCodeBox Release. You can find the current **stable release** here [https://github.com/secureCodeBox/secureCodeBox](https://github.com/secureCodeBox/secureCodeBox). The release of version 2.0 is still at least some month away but you can already get a sneak peak here 😀. The release will contain a major architecture change which will not be backward compatible. More details will follow soon in a series of blog articles.
+**NOTE**: This Repository contains the stable beta preview of the next major secureCodeBox (SCB) Release v2.  
+You can find the current **stable release** here [https://github.com/secureCodeBox/secureCodeBox](https://github.com/secureCodeBox/secureCodeBox).
+
+_The major release of SCB version 2.0 will be available in the next weeks._ The release will contain a major architecture change which will not be backward compatible. More details will follow soon in a series of blog articles.
 
 > _secureCodeBox_ is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box.
 
 ## Overview
 
 <!-- toc -->
 
-- [secureCodeBox – v2 ALPHA](#securecodebox--v2-alpha)
+- [secureCodeBox – v2 Beta](#securecodebox--v2-beta)
   - [Overview](#overview)
   - [Purpose of this Project](#purpose-of-this-project)
   - [Quickstart](#quickstart)
@@ -35,6 +38,7 @@
       - [Local Scan Examples](#local-scan-examples)
       - [Public Scan Examples](#public-scan-examples)
       - [Then get the current State of the Scan by running:](#then-get-the-current-state-of-the-scan-by-running)
+      - [To delete a scan, use `kubectl delete`, e.g. for localhost nmap scan:](#to-delete-a-scan-use-kubectl-delete-eg-for-localhost-nmap-scan)
     - [Access Services](#access-services)
   - [How does it work?](#how-does-it-work)
   - [Architecture](#architecture)
@@ -55,11 +59,11 @@ For additional documentation aspects please have a look at our:
 The typical way to ensure application security is to hire a security specialist (aka penetration tester) at some point in your project to check the application for security bugs and vulnerabilities. Usually, this check is done at a later stage of the project and has two major drawbacks:
 
 1. Nowadays, a lot of projects do continuous delivery, which means the developers deploy new versions multiple times each day. The penetration tester is only able to check a single snapshot, but some further commits could introduce new security issues. To ensure ongoing application security, the penetration tester should also continuously test the application. Unfortunately, such an approach is rarely financially feasible.
-2. Due to a typically time boxed analysis, the penetration tester has to focus on trivial security issues (low-hanging fruits) and therefore will not address the serious, non-obvious ones.
+2. Due to a typically time boxed analysis, the penetration tester has to focus on trivial security issues (low-hanging fruit) and therefore will probably not address the serious, non-obvious ones.
 
 With the _secureCodeBox_ we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues.
 
-The purpose of _secureCodeBox_ **is not** to replace the penetration testers or make them obsolete. We strongly recommend to run extensive tests by experienced penetration testers on all your applications.
+The purpose of _secureCodeBox_ **is not** to replace the penetration testers or make them obsolete. We strongly recommend running extensive tests by experienced penetration testers on all your applications.
 
 **Important note**: The _secureCodeBox_ is no simple one-button-click-solution! You must have a deep understanding of security and how to configure the scanners. Furthermore, an understanding of the scan results and how to interpret them is also necessary.
 
@@ -69,11 +73,12 @@ There is a German article about [Security DevOps – Angreifern (immer) einen Sc
 
 ### Prerequisites
 
-- kubernetes (last 4 major releases supported: `1.15`, `1.16`, `1.17` & `1.18`)
+- kubernetes (last 4 major releases supported: `1.16`, `1.17`, `1.18` & `1.19`)
 
 ### Deployment (based on Helm)
 
-There are shorthand scripts to un-/install everything in the `bin` directory.
+> The install instructions require you to have the repository cloned and to have your terminal located in the folder of repository.
+> There are shorthand scripts to un-/install everything in the `bin` directory.
 
 Deploy the secureCodeBox operator first:
 
@@ -109,9 +114,10 @@ helm upgrade --install swagger-petstore ./demo-apps/swagger-petstore/
 Deploy secureCodeBox Hooks:
 
 ```bash
-helm upgrade --install aah ./hooks/update-field/
+helm upgrade --install ufh ./hooks/update-field/
 helm upgrade --install gwh ./hooks/generic-webhook/
 helm upgrade --install issh ./hooks/imperative-subsequent-scans/
+helm upgrade --install dssh ./hooks/declarative-subsequent-scans/
 ```
 
 Persistence provider Elasticsearch:
@@ -144,7 +150,8 @@ kubectl apply -f scanners/nmap/examples/scan.nmap.org/scan.yaml
 kubectl get scans
 ```
 
-#### To delete a scan, use ```kubectl delete```, e.g. for localhost nmap scan:
+#### To delete a scan, use `kubectl delete`, e.g. for localhost nmap scan:
+
 ```
 kubectl delete -f scanners/nmap/examples/localhost/scan.yaml
 ```
@@ -193,5 +200,5 @@ Sponsored by [iteratec GmbH](https://www.iteratec.de/) - [secureCodeBox.io](http
 [scb-github]: https://github.com/secureCodeBox/
 [scb-engine]: https://github.com/secureCodeBox/engine
 [scb-twitter]: https://twitter.com/secureCodeBox
-[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTJiNzg3MmU2ZDY2NDFiMGI0Y2FkM2I5Mzc2ZmEzYTcyN2FlN2Y2NDFiZDE5NjAxMjg1M2IxNDViNzE3OTIxMGU
+[scb-slack]: https://join.slack.com/t/securecodebox/shared_invite/enQtNDU3MTUyOTM0NTMwLTBjOWRjNjVkNGEyMjQ0ZGMyNDdlYTQxYWQ4MzNiNGY3MDMxNThkZjJmMzY2NDRhMTk3ZWM3OWFkYmY1YzUxNTU
 [scb-license]: https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE