Added new readme files for Hooks and introduced more header informations.

Author: rfelber

README.md

@@ -85,15 +85,16 @@ helm -n securecodebox-system upgrade --install securecodebox-operator ./operator
 Optionally deploy SCB scanner charts for each security scanner you want to use. They should not be installed into the `securecodebox-system` like the operator so that different teams can use different kinds of scanners.
 
 ```bash
-helm upgrade --install amass ./scanners/amass/
-helm upgrade --install kube-hunter ./scanners/kube-hunter/
-helm upgrade --install nikto ./scanners/nikto
-helm upgrade --install nmap ./scanners/nmap/
-helm upgrade --install ssh-scan ./scanners/ssh_scan/
-helm upgrade --install sslyze ./scanners/sslyze/
-helm upgrade --install trivy ./scanners/trivy/
-helm upgrade --install zap ./scanners/zap/
-helm upgrade --install wpscan ./scanners/wpscan/
+kubectl create namespace scans
+helm upgrade --install -n scans amass ./scanners/amass/
+helm upgrade --install -n scans kube-hunter ./scanners/kube-hunter/
+helm upgrade --install -n scans nikto ./scanners/nikto
+helm upgrade --install -n scans nmap ./scanners/nmap/
+helm upgrade --install -n scans ssh-scan ./scanners/ssh_scan/
+helm upgrade --install -n scans sslyze ./scanners/sslyze/
+helm upgrade --install -n scans trivy ./scanners/trivy/
+helm upgrade --install -n scans zap ./scanners/zap/
+helm upgrade --install -n scans wpscan ./scanners/wpscan/
 ```
 
 Optional deploy some demo apps for scanning:
@@ -112,6 +113,7 @@ Deploy secureCodeBox Hooks:
 helm upgrade --install aah ./hooks/update-field/
 helm upgrade --install gwh ./hooks/generic-webhook/
 helm upgrade --install issh ./hooks/imperative-subsequent-scans/
+helm upgrade --install dssh ./hooks/declarative-subsequent-scans/
 ```
 
 Persistence provider Elasticsearch:

hooks/declarative-subsequent-scans/README.md

@@ -0,0 +1,116 @@
+---
+title: "Cascading Scans"
+path: "hooks/declarative-subsequent-scans"
+category: "hook"
+type: "processing"
+state: "released"
+usecase: "Enables cascading Scans based declarative _CascadingRules_."
+---
+
+<!-- end -->
+
+## Deployment
+
+Installing the Cascading Scans hook will add a ReadOnly Hook to your namespace which looks for matching _CascadingRules_ in the namespace and start the according scans. 
+
+```bash
+helm upgrade --install dssh ./hooks/declarative-subsequent-scans/
+```
+
+### Verification
+```bash
+$ kubectl get ScanCompletionHooks
+NAME   TYPE       IMAGE
+dssh   ReadOnly   docker.io/scbexperimental/hook-declarative-subsequent-scans:latest
+```
+
+## CascadingScan Rules
+The CascadingRules are included directly in each helm chart of the individual scanners. 
+
+```bash
+# Check your CascadingRules
+$ kubectl get CascadingRules
+NAME             STARTS         INVASIVENESS   INTENSIVENESS
+https-tls-scan   sslyze         non-invasive   light
+imaps-tls-scan   sslyze         non-invasive   light
+nikto-http       nikto          non-invasive   medium
+nmap-smb         nmap           non-invasive   light
+pop3s-tls-scan   sslyze         non-invasive   light
+smtps-tls-scan   sslyze         non-invasive   light
+ssh-scan         ssh-scan       non-invasive   light
+zap-http         zap-baseline   non-invasive   medium
+```
+
+## Starting a cascading Scan
+When you start a normal Scan, no CascadingRule will be applied. To use a _CascadingRule_ the scan must be marked to allow cascading rules.
+This is implemented using kubernetes label selectors, meaning that scans mark the classes of scans which are allowed to be cascaded by the current one.
+
+### Example
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: "execution.experimental.securecodebox.io/v1"
+kind: Scan
+metadata:
+  name: "example.com"
+spec:
+  scanType: nmap
+  parameters:
+    - -p22,80,443
+    - example.com
+  cascades:
+    matchLabels:
+      securecodebox.io/intensive: light
+EOF
+```
+
+This Scan will used all CascadingRules which are labeled with a "light" intensity.
+You can lookup which CascadingRules this selects by running:
+
+```bash
+$ kubectl get CascadingRules -l "securecodebox.io/intensive=light"
+NAME             STARTS     INVASIVENESS   INTENSIVENESS
+https-tls-scan   sslyze     non-invasive   light
+imaps-tls-scan   sslyze     non-invasive   light
+nmap-smb         nmap       non-invasive   light
+pop3s-tls-scan   sslyze     non-invasive   light
+smtps-tls-scan   sslyze     non-invasive   light
+ssh-scan         ssh-scan   non-invasive   light
+```
+
+The label selectors also allow the more powerful matchExpression selectors:
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: "execution.experimental.securecodebox.io/v1"
+kind: Scan
+metadata:
+  name: "example.com"
+spec:
+  scanType: nmap
+  parameters:
+    - -p22,80,443
+    - example.com
+  cascades:
+    # Using matchExpression instead of matchLabels
+    matchExpression:
+      key: "securecodebox.io/intensive"
+      operator: In
+      # This select both light and medium intensity rules
+      values: [light, medium]
+EOF
+```
+
+This selection can be replicated in kubectl using:
+
+```bash
+kubectl get CascadingRules -l "securecodebox.io/intensive in (light,medium)"
+NAME             STARTS         INVASIVENESS   INTENSIVENESS
+https-tls-scan   sslyze         non-invasive   light
+imaps-tls-scan   sslyze         non-invasive   light
+nikto-http       nikto          non-invasive   medium
+nmap-smb         nmap           non-invasive   light
+pop3s-tls-scan   sslyze         non-invasive   light
+smtps-tls-scan   sslyze         non-invasive   light
+ssh-scan         ssh-scan       non-invasive   light
+zap-http         zap-baseline   non-invasive   medium
+```

hooks/generic-webhook/README.md

@@ -0,0 +1,18 @@
+---
+title: "Generic WebHook"
+path: "hooks/generic-webhook"
+category: "hook"
+type: "integration"
+state: "released"
+usecase: "Publishes Scan Findings as WebHook."
+---
+
+<!-- end -->
+
+## Deployment
+
+Installing the Generic WebHook hook will add a ReadOnly Hook to your namespace. 
+
+```bash
+helm upgrade --install gwh ./hooks/generic-webhook/ --set webhookUrl="http://example.com/my/webhook/target"
+```

hooks/imperative-subsequent-scans/values.yaml

@@ -6,15 +6,15 @@ cascade:
   # Cascade nmap scans for each subdomain found by amass
   amassNmap: true
   # Cascade nmap SMB scans for each SMB Port found by nmap
-  nmapSmb: true
+  nmapSmb: false
   # Cascade SSH scans for each SSH Port found by nmap
   nmapSsh: true
   # Cascade SSL scans for each HTTP Port found by nmap
   nmapSsl: true
   # Cascade Nikto scans for each HTTP Port found by nmap
-  nmapNikto: true
+  nmapNikto: false
   # Cascade ZAP scans for each HTTP Port found by nmap
-  nmapZapBaseline: true
+  nmapZapBaseline: false
 
 image:
   registry: docker.io

hooks/persistence-elastic/README.md

@@ -0,0 +1,55 @@
+---
+title: "Elasticsearch"
+path: "hooks/persistence-elastic"
+category: "hook"
+type: "persistenceProvider"
+state: "released"
+usecase: "Publishes all Scan Findings to elasticsearch (ECK)."
+---
+
+<!-- end -->
+
+## About
+The ElasticSearch persistenceProvider hook saves all findings and reports into the configured ElasticSearch index. This allows for some easy searching and visualization of the findings. To learn more about Elasticsearch visit elastic.io.
+
+## Deployment
+
+Installing the Elasticsearch persistenceProvider hook will add a _ReadOnly Hook_ to your namespace. 
+
+```bash
+helm upgrade --install elkh ./hooks/persistence-elastic/
+```
+
+## Configuration
+see values.yaml
+
+```yaml
+# Define a specific index prefix
+indexPrefix: "scbv2"
+
+# Enable this when you already have an Elastic Stack running to which you want to send your results
+externalElasticStack:
+  enabled: false
+  elasticsearchAddress: "https://elasticsearch.example.com"
+  kibanaAddress: "https://kibana.example.com"
+
+# Configure authentication schema and credentials the persistence provider should use to connect to elasticsearch
+# user and apikey are mutually exclusive, only set one!
+authentication:
+  # Link a pre-existing generic secret with `username` and `password` key / value pairs
+  userSecret: null
+  # Link a pre-existing generic secret with `id` and `key` key / value pairs
+  apiKeySecret: null
+
+# Configures included Elasticsearch subchart
+elasticsearch:
+  enabled: true
+  replicas: 1
+  minimumMasterNodes: 1
+  # image: docker.elastic.co/elasticsearch/elasticsearch-oss
+
+# Configures included Elasticsearch subchart
+kibana:
+  enabled: true
+  # image: docker.elastic.co/kibana/kibana-oss
+```

hooks/persistence-elastic/values.yaml

@@ -8,6 +8,7 @@ image:
   tag: latest
   digest: null
 
+# Define a specific index prefix
 indexPrefix: "scbv2"
 
 # Enable this when you already have an Elastic Stack running to which you want to send your results

hooks/update-field/README.md

@@ -0,0 +1,18 @@
+---
+title: "Generic WebHook"
+path: "hooks/generic-webhook"
+category: "hook"
+type: "integration"
+state: "released"
+usecase: "Publishes Scan Findings as WebHook."
+---
+
+<!-- end -->
+
+## Deployment
+
+Installing the _Update Field_ hook will add a ReadOnly Hook to your namespace. 
+
+```bash
+helm upgrade --install gwh ./hooks/generic-webhook/ --set webhookUrl="http://example.com/my/webhook/target"
+```

scanners/amass/README.md

@@ -2,6 +2,9 @@
 title: "Amass"
 path: "scanners/amass"
 category: "scanner"
+type: "Network"
+state: "released"
+appVersion: 3.7.2
 usecase: "Subdomain Enumeration Scanner"
 ---
 

scanners/kube-hunter/README.md

@@ -2,6 +2,9 @@
 title: "kube-hunter"
 path: "scanners/kube-hunter"
 category: "scanner"
+type: "Kubernetes"
+state: "released"
+appVersion: 0.3.1
 usecase: "Kubernetes Vulnerability Scanner"
 ---
 

scanners/nikto/README.md

@@ -2,6 +2,9 @@
 title: "Nikto"
 path: "scanners/nikto"
 category: "scanner"
+type: "Webserver"
+state: "released"
+appVersion: 2.1.6
 usecase: "Webserver Vulnerability Scanner"
 ---