6 changes: 5 additions & 1 deletion hooks/notification/templates/configmap.yaml
Expand Up @@ -2,9 +2,13 @@
#
# SPDX-License-Identifier: Apache-2.0

---
apiVersion: v1
kind: ConfigMap
metadata:
name: "{{ .Release.Name }}-config"
labels:
{{- include "notification-hook.labels" . | nindent 4 }}
data:
notification-channel.yaml: {{ .Values.notificationChannels | toYaml | quote }}
notification-channel.yaml: |
{{ .Values.notificationChannels | toYaml | nindent 4 }}
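Review bot: In the new `notification-channel.yaml: |` block, `nindent` starts its output with a newline and the template action on the following line is not whitespace-trimmed, so the rendered block scalar begins with an empty line before the channel YAML. Use `indent 4` on that line, or write it as `{{- .Values.notificationChannels | toYaml | nindent 4 }}`, so the value starts directly with the content.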
6 changes: 1 addition & 5 deletions scanners/zap-advanced/README.md
Expand Up @@ -509,11 +509,7 @@ zapConfiguration:
| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user |
| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| zapConfiguration | object | `{"global":{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}}` | All `scanType` specific configuration options. Feel free to add more configuration options. All configuration options can be overriden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options. |
| zapConfiguration.global | object | `{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}` | Optional general ZAP Configurations settings. |
| zapConfiguration.global.addonInstall | list | `["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"]` | Installs additional ZAP AddOns on startup, listed by their name: |
| zapConfiguration.global.addonUpdate | bool | `true` | Updates all installed ZAP AddOns on startup if true, otherwise false. |
| zapConfiguration.global.sessionName | string | `"secureCodeBox"` | The ZAP internal Session name. Default: secureCodeBox |
| zapConfiguration | object | `{}` | All `scanType` specific configuration options. Feel free to add more configuration options. All configuration options can be overriden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options. |
| zapContainer.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| zapContainer.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) |
| zapContainer.extraVolumeMounts | list | `[{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/authentication/","name":"zap-scripts-authentication","readOnly":true},{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/session/","name":"zap-scripts-session","readOnly":true}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
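Review bot: Dropping the four `zapConfiguration.global.*` rows leaves this values table with no description of `addonInstall`, `addonUpdate` or `sessionName`, and the remaining `zapConfiguration` row only refers the reader back to "the README.md", which is this file. Keep a sentence or a short row listing the supported `global` keys and the values they used to default to, so they stay discoverable from the table.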
6 changes: 1 addition & 5 deletions scanners/zap-advanced/docs/README.ArtifactHub.md
Expand Up @@ -514,11 +514,7 @@ zapConfiguration:
| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user |
| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| zapConfiguration | object | `{"global":{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}}` | All `scanType` specific configuration options. Feel free to add more configuration options. All configuration options can be overriden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options. |
| zapConfiguration.global | object | `{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}` | Optional general ZAP Configurations settings. |
| zapConfiguration.global.addonInstall | list | `["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"]` | Installs additional ZAP AddOns on startup, listed by their name: |
| zapConfiguration.global.addonUpdate | bool | `true` | Updates all installed ZAP AddOns on startup if true, otherwise false. |
| zapConfiguration.global.sessionName | string | `"secureCodeBox"` | The ZAP internal Session name. Default: secureCodeBox |
| zapConfiguration | object | `{}` | All `scanType` specific configuration options. Feel free to add more configuration options. All configuration options can be overriden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options. |
| zapContainer.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| zapContainer.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) |
| zapContainer.extraVolumeMounts | list | `[{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/authentication/","name":"zap-scripts-authentication","readOnly":true},{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/session/","name":"zap-scripts-session","readOnly":true}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
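Review bot: The rewritten `zapConfiguration` row still carries the misspelling "overriden". Since the line is being touched anyway, correct it to "overridden", and do the same in the `values.yaml` comment, which has the identical sentence.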
4 changes: 1 addition & 3 deletions scanners/zap-advanced/templates/zap-advanced-scan-type.yaml
Expand Up @@ -60,8 +60,6 @@ spec:
- "XML"
- "--zap-url"
- "localhost:8080"
# - "--api-key"
# - "ertzukndtzuikbvcfjkmnbvcfghjklmnbvc"
- "--config-folder"
- "/home/securecodebox/configs/"
- "--output-folder"
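Review bot: Deleting the commented-out `--api-key` argument and its value is right, but the string on the removed line stays in the repository history. Confirm it was only ever a placeholder and was never configured on a running ZAP instance; if it was, treat it as disclosed and retire it.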
Expand Down Expand Up @@ -101,7 +99,7 @@ spec:
- {{ . | quote }}
{{- end }}
- "-config"
- "api.disablekey=true" # Disble API Key. TODO: change with helm random value? -config api.key=change-me-9203935709
- "api.disablekey=true" # Disble API Key because not required. Only pod local access allowed (localhost binding).
resources:
{{- toYaml .Values.zapContainer.resources | nindent 16 }}
securityContext:
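Review bot: The new comment on `api.disablekey=true` justifies running without a key by a localhost binding, but nothing in this hunk sets or checks that binding, and "Disble" is still misspelled. Localhost here means every container in the scan pod, since they share one network namespace, so say that in the comment and point to the argument that pins the listen address. Alternatively keep the dropped TODO and generate a key per release (Helm's `randAlphaNum` would do) rather than disabling the check.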
26 changes: 13 additions & 13 deletions scanners/zap-advanced/values.yaml
Expand Up @@ -155,19 +155,19 @@ zapContainer:
- all

# -- All `scanType` specific configuration options. Feel free to add more configuration options. All configuration options can be overriden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options.
zapConfiguration:
# -- Optional general ZAP Configurations settings.
global:
# -- The ZAP internal Session name. Default: secureCodeBox
sessionName: secureCodeBox
# -- Updates all installed ZAP AddOns on startup if true, otherwise false.
addonUpdate: true
# -- Installs additional ZAP AddOns on startup, listed by their name:
addonInstall:
- pscanrulesBeta
- ascanrulesBeta
- pscanrulesAlpha
- ascanrulesAlpha
zapConfiguration: {}
# # -- Optional general ZAP Configurations settings.
# global:
# # -- The ZAP internal Session name. Default: secureCodeBox
# sessionName: secureCodeBox
# # -- Updates all installed ZAP AddOns on startup if true, otherwise false.
# addonUpdate: true
# # -- Installs additional ZAP AddOns on startup, listed by their name:
# addonInstall:
# - pscanrulesBeta
# - ascanrulesBeta
# - pscanrulesAlpha
# - ascanrulesAlpha

cascadingRules:
# cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner
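Review bot: With the default changed to `zapConfiguration: {}`, a release that relies on chart defaults no longer passes `addonUpdate: true` or the four `addonInstall` rule packs, so unless the scanner applies the same defaults itself, scans will run with fewer passive and active rules and give no indication of it. Document this as a behaviour change for upgrades, and add a line above the commented block saying that these were the previous defaults and must now be set explicitly.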