secureCodeBox · J12934 · Aug 27, 2024 · Aug 23, 2024 · Aug 23, 2024 · Aug 23, 2024
diff --git a/auto-discovery/kubernetes/README.md b/auto-discovery/kubernetes/README.md
@@ -137,6 +137,7 @@ kubectl -n juice-shop annotate service juice-shop auto-discovery.securecodebox.i
 | config.containerAutoDiscovery.enabled | bool | `false` |  |
 | config.containerAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every pod is re-checked for updates, currently used to periodically check if the configured scantype is installed in the namespace of the pod |
 | config.containerAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating |
+| config.containerAutoDiscovery.scanConfigs[0].env | list | `[]` | allows to overwrite the env var list of the scan job. the value field supports templating. |
 | config.containerAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | hookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. |
 | config.containerAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating |
 | config.containerAutoDiscovery.scanConfigs[0].name | string | `"trivy"` | unique name to distinguish scans |
@@ -156,8 +157,9 @@ kubectl -n juice-shop annotate service juice-shop auto-discovery.securecodebox.i
 | config.resourceInclusion.mode | string | `"enabled-per-namespace"` |  |
 | config.serviceAutoDiscovery.enabled | bool | `true` |  |
 | config.serviceAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every service is re-checked for updated pods, if service object is updated directly this the service will get reconciled immediately |
-| config.serviceAutoDiscovery.scanConfigs[0] | object | `{"annotations":{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"},"hookSelector":{},"labels":{},"name":"zap","parameters":["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"],"repeatInterval":"168h","scanType":"zap-advanced-scan","volumeMounts":[],"volumes":[]}` | scanType used for the scans created by the serviceAutoDiscovery |
+| config.serviceAutoDiscovery.scanConfigs[0] | object | `{"annotations":{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"},"env":[],"hookSelector":{},"labels":{},"name":"zap","parameters":["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"],"repeatInterval":"168h","scanType":"zap-advanced-scan","volumeMounts":[],"volumes":[]}` | scanType used for the scans created by the serviceAutoDiscovery |
 | config.serviceAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating |
+| config.serviceAutoDiscovery.scanConfigs[0].env | list | `[]` | allows to overwrite the env var list of the scan job. the value field supports templating. |
 | config.serviceAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | HookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. |
 | config.serviceAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating |
 | config.serviceAutoDiscovery.scanConfigs[0].name | string | `"zap"` | unique name to distinguish scans |

diff --git a/auto-discovery/kubernetes/docs/README.ArtifactHub.md b/auto-discovery/kubernetes/docs/README.ArtifactHub.md
@@ -129,6 +129,7 @@ kubectl -n juice-shop annotate service juice-shop auto-discovery.securecodebox.i
 | config.containerAutoDiscovery.enabled | bool | `false` |  |
 | config.containerAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every pod is re-checked for updates, currently used to periodically check if the configured scantype is installed in the namespace of the pod |
 | config.containerAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating |
+| config.containerAutoDiscovery.scanConfigs[0].env | list | `[]` | allows to overwrite the env var list of the scan job. the value field supports templating. |
 | config.containerAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | hookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. |
 | config.containerAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating |
 | config.containerAutoDiscovery.scanConfigs[0].name | string | `"trivy"` | unique name to distinguish scans |
@@ -148,8 +149,9 @@ kubectl -n juice-shop annotate service juice-shop auto-discovery.securecodebox.i
 | config.resourceInclusion.mode | string | `"enabled-per-namespace"` |  |
 | config.serviceAutoDiscovery.enabled | bool | `true` |  |
 | config.serviceAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every service is re-checked for updated pods, if service object is updated directly this the service will get reconciled immediately |
-| config.serviceAutoDiscovery.scanConfigs[0] | object | `{"annotations":{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"},"hookSelector":{},"labels":{},"name":"zap","parameters":["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"],"repeatInterval":"168h","scanType":"zap-advanced-scan","volumeMounts":[],"volumes":[]}` | scanType used for the scans created by the serviceAutoDiscovery |
+| config.serviceAutoDiscovery.scanConfigs[0] | object | `{"annotations":{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"},"env":[],"hookSelector":{},"labels":{},"name":"zap","parameters":["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"],"repeatInterval":"168h","scanType":"zap-advanced-scan","volumeMounts":[],"volumes":[]}` | scanType used for the scans created by the serviceAutoDiscovery |
 | config.serviceAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating |
+| config.serviceAutoDiscovery.scanConfigs[0].env | list | `[]` | allows to overwrite the env var list of the scan job. the value field supports templating. |
 | config.serviceAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | HookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. |
 | config.serviceAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating |
 | config.serviceAutoDiscovery.scanConfigs[0].name | string | `"zap"` | unique name to distinguish scans |

diff --git a/auto-discovery/kubernetes/pkg/config/autodiscovery_config.go b/auto-discovery/kubernetes/pkg/config/autodiscovery_config.go
@@ -83,4 +83,5 @@ type ScanConfig struct {
 	Volumes        []corev1.Volume      `json:"volumes"`
 	VolumeMounts   []corev1.VolumeMount `json:"volumeMounts"`
 	HookSelector   metav1.LabelSelector `json:"hookSelector"`
+	Env            []corev1.EnvVar      `json:"env,omitempty"`
 }
diff --git a/auto-discovery/kubernetes/pkg/util/gotemplate.go b/auto-discovery/kubernetes/pkg/util/gotemplate.go
@@ -29,6 +29,9 @@ func templateOrPanic(templateString string, templateArgs interface{}) string {
 	var rawOutput bytes.Buffer
 	err = tmpl.Execute(&rawOutput, templateArgs)
 	output := rawOutput.String()
+	if err != nil {
+		panic(err)
+	}
 
 	if output != "" {
 		return output
@@ -128,6 +131,16 @@ func generateHookSelectors(scanConfig config.ScanConfig, templateArgs interface{
 	return hookSelector
 }
 
+func generateEnvVars(scanConfig config.ScanConfig, templateArgs interface{}) []corev1.EnvVar {
+	var envVars []corev1.EnvVar = []corev1.EnvVar{}
+	for _, envVar := range scanConfig.Env {
+		envVarCopy := envVar.DeepCopy()
+		envVarCopy.Value = templateOrPanic(envVarCopy.Value, templateArgs)
+		envVars = append(envVars, *envVarCopy)
+	}
+	return envVars
+}
+
 // GenerateScanSpec takes in both autoDiscoveryConfig and scanConfig as this function might be used by other controllers in the future, which can then pass in the their relevant scanConfig into this function
 func GenerateScanSpec(scanConfig config.ScanConfig, templateArgs interface{}) executionv1.ScheduledScanSpec {
 	parameters := scanConfig.Parameters
@@ -137,6 +150,7 @@ func GenerateScanSpec(scanConfig config.ScanConfig, templateArgs interface{}) ex
 	volumes := generateVolumes(scanConfig, templateArgs)
 	volumeMounts := generateVolumeMounts(scanConfig, templateArgs)
 	hookSelector := generateHookSelectors(scanConfig, templateArgs)
+	envVars := generateEnvVars(scanConfig, templateArgs)
 
 	scheduledScanSpec := executionv1.ScheduledScanSpec{
 		Interval: metav1.Duration{Duration: scanConfig.RepeatInterval},
@@ -146,6 +160,7 @@ func GenerateScanSpec(scanConfig config.ScanConfig, templateArgs interface{}) ex
 			Volumes:      volumes,
 			VolumeMounts: volumeMounts,
 			HookSelector: hookSelector,
+			Env:          envVars,
 		},
 		RetriggerOnScanTypeChange: true,
 	}

diff --git a/auto-discovery/kubernetes/pkg/util/gotemplate_test.go b/auto-discovery/kubernetes/pkg/util/gotemplate_test.go
@@ -233,6 +233,50 @@ var _ = Describe("gotemplate helper util", func() {
 					"bar": "foobar",
 				}))
 			})
+
+			It("should template with env vars", func() {
+				envVarConfig := []corev1.EnvVar{
+					{
+						Name:  "EXAMPLE_ENV_PLAIN",
+						Value: "foobar",
+					},
+					{
+						Name:  "EXAMPLE_ENV_TEMPLATED",
+						Value: "{{ .Target.Name }}",
+					},
+					{
+						Name: "EXAMPLE_ENV_VALUE_FROM",
+						ValueFrom: &corev1.EnvVarSource{
+							ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
+								LocalObjectReference: corev1.LocalObjectReference{
+									Name: "foobar-configmap",
+								},
+								Key: "key",
+							},
+						},
+					},
+				}
+				scanConfig := config.ScanConfig{
+					RepeatInterval: time.Hour,
+					Annotations:    map[string]string{},
+					Labels:         map[string]string{},
+					Parameters:     []string{"example.com"},
+					ScanType:       "nmap",
+					Env:            envVarConfig,
+				}
+
+				scanSpec := GenerateScanSpec(scanConfig, templateArgs)
+
+				Expect(scanSpec.ScanSpec.ScanType).To(Equal("nmap"))
+				Expect(scanSpec.ScanSpec.Env).To(BeEquivalentTo([]corev1.EnvVar{
+					envVarConfig[0],
+					{
+						Name:  "EXAMPLE_ENV_TEMPLATED",
+						Value: "foobar", // should be templated out
+					},
+					envVarConfig[2],
+				}))
+			})
 		})
 	})
 })

diff --git a/auto-discovery/kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap b/auto-discovery/kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap
@@ -19,6 +19,7 @@ matches the snapshot:
                   "defectdojo.securecodebox.io/product-name": "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}",
                   "defectdojo.securecodebox.io/product-tags": "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"
                 },
+                "env": [],
                 "hookSelector": {},
                 "labels": {},
                 "name": "trivy",
@@ -62,6 +63,7 @@ matches the snapshot:
                   "defectdojo.securecodebox.io/product-name": "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}",
                   "defectdojo.securecodebox.io/product-tags": "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"
                 },
+                "env": [],
                 "hookSelector": {},
                 "labels": {},
                 "name": "zap",

diff --git a/auto-discovery/kubernetes/values.yaml b/auto-discovery/kubernetes/values.yaml
@@ -55,6 +55,9 @@ config:
         # All values in the matchLabels map support templating.
         # MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list.
         hookSelector: {}
+        # -- allows to overwrite the env var list of the scan job.
+        # the value field supports templating.
+        env: []
 
   containerAutoDiscovery:
     enabled: false
@@ -88,6 +91,9 @@ config:
         # All values in the matchLabels map support templating.
         # MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list.
         hookSelector: {}
+        # -- allows to overwrite the env var list of the scan job.
+        # the value field supports templating.
+        env: []
   imagePullSecretConfig:
       mapImagePullSecretsToEnvironmentVariables: true
       usernameEnvironmentVariableName: "TRIVY_USERNAME"