secureCodeBox · J12934 · Jul 18, 2025 · Jun 20, 2025 · Jul 14, 2025 · Jul 14, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -431,6 +431,7 @@ jobs:
           - semgrep
           - ssh-audit
           - sslyze
+          - subfinder
           - trivy
           - trivy-sbom
           - whatweb

diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml
@@ -335,6 +335,7 @@ jobs:
           - semgrep
           - ssh-audit
           - sslyze
+          - subfinder
           - test-scan
           - trivy
           - trivy-sbom

diff --git a/.gitignore b/.gitignore
@@ -59,6 +59,7 @@ report
 
 # Documentation
 ## Documentation build files
+documentation/build/
 documentation/.docusaurus
 documentation/.cache-loader
 ## Documentation generated files
@@ -73,4 +74,5 @@ documentation/.author_meta
 **/node_modules/
 
 # we still use package-lock.json from node as we still use node for our acutal production containers
-bun.lock
+bun.lock
+
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
@@ -58,4 +58,5 @@ Committing with `git commit -s` will add the sign-off at the end of the commit m
 - Eline Henriksen <mains.moon.0x@icloud.com>
 - Michael Kruggel <michael.kruggel@defenseunicorns.com>
 - Ochi Daiki <lbfdeatq@gmail.com>
-- Kai Schäfer <kai.schaefer@claranet.com>
+- Kai Schäfer <kai.schaefer@claranet.com>
+- Joel Saß <joel.sass@iteratec.com>
diff --git a/documentation/src/integrations.js b/documentation/src/integrations.js
@@ -167,6 +167,13 @@ export const Scanners = [
     path: "docs/scanners/sslyze",
     imageUrl: "img/integrationIcons/SSLyze.svg",
   },
+  {
+    title: "subfinder",
+    type: "Network",
+    usecase: "Subdomain Enumeration Scanner",
+    path: "docs/scanners/subfinder",
+    imageUrl: "img/integrationIcons/Default.svg",
+  },
   {
     title: "Trivy SBOM",
     type: "Container",

diff --git a/scanners/subfinder/.gitignore b/scanners/subfinder/.gitignore
@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+*.tar
diff --git a/scanners/subfinder/.helm-docs.gotmpl b/scanners/subfinder/.helm-docs.gotmpl
@@ -0,0 +1,51 @@
+{{- /*
+SPDX-FileCopyrightText: the secureCodeBox authors
+
+SPDX-License-Identifier: Apache-2.0
+*/ -}}
+
+{{- define "extra.docsSection" -}}
+---
+title: "subfinder"
+category: "scanner"
+type: "Network"
+state: "released"
+appVersion: "{{ template "chart.appVersion" . }}"
+usecase: "Subdomain Enumeration Scanner"
+---
+
+![subfinder Logo.png](https://raw.githubusercontent.com/projectdiscovery/subfinder/refs/heads/dev/static/subfinder-logo.png)
+
+{{- end }}
+
+{{- define "extra.dockerDeploymentSection" -}}
+## Supported Tags
+- `latest`  (represents the latest stable release build)
+- tagged releases, e.g. `{{ template "chart.appVersion" . }}`
+{{- end }}
+
+{{- define "extra.chartAboutSection" -}}
+## What is subfinder?
+
+[Project Discovery's subfinder](https://github.com/projectdiscovery/subfinder) is a subdomain discovery tool that returns
+valid subdomains for websites, using passive online sources, while also providing the ability to actively validate found subdomains.
+{{- end }}
+
+{{- define "extra.scannerConfigurationSection" -}}
+## Scanner Configuration
+The following scan configuration examples are based on the official [documentation](https://docs.projectdiscovery.io/tools/subfinder/usage),
+please take a look at the original documentation for more configuration examples.
+
+- Passive scan for subdomains `subfinder -d example.com`
+- Active scan with ips of validated subdomains `subfinder -active -oI -d example.com`
+
+{{- end }}
+
+{{- define "extra.chartConfigurationSection" -}}
+{{- end }}
+
+{{- define "extra.scannerLinksSection" -}}
+[Subfinder Overview]: https://docs.projectdiscovery.io/tools/subfinder/overview
+[Subfinder Git]: https://github.com/projectdiscovery/subfinder
+{{- end }}
+
diff --git a/scanners/subfinder/.helmignore b/scanners/subfinder/.helmignore
@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Node.js files
+node_modules/*
+package.json
+package-lock.json
+src/*
+config/*
+Dockerfile
+.dockerignore
+*.tar
+parser/*
+scanner/*
+integration-tests/*
+examples/*
+docs/*
+Makefile
diff --git a/scanners/subfinder/Chart.yaml b/scanners/subfinder/Chart.yaml
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v2
+name: subfinder
+description: A Helm chart for the subfinder security Scanner that integrates with the secureCodeBox.
+
+type: application
+# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
+version: v3.1.0-alpha1
+appVersion: "v2.7.0"
+kubeVersion: ">=v1.11.0-0"
+annotations:
+  versionApi: https://api.github.com/repos/projectdiscovery/subfinder/releases/latest
+  # supported cpu architectures for which docker images for the scanner should be build, e.g. "linux/amd64,linux/arm64"
+  supported-platforms: linux/amd64
+keywords:
+  - security
+  - subfinder
+  - scanner
+  - secureCodeBox
+  - subdomain
+  - discovery
+home: https://github.com/projectdiscovery/subfinder
+icon: https://www.securecodebox.io/img/integrationIcons/subfinder.svg
+sources:
+  - https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+  - name: iteratec GmbH
+    email: secureCodeBox@iteratec.com
diff --git a/scanners/subfinder/README.md b/scanners/subfinder/README.md
@@ -0,0 +1,115 @@
+---
+title: "subfinder"
+category: "scanner"
+type: "Network"
+state: "released"
+appVersion: "v2.7.0"
+usecase: "Subdomain Enumeration Scanner"
+---
+
+![subfinder Logo.png](https://raw.githubusercontent.com/projectdiscovery/subfinder/refs/heads/dev/static/subfinder-logo.png)
+
+<!--
+SPDX-FileCopyrightText: the secureCodeBox authors
+
+SPDX-License-Identifier: Apache-2.0
+-->
+<!--
+.: IMPORTANT! :.
+--------------------------
+This file is generated automatically with `helm-docs` based on the following template files:
+- ./.helm-docs/templates.gotmpl (general template data for all charts)
+- ./chart-folder/.helm-docs.gotmpl (chart specific template data)
+
+Please be aware of that and apply your changes only within those template files instead of this file.
+Otherwise your changes will be reverted/overwritten automatically due to the build process `./.github/workflows/helm-docs.yaml`
+--------------------------
+-->
+
+<p align="center">
+  <a href="https://opensource.org/licenses/Apache-2.0"><img alt="License Apache-2.0" src="https://img.shields.io/badge/License-Apache%202.0-blue.svg"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/releases/latest"><img alt="GitHub release (latest SemVer)" src="https://img.shields.io/github/v/release/secureCodeBox/secureCodeBox?sort=semver"/></a>
+  <a href="https://owasp.org/www-project-securecodebox/"><img alt="OWASP Lab Project" src="https://img.shields.io/badge/OWASP-Lab%20Project-yellow"/></a>
+  <a href="https://artifacthub.io/packages/search?repo=securecodebox"><img alt="Artifact HUB" src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/securecodebox"/></a>
+  <a href="https://github.com/secureCodeBox/secureCodeBox/"><img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/secureCodeBox/secureCodeBox?logo=GitHub"/></a>
+  <a href="https://infosec.exchange/@secureCodeBox"><img alt="Mastodon Follower" src="https://img.shields.io/mastodon/follow/111902499714281911?domain=https%3A%2F%2Finfosec.exchange%2F"/></a>
+</p>
+
+## What is subfinder?
+
+[Project Discovery's subfinder](https://github.com/projectdiscovery/subfinder) is a subdomain discovery tool that returns
+valid subdomains for websites, using passive online sources, while also providing the ability to actively validate found subdomains.
+
+## Deployment
+The subfinder chart can be deployed via helm:
+
+```bash
+# Install HelmChart (use -n to configure another namespace)
+helm upgrade --install subfinder oci://ghcr.io/securecodebox/helm/subfinder
+```
+
+## Scanner Configuration
+The following scan configuration examples are based on the official [documentation](https://docs.projectdiscovery.io/tools/subfinder/usage),
+please take a look at the original documentation for more configuration examples.
+
+- Passive scan for subdomains `subfinder -d example.com`
+- Active scan with ips of validated subdomains `subfinder -active -oI -d example.com`
+
+## Requirements
+
+Kubernetes: `>=v1.11.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| cascadingRules.enabled | bool | `false` | Enables or disables the installation of the default cascading rules for this scanner |
+| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
+| parser.affinity | object | `{}` | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
+| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
+| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
+| parser.image.repository | string | `"docker.io/securecodebox/parser-subfinder"` | Parser image repository |
+| parser.image.tag | string | defaults to the charts version | Parser image tag |
+| parser.nodeSelector | object | `{}` |  |
+| parser.resources | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
+| parser.scopeLimiterAliases | object | `{}` | Optional finding aliases to be used in the scopeLimiter. |
+| parser.tolerations | list | `[]` | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
+| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| scanner.activeDeadlineSeconds | string | `nil` | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |
+| scanner.affinity | object | `{}` | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
+| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
+| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
+| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
+| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
+| scanner.image.repository | string | `"docker.io/projectdiscovery/subfinder"` | Container Image to run the scan |
+| scanner.image.tag | string | `nil` | defaults to the charts appVersion |
+| scanner.nameAppend | string | `nil` | append a string to the default scantype name. |
+| scanner.nodeSelector | object | `{}` | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) |
+| scanner.podSecurityContext | object | `{}` | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
+| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
+| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
+| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. |
+| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode |
+| scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system |
+| scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user |
+| scanner.suspend | bool | `false` | if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume <jobname>` or using a job scheduler like kueue |
+| scanner.tolerations | list | `[]` | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
+| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+
+## License
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+
+Code of secureCodeBox is licensed under the [Apache License 2.0][scb-license].
+
+[scb-owasp]:    https://www.owasp.org/index.php/OWASP_secureCodeBox
+[scb-docs]:     https://www.securecodebox.io/
+[scb-site]:     https://www.securecodebox.io/
+[scb-github]:   https://github.com/secureCodeBox/
+[scb-mastodon]: https://infosec.exchange/@secureCodeBox
+[scb-slack]:    https://owasp.org/slack/invite
+[scb-license]:  https://github.com/secureCodeBox/secureCodeBox/blob/master/LICENSE
+[Subfinder Overview]: https://docs.projectdiscovery.io/tools/subfinder/overview
+[Subfinder Git]: https://github.com/projectdiscovery/subfinder
diff --git a/scanners/subfinder/Taskfile.yaml b/scanners/subfinder/Taskfile.yaml
@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+version: "3.44.0"
+
+includes:
+  scanner:
+    taskfile: ../Taskfile.yaml
+    flatten: true
+    vars:
+      scannerName: subfinder
+
+tasks: {}
-Original file line number
+Diff line change
@@ Expand Up / @@ -431,6 +431,7 @@ jobs: @@
               - semgrep
               - ssh-audit
               - sslyze
+              - subfinder
               - trivy
               - trivy-sbom
               - whatweb
@@ Expand Down @@