secureCodeBox · Weltraumschaf · Nov 6, 2025 · Nov 5, 2025 · Nov 5, 2025 · Nov 5, 2025
diff --git a/scanners/sslyze/examples/untrusted-root/README.md b/scanners/sslyze/examples/untrusted-root/README.md
@@ -0,0 +1,15 @@
+<!--
+SPDX-FileCopyrightText: the secureCodeBox authors
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# SSLyze Scan with Custom CA Certificate
+
+This example demonstrates how to use SSLyze with a custom CA certificate file to validate certificates that are signed by an internal or private Certificate Authority (CA).
+
+## Overview
+
+When scanning internal services or applications that use certificates signed by a private/internal CA, SSLyze will typically report these certificates as untrusted because the CA is not in the standard trust stores (Mozilla, Apple, Windows, etc.).
+
+By providing a custom CA certificate file using the `--certinfo_ca_file` parameter, you can instruct SSLyze to trust certificates signed by your internal CA, preventing false positive "Untrusted Certificate Root" findings.
diff --git a/scanners/sslyze/examples/untrusted-root/scan.yaml b/scanners/sslyze/examples/untrusted-root/scan.yaml
@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: the secureCodeBox authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: custom-root-ca
+data:
+  # This is a mock root CA certificate for demonstration purposes
+  # In a real scenario, you would replace this with your actual internal/private CA certificate
+  root-ca.pem: |-
+    -----BEGIN CERTIFICATE-----
+    MIIDXTCCAkWgAwIBAgIJAKL0UG+mRKSzMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+    ...
+    9qS6wZ0yC2sL8nK5xR7tH0qS7wZ1yD3sL9nL6xR8tI1qS8w==
+    -----END CERTIFICATE-----
+
+---
+apiVersion: "execution.securecodebox.io/v1"
+kind: Scan
+metadata:
+  name: "sslyze-untrusted-root-with-ca"
+spec:
+  scanType: "sslyze"
+  parameters:
+    # Provide the custom CA file to validate certificates
+    - "--certinfo_ca_file"
+    - "/ca-certs/root-ca.pem"
+    # Target host with untrusted root certificate
+    - "untrusted-root.example.com"
+  volumeMounts:
+    - name: custom-root-ca
+      mountPath: /ca-certs
+      readOnly: true
+  volumes:
+    - name: custom-root-ca
+      configMap:
+        name: custom-root-ca
diff --git a/scanners/sslyze/parser/__testFiles__/expired.badssl.com.json b/scanners/sslyze/parser/__testFiles__/expired.badssl.com.json
diff --git a/scanners/sslyze/parser/__testFiles__/google.com.json b/scanners/sslyze/parser/__testFiles__/google.com.json
diff --git a/scanners/sslyze/parser/__testFiles__/regen-testfiles.sh b/scanners/sslyze/parser/__testFiles__/regen-testfiles.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: the secureCodeBox authors
+# SPDX-License-Identifier: Apache-2.0
+
+# Script to regenerate sslyze test files using Docker
+# This script runs sslyze against various test targets and saves the JSON output
+
+set -uo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CHART_FILE="${SCRIPT_DIR}/../../Chart.yaml"
+
+# Read sslyze version from Chart.yaml using yq
+SSLYZE_VERSION=$(yq eval '.appVersion' "${CHART_FILE}")
+
+echo "Regenerating sslyze test files using version ${SSLYZE_VERSION}..."
+
+# expired.badssl.com
+echo "Scanning expired.badssl.com..."
+docker run --rm -v "${SCRIPT_DIR}:/output" nablac0d3/sslyze:${SSLYZE_VERSION} \
+  --json_out /output/expired.badssl.com.json \
+  expired.badssl.com || true
+
+# google.com
+echo "Scanning google.com..."
+docker run --rm -v "${SCRIPT_DIR}:/output" nablac0d3/sslyze:${SSLYZE_VERSION} \
+  --json_out /output/google.com.json \
+  google.com || true
+
+# revoked.badssl.com
+echo "Scanning revoked.badssl.com..."
+docker run --rm -v "${SCRIPT_DIR}:/output" nablac0d3/sslyze:${SSLYZE_VERSION} \
+  --json_out /output/revoked.badssl.com.json \
+  revoked.badssl.com || true
+
+# self-signed.badssl.com
+echo "Scanning self-signed.badssl.com..."
+docker run --rm -v "${SCRIPT_DIR}:/output" nablac0d3/sslyze:${SSLYZE_VERSION} \
+  --json_out /output/self-signed.badssl.com.json \
+  self-signed.badssl.com || true
+
+# tls-v1-0.badssl.com:1010
+echo "Scanning tls-v1-0.badssl.com:1010..."
+docker run --rm -v "${SCRIPT_DIR}:/output" nablac0d3/sslyze:${SSLYZE_VERSION} \
+  --json_out /output/tls-v1-0.badssl.com_1010.json \
+  tls-v1-0.badssl.com:1010 || true
+
+# untrusted-root.badssl.com
+echo "Scanning untrusted-root.badssl.com..."
+docker run --rm -v "${SCRIPT_DIR}:/output" nablac0d3/sslyze:${SSLYZE_VERSION} \
+  --json_out /output/untrusted-root.badssl.com.json \
+  untrusted-root.badssl.com || true
+
+# wrong.host.badssl.com
+echo "Scanning wrong.host.badssl.com..."
+docker run --rm -v "${SCRIPT_DIR}:/output" nablac0d3/sslyze:${SSLYZE_VERSION} \
+  --json_out /output/wrong.host.badssl.com.json \
+  wrong.host.badssl.com || true
+
+# www.securecodebox.io
+echo "Scanning www.securecodebox.io..."
+docker run --rm -v "${SCRIPT_DIR}:/output" nablac0d3/sslyze:${SSLYZE_VERSION} \
+  --json_out /output/www.securecodebox.io.json \
+  www.securecodebox.io || true
+
+echo "Done! Test files regenerated."
+echo ""
+echo "Note: The following test files are special cases and not regenerated by this script:"
+echo "  - no-certificate_deployments.json (special test case)"
+echo "  - test-empty-report.json (special test case)"
+echo "  - unavailable-host.json (special test case)"