This repository was archived by the owner on Oct 14, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 5
490 lines (488 loc) · 19.4 KB
/
ci.yaml
File metadata and controls
490 lines (488 loc) · 19.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
on: push
name: "CI"
jobs:
unit:
name: "Test / Unit / Node.js Code"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: "list files and folders"
run: ls
- name: "Install npm dependencies in all parser sub projects"
run: |
for dir in scanners/*/parser/
do
cd $dir
if [ -f package.json ] && [ -f package-lock.json ]; then
echo "Installing dependencies for $dir"
npm ci
fi
# cd back
cd -
done
- name: "Install npm dependencies in all hook sub projects"
run: |
for dir in hooks/*/
do
cd $dir
if [ -f package.json ] && [ -f package-lock.json ]; then
echo "Installing dependencies for $dir"
npm ci
fi
# cd back
cd -
done
- name: "Install npm test dependencies"
run: |
npm ci
cd scanners/
npm ci
cd -
cd hooks/
npm ci
- name: "Compile Typescript"
run: |
cd hooks/declarative-subsequent-scans
npm run build
- name: "Run tests & publish code coverage"
uses: paambaati/codeclimate-action@v2.6.0
env:
CC_TEST_REPORTER_ID: 545b7af20f13dc58a3284275828532a26d89a8e90c8f276fb54a23d78bae7a19
with:
coverageCommand: npm test -- --ci --colors --coverage
operator:
name: "Build / Operator"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/setup-go@v2-beta
with:
go-version: "1.15"
- name: "Lint Operator Go Code"
run: |
cd operator/
go fmt ./...
go vet ./...
- name: "Build'n Push Operator"
uses: docker/build-push-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/operator
tag_with_ref: true
tag_with_sha: true
path: ./operator/
lurcher:
name: "Build / Lurcher"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/setup-go@v2-beta
with:
go-version: "1.15"
- name: "Lint Lurcher Go Code"
run: |
cd lurcher/
go fmt ./...
go vet ./...
- uses: docker/build-push-action@v1
name: "Build & Push Lurcher Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/lurcher
tag_with_ref: true
tag_with_sha: true
path: ./lurcher/
parserImages:
name: "Build / Parsers"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
# SDK
- uses: docker/build-push-action@v1
name: "Build & Push Parser SDK"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-sdk-nodejs
path: ./parser-sdk/nodejs/
tag_with_ref: true
tag_with_sha: true
tags: "ci-local"
# Actual Parsers
- uses: docker/build-push-action@v1
name: "Build & Push Amass Parser Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-amass
path: ./scanners/amass/parser/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push kube-hunter Parser Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-kube-hunter
path: ./scanners/kube-hunter/parser/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push Ncrack Parser Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-ncrack
path: ./scanners/ncrack/parser/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push Nikto Parser Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-nikto
path: ./scanners/nikto/parser/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push Nmap Parser Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-nmap
path: ./scanners/nmap/parser/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push ssh_scan Parser Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-ssh-scan
path: ./scanners/ssh_scan/parser/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push SSLyze Parser Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-sslyze
path: ./scanners/sslyze/parser/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push test-scan Parser Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-test-scan
path: ./scanners/test-scan/parser/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push Trivy Parser Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-trivy
path: ./scanners/trivy/parser/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push OWASP Zap Parser Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-zap
path: ./scanners/zap/parser/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push wpscan Parser Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/parser-wpscan
path: ./scanners/wpscan/parser/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
hookImages:
name: "Build / Hooks"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
# SDK
- uses: docker/build-push-action@v1
name: "Build & Push Hook SDK"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/hook-sdk-nodejs
path: ./hook-sdk/nodejs/
tag_with_ref: true
tags: "ci-local"
# Actual PersistenceProviders
- uses: docker/build-push-action@v1
name: "Build & Push Elastic PersistenceProvider Hook Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/persistence-elastic
path: ./hooks/persistence-elastic/
tag_with_ref: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push Elastic PersistenceProvider Dashboard Importer Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/persistence-elastic-dashboard-importer
path: ./hooks/persistence-elastic/dashboardImporter/
tag_with_ref: true
- uses: docker/build-push-action@v1
name: "Build & Push GenericWebhook Hook Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/generic-webhook
path: ./hooks/generic-webhook/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push DeclarativeSubsequentScans Hook Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/hook-declarative-subsequent-scans
path: ./hooks/declarative-subsequent-scans/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
- uses: docker/build-push-action@v1
name: "Build & Push UpdateField Hook Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/update-field
path: ./hooks/update-field/
tag_with_ref: true
tag_with_sha: true
build_args: baseImageTag=ci-local
scannerImages:
# Note we only build images for scanner that don't provider official public container images
name: "Build / Scanner"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: docker/build-push-action@v1
name: "Build & Push Ncrack Scanner Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/scanner-ncrack
path: ./scanners/ncrack/scanner/
# Note: not prefixed with a "v" as this seems to match ncrack versioning standards
tags: "0.7,latest"
- uses: docker/build-push-action@v1
name: "Build & Push Nmap Scanner Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/scanner-nmap
path: ./scanners/nmap/scanner/
# Note: not prefixed with a "v" as this seems to match nmap versioning standards
tags: "7.80,7.80-r2,latest"
- uses: docker/build-push-action@v1
name: "Build & Push kube-hunter Scanner Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/scanner-kube-hunter
path: ./scanners/kube-hunter/scanner/
# Note: not prefixed with a "v" as this matches the aquasec/kube-hunter tags
tags: "0.3.0,latest"
- uses: docker/build-push-action@v1
name: "Build & Push test-scan Scanner Image"
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: securecodebox/scanner-test-scan
path: ./scanners/test-scan/scanner/
# Note: not prefixed with a "v" as this seems to match nmap versioning standards
tag_with_ref: true
tag_with_sha: true
integrationTests:
name: "Test / Integration / k8s ${{ matrix.k8sVersion }}"
needs:
- scannerImages
- hookImages
- parserImages
- operator
- lurcher
runs-on: ubuntu-latest
strategy:
matrix:
k8sVersion: ["1.19.0", "1.18.8", "1.17.5", "1.16.9"]
steps:
- uses: actions/checkout@master
- name: "Start kind cluster"
run: |
kind create cluster --image kindest/node:v${{ matrix.k8sVersion }} --wait 3m
- name: "Inspect kind cluster"
run: |
kubectl config current-context
kubectl get node
- name: "Install Operator"
run: |
# Namespace in which the scans for the tests will be executed
kubectl create namespace integration-tests
# Operator Namespace
kubectl create namespace securecodebox-system
# Install Operator using the images of the current commit
helm -n securecodebox-system install securecodebox-operator ./operator/ --wait \
--set="image.tag=sha-$(git rev-parse --short HEAD)" \
--set="lurcher.image.tag=sha-$(git rev-parse --short HEAD)" \
- name: "Inspect Operator"
run: |
echo "Deployment in namespace 'securecodebox-system'"
kubectl -n securecodebox-system get deployments
echo "Pods in namespace 'securecodebox-system'"
kubectl -n securecodebox-system get pods
echo "Operator Startup Logs"
kubectl -n securecodebox-system logs deployment/securecodebox-controller-manager
- name: "Create 'demo-apps' namespace"
run: "kubectl create namespace demo-apps"
- name: "Install Test Dependencies"
run: |
cd tests/integration/
npm ci
# This steps should include Integration tests which are not related to a Specific Scanner
- name: "Throws NoScanDefiniton Error Integration Tests"
run: |
cd tests/integration/
npx jest --ci --color no-scan-definition-error
- name: "Hooks (ReadAndWrite) Integration Tests"
run: |
helm -n integration-tests install update-category ./hooks/update-field/ \
--set="image.tag=sha-$(git rev-parse --short HEAD)" \
--set="attribute.name=category" \
--set="attribute.value=fancy-category"
helm -n integration-tests install update-severity ./hooks/update-field/ \
--set="image.tag=sha-$(git rev-parse --short HEAD)" \
--set="attribute.name=severity" \
--set="attribute.value=high"
helm -n integration-tests install test-scan ./scanners/test-scan/ \
--set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
--set="image.tag=sha-$(git rev-parse --short HEAD)"
cd tests/integration/
npx jest --ci --color read-write-hook
helm -n integration-tests uninstall test-scan update-category update-severity
- name: "Hooks (ReadOnly) Integration Tests"
run: |
helm -n integration-tests install test-scan ./scanners/test-scan/ \
--set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
--set="image.tag=sha-$(git rev-parse --short HEAD)"
helm -n integration-tests install http-webhook ./demo-apps/http-webhook
helm -n integration-tests install ro-hook ./hooks/generic-webhook/ \
--set="webhookUrl=http://http-webhook/hallo-welt" \
--set="image.tag=sha-$(git rev-parse --short HEAD)"
cd tests/integration/
npx jest --ci --color read-only-hook
helm -n integration-tests uninstall test-scan http-webhook ro-hook
- name: "Install Demo Apps"
run: |
# Install dummy-ssh app
helm -n demo-apps install dummy-ssh ./demo-apps/dummy-ssh/ --wait
# Install plain nginx server
kubectl create deployment --image nginx:alpine nginx --namespace demo-apps
kubectl expose deployment nginx --port 80 --namespace demo-apps
- name: "nmap Integration Tests"
run: |
helm -n integration-tests install nmap ./scanners/nmap/ \
--set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
--set="image.tag=7.80"
cd tests/integration/
npx jest --ci --color nmap
- name: "ncrack Integration Tests"
run: |
helm -n integration-tests install ncrack ./scanners/ncrack/ \
--set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
--set="image.tag=0.7"
cd tests/integration/
npx jest --ci --color ncrack
- name: "kube-hunter Integration Tests"
run: |
helm -n integration-tests install kube-hunter ./scanners/kube-hunter/ \
--set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
--set="image.tag=0.3.0"
cd tests/integration/
npx jest --ci --color kube-hunter
- name: "ssh-scan Integration Tests"
run: |
helm -n integration-tests install ssh-scan ./scanners/ssh_scan/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
cd tests/integration/
npx jest --ci --color ssh-scan
- name: "zap Integration Tests"
run: |
helm -n integration-tests install zap ./scanners/zap/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
cd tests/integration/
npx jest --ci --color zap
- name: "cascading Scans Integration Tests"
run: |
# We'll run these in a separate namespace so that only the cascadingRules we want to test will be used
kubectl create namespace cascading-tests
# Install declarative-subsequent-scans hook
helm upgrade --install dssh ./hooks/declarative-subsequent-scans/ -n cascading-tests
# Install nmap
helm -n cascading-tests install nmap ./scanners/nmap/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
# Install ncrack
printf "root\nadmin\n" > users.txt
printf "THEPASSWORDYOUCREATED\n123456\npassword\n" > passwords.txt
kubectl create secret generic --from-file users.txt --from-file passwords.txt ncrack-lists -n cascading-tests
cat <<EOF | helm -n cascading-tests install ncrack ./scanners/ncrack --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" --values -
scannerJob:
extraVolumes:
- name: ncrack-lists
secret:
secretName: ncrack-lists
extraVolumeMounts:
- name: ncrack-lists
mountPath: "/ncrack/"
EOF
# Actually run the tests
cd tests/integration/
npx jest --ci --color cascade
- name: Inspect Post Failure
if: failure()
run: |
kubectl -n integration-tests get scan -o wide
kubectl -n integration-tests get jobs -o wide
kubectl -n integration-tests get pods -o wide
- name: "Inspect Operator"
if: failure()
run: |
echo "Deployment in namespace 'securecodebox-system'"
kubectl -n securecodebox-system get deployments
echo "Deployment in namespace 'securecodebox-system'"
kubectl -n securecodebox-system get pods
echo "Operator Startup Logs"
kubectl -n securecodebox-system logs deployment/securecodebox-controller-manager
- name: "Delete kind cluster"
run: |
kind delete cluster