Sign upLogin

secureCodeBox/secureCodeBox

View on GitHub
Star
auto-discovery/kubernetes/auto-discovery-config.yaml

Summary

Maintainability
Test Coverage
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

# This is a config you can use to run / test / debug the auto-discovery locally while developing

apiVersion: config.securecodebox.io/v1
kind: AutoDiscoveryConfig

# kubebuilder config

metrics:
  bindAddress: 127.0.0.1:8081
# webhook:
#   port: 9443
leaderElection:
  leaderElect: false
  resourceName: 80807133.tutorial.kubebuilder.io

# secureCodeBox AutoDiscovery Config
cluster:
  name: docker-desktop

resourceInclusion:
  mode: enabled-per-namespace

serviceAutoDiscovery:
  enabled: true
  passiveReconcileInterval: 10s
  scanConfigs:
    - scanType: zap-advanced-scan
      # -- unique name to distinguish scans
      name: "zap"
      # -- parameters used for the scans created by the serviceAutoDiscovery
      parameters:
        - "-t"
        - "{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"
      # -- interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset.
      repeatInterval: "168h"
      # -- labels to be added to the scans started by the auto-discovery
      labels: {}
      # -- hookSelector allows to specify a LabelSelector with which the hooks are selected
      hookSelector: {}
      # -- annotations to be added to the scans started by the auto-discovery
      annotations:
        defectdojo.securecodebox.io/product-name: "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}"
        defectdojo.securecodebox.io/product-tags: "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"
        defectdojo.securecodebox.io/engagement-name: "{{ .Target.Name }}"
        defectdojo.securecodebox.io/engagement-version: "{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}"

containerAutoDiscovery:
  enabled: true
  passiveReconcileInterval: 10s
  scanConfigs:
    - scanType: trivy-image-autodiscovery
      # -- unique name to distinguish scans
      name: "trivy"
      # -- parameters used for the scans created by the containerAutoDiscovery
      parameters:
        - "{{ .ImageID }}"
      # -- interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset.
      repeatInterval: "168h"
      # -- labels to be added to the scans started by the auto-discovery
      labels: {}
      # -- annotations to be added to the scans started by the auto-discovery
      annotations:
        defectdojo.securecodebox.io/product-name: "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}"
        defectdojo.securecodebox.io/product-tags: "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"
        defectdojo.securecodebox.io/engagement-name: "{{ .Target.Name }}"
        defectdojo.securecodebox.io/engagement-version: "{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}"
      # -- hookSelector allows to specify a LabelSelector with which the hooks are selected
      hookSelector: {}
  imagePullSecretConfig:
    mapImagePullSecretsToEnvironmentVariables: true
    usernameEnvironmentVariableName: "TRIVY_USERNAME"
    passwordEnvironmentVariableName: "TRIVY_PASSWORD"