# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

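apiVersion: "execution.securecodebox.io/v1"
kind: ScanType
metadata:
  # nameAppend lets several releases of this chart register distinct ScanTypes.
  name: "zap-baseline-scan{{ .Values.scanner.nameAppend | default ""}}"
spec:
  extractResults:
    # The zap-xml parser reads the report the container writes via the relative
    # "-x" argument below; the two paths must stay in sync.
    type: zap-xml
    location: "/home/securecodebox/zap-results.xml"
  jobTemplate:
    spec:
      suspend: {{ .Values.scanner.suspend | default false }}
      {{- if .Values.scanner.ttlSecondsAfterFinished }}
      ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
      {{- end }}
      # Rendered without an if-guard on purpose: an explicit 0 ("never retry")
      # is falsy in Go templates and would otherwise be dropped.
      backoffLimit: {{ .Values.scanner.backoffLimit }}
      # Upper bound on the job's wall-clock runtime; a hung scan is terminated
      # instead of holding the job open indefinitely.
      {{- if .Values.scanner.activeDeadlineSeconds }}
      activeDeadlineSeconds: {{ .Values.scanner.activeDeadlineSeconds }}
      {{- end }}
      template:
        spec:
          # Safe together with "-I" below: ZAP exits 0, so failures surface
          # through the result file rather than through container restarts.
          restartPolicy: Never
          affinity:
            {{- toYaml .Values.scanner.affinity | nindent 12 }}
          tolerations:
            {{- toYaml .Values.scanner.tolerations | nindent 12 }}
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # Pod-level security context (fsGroup, runAsNonRoot, ...) from values.
          securityContext:
            {{- toYaml .Values.scanner.podSecurityContext | nindent 12 }}
          containers:
            - name: zap-baseline-scan
              image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
              imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
              # Only the fixed arguments live here; the target and further
              # options are presumably appended from the Scan's parameters.
              command:
                - "zap-baseline.py"
                # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.
                - "-I"
                # Write an XML report to the path given next.
                - "-x"
                # ZAP Baseline Script doesn't allow absolute paths...
                # Hacky workaround: specify a relative path to the `/zap/wrk` base dir.
                # Must resolve to spec.extractResults.location above.
                - "../../home/securecodebox/zap-results.xml"
              resources:
                {{- toYaml .Values.scanner.resources | nindent 16 }}
              # Container-level security context; complements the pod-level one.
              securityContext:
                {{- toYaml .Values.scanner.securityContext | nindent 16 }}
              env:
                {{- toYaml .Values.scanner.env | nindent 16 }}
              envFrom:
                {{- toYaml .Values.scanner.envFrom | nindent 16 }}
              volumeMounts:
                {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
            {{- if .Values.scanner.extraContainers }}
            {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
            {{- end }}
          volumes:
            {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
          {{- with .Values.scanner.nodeSelector }}
          nodeSelector:
            {{- toYaml . | nindent 12 }}
          {{- end }}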
---
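apiVersion: "execution.securecodebox.io/v1"
kind: ScanType
metadata:
  # nameAppend lets several releases of this chart register distinct ScanTypes.
  name: "zap-api-scan{{ .Values.scanner.nameAppend | default ""}}"
spec:
  extractResults:
    # The zap-xml parser reads the report the container writes via the relative
    # "-x" argument below; the two paths must stay in sync.
    type: zap-xml
    location: "/home/securecodebox/zap-results.xml"
  jobTemplate:
    spec:
      suspend: {{ .Values.scanner.suspend | default false }}
      {{- if .Values.scanner.ttlSecondsAfterFinished }}
      ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
      {{- end }}
      # Same retry/deadline settings as zap-baseline-scan, so all ZAP ScanTypes
      # of this chart honour the same values. Rendered without an if-guard so an
      # explicit 0 ("never retry") is not dropped as falsy.
      backoffLimit: {{ .Values.scanner.backoffLimit }}
      {{- if .Values.scanner.activeDeadlineSeconds }}
      activeDeadlineSeconds: {{ .Values.scanner.activeDeadlineSeconds }}
      {{- end }}
      template:
        spec:
          # Safe together with "-I" below: ZAP exits 0, so failures surface
          # through the result file rather than through container restarts.
          restartPolicy: Never
          affinity:
            {{- toYaml .Values.scanner.affinity | nindent 12 }}
          tolerations:
            {{- toYaml .Values.scanner.tolerations | nindent 12 }}
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # Pod-level security context (fsGroup, runAsNonRoot, ...) from values.
          securityContext:
            {{- toYaml .Values.scanner.podSecurityContext | nindent 12 }}
          containers:
            - name: zap-api-scan
              image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
              # Was missing here while present on the other ScanTypes; without
              # it the cluster default applies regardless of the chart value.
              imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
              # Only the fixed arguments live here; the target and further
              # options are presumably appended from the Scan's parameters.
              command:
                - "zap-api-scan.py"
                # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.
                - "-I"
                # Write an XML report to the path given next.
                - "-x"
                # Like zap-baseline.py, this script doesn't allow absolute paths...
                # Hacky workaround: specify a relative path to the `/zap/wrk` base dir.
                # Must resolve to spec.extractResults.location above.
                - "../../home/securecodebox/zap-results.xml"
              resources:
                {{- toYaml .Values.scanner.resources | nindent 16 }}
              # Container-level security context; complements the pod-level one.
              securityContext:
                {{- toYaml .Values.scanner.securityContext | nindent 16 }}
              env:
                {{- toYaml .Values.scanner.env | nindent 16 }}
              envFrom:
                {{- toYaml .Values.scanner.envFrom | nindent 16 }}
              volumeMounts:
                {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
            {{- if .Values.scanner.extraContainers }}
            {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
            {{- end }}
          volumes:
            {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
          {{- with .Values.scanner.nodeSelector }}
          nodeSelector:
            {{- toYaml . | nindent 12 }}
          {{- end }}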
---
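apiVersion: "execution.securecodebox.io/v1"
kind: ScanType
metadata:
  # nameAppend lets several releases of this chart register distinct ScanTypes.
  name: "zap-full-scan{{ .Values.scanner.nameAppend | default ""}}"
spec:
  extractResults:
    # The zap-xml parser reads the report the container writes via the relative
    # "-x" argument below; the two paths must stay in sync.
    type: zap-xml
    location: "/home/securecodebox/zap-results.xml"
  jobTemplate:
    spec:
      suspend: {{ .Values.scanner.suspend | default false }}
      {{- if .Values.scanner.ttlSecondsAfterFinished }}
      ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
      {{- end }}
      # Same retry/deadline settings as zap-baseline-scan, so all ZAP ScanTypes
      # of this chart honour the same values. Rendered without an if-guard so an
      # explicit 0 ("never retry") is not dropped as falsy. A deadline matters
      # most here: a full scan can run far longer than a baseline scan.
      backoffLimit: {{ .Values.scanner.backoffLimit }}
      {{- if .Values.scanner.activeDeadlineSeconds }}
      activeDeadlineSeconds: {{ .Values.scanner.activeDeadlineSeconds }}
      {{- end }}
      template:
        spec:
          # Safe together with "-I" below: ZAP exits 0, so failures surface
          # through the result file rather than through container restarts.
          restartPolicy: Never
          affinity:
            {{- toYaml .Values.scanner.affinity | nindent 12 }}
          tolerations:
            {{- toYaml .Values.scanner.tolerations | nindent 12 }}
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # Pod-level security context (fsGroup, runAsNonRoot, ...) from values.
          securityContext:
            {{- toYaml .Values.scanner.podSecurityContext | nindent 12 }}
          containers:
            - name: zap-full-scan
              image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
              imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
              # Only the fixed arguments live here; the target and further
              # options are presumably appended from the Scan's parameters.
              command:
                - "zap-full-scan.py"
                # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.
                - "-I"
                # Write an XML report to the path given next.
                - "-x"
                # Like zap-baseline.py, this script doesn't allow absolute paths...
                # Hacky workaround: specify a relative path to the `/zap/wrk` base dir.
                # Must resolve to spec.extractResults.location above.
                - "../../home/securecodebox/zap-results.xml"
              resources:
                {{- toYaml .Values.scanner.resources | nindent 16 }}
              # Container-level security context; complements the pod-level one.
              securityContext:
                {{- toYaml .Values.scanner.securityContext | nindent 16 }}
              env:
                {{- toYaml .Values.scanner.env | nindent 16 }}
              envFrom:
                {{- toYaml .Values.scanner.envFrom | nindent 16 }}
              volumeMounts:
                {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
            {{- if .Values.scanner.extraContainers }}
            {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
            {{- end }}
          volumes:
            {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
          {{- with .Values.scanner.nodeSelector }}
          nodeSelector:
            {{- toYaml . | nindent 12 }}
          {{- end }}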
---
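apiVersion: "execution.securecodebox.io/v1"
kind: ScanType
metadata:
  # nameAppend lets several releases of this chart register distinct ScanTypes.
  name: "zap-automation-scan{{ .Values.scanner.nameAppend | default ""}}"
spec:
  extractResults:
    # No "-x" argument is passed here, so the automation plan itself (supplied
    # outside this template, presumably via parameters or a mounted volume) must
    # write its XML report to exactly this path for the parser to pick it up.
    type: zap-xml
    location: "/home/securecodebox/zap-results.xml"
  jobTemplate:
    spec:
      suspend: {{ .Values.scanner.suspend | default false }}
      {{- if .Values.scanner.ttlSecondsAfterFinished }}
      ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
      {{- end }}
      # Same retry/deadline settings as zap-baseline-scan, so all ZAP ScanTypes
      # of this chart honour the same values. Rendered without an if-guard so an
      # explicit 0 ("never retry") is not dropped as falsy.
      backoffLimit: {{ .Values.scanner.backoffLimit }}
      {{- if .Values.scanner.activeDeadlineSeconds }}
      activeDeadlineSeconds: {{ .Values.scanner.activeDeadlineSeconds }}
      {{- end }}
      template:
        spec:
          # No "-I" equivalent here: a non-zero zap.sh exit marks the job
          # failed rather than restarting the container.
          restartPolicy: Never
          affinity:
            {{- toYaml .Values.scanner.affinity | nindent 12 }}
          tolerations:
            {{- toYaml .Values.scanner.tolerations | nindent 12 }}
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # Pod-level security context (fsGroup, runAsNonRoot, ...). Was absent
          # on this ScanType only, so the podSecurityContext values applied to
          # the other three ZAP scans did not reach automation-scan pods.
          securityContext:
            {{- toYaml .Values.scanner.podSecurityContext | nindent 12 }}
          containers:
            - name: zap-automation-scan
              image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
              imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
              # Runs ZAP in command-line mode; the automation-framework options
              # are presumably appended from the Scan's parameters.
              command:
                - "zap.sh"
                - "-cmd"
              resources:
                {{- toYaml .Values.scanner.resources | nindent 16 }}
              # Container-level security context; complements the pod-level one.
              securityContext:
                {{- toYaml .Values.scanner.securityContext | nindent 16 }}
              env:
                {{- toYaml .Values.scanner.env | nindent 16 }}
              envFrom:
                {{- toYaml .Values.scanner.envFrom | nindent 16 }}
              volumeMounts:
                {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
            {{- if .Values.scanner.extraContainers }}
            {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
            {{- end }}
          volumes:
            {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
          {{- with .Values.scanner.nodeSelector }}
          nodeSelector:
            {{- toYaml . | nindent 12 }}
          {{- end }}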