scanners/zap/templates/zap-scan-type.yaml
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"
kind: ScanType
metadata:
  # The optional suffix lets several releases of this chart coexist in one namespace.
  name: "zap-baseline-scan{{ .Values.scanner.nameAppend | default ""}}"
spec:
  extractResults:
    # The zap-xml parser picks up the report ZAP writes to this container path.
    type: zap-xml
    location: "/home/securecodebox/zap-results.xml"
  jobTemplate:
    spec:
      suspend: {{ .Values.scanner.suspend | default false }}
      {{- with .Values.scanner.ttlSecondsAfterFinished }}
      ttlSecondsAfterFinished: {{ . }}
      {{- end }}
      backoffLimit: {{ .Values.scanner.backoffLimit }}
      {{- with .Values.scanner.activeDeadlineSeconds }}
      activeDeadlineSeconds: {{ . }}
      {{- end }}
      template:
        spec:
          # A finished scan is never restarted in place; a failed pod is retried by the
          # Job with a fresh pod, bounded by backoffLimit.
          restartPolicy: Never
          affinity:
            {{- toYaml .Values.scanner.affinity | nindent 12 }}
          tolerations:
            {{- toYaml .Values.scanner.tolerations | nindent 12 }}
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # Pod-level security context (fsGroup, runAsUser, ...) comes straight from values.
          securityContext:
            {{- toYaml .Values.scanner.podSecurityContext | nindent 12 }}
          containers:
            - name: zap-baseline-scan
              image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
              imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
              command:
                - "zap-baseline.py"
                # -I: return a zero exit code even when the scan reports findings. Without
                # it the Job would count a completed scan as failed and retry it.
                - "-I"
                # -x: XML report. zap-baseline.py refuses absolute paths and resolves
                # relative ones against /zap/wrk, hence the ../../ hop to the results dir.
                - "-x"
                - "../../home/securecodebox/zap-results.xml"
              resources:
                {{- toYaml .Values.scanner.resources | nindent 16 }}
              # Container-level security context (capabilities, read-only rootfs, ...).
              securityContext:
                {{- toYaml .Values.scanner.securityContext | nindent 16 }}
              env:
                {{- toYaml .Values.scanner.env | nindent 16 }}
              envFrom:
                {{- toYaml .Values.scanner.envFrom | nindent 16 }}
              volumeMounts:
                {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
            {{- with .Values.scanner.extraContainers }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
          volumes:
            {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
          {{- with .Values.scanner.nodeSelector }}
          nodeSelector:
            {{- toYaml . | nindent 12 }}
          {{- end }}
---
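apiVersion: "execution.securecodebox.io/v1"
kind: ScanType
metadata:
  # The optional suffix lets several releases of this chart coexist in one namespace.
  name: "zap-api-scan{{ .Values.scanner.nameAppend | default ""}}"
spec:
  extractResults:
    # The zap-xml parser picks up the report ZAP writes to this container path.
    type: zap-xml
    location: "/home/securecodebox/zap-results.xml"
  jobTemplate:
    spec:
      suspend: {{ .Values.scanner.suspend | default false }}
      {{- if .Values.scanner.ttlSecondsAfterFinished }}
      ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
      {{- end }}
      # Same retry / deadline knobs as the baseline ScanType, so all ZAP scan
      # types honour the chart's scanner.* values uniformly.
      backoffLimit: {{ .Values.scanner.backoffLimit }}
      {{- if .Values.scanner.activeDeadlineSeconds }}
      activeDeadlineSeconds: {{ .Values.scanner.activeDeadlineSeconds }}
      {{- end }}
      template:
        spec:
          # A finished scan is never restarted in place; a failed pod is retried by the
          # Job with a fresh pod, bounded by backoffLimit.
          restartPolicy: Never
          affinity:
            {{- toYaml .Values.scanner.affinity | nindent 12 }}
          tolerations:
            {{- toYaml .Values.scanner.tolerations | nindent 12 }}
          # Needed for private registries; without it only the baseline scan could pull.
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # Pod-level security context (fsGroup, runAsUser, ...) comes straight from values.
          securityContext:
            {{- toYaml .Values.scanner.podSecurityContext | nindent 12 }}
          containers:
            - name: zap-api-scan
              image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
              # Honour the configured pull policy like the other ZAP scan types.
              imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
              command:
                - "zap-api-scan.py"
                # -I: return a zero exit code even when the scan reports findings. Without
                # it the Job would count a completed scan as failed and retry it.
                - "-I"
                # -x: XML report. The ZAP scan scripts refuse absolute paths and resolve
                # relative ones against /zap/wrk, hence the ../../ hop to the results dir.
                - "-x"
                - "../../home/securecodebox/zap-results.xml"
              resources:
                {{- toYaml .Values.scanner.resources | nindent 16 }}
              # Container-level security context (capabilities, read-only rootfs, ...).
              securityContext:
                {{- toYaml .Values.scanner.securityContext | nindent 16 }}
              env:
                {{- toYaml .Values.scanner.env | nindent 16 }}
              envFrom:
                {{- toYaml .Values.scanner.envFrom | nindent 16 }}
              volumeMounts:
                {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
            {{- if .Values.scanner.extraContainers }}
            {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
            {{- end }}
          volumes:
            {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
          {{- with .Values.scanner.nodeSelector }}
          nodeSelector:
            {{- toYaml . | nindent 12 }}
          {{- end }}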
---
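apiVersion: "execution.securecodebox.io/v1"
kind: ScanType
metadata:
  # The optional suffix lets several releases of this chart coexist in one namespace.
  name: "zap-full-scan{{ .Values.scanner.nameAppend | default ""}}"
spec:
  extractResults:
    # The zap-xml parser picks up the report ZAP writes to this container path.
    type: zap-xml
    location: "/home/securecodebox/zap-results.xml"
  jobTemplate:
    spec:
      suspend: {{ .Values.scanner.suspend | default false }}
      {{- if .Values.scanner.ttlSecondsAfterFinished }}
      ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
      {{- end }}
      # Same retry / deadline knobs as the baseline ScanType, so all ZAP scan
      # types honour the chart's scanner.* values uniformly. A full scan is the
      # longest-running variant, so activeDeadlineSeconds matters most here.
      backoffLimit: {{ .Values.scanner.backoffLimit }}
      {{- if .Values.scanner.activeDeadlineSeconds }}
      activeDeadlineSeconds: {{ .Values.scanner.activeDeadlineSeconds }}
      {{- end }}
      template:
        spec:
          # A finished scan is never restarted in place; a failed pod is retried by the
          # Job with a fresh pod, bounded by backoffLimit.
          restartPolicy: Never
          affinity:
            {{- toYaml .Values.scanner.affinity | nindent 12 }}
          tolerations:
            {{- toYaml .Values.scanner.tolerations | nindent 12 }}
          # Needed for private registries; without it only the baseline scan could pull.
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # Pod-level security context (fsGroup, runAsUser, ...) comes straight from values.
          securityContext:
            {{- toYaml .Values.scanner.podSecurityContext | nindent 12 }}
          containers:
            - name: zap-full-scan
              image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
              imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
              command:
                - "zap-full-scan.py"
                # -I: return a zero exit code even when the scan reports findings. Without
                # it the Job would count a completed scan as failed and retry it.
                - "-I"
                # -x: XML report. The ZAP scan scripts refuse absolute paths and resolve
                # relative ones against /zap/wrk, hence the ../../ hop to the results dir.
                - "-x"
                - "../../home/securecodebox/zap-results.xml"
              resources:
                {{- toYaml .Values.scanner.resources | nindent 16 }}
              # Container-level security context (capabilities, read-only rootfs, ...).
              securityContext:
                {{- toYaml .Values.scanner.securityContext | nindent 16 }}
              env:
                {{- toYaml .Values.scanner.env | nindent 16 }}
              envFrom:
                {{- toYaml .Values.scanner.envFrom | nindent 16 }}
              volumeMounts:
                {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
            {{- if .Values.scanner.extraContainers }}
            {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
            {{- end }}
          volumes:
            {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
          {{- with .Values.scanner.nodeSelector }}
          nodeSelector:
            {{- toYaml . | nindent 12 }}
          {{- end }}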
---
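apiVersion: "execution.securecodebox.io/v1"
kind: ScanType
metadata:
  # The optional suffix lets several releases of this chart coexist in one namespace.
  name: "zap-automation-scan{{ .Values.scanner.nameAppend | default ""}}"
spec:
  extractResults:
    # The zap-xml parser picks up the report from this container path.
    # NOTE(review): unlike the other ZAP scan types nothing in the command below
    # passes a report path, so the automation plan itself is expected to write
    # its XML report here -- confirm against the plan used by callers.
    type: zap-xml
    location: "/home/securecodebox/zap-results.xml"
  jobTemplate:
    spec:
      suspend: {{ .Values.scanner.suspend | default false }}
      {{- if .Values.scanner.ttlSecondsAfterFinished }}
      ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
      {{- end }}
      # Same retry / deadline knobs as the baseline ScanType, so all ZAP scan
      # types honour the chart's scanner.* values uniformly.
      backoffLimit: {{ .Values.scanner.backoffLimit }}
      {{- if .Values.scanner.activeDeadlineSeconds }}
      activeDeadlineSeconds: {{ .Values.scanner.activeDeadlineSeconds }}
      {{- end }}
      template:
        spec:
          # A finished scan is never restarted in place; a failed pod is retried by the
          # Job with a fresh pod, bounded by backoffLimit.
          restartPolicy: Never
          affinity:
            {{- toYaml .Values.scanner.affinity | nindent 12 }}
          tolerations:
            {{- toYaml .Values.scanner.tolerations | nindent 12 }}
          # Needed for private registries; without it only the baseline scan could pull.
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # Pod-level security context (fsGroup, runAsUser, ...) comes straight from values.
          # Previously this ScanType silently dropped scanner.podSecurityContext, so the
          # automation-scan pod ran without the hardening applied to the other scan types.
          securityContext:
            {{- toYaml .Values.scanner.podSecurityContext | nindent 12 }}
          containers:
            - name: zap-automation-scan
              image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
              imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
              command:
                - "zap.sh"
                # Run ZAP headless in command-line mode. The remaining arguments (the
                # automation plan to execute) are presumably appended from the Scan
                # resource's parameters -- confirm against the operator.
                - "-cmd"
              resources:
                {{- toYaml .Values.scanner.resources | nindent 16 }}
              # Container-level security context (capabilities, read-only rootfs, ...).
              securityContext:
                {{- toYaml .Values.scanner.securityContext | nindent 16 }}
              env:
                {{- toYaml .Values.scanner.env | nindent 16 }}
              envFrom:
                {{- toYaml .Values.scanner.envFrom | nindent 16 }}
              volumeMounts:
                {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
            {{- if .Values.scanner.extraContainers }}
            {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
            {{- end }}
          volumes:
            {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
          {{- with .Values.scanner.nodeSelector }}
          nodeSelector:
            {{- toYaml . | nindent 12 }}
          {{- end }}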