Skip to content

🚧 [Consistency] Making all values.yaml files consistent#714

Merged
J12934 merged 21 commits intomainfrom
consistency/value-files
Oct 15, 2021
Merged

🚧 [Consistency] Making all values.yaml files consistent#714
J12934 merged 21 commits intomainfrom
consistency/value-files

Conversation

@SebieF
Copy link
Contributor

@SebieF SebieF commented Oct 8, 2021
edited
Loading

Closes #693.

Once applied, all values.yaml files for all scanners will follow the same template. The following changes have been made:

  1. Replaced some unnecessary comments
  2. Added xy.xyz.zxy descriptions to all values
  3. Added security context to all scanners
  4. Added cascading rules to all scanners (when no cascading rules exist, they are set to false)
  5. Changed nuclei image tag from "latest" to "null"
  6. Set RunAsNonRoot for whatweb from "false" to "true"
  7. ncrack, zap/zap-advanced have some special settings that have not been touched

Note that in the amass values.yaml securityContext, runAsNonRoot had to be set to false, because their Dockerfile does not use a numeric value for their user.
Thus their user cannot be verified to be root or not:
Error: container has runAsNonRoot and image has non-numeric user (user), cannot verify user is non-root (pod: "scan-amass-scanner-dummy-scan, container: amass). (See #715)

Same unfortunately applies for even more scanners, see #723

Checklist

  • Test your changes as thoroughly as possible before you commit them. Preferably, automate your test by unit/integration tests.
  • Make codeclimate checks happy

SebieF and others added 7 commits September 29, 2021 11:35
@SebieF
Make all values.yaml files follow the same template structure
67ae740 
1. Replaced some unnecessary comments
2. Added xy.xyz.zxy descriptions to all values
3. Added security context to all scanners
4. Added cascading rules to all scanners (when no cascading rules exist, they are set to false)
5. Changed nuclei image tag from "latest" to "null"
6. Set RunAsNonRoot for whatweb from "false" to "true"
7. ncrack, zap/zap-advanced have some special settings that have not been touched

Signed-off-by: Sebastian <[email protected]>
@SebieF @secureCodeBoxBot
Updating Helm Docs
1d7f71f 
Signed-off-by: GitHub Actions <[email protected]>
@SebieF
Merge branch 'main' into consistency/value-files
bbbf510
@SebieF
Merge remote-tracking branch 'origin/consistency/value-files' into co…
c2547e2 
…nsistency/value-files
@SebieF
Merge branch 'main' into consistency/value-files
aca7adf
@SebieF
Switching security context privileges to root privileges
25ca91c 
This is necessary because the provided amass container has a non-numeric user that cannot be verified to be root or not:
Error: container has runAsNonRoot and image has non-numeric user (user), cannot verify user is non-root (pod: "scan-amass-scanner-dummy-scan, container: amass)

Signed-off-by: Sebastian <[email protected]>
@SebieF @secureCodeBoxBot
Updating Helm Docs
20bddce 
Signed-off-by: GitHub Actions <[email protected]>
@SebieF SebieF added this to the v3.3.0 milestone Oct 8, 2021
@SebieF SebieF self-assigned this Oct 8, 2021
SebieF and others added 9 commits October 11, 2021 14:38
@SebieF
Merge branch 'main' into consistency/value-files
81c4464
@SebieF
Changing test-scan to use non-numeric user
098e568 
A non-numeric user cannot be checked to be non-root by Kubernetes and causes an error if runAsNonRoot is (justifiably) activated.

Signed-off-by: Sebastian <[email protected]>
@SebieF
Gitleaks needs root rights in its scanner Dockerfile
fda7c6d 
Signed-off-by: Sebastian <[email protected]>
@SebieF
Changing Dockerfile to not require users
9249657 
Like Kubehunter Dockerfile, non-root user is not needed

Signed-off-by: Sebastian <[email protected]>
@SebieF
Merge branch 'main' into consistency/value-files
a406ec1
@SebieF
Resetting gitleaks Dockerfile to main branch
0d81d5a 
Changes to USER did not yield the desired effect

Signed-off-by: Sebastian <[email protected]>
@SebieF
Setting runAsNonRoot (and readOnlyRootFilesystem if necessary) to true
5ea532e 
For scanners: gitleaks, kube-hunter, ssh-scan, sslyze, trivy, wpscan, zap, zap-advanced

Signed-off-by: Sebastian <[email protected]>
@SebieF @secureCodeBoxBot
Updating Helm Docs
5f95e1b 
Signed-off-by: GitHub Actions <[email protected]>
@SebieF
Typo3Scan needs readOnlyRootFileSystem as false
5428a14 
Signed-off-by: Sebastian <[email protected]>
@SebieF SebieF mentioned this pull request Oct 13, 2021
Open
11 tasks
@SebieF SebieF requested a review from J12934 October 13, 2021 10:06
J12934
J12934 requested changes Oct 13, 2021
View reviewed changes
Copy link
Member

@J12934 J12934 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good changes 👍, but there were some cases where the differences are required, see below.

@SebieF
Copy link
Contributor Author

SebieF commented Oct 13, 2021

Well, since these are only comments I think it is debatable if this should be changed for every scanner individually or if the versioning system should be given another thought. (#716)

@SebieF SebieF requested a review from J12934 October 13, 2021 17:16
SebieF and others added 5 commits October 15, 2021 12:51
@SebieF
Setting scb scanners to default chart version
6818b0d 
This is because scb scanners use a different versioning system connected to the releases
@SebieF @secureCodeBoxBot
Updating Helm Docs
d1259aa 
Signed-off-by: GitHub Actions <[email protected]>
@SebieF
Setting scb scanners to default chart version
f9b539b 
This is because scb scanners use a different versioning system connected to the releases

Signed-off-by: Sebastian <[email protected]>
@SebieF
Updating Helm Docs
e6d0417 
Signed-off-by: GitHub Actions <[email protected]>
@SebieF
Merge remote-tracking branch 'origin/consistency/value-files' into co…
403c9d4 
…nsistency/value-files
@SebieF
Copy link
Contributor Author

SebieF commented Oct 15, 2021

We discussed the problem and it was concluded that the correct version should be used at the moment, but an issue for the inconsistent versioning has been created (#716).

@J12934 J12934 merged commit 06f3578 into main Oct 15, 2021
@J12934 J12934 deleted the consistency/value-files branch October 15, 2021 12:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@J12934 J12934 J12934 approved these changes

Assignees

@SebieF SebieF

Labels

maintenance

Projects

None yet

Milestone

v3.3.0

Development

Successfully merging this pull request may close these issues.

🚧 [Consistency] Make all values.yaml files follow the same template

2 participants

@SebieF @J12934