### Install Scanner from Repository vs. Local

Source: https://www.securecodebox.io/docs/getting-started/troubleshooting

Differentiate between installing a scanner from the Helm repository and from a local path. Ensure you are using the correct method for your setup.

```bash
# Local:
helm upgrade --install nmap ./scanners/nmap/
# Repo:
helm upgrade --install nmap secureCodeBox/nmap
```

--------------------------------

### Basic Ncrack Scanner Installation

Source: https://www.securecodebox.io/docs/scanners/ncrack

Deploys the Ncrack scanner using Helm without mounting any custom files. This is the simplest setup.

```bash
helm upgrade --install ncrack oci://ghcr.io/securecodebox/helm/ncrack
```

--------------------------------

### Pod Execution Order Example

Source: https://www.securecodebox.io/docs/how-tos/hooks

Example output of `kubectl get pods` showing completed scan and hook pods. Use the AGE column to infer the execution order; note that Kubernetes sorts the listing by name, not by age.

```text
NAME                                                 READY   STATUS      RESTARTS   AGE
parse-nmap-example-lrtcl--1-57n9t                    0/1     Completed   0          36s
scan-nmap-example-7s2t8--1-gbr6b                     0/2     Completed   0          39s
ufh1-update-field-hook-nmap-example-cvzw2--1-x4rcz   0/1     Completed   0          30s
ufh2-update-field-hook-nmap-example-mv57q--1-cvd4k   0/1     Completed   0          33s
```

--------------------------------

### WPScan Scan Configuration for example.com

Source: https://www.securecodebox.io/docs/scanners/wpscan

This example demonstrates how to configure a WPScan scan for a generic example domain. It includes common parameters for vulnerability and plugin detection. Note that this specific example may fail, as example.com is not a valid target.
```yaml
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "wpscan-www.example.com"
spec:
  scanType: "wpscan"
  parameters:
    - "--url"
    - https://www.example.com
    - "-e"
    - "vp"
    - "--plugins-detection"
    - "mixed"
    - "--api-token"
    - "TODO"
```

--------------------------------

### ZAP Automation Framework Configuration Example

Source: https://www.securecodebox.io/docs/scanners/zap-automation-framework

This is a comprehensive example of a ZAP Automation Framework configuration, including environment setup with a context, form-based authentication, cookie session management, and a spider job.

```yaml
env:
  contexts:
    - name: scb-bodgeit-context
      urls: [http://bodgeit.default.svc:8080/bodgeit/]
      includePaths:
        - "http://bodgeit.default.svc:8080/bodgeit.*"
      excludePaths:
        - "http://bodgeit.default.svc:8080/bodgeit/logout.jsp"
        - ".*\\.js"
        - ".*\\.css"
        - ".*\\.png"
        - ".*\\.jpeg"
      authentication:
        method: form
        parameters:
          loginRequestUrl: "http://bodgeit.default.svc:8080/bodgeit/login.jsp"
          loginRequestBody: "username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D"
        verification:
          method: response
          loggedInRegex: '\\Q\E'
          loggedOutRegex: '\\QGuest user\E'
      users:
        - name: bodgeit-user-1
          credentials:
            username: test@thebodgeitstore.com
            password: password
      sessionManagement:
        method: cookie
jobs:
  - type: spider
    parameters:
      context: scb-bodgeit-context
      user: bodgeit-user-1
      url: http://bodgeit.default.svc:8080/bodgeit/
      maxDuration: 3
      maxDepth: 5
      maxChildren: 10
      userAgent: "secureCodeBox / ZAP Spider"
```

--------------------------------

### Install WordPress Demo Target

Source: https://www.securecodebox.io/docs/how-tos/automatically-repeating-scans

Installs the old-WordPress demo target using Helm. This is useful if you need a target to scan.
```bash
helm upgrade --install old-wordpress oci://ghcr.io/securecodebox/helm/old-wordpress
```

--------------------------------

### Install and Initialize Juice Shop

Source: https://www.securecodebox.io/docs/scanners/nikto

This command installs and initializes the Juice Shop application, which is used for demonstrating security scans. Ensure Helm is configured and the cluster is accessible.

```bash
helm upgrade --install juice-shop oci://ghcr.io/securecodebox/helm/juice-shop --wait
```

--------------------------------

### Install bodgeit using Helm

Source: https://www.securecodebox.io/docs/scanners/nikto

Installs the bodgeit application using Helm for testing purposes. Ensure Helm is configured and the cluster is accessible.

```bash
helm upgrade --install bodgeit oci://ghcr.io/securecodebox/helm/bodgeit --wait
```

--------------------------------

### Install zap-automation-framework

Source: https://www.securecodebox.io/docs/auto-discovery/service-auto-discovery

Installs the zap-automation-framework in the default namespace. This is a prerequisite for the Service AutoDiscovery to create scans.

```bash
helm upgrade --install zap-automation-framework oci://ghcr.io/securecodebox/helm/zap-automation-framework
```

--------------------------------

### Install WPScan Scanner

Source: https://www.securecodebox.io/docs/how-tos/automatically-repeating-scans

Installs the WPScan scanner using Helm. This is a prerequisite for running WPScan scans.

```bash
helm upgrade --install wpscan oci://ghcr.io/securecodebox/helm/wpscan
```

--------------------------------

### Initialize old-wordpress Instance

Source: https://www.securecodebox.io/docs/scanners/wpscan

This command installs the old-wordpress Helm chart, which is a prerequisite for running a WPScan scan against an older WordPress instance. Ensure you have Helm installed and configured.
```bash
helm upgrade --install old-wordpress oci://ghcr.io/securecodebox/helm/old-wordpress --wait
```

--------------------------------

### Rule Configuration Example

Source: https://www.securecodebox.io/docs/hooks/notification-webhook

Example of a rule configuration that matches findings with an open port on a specific port number and state.

```yaml
rules:
  - matches:
      anyOf:
        - category: "Open Port"
          attributes:
            port: 23
            state: open
```

--------------------------------

### ZAP Automation Framework Configuration Example

Source: https://www.securecodebox.io/docs/scanners/zap-automation-framework

Example configuration for the ZAP Automation Framework, showing the report job parameters and report generation settings.

```yaml
- type: report
  parameters:
    template: traditional-xml
    reportDir: /home/securecodebox/
    reportFile: zap-results
    risks:
      - high
      - medium
      - low
```

--------------------------------

### FFUF Basic Usage Example

Source: https://www.securecodebox.io/docs/scanners/ffuf

This example demonstrates a basic FFUF scan using a target URL with the FUZZ keyword and a specified wordlist. Ensure the wordlist file exists at the provided path.

```bash
ffuf -u https://securecodebox.io/FUZZ -w /path/to/wordlist.txt
```

--------------------------------

### Install VirtualBox in Dockerfile

Source: https://www.securecodebox.io/docs/community-features/windows-scanners

This Dockerfile installs VirtualBox and its dependencies on a Debian-based system. It includes steps for updating package lists, installing necessary tools, adding the VirtualBox repository and its signing keys, and finally installing VirtualBox.
```dockerfile
RUN apt-get update \
    && apt-get -y install wget \
    && apt-get -y install gnupg2 \
    && apt-get -y install systemd \
    && apt-get -y install python3 \
    && apt-get -y install software-properties-common \
    && apt-get -y install unzip \
    && wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | apt-key add - \
    && wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | apt-key add - \
    && add-apt-repository "deb https://download.virtualbox.org/virtualbox/debian bionic contrib" \
    && apt-get -y update \
    && apt-get -y install linux-headers-generic \
    && mkdir WindowsVM \
    && apt-get -y install virtualbox
```

--------------------------------

### Install Demo Target Charts

Source: https://www.securecodebox.io/docs/getting-started/installation

Install intentionally vulnerable demo targets to test security scanners. Ensure these are kept internal, as they are not production-ready.

```bash
helm upgrade --install dummy-ssh oci://ghcr.io/securecodebox/helm/dummy-ssh
helm upgrade --install bodgeit oci://ghcr.io/securecodebox/helm/bodgeit
helm upgrade --install juice-shop oci://ghcr.io/securecodebox/helm/juice-shop
helm upgrade --install old-wordpress oci://ghcr.io/securecodebox/helm/old-wordpress
helm upgrade --install swagger-petstore oci://ghcr.io/securecodebox/helm/swagger-petstore
```

--------------------------------

### Install Nmap Scanner

Source: https://www.securecodebox.io/docs/how-tos/scanning-networks

Installs the Nmap scanner using Helm. Ensure you have Helm and a Kubernetes cluster configured.

```bash
helm upgrade --install nmap oci://ghcr.io/securecodebox/helm/nmap
```

--------------------------------

### Install Helm Chart using OCI

Source: https://www.securecodebox.io/docs/getting-started/troubleshooting

Use this command to correctly install Helm charts from OCI registries, as the older installation methods are deprecated.
```bash
helm upgrade --install nmap oci://ghcr.io/securecodebox/helm/nmap
```

--------------------------------

### Example Rule Configuration for Finding Post Processing

Source: https://www.securecodebox.io/docs/hooks/finding-post-processing

Define rules to match findings and override their attributes. This example matches findings with an open port on 23 and sets the severity to 'high' with a custom description.

```yaml
rules:
  - matches:
      anyOf:
        - category: "Open Port"
          attributes:
            port: 23
            state: open
    override:
      severity: "high"
      description: "Telnet is bad"
```

--------------------------------

### Install SCB Scanner Charts

Source: https://www.securecodebox.io/docs/getting-started/installation

Use these Helm commands to install individual security scanner charts. You can specify a namespace using the `--namespace` flag.

```bash
helm upgrade --install gitleaks oci://ghcr.io/securecodebox/helm/gitleaks
helm upgrade --install kube-hunter oci://ghcr.io/securecodebox/helm/kube-hunter
helm upgrade --install nikto oci://ghcr.io/securecodebox/helm/nikto
helm upgrade --install nmap oci://ghcr.io/securecodebox/helm/nmap
helm upgrade --install ssh-audit oci://ghcr.io/securecodebox/helm/ssh-audit
helm upgrade --install sslyze oci://ghcr.io/securecodebox/helm/sslyze
helm upgrade --install subfinder oci://ghcr.io/securecodebox/helm/subfinder
helm upgrade --install trivy oci://ghcr.io/securecodebox/helm/trivy
helm upgrade --install wpscan oci://ghcr.io/securecodebox/helm/wpscan
helm upgrade --install zap-automation-framework oci://ghcr.io/securecodebox/helm/zap-automation-framework
```

--------------------------------

### Example Command Line Usage

Source: https://www.securecodebox.io/docs/architecture/architecture_decisions/adr_0002

Demonstrates how a metadata processing script written in different programming languages would be invoked, receiving the URLs for downloading and uploading findings as arguments.

```bash
node my-metadata.js "https://storage.googleapi.com/..." "https://storage.googleapi.com/..."
```

```bash
java my-metadata.jar "https://storage.googleapi.com/..." "https://storage.googleapi.com/..."
```

```bash
./my-metadata "https://storage.googleapi.com/..." "https://storage.googleapi.com/..."
```

--------------------------------

### Install Trivy with AutoDiscovery ScanType

Source: https://www.securecodebox.io/docs/auto-discovery/container-auto-discovery

Installs Trivy in the default namespace with the ScanType required for container auto-discovery. This command is used during the setup phase.

```bash
helm upgrade --install trivy oci://ghcr.io/securecodebox/helm/trivy --set createAutoDiscoveryScanType=true
```

--------------------------------

### Example Scan Findings with Hooks Applied

Source: https://www.securecodebox.io/docs/how-tos/hooks

Illustrates the structure of findings after hooks have been applied. In this example, the 'category' field is set to 'second-hook' because of the execution order of the installed hooks (the last hook to run wins).

```json
[
  {
    "name": "Open Port: 80 (http)",
    "description": "Port 80 is open using tcp protocol.",
    "category": "second-hook",
    "location": "tcp://45.33.32.156:80",
    "osi_layer": "NETWORK",
    "severity": "INFORMATIONAL",
    "attributes": { ... },
    "id": "9fbda429-478d-4ce0-9a8d-1c4aef4d9b58"
  }
]
```

--------------------------------

### Install Helm Chart with Custom Dependency-Track URL

Source: https://www.securecodebox.io/docs/hooks/dependency-track

Upgrade or install the Helm chart, specifying the Dependency-Track backend service URL. This example uses 'dt' as the release name.

```bash
helm upgrade --install dt oci://ghcr.io/securecodebox/helm/persistence-dependencytrack \
  --set="dependencytrack.url=https://dependency-track-backend.default.svc"
```

--------------------------------

### Apply Scan with MatchLabels

Source: https://www.securecodebox.io/docs/hooks/cascading-scans

This example demonstrates how to create a Kubernetes Scan resource that triggers other scans based on the 'light' label using matchLabels.
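The notification-webhook rule and the finding-post-processing rule shown above share one `rules` / `matches: anyOf:` / `override:` shape. The following Python is an added example, not secureCodeBox code, that models how such a rule is evaluated against findings shaped like the findings JSON on this page: a rule fires for a finding when any `anyOf` entry matches (every listed top-level field and every listed attribute must equal the finding's value), and `override` keys are then merged into the finding. Those matching semantics are this example's assumptions about the hooks, and the sample findings, including the 192.0.2.x addresses, are constructed.

```python
"""Rule matching over secureCodeBox-style findings (added example, not project code)."""
import json
from copy import deepcopy

# Rule shaped like the finding-post-processing snippet on this page.
RULES = [
    {
        "matches": {
            "anyOf": [
                {"category": "Open Port", "attributes": {"port": 23, "state": "open"}},
            ]
        },
        "override": {"severity": "high", "description": "Telnet is bad"},
    }
]

# Constructed sample findings (not real scan output), shaped like the
# findings JSON shown elsewhere on this page.
SAMPLE_FINDINGS = [
    {
        "name": "Open Port: 23 (telnet)",
        "description": "Port 23 is open using tcp protocol.",
        "category": "Open Port",
        "location": "tcp://192.0.2.10:23",
        "severity": "INFORMATIONAL",
        "attributes": {"port": 23, "state": "open", "protocol": "tcp"},
    },
    {
        "name": "Open Port: 80 (http)",
        "description": "Port 80 is open using tcp protocol.",
        "category": "Open Port",
        "location": "tcp://192.0.2.10:80",
        "severity": "INFORMATIONAL",
        "attributes": {"port": 80, "state": "open", "protocol": "tcp"},
    },
    {
        "name": "Open Port: 23 (telnet)",
        "description": "Port 23 is filtered.",
        "category": "Open Port",
        "location": "tcp://192.0.2.11:23",
        "severity": "INFORMATIONAL",
        "attributes": {"port": 23, "state": "filtered", "protocol": "tcp"},
    },
]


def entry_matches(entry: dict, finding: dict) -> bool:
    """True when every field listed in the matcher entry equals the finding's value.

    Top-level keys are compared directly; "attributes" is compared per key,
    so a finding may carry extra attributes that the entry does not mention.
    (Assumed semantics, modelled on the page's rule examples.)
    """
    for key, expected in entry.items():
        if key == "attributes":
            actual_attrs = finding.get("attributes") or {}
            if any(actual_attrs.get(k) != v for k, v in expected.items()):
                return False
        elif finding.get(key) != expected:
            return False
    return True


def rule_matches(rule: dict, finding: dict) -> bool:
    """A rule fires when at least one entry under matches.anyOf matches."""
    entries = rule.get("matches", {}).get("anyOf", [])
    return any(entry_matches(entry, finding) for entry in entries)


def apply_rules(findings: list, rules: list) -> list:
    """Finding-post-processing style: return copies with each firing rule's override merged in.

    Rules are applied in list order, so a later rule can overwrite an earlier one.
    Matching is done against the original finding, and the input is not mutated.
    """
    result = []
    for finding in findings:
        updated = deepcopy(finding)
        for rule in rules:
            if rule_matches(rule, finding):
                updated.update(deepcopy(rule.get("override", {})))
        result.append(updated)
    return result


def matching_findings(findings: list, rules: list) -> list:
    """Notification-webhook style: the subset of findings that match at least one rule."""
    return [f for f in findings if any(rule_matches(r, f) for r in rules)]


if __name__ == "__main__":
    # The telnet finding on 192.0.2.10 is the only one that fires the rule.
    print(json.dumps(apply_rules(SAMPLE_FINDINGS, RULES), indent=2))
    print([f["location"] for f in matching_findings(SAMPLE_FINDINGS, RULES)])
```

The third sample finding shows why `state` belongs in the matcher: a filtered port 23 is not the same risk as an open one, and a rule that only listed `port: 23` would escalate it too. Keep matchers as specific as the page's examples and check the post-processed output (`kubectl get findings`-style review or the hook's persisted results) before wiring a rule into a notification.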
```yaml
cat <
```

The cascading-scan flow referenced by this how-to, as far as it survived extraction (the stereotype labels inside the `<>` markers are missing from the page):

```text
+----------------+          +-----------------+               +-----------+
| <>             |          | <>              |               | <>        |
| find all hosts |-- IP --->| find open ports |-- port 443 -->| check TLS |
+----------------+          +-----------------+      |        +-----------+
                                                     |        +-------------+
                                                     |        | <>          |
                                                     +------->| check HTTPd |
                                                              +-------------+
```

--------------------------------

### Scan Entire Kubernetes Cluster with Trivy

Source: https://www.securecodebox.io/docs/scanners/trivy

This example shows how to configure a secureCodeBox Scan object to scan an entire Kubernetes cluster using the Trivy k8s scanner. Ensure the Helm chart is installed with `k8sScanScope=cluster`.

```yaml
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "trivy-k8s"
spec:
  scanType: "trivy-k8s"
  parameters: [] # to scan the entire cluster you need no parameters
```

--------------------------------

### Create Dummy User and Password Files

Source: https://www.securecodebox.io/docs/how-tos/scanning-networks

Creates dummy user and password files for Ncrack. Ensure there is an extra empty line at the end of each file.

```bash
printf "root\nadmin\n" > users.txt
printf "THEPASSWORDYOUCREATED\n123456\npassword\n" > passwords.txt
```

--------------------------------

### List Installed ScanTypes

Source: https://www.securecodebox.io/docs/getting-started/first-scans

Verifies which ScanTypes are currently installed in your Kubernetes namespace. The output shows the name and image of each installed ScanType.

```bash
kubectl get scantypes
```

--------------------------------

### Install SSLyze Helm Chart

Source: https://www.securecodebox.io/docs/scanners/sslyze

Deploy the sslyze chart using Helm. Use the -n flag to specify a different namespace.

```bash
helm upgrade --install sslyze oci://ghcr.io/securecodebox/helm/sslyze
```

--------------------------------

### Install Nikto Helm Chart

Source: https://www.securecodebox.io/docs/scanners/nikto

Deploy the Nikto chart using Helm.
Use the -n flag to specify a different namespace.

```bash
helm upgrade --install nikto oci://ghcr.io/securecodebox/helm/nikto
```

--------------------------------

### Install AutoDiscovery Kubernetes Helm Chart

Source: https://www.securecodebox.io/docs/auto-discovery/installation

Installs the AutoDiscovery Kubernetes Helm chart into the 'securecodebox-system' namespace. This command assumes the operator is already installed.

```bash
helm install --namespace securecodebox-system auto-discovery-kubernetes oci://ghcr.io/securecodebox/helm/auto-discovery-kubernetes
```

--------------------------------

### Example Findings Object

Source: https://www.securecodebox.io/docs/api/finding

A concrete example of a Findings object, illustrating the fields and their typical content.

```json
{
  "id": "eef8dd78-5079-4d1d-8a4c-68e3268c439c",
  "name": "Vulnerability in Dependency apk-tools (2.10.4-r3)",
  "description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\0' terminator one byte too late.",
  "category": "Image Vulnerability",
  "location": "bkimminich/juice-shop:v10.2.0",
  "osi_layer": "NOT_APPLICABLE",
  "severity": "HIGH",
  "mitigation": "Update the affected package apk-tools to the fixed version: 2.10.7-r0 or remove the package from the image.",
  "references": [
    {
      "type": "CVE",
      "value": "CVE-2021-36159"
    },
    {
      "type": "URL",
      "value": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
    }
  ],
  "attributes": {
    "installedVersion": "2.10.4-r3",
    "fixedVersion": "2.10.7-r0",
    "packageName": "apk-tools",
    "vulnerabilityId": "CVE-2021-36159",
    "foundIn": "bkimminich/juice-shop:v10.2.0 (alpine 3.11.5)"
  },
  "parsed_at": "2023-04-05T15:46:46.601Z"
}
```

--------------------------------

### Create ffuf Wordlist ConfigMap with Predefined Wordlist

Source: https://www.securecodebox.io/docs/scanners/ffuf

Create a Kubernetes ConfigMap using the secureCodeBox predefined wordlist. This is useful for quick setup or testing.

```bash
kubectl create configmap --from-file examples/wordlist-config-map/wordlist.txt ffuf-config
```

--------------------------------

### Prepare User and Password Lists for ncrack

Source: https://www.securecodebox.io/docs/scanners/ncrack

This snippet shows how to create user and password list files and store them in a Kubernetes secret for use with the ncrack scanner.

```bash
# Create user & password list files; you can edit them later if you want
printf "root\nadmin\n" > users.txt
printf "THEPASSWORDYOUCREATED\n123456\npassword\n" > passwords.txt

# Create a Kubernetes secret containing these files
kubectl create secret generic --from-file users.txt --from-file passwords.txt ncrack-lists

# Install dummy-ssh app. We'll use ncrack to enumerate its ssh username and password
helm install dummy-ssh oci://ghcr.io/securecodebox/helm/dummy-ssh --wait

# Install the ncrack scanType and mount the files from the ncrack-lists Kubernetes secret
cat <
```