SecureCodeBox — a k8s-based toolchain for continuous security scans
SecureCodeBox is a Kubernetes-based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box.
Architecture diagram
It has plugins for more than 15 open source scanning tools (Gitleaks, kubeaudit, trivy, Semgrep, SSLyze, ZAP Advanced, etc.), covering everything from Kubernetes vulnerabilities and SSL misconfigurations to network authentication bruteforcing and many more.
It also has a lot of "hook" plugins, allowing you to run cascading scans, update fields in finding results, persist data to Elasticsearch, publish scan summaries to Slack, DefectDojo, MS Teams, and more.
If you want to try it out, you can use minikube on a virtual machine; in a few steps you're ready to go.
Here are the steps using Vagrant and VirtualBox:
# Create a directory and go there!
mkdir -p ~/vm/securecodebox
cd ~/vm/securecodebox
First, we need to create the new VM:
vagrant init ubuntu/focal64
Before starting it, let's modify some VM settings (2GB RAM and 2 CPU cores):
# Edit the file "Vagrantfile" and add the following block before the last "end"
config.vm.provider "virtualbox" do |vb|
  vb.memory = "2048"
  vb.cpus = 2
end
Now start the VM and log in:
vagrant up
vagrant ssh
Then, inside the machine, install all the required prerequisites (minikube, docker and helm):
# Minikube
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube_latest_amd64.deb
sudo dpkg -i minikube_latest_amd64.deb

# Then, install the docker engine
sudo apt-get update
sudo apt-get -y install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get -y install docker-ce docker-ce-cli containerd.io
sudo usermod -aG docker $USER && newgrp docker
sudo apt-get install -y conntrack
minikube start --driver=none
alias k="minikube kubectl --"
alias kubectl="minikube kubectl --"

# Install Helm
wget https://get.helm.sh/helm-v3.7.1-linux-amd64.tar.gz
tar -zxvf helm-v3.7.1-linux-amd64.tar.gz
sudo mv linux-amd64/helm /usr/local/bin/

# Now, it's time to install and play with SecureCodeBox
# Add the secureCodeBox Helm repo
helm repo add secureCodeBox https://charts.securecodebox.io
# Create a new namespace for the secureCodeBox Operator
kubectl create namespace securecodebox-system
# Install the Operator & CRDs
helm --namespace securecodebox-system upgrade --install securecodebox-operator secureCodeBox/operator
# Now, it's time to install the nmap scantype
helm install nmap secureCodeBox/nmap
# Create a Scan resource (the file name must match the one passed to kubectl apply below)
cat > nmap-scan.yaml <<EOF
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "nmap-scanme.nmap.org"
spec:
  scanType: "nmap"
  parameters:
    - scanme.nmap.org
EOF
kubectl apply -f nmap-scan.yaml
# After a few seconds, the scanning result can be found in the logs of the scan job:
k get jobs | grep scan-nmap | awk '{ print $1 }' | xargs -I% minikube kubectl -- logs job/% nmap
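Beyond the raw nmap log, the operator's parser turns each scan's output into a findings.json (the same data the Elasticsearch and DefectDojo hooks consume). As an added example, not code from the original post or from the secureCodeBox project, here is a small Python gate that reads such a file, raises the severity of "Open Port" findings outside an allowlist (what a custom hook would do), and fails a pipeline when anything at or above a chosen severity remains; the field names follow the secureCodeBox findings format and the sample data is constructed, with 192.0.2.10 as a TEST-NET placeholder address.

```python
import json
import sys

# Severity scale used in secureCodeBox findings, lowest to highest.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH"]

# Constructed sample in the shape of a findings.json written by the nmap
# scantype's parser; not real scan output (192.0.2.10 is a TEST-NET address).
SAMPLE_FINDINGS = json.dumps([
    {"name": "ssh", "category": "Open Port", "severity": "INFORMATIONAL", "osi_layer": "NETWORK",
     "location": "tcp://192.0.2.10:22", "attributes": {"hostname": "scanme.nmap.org", "port": 22}},
    {"name": "http", "category": "Open Port", "severity": "INFORMATIONAL", "osi_layer": "NETWORK",
     "location": "tcp://192.0.2.10:80", "attributes": {"hostname": "scanme.nmap.org", "port": 80}},
    {"name": "Host: scanme.nmap.org", "category": "Host", "severity": "INFORMATIONAL",
     "osi_layer": "NETWORK", "location": "scanme.nmap.org", "attributes": {"hostname": "scanme.nmap.org"}},
])

def load_findings(text):
    """Parse findings.json text, rejecting entries with a severity we cannot rank."""
    findings = json.loads(text)
    for f in findings:
        if f.get("severity") not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {f.get('severity')!r} in {f.get('name')!r}")
    return findings

def apply_port_policy(findings, allowed_ports, severity="MEDIUM"):
    """Return a copy of the findings in which 'Open Port' entries whose port is not
    in the allowlist are raised to `severity`; nmap alone reports every port as
    INFORMATIONAL, so without a policy like this a severity gate never fires."""
    out = []
    for f in findings:
        f = dict(f)
        if f["category"] == "Open Port" and f["attributes"].get("port") not in allowed_ports:
            f["severity"] = severity
        out.append(f)
    return out

def gate(findings, threshold="HIGH"):
    """Findings at or above `threshold`; an empty list means the gate passes."""
    min_rank = SEVERITY_ORDER.index(threshold)
    return [f for f in findings if SEVERITY_ORDER.index(f["severity"]) >= min_rank]

if __name__ == "__main__":
    # Usage: python scan_gate.py [findings.json]; falls back to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FINDINGS
    blocking = gate(apply_port_policy(load_findings(text), allowed_ports={22}), "MEDIUM")
    for f in blocking:
        print(f"{f['severity']:<13} {f['category']:<10} {f['location']}")
    sys.exit(1 if blocking else 0)
```

The allowlist and threshold are the knobs to tune per target; the same gate works unchanged on findings from any other scantype, since all of them share the severity scale.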
To conclude, imagine a scenario where you are a security specialist in a company and you read that some popular JavaScript library has been breached by attackers. You would probably need to know if any of the programs in your code repositories are actually using the affected version of the library.
Well, you could achieve that in only three steps using this amazing tool:
1. Identify all Git repositories in your organization.
2. Clone each repository and check if they are using an affected version of the library.
3. Make the results available for inspection.
Want to read the step-by-step?
Then be sure to read this awesome article!
I hope you enjoy it!