If it is not possible to use the official Docker image of your scanner (e.g. there is no official repository), you will need to create a scanner directory containing a Dockerfile and maybe a wrapper script. The Dockerfile should be minimal and based on the official alpine base image.
Please make sure to add a new user for your scanner and switch to it with the USER instruction, specifying the numeric UID rather than the username. This enables the image to run in clusters which have a strict runAsNonRoot policy (see Pod Security Policies | Kubernetes).
Use the Docker build argument scannerVersion to retrieve a specific version of your scanner. scannerVersion should be populated by your scanner's chart AppVersion field (see Local Deployment).
A Docker image for nmap would look like the following:

```dockerfile
FROM alpine:3.12
ARG scannerVersion=latest
# Install the requested scanner version; scannerVersion comes from the chart's AppVersion
RUN apk add --no-cache nmap=$scannerVersion nmap-scripts=$scannerVersion
# Dedicated non-root user; switch by numeric UID so runAsNonRoot can be verified
RUN addgroup --system --gid 1001 nmap && adduser nmap --system --uid 1001 --ingroup nmap
USER 1001
CMD ["nmap"]
```
See Local Deployment for instructions on how to build and deploy your scanner.
Sometimes it will be necessary to wrap the scanner, e.g. when the scanner returns a non-zero exit code whenever it identifies findings. This would cause the Kubernetes jobs to fail even though the scanner has actually run successfully; after all, it's "their job" to identify findings. Please provide this script as wrapper.sh and use it as the CMD value in your Dockerfile.
Furthermore, note that the scanner should output the findings to /home/securecodebox/<your_scanner>.<filetype>. This should be the same as in Spec.ExtractResults.Location. Please take a look at ScanType | secureCodeBox on how to configure your ScanType. Outputting results to a file is usually specified as a command line option to your scanner (e.g. nmap -oX file.xml), but in the case that the scanner does not provide such an option, you could write the wrapper as follows:

```sh
#!/bin/sh
# Pass all arguments through and redirect the scanner's stdout to the result file
python scanner.py "$@" 1> /home/securecodebox/<your_scanner>.<filetype>
```
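A fuller wrapper.sh, written here as an added example rather than taken from the secureCodeBox project, that handles both problems described above: it redirects the scanner's stdout to the result file and maps a "findings were identified" exit code to 0 so the Kubernetes job succeeds, while still propagating genuine failures so that a crashed scanner is not mistaken for a clean scan. The exit-code convention (0 = no findings, 1 = findings, anything else = error), the environment variable names and the default result path are assumptions for the example; substitute your scanner's documented codes and the path from Spec.ExtractResults.Location.

```sh
#!/bin/sh
# Example wrapper.sh (added illustration, not secureCodeBox project code).
# Assumed convention for the wrapped scanner: exit 0 when nothing was found,
# exit 1 when findings were identified (a successful run), any other code on
# a real error. Adjust FINDINGS_EXIT_CODE if your scanner uses a different one.
RESULT_FILE="${RESULT_FILE:-/home/securecodebox/scanner.json}"   # assumed default path
FINDINGS_EXIT_CODE="${FINDINGS_EXIT_CODE:-1}"                     # assumed convention

# map_exit_code CODE: prints the exit code the Kubernetes job should see.
# 0 and the findings code both mean "scan completed"; everything else is an error.
map_exit_code() {
  case "$1" in
    0) echo 0 ;;
    "$FINDINGS_EXIT_CODE") echo 0 ;;
    *) echo "$1" ;;
  esac
}

# run_scanner CMD [ARGS...]: runs the scanner, captures its stdout in RESULT_FILE
# and returns the mapped exit code. stderr is left alone so the job logs keep it.
run_scanner() {
  mkdir -p "$(dirname "$RESULT_FILE")"
  if "$@" 1>"$RESULT_FILE"; then
    code=0
  else
    code=$?
  fi
  mapped=$(map_exit_code "$code")
  if [ "$mapped" -ne 0 ]; then
    echo "scanner exited with code $code; treating the run as failed" >&2
  fi
  return "$mapped"
}

# When invoked with arguments (as the container CMD), wrap the given scanner command.
if [ $# -gt 0 ]; then
  run_scanner "$@"
fi
```

In the Dockerfile, copy the script into the image and use it as CMD, for example `COPY wrapper.sh /wrapper.sh` followed by `CMD ["/wrapper.sh", "python", "scanner.py"]`, so that the scanner's own arguments from the ScanType are appended after the wrapper. Keeping the result file path in a variable makes it easy to align with Spec.ExtractResults.Location without editing the script body.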