Skip to main content

Cascading Scans

License Apache-2.0GitHub release (latest SemVer)OWASP Lab ProjectArtifact HUBGitHub Repo starsMastodon Follower

What is "Cascading Scans" Hook about?

The Cascading Scans Hook can be used to orchestrate security scanners based on defined rule sets. The so called CascadingRules consist of a matches section which contains one or multiple rules which are compared against findings. When a finding matches a rule the scanSpec section will then be used to create a new scan. To customize the scan to match the finding, the mustache templating language can be used to reference fields of the finding.

This Hook is based on the ADR https://www.securecodebox.io/docs/architecture/architecture_decisions/adr_0003/

More information about how to use cascading scans can be found here:

Deployment

The cascading-scans chart can be deployed via helm:

# Install HelmChart (use -n to configure another namespace)
helm upgrade --install cascading-scans oci://ghcr.io/securecodebox/helm/cascading-scans

Requirements

Kubernetes: >=v1.11.0-0

Additional Chart Configurations

Installing the Cascading Scans hook will add a ReadOnly Hook to your namespace which looks for matching CascadingRules in the namespace and start the according scans.

Verification

kubectl get ScanCompletionHooks
NAME TYPE IMAGE
dssh ReadOnly docker.io/securecodebox/hook-cascading-scans:latest

CascadingScan Rules

The CascadingRules are included directly in each helm chart of the individual scanners. There is a configuration option cascadingRules.enabled for each scanner to prevent this inclusion.

# Check your CascadingRules
kubectl get CascadingRules
NAME STARTS INVASIVENESS INTENSIVENESS
https-tls-scan sslyze non-invasive light
imaps-tls-scan sslyze non-invasive light
nikto-http nikto non-invasive medium
nmap-smb nmap non-invasive light
pop3s-tls-scan sslyze non-invasive light
smtps-tls-scan sslyze non-invasive light
ssh-scan ssh-scan non-invasive light
zap-http zap-baseline-scan non-invasive medium

Starting a cascading Scan

When you start a normal Scan, no CascadingRule will be applied. To use a CascadingRule the scan must be marked to allow cascading rules. This is implemented using kubernetes label selectors, meaning that scans mark the classes of scans which are allowed to be cascaded by the current one.

Example

cat <<EOF | kubectl apply -f -
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "example.com"
spec:
scanType: nmap
parameters:
- -p22,80,443
- example.com
cascades:
matchLabels:
securecodebox.io/intensive: light
EOF

This Scan will use all CascadingRules which are labeled with a "light" intensity. You can lookup which CascadingRules this selects by running:

kubectl get CascadingRules -l "securecodebox.io/intensive=light"
NAME STARTS INVASIVENESS INTENSIVENESS
https-tls-scan sslyze non-invasive light
imaps-tls-scan sslyze non-invasive light
nmap-smb nmap non-invasive light
pop3s-tls-scan sslyze non-invasive light
smtps-tls-scan sslyze non-invasive light
ssh-scan ssh-scan non-invasive light

The label selectors also allow the more powerful matchExpressions selectors:

cat <<EOF | kubectl apply -f -
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "example.com"
spec:
scanType: nmap
parameters:
- -p22,80,443
- example.com
cascades:
# Using matchExpressions instead of matchLabels
matchExpressions:
- key: "securecodebox.io/intensive"
operator: In
# This select both light and medium intensity rules
values: [light, medium]
EOF

This selection can be replicated in kubectl using:

kubectl get CascadingRules -l "securecodebox.io/intensive in (light,medium)"
NAME STARTS INVASIVENESS INTENSIVENESS
https-tls-scan sslyze non-invasive light
imaps-tls-scan sslyze non-invasive light
nikto-http nikto non-invasive medium
nmap-smb nmap non-invasive light
pop3s-tls-scan sslyze non-invasive light
smtps-tls-scan sslyze non-invasive light
ssh-scan ssh-scan non-invasive light
zap-http zap-baseline-scan non-invasive medium

Values

KeyTypeDefaultDescription
hook.affinityobject{}Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)
hook.envlist[]Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
hook.extraVolumeMountslist[]Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
hook.extraVolumeslist[]Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/)
hook.image.repositorystring"docker.io/securecodebox/hook-cascading-scans"Hook image repository
hook.image.tagstringdefaults to the charts versionThe image Tag defaults to the charts version if not defined.
hook.labelsobject{}Add Kubernetes Labels to the hook definition
hook.priorityint0Hook priority. Higher priority Hooks are guaranteed to execute before low priority Hooks.
hook.resourcesobject{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
hook.tolerationslist[]Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
hook.ttlSecondsAfterFinishedstringnilSeconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
imagePullSecretslist[]Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)

License

License

Code of secureCodeBox is licensed under the Apache License 2.0.