# Finding Post Processing

## What is "Finding Post Processing" Hook about?

Installing the Finding Post Processing hook adds a ReadAndWrite hook to your namespace, which can be used to add or update fields of findings that meet specified conditions.
## Deployment

The finding-post-processing chart can be deployed via helm:

```bash
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install finding-post-processing oci://ghcr.io/securecodebox/helm/finding-post-processing
```
## Requirements

Kubernetes: `>=v1.11.0-0`
## Additional Chart Configurations

### Rule Configuration

The rules can be defined in the `values` of the HelmChart.
The syntax and semantics of these rules are quite similar to CascadingRules (see: secureCodeBox | CascadingRules).

To define rules you will have to provide the `rules` field with one or more `matches` elements.
Each `matches` element defines one rule.

For example:
```yaml
rules:
  - matches:
      anyOf:
        - category: "Open Port"
          attributes:
            port: 23
            state: open
    override:
      severity: "high"
      description: "Telnet is bad"
```
This rule will match all findings with an open port 23 and override the severity of each matching finding with `high`, as well as providing the new description `Telnet is bad`.
#### matches

Within `matches` you will have to provide `anyOf` and `override`.

`anyOf` contains one or more conditions that a finding has to meet in order to match the rule.
Notice that only one of these elements needs to match the finding for the rule to match.

#### override

The `override` field specifies the fields and values that are updated or added to the finding if the rule matches.
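To make the `anyOf` / `override` semantics above concrete, here is an added example (not the hook's own code) that applies the Telnet rule from this page to two constructed findings. It assumes that a condition matches when every key it lists is equal in the finding, compared recursively for nested objects such as `attributes`; the finding shape is a constructed sample.

```javascript
// Added example: apply post-processing rules with anyOf / override semantics.
// Assumption (not from the page): a condition matches a finding when every key
// listed in the condition is present and equal in the finding, compared
// recursively for nested objects.

const rules = [
  {
    matches: {
      anyOf: [{ category: "Open Port", attributes: { port: 23, state: "open" } }],
    },
    override: { severity: "high", description: "Telnet is bad" },
  },
];

// Partial deep match: every key in `cond` must exist in `obj` with an equal value.
function partialMatch(obj, cond) {
  if (cond === null || typeof cond !== "object") return obj === cond;
  if (obj === null || typeof obj !== "object") return false;
  return Object.keys(cond).every((key) => partialMatch(obj[key], cond[key]));
}

// A rule matches when at least one of its anyOf conditions matches the finding.
function ruleMatches(finding, rule) {
  return rule.matches.anyOf.some((cond) => partialMatch(finding, cond));
}

// Returns new finding objects; fields from `override` are added or replaced,
// and a finding may be updated by several rules in turn.
function postProcess(findings, ruleList) {
  return findings.map((finding) =>
    ruleList.reduce(
      (f, rule) => (ruleMatches(f, rule) ? { ...f, ...rule.override } : f),
      finding
    )
  );
}

// Constructed sample findings (not real scanner output).
const sampleFindings = [
  { name: "Open Port", category: "Open Port", severity: "informational",
    attributes: { port: 23, state: "open" } },
  { name: "Open Port", category: "Open Port", severity: "informational",
    attributes: { port: 443, state: "open" } },
];

console.log(JSON.stringify(postProcess(sampleFindings, rules), null, 2));
```

Only the port 23 finding receives `severity: "high"` and the new description; the port 443 finding is returned unchanged.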
## Values

| Key | Type | Default | Description |
|---|---|---|---|
| hook.affinity | object | `{}` | Optional affinity settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
| hook.env | list | `[]` | Optional environment variables mapped into the hook (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| hook.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| hook.extraVolumes | list | `[]` | Optional Volumes mapped into the hook (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| hook.image.repository | string | `"docker.io/securecodebox/hook-finding-post-processing"` | Hook image repository |
| hook.image.tag | string | defaults to the chart's version | The image tag defaults to the chart's version if not defined. |
| hook.labels | object | `{}` | Add Kubernetes labels to the hook definition |
| hook.priority | int | `0` | Hook priority. Higher priority hooks are guaranteed to execute before lower priority hooks. |
| hook.resources | object | `{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }` | Optional resources lets you control resource limits and requests for the hook container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| hook.tolerations | list | `[]` | Optional tolerations settings that control how the hook job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
| hook.ttlSecondsAfterFinished | string | `nil` | Seconds after which the Kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| imagePullSecrets | list | `[]` | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
| rules | list | `[]` | List of post-processing rules (see Rule Configuration above) |
## License

Code of secureCodeBox is licensed under the Apache License 2.0.