From b0956993bc6425f203dfb67fc97d6321caa87d74 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi
Date: Wed, 30 Aug 2023 15:13:55 +0200
Subject: [PATCH 1/2] Include sample scan configuration with endpoint

Signed-off-by: Sergio Arroutbi
---
tools/scan_tools/scan_tang_endpoint.yaml | 53 ++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 tools/scan_tools/scan_tang_endpoint.yaml

diff --git a/tools/scan_tools/scan_tang_endpoint.yaml b/tools/scan_tools/scan_tang_endpoint.yaml
new file mode 100644
index 00000000..d7a27e9d
--- /dev/null
+++ b/tools/scan_tools/scan_tang_endpoint.yaml
@@ -0,0 +1,53 @@
+---
+config:
+ # WARNING: `configVersion` indicates the schema version of the config file
+ # This value tells RapiDAST what schema should be used to read this
+ # configuration.
+ # Therefore you should only change it if you update the configuration
+ # to a newer schema
+ # It is intended to keep backward compatibility
+ # (newer RapiDAST running an older config)
+ configVersion: 4
+
+# `application` contains data related to the application, not to the scans
+application:
+ shortName: "tangservers"
+ url: "https://1.2.3.4:6443"
+
+# `general` is a section that will be applied to all scanners
+general:
+ authentication:
+ type: "http_header"
+ parameters:
+ name: "Authorization"
+ value: "Bearer "
+ # Normally, token to be used can be extracted with:
+ # oc -n "${NAMESPACE}" get secret "${SECRET}" -o json
+ # | jq -Mr '.data.token' | base64 -d
+ container:
+ # currently supported: `podman` and `none`
+ type: "none"
+
+scanners:
+ zap:
+ # define a scan through the ZAP scanner
+ apiScan:
+ apis:
+ apiUrl: "https://1.2.3.4:6443/openapi/v3/apis/daemons.redhat.com/v1alpha1/namespaces/nbde/tangservers"
+ # Replace previous line to scan other APi groups/version
+ passiveScan:
+ # optional list of passive rules to disable
+ disabledRules: "2,10015,10027,10096,10024,10054"
+ # Remove comment symbols to enable activeScan once it is made sure
+ # that scanning with 'passiveScan' runs successfully.
+ # activeScan:
+ # # If no policy is chosen, a default ("API-scan-minimal")
+ # will be selected
+ # # The list of policies can be found in scanners/zap/policies/
+ # policy: "API-scan-minimal"
+ miscOptions:
+ # enableUI (default: false), requires a compatible runtime
+ # (e.g.: flatpak or no containment)
+ enableUI: false
+ # Defaults to True, set False to prevent auto update of ZAP plugins
+ updateAddons: false
From 67d967f85b5c798b4eab8398c9fdb9c212ad1c3a Mon Sep 17 00:00:00 2001
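Review bot: `value: "Bearer "` ships the Authorization header with an empty credential and no visible placeholder, so a copy of this sample used unedited sends `Authorization: Bearer ` to the host named in `url` and `apiUrl`, and nothing in the file signals that the value still has to be filled in. A self-describing placeholder plus a comment makes the intent explicit, e.g. `value: "Bearer REPLACE_ME"` preceded by `# set at run time from the command above; do not check a real token into this file`. The same host `1.2.3.4:6443` is repeated in `application.url` and `apiScan.apis.apiUrl`, so a comment noting that both must be changed together would help, and the comment typo `APi` should read `API`. This file is deleted again by PATCH 2/2 in this series, so the same points apply to the replacement `tools/scan_tools/tang_operator.yaml`.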
From: Sergio Arroutbi
Date: Wed, 20 Sep 2023 12:53:06 +0200
Subject: [PATCH 2/2] Add rapidast configuration for tang operator

Signed-off-by: Sergio Arroutbi
---
tools/scan_tools/scan_tang.yaml | 53 ------------------------
tools/scan_tools/scan_tang_endpoint.yaml | 53 ------------------------
tools/scan_tools/tang_operator.yaml | 53 ++++++++++++++++++++++++
3 files changed, 53 insertions(+), 106 deletions(-)
delete mode 100644 tools/scan_tools/scan_tang.yaml
delete mode 100644 tools/scan_tools/scan_tang_endpoint.yaml
create mode 100644 tools/scan_tools/tang_operator.yaml

diff --git a/tools/scan_tools/scan_tang.yaml b/tools/scan_tools/scan_tang.yaml
deleted file mode 100644
index 638988d0..00000000
--- a/tools/scan_tools/scan_tang.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-config:
- # WARNING: `configVersion` indicates the schema version of the config file
- # This value tells RapiDAST what schema should be used to read this
- # configuration.
- # Therefore you should only change it if you update the configuration
- # to a newer schema
- # It is intended to keep backward compatibility
- # (newer RapiDAST running an older config)
- configVersion: 4
-
-# `application` contains data related to the application, not to the scans
-application:
- shortName: "tangserver"
- url: "https://kubernetes.default.svc"
-
-# `general` is a section that will be applied to all scanners
-general:
- authentication:
- type: "http_header"
- parameters:
- name: "Authorization"
- value: "Bearer "
- # Normally, token to be used can be extracted with:
- # ${K8SC} -n "${NAMESPACE}" get secret "${SECRET}" -o json
- # | jq -Mr '.data.token' | base64 -d
- container:
- # currently supported: `podman` and `none`
- type: "none"
-
-scanners:
- zap:
- # define a scan through the ZAP scanner
- apiScan:
- apis:
- apiUrl: "https://kubernetes.default.svc/openapi/v3/apis/performance.openshift.io/v2"
- # Replace previous line to scan other APi groups/version
- passiveScan:
- # optional list of passive rules to disable
- disabledRules: "2,10015,10027,10096,10024,10054"
- # Remove comment symbols to enable activeScan once it is made sure
- # that scanning with 'passiveScan' runs successfully.
- # activeScan:
- # # If no policy is chosen, a default ("API-scan-minimal")
- # will be selected
- # # The list of policies can be found in scanners/zap/policies/
- # policy: "API-scan-minimal"
- miscOptions:
- # enableUI (default: false), requires a compatible runtime
- # (e.g.: flatpak or no containment)
- enableUI: false
- # Defaults to True, set False to prevent auto update of ZAP plugins
- updateAddons: false
diff --git a/tools/scan_tools/scan_tang_endpoint.yaml b/tools/scan_tools/scan_tang_endpoint.yaml
deleted file mode 100644
index d7a27e9d..00000000
--- a/tools/scan_tools/scan_tang_endpoint.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-config:
- # WARNING: `configVersion` indicates the schema version of the config file
- # This value tells RapiDAST what schema should be used to read this
- # configuration.
- # Therefore you should only change it if you update the configuration
- # to a newer schema
- # It is intended to keep backward compatibility
- # (newer RapiDAST running an older config)
- configVersion: 4
-
-# `application` contains data related to the application, not to the scans
-application:
- shortName: "tangservers"
- url: "https://1.2.3.4:6443"
-
-# `general` is a section that will be applied to all scanners
-general:
- authentication:
- type: "http_header"
- parameters:
- name: "Authorization"
- value: "Bearer "
- # Normally, token to be used can be extracted with:
- # oc -n "${NAMESPACE}" get secret "${SECRET}" -o json
- # | jq -Mr '.data.token' | base64 -d
- container:
- # currently supported: `podman` and `none`
- type: "none"
-
-scanners:
- zap:
- # define a scan through the ZAP scanner
- apiScan:
- apis:
- apiUrl: "https://1.2.3.4:6443/openapi/v3/apis/daemons.redhat.com/v1alpha1/namespaces/nbde/tangservers"
- # Replace previous line to scan other APi groups/version
- passiveScan:
- # optional list of passive rules to disable
- disabledRules: "2,10015,10027,10096,10024,10054"
- # Remove comment symbols to enable activeScan once it is made sure
- # that scanning with 'passiveScan' runs successfully.
- # activeScan:
- # # If no policy is chosen, a default ("API-scan-minimal")
- # will be selected
- # # The list of policies can be found in scanners/zap/policies/
- # policy: "API-scan-minimal"
- miscOptions:
- # enableUI (default: false), requires a compatible runtime
- # (e.g.: flatpak or no containment)
- enableUI: false
- # Defaults to True, set False to prevent auto update of ZAP plugins
- updateAddons: false
diff --git a/tools/scan_tools/tang_operator.yaml b/tools/scan_tools/tang_operator.yaml
new file mode 100644
index 00000000..d879531d
--- /dev/null
+++ b/tools/scan_tools/tang_operator.yaml
@@ -0,0 +1,53 @@
+---
+config:
+ # WARNING: `configVersion` indicates the schema version of the config file.
+ # This value tells RapiDAST what schema should be used to read this configuration.
+ # Therefore you should only change it if you update the configuration to a newer schema
+ # It is intended to keep backward compatibility (newer RapiDAST running an older config)
+ configVersion: 4
+
+ # `application` contains data related to the application, not to the scans.
+application:
+ shortName: "tangservers"
+ url: "https://api.ci-ln-ml9pxxk-76ef8.aws-2.ci.openshift.org:6443/apis/daemons.redhat.com/v1alpha1"
+
+# `general` is a section that will be applied to all scanners.
+general:
+
+ authentication:
+ type: "http_header"
+ parameters:
+ name: "Authorization"
+ # Ways to obtain token:
+ # oc get secret $(oc get secret | grep ^default-token | awk '{print $1}') -o json | jq -Mr '.data.token' | base64 -d
+ # oc whoami -t
+ value: "Bearer AUTH_TOKEN_HERE"
+
+ container:
+ # currently supported: `podman` and `none`
+ type: "none"
+
+scanners:
+ zap:
+ # parameters:
+ # executable: "ZAP_2.13.0/zap.sh"
+ # define a scan through the ZAP scanner
+ apiScan:
+ apis:
+ apiUrl: "https://api.ci-ln-ml9pxxk-76ef8.aws-2.ci.openshift.org:6443/openapi/v3/apis/daemons.redhat.com/v1alpha1"
+
+ passiveScan:
+ # optional list of passive rules to disable
+ disabledRules: "2,10015,10027,10096,10024,10054"
+
+# activeScan:
+# # If no policy is chosen, a default ("API-scan-minimal") will be selected
+# # The list of policies can be found in scanners/zap/policies/
+# policy: "API-scan-minimal"
+
+ miscOptions:
+ # enableUI (default: false), requires a compatible runtime (e.g.: flatpak or no containment)
+ enableUI: False
+ # Defaults to True, set False to prevent auto update of ZAP plugins
+ updateAddons: False
+
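Review bot: `enableUI: False` and `updateAddons: False` use capitalised booleans, whereas both files removed earlier in this series wrote `false`; yamllint's `truthy` rule flags the capitalised form, so write `enableUI: false` and `updateAddons: false` to stay consistent with the repo's existing style. `application.url` and `apiScan.apis.apiUrl` embed what looks like a throwaway CI cluster hostname (`api.ci-ln-…aws-2.ci.openshift.org`), which a checked-in sample will outlive; an obvious placeholder such as `https://<API_SERVER>:6443/...` with a comment to replace it in both places would be more durable and avoids publishing an internal endpoint. The token-extraction comment greps for a `default-token` secret, i.e. the namespace's default service account, and `oc whoami -t` yields a personal user token; a short comment recommending a dedicated service account limited to the read access the API scan needs would make the least-privilege expectation explicit. The hunk also ends with an extra empty `+` line after `updateAddons`, which looks like an accidental trailing blank line.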