Skip to main content

CascadingRule

Specification (Spec)#

CascadingRules are Custom Resource Definitions (CRD's) used to define how scans can be started automatically based on the results of previous scans. This lets you run large exploratory scans and automatically start more in depth scans on the targets found by the initial scans.

You can find a more concrete example on how this works in the network scanning how-to.

Matches (Required)#

Matches.AnyOf (Required)#

The matches.anyOf fields consists of a list of objects / hashes. These objects are compared using a partial deep comparison, meaning that all field of the object must exactly match the finding.

If multiple anyOf rules are specified at least one must match the finding. If multiple rules are matching, the CascadingRule will still only create one scan.

ScanLabels & ScanAnnotations (Optional)#

Configures additional labels/annotations/ added to each subsequent scan (child). These labels/annotations overwrite any existing labels/annotations. You can use a simple templating scheme to gather details about the parent scan or finding (use {{variable}}, see example below). The following variables are available:

  • The parent scan (e.g. metadata.name).
  • The related finding (e.g. category, attributes.hostname).
  • Custom variables (prepended with $.):
    • hostOrIP: finding.hostname || finding.ip_address

If you need more custom variables, please don't hesitate to create an issue!

ScanSpec (Required)#

Contains the spec of the scan which is supposed to be started of the a finding matches the CascadingRule.

The scanType and the entries in the parameters list can use mustache templates to refer to fields of the finding the CascadingRule has been applied to. The finding is passed in directly into the mustache templating call, so that fields of the findings can be directly referenced. E.g. the location can be directly referred to by: {{location}}.

For convenience a helper object has been added to the mustache call under the $ shorthand.

This helper object has the following attributes:

  • $.hostOrIP returns either the hostname (if available) or the hostname of the current finding.

Example#

apiVersion: "cascading.securecodebox.io/v1"kind: CascadingRulemetadata:  name: "zap-http"  labels:    securecodebox.io/invasive: non-invasive    securecodebox.io/intensive: mediumspec:  matches:    anyOf:      - category: "Open Port"        attributes:          service: http          state: open      - category: "Open Port"        attributes:          service: https          state: open  scanLabels:    mynewlabel: {{metadata.name}}  scanAnnotations:    defectdojo.securecodebox.io/product-name: "{{$.hostOrIP}}"    defectdojo.securecodebox.io/product-type-name: "{{metadata.labels.organization}}"    defectdojo.securecodebox.io/engagement-name: "{{metadata.name}}"    mynewannotation: "{{category}}"  scanSpec:    scanType: "zap-baseline"    parameters: ["-t", "{{attributes.service}}://{{$.hostOrIP}}"]