Skip to main content

Cascading Scans

Deployment

Installing the Cascading Scans hook will add a ReadOnly Hook to your namespace which looks for matching CascadingRules in the namespace and start the according scans.

helm upgrade --install dssh secureCodeBox/declarative-subsequent-scans

Verification

kubectl get ScanCompletionHooks
NAME   TYPE       IMAGE
dssh   ReadOnly   docker.io/securecodebox/hook-declarative-subsequent-scans:latest

CascadingScan Rules

The CascadingRules are included directly in each helm chart of the individual scanners. There is a configuration option cascadingRules.enabled for each scanner to prevent this inclusion.

# Check your CascadingRules
kubectl get CascadingRules
NAME             STARTS         INVASIVENESS   INTENSIVENESS
https-tls-scan   sslyze         non-invasive   light
imaps-tls-scan   sslyze         non-invasive   light
nikto-http       nikto          non-invasive   medium
nmap-smb         nmap           non-invasive   light
pop3s-tls-scan   sslyze         non-invasive   light
smtps-tls-scan   sslyze         non-invasive   light
ssh-scan         ssh-scan       non-invasive   light
zap-http         zap-baseline   non-invasive   medium

Starting a cascading Scan

When you start a normal Scan, no CascadingRule will be applied. To use a CascadingRule the scan must be marked to allow cascading rules. This is implemented using kubernetes label selectors, meaning that scans mark the classes of scans which are allowed to be cascaded by the current one.

Example

cat <<EOF | kubectl apply -f -
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "example.com"
spec:
  scanType: nmap
  parameters:
    - -p22,80,443
    - example.com
  cascades:
    matchLabels:
      securecodebox.io/intensive: light
EOF

This Scan will use all CascadingRules which are labeled with a "light" intensity. You can lookup which CascadingRules this selects by running:

kubectl get CascadingRules -l "securecodebox.io/intensive=light"
NAME             STARTS     INVASIVENESS   INTENSIVENESS
https-tls-scan   sslyze     non-invasive   light
imaps-tls-scan   sslyze     non-invasive   light
nmap-smb         nmap       non-invasive   light
pop3s-tls-scan   sslyze     non-invasive   light
smtps-tls-scan   sslyze     non-invasive   light
ssh-scan         ssh-scan   non-invasive   light

The label selectors also allow the more powerful matchExpression selectors:

cat <<EOF | kubectl apply -f -
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "example.com"
spec:
  scanType: nmap
  parameters:
    - -p22,80,443
    - example.com
  cascades:
    # Using matchExpression instead of matchLabels
    matchExpression:
      key: "securecodebox.io/intensive"
      operator: In
      # This select both light and medium intensity rules
      values: [light, medium]
EOF

This selection can be replicated in kubectl using:

kubectl get CascadingRules -l "securecodebox.io/intensive in (light,medium)"
NAME             STARTS         INVASIVENESS   INTENSIVENESS
https-tls-scan   sslyze         non-invasive   light
imaps-tls-scan   sslyze         non-invasive   light
nikto-http       nikto          non-invasive   medium
nmap-smb         nmap           non-invasive   light
pop3s-tls-scan   sslyze         non-invasive   light
smtps-tls-scan   sslyze         non-invasive   light
ssh-scan         ssh-scan       non-invasive   light
zap-http         zap-baseline   non-invasive   medium

Chart Configuration

KeyTypeDefaultDescription
hookJob.ttlSecondsAfterFinishedstringnilSeconds after which the kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
image.repositorystring"docker.io/securecodebox/declarative-subsequent-scans"Hook image repository
image.tagstringdefaults to the charts versionThe image Tag defaults to the charts version if not defined.