# Cascading Scans

## Deployment

Installing the Cascading Scans hook adds a ReadOnly Hook to your namespace. The hook looks for CascadingRules in that namespace that match a finished scan and starts the corresponding follow-up scans.
## Verification

## CascadingScan Rules

The CascadingRules are included directly in the Helm chart of each individual scanner.

## Starting a cascading Scan

When you start a normal Scan, no CascadingRule is applied. To use CascadingRules, the Scan must explicitly opt in to cascading. This is implemented with Kubernetes label selectors: the Scan selects, by label, the classes of CascadingRules that are allowed to cascade from it.
### Example

This Scan will use all CascadingRules that are labeled with a "light" intensity. You can look up which CascadingRules this selects by running:

The label selectors also allow the more powerful matchExpressions selectors:

This selection can be replicated in kubectl using:
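The following is an added example, not code from the secureCodeBox documentation or project. It shows a Scan manifest that opts in to cascading via `matchLabels`, and a small set of shell helpers that translate `matchLabels` and `matchExpressions` entries into the equivalent `kubectl get cascadingrules -l ...` selector, so you can confirm which rules a Scan would trigger before running it. Assumptions (not taken from this page): the Scan resource is `execution.securecodebox.io/v1`, the selector lives under `spec.cascades`, and the rules carry the label keys `securecodebox.io/intensity` and `securecodebox.io/invasive`; the scan target is a placeholder.

```shell
#!/bin/sh
# Added example (not from the secureCodeBox docs). Assumed: Scan is
# execution.securecodebox.io/v1, the cascade selector lives under
# spec.cascades, and CascadingRules carry securecodebox.io/intensity and
# securecodebox.io/invasive labels. The target host is a placeholder.
set -eu

# Render a Scan manifest that opts in to cascading via matchLabels.
scan_manifest_match_labels() {
  cat <<'EOF'
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "example-nmap-cascading"
spec:
  scanType: "nmap"
  parameters: ["target.example.internal"]   # placeholder target
  cascades:
    matchLabels:
      securecodebox.io/intensity: "light"
EOF
}

# A matchLabels entry {key: value} is the kubectl equality selector key=value.
label_to_selector() { printf '%s=%s' "$1" "$2"; }

# Translate one matchExpressions entry into kubectl's set-based selector syntax.
# $1 key, $2 operator (In|NotIn|Exists|DoesNotExist), $3 comma-separated values
expr_to_selector() {
  key=$1; op=$2; vals=${3:-}
  case "$op" in
    In)           printf '%s in (%s)' "$key" "$vals" ;;
    NotIn)        printf '%s notin (%s)' "$key" "$vals" ;;
    Exists)       printf '%s' "$key" ;;
    DoesNotExist) printf '!%s' "$key" ;;
    *) echo "unsupported operator: $op" >&2; return 1 ;;
  esac
}

# Several selector terms are ANDed by kubectl when joined with commas.
join_selectors() {
  out=""
  for term in "$@"; do
    if [ -z "$out" ]; then out=$term; else out="$out,$term"; fi
  done
  printf '%s' "$out"
}

# The lookup command a reviewer would run to see which rules will fire.
kubectl_cmd() { printf "kubectl get cascadingrules -l '%s'" "$1"; }

main() {
  echo "--- Scan opting in to light-intensity CascadingRules ---"
  scan_manifest_match_labels
  sel=$(label_to_selector securecodebox.io/intensity light)
  echo "Equivalent lookup: $(kubectl_cmd "$sel")"

  echo "--- matchExpressions: intensity In (light,medium) AND invasive NotIn (invasive) ---"
  sel=$(join_selectors \
        "$(expr_to_selector securecodebox.io/intensity In light,medium)" \
        "$(expr_to_selector securecodebox.io/invasive NotIn invasive)")
  echo "Equivalent lookup: $(kubectl_cmd "$sel")"

  # Only run the real lookup when a cluster and kubectl are available.
  if command -v kubectl >/dev/null 2>&1; then
    kubectl get cascadingrules -l "$sel"
  fi
}
main
```

The `matchExpressions` form maps one-to-one onto kubectl's set-based selectors (`in`, `notin`, bare key for `Exists`, `!key` for `DoesNotExist`), which is why the lookup command is a faithful preview of what the hook will select; running it before creating the Scan is a cheap way to catch a selector that is broader than intended.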
## Chart Configuration

| Key | Type | Default | Description |
|---|---|---|---|
| hookJob.ttlSecondsAfterFinished | string | nil | Seconds after which the Kubernetes job for the hook will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| image.repository | string | "docker.io/securecodebox/hook-declarative-subsequent-scans" | Hook image repository |
| image.tag | string | nil | |