✨ add kubeaudit, #9384 #9392

Merged
merged 5 commits into from
Jan 30, 2024
8 changes: 8 additions & 0 deletions docs/content/en/integrations/parsers/file/kubeaudit.md
@@ -0,0 +1,8 @@
---
title: "Kubeaudit Scan"
toc_hide: true
---
Kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns. The output of of Kubeaudit which is supported within this parser is JSON. The tool can be found [here](https://github.com/Shopify/kubeaudit)

### Sample Scan Data
Sample Kubeaudit scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/kubeaudit).
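Review bot: "The output of of Kubeaudit" in the body paragraph doubles "of", and the sentence that ends in the link to github.com/Shopify/kubeaudit has no terminating period. More importantly, the page never says what shape the report must have: the parser in this PR reads the file with `readlines()` and calls `json.loads` on each line, so the expected input is kubeaudit's JSON output with one JSON object per line, not a single JSON array or the default pretty-printed text. State that here, next to the "The output of of Kubeaudit which is supported within this parser is JSON" sentence, and show the command that produces it, so users do not upload the wrong format and get an import error.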
1 change: 1 addition & 0 deletions dojo/tools/kubeaudit/__init__.py
@@ -0,0 +1 @@
__author__ = "manuel_sommer"
84 changes: 84 additions & 0 deletions dojo/tools/kubeaudit/parser.py
@@ -0,0 +1,84 @@
import json
from dojo.models import Finding


class KubeAuditParser(object):
def get_scan_types(self):
return ["Kubeaudit Scan"]

def get_label_for_scan_types(self, scan_type):
return scan_type # no custom label for now

def get_description_for_scan_types(self, scan_type):
return "Import JSON reports of Kubeaudit Scans."

def severity_mapping(self, input):
if input == "warning":
severity = "Medium"
elif input == "error":
severity = "High"
elif input == "info":
severity = "Info"
else:
severity = "Low"
return severity

def get_findings(self, filename, test):
lines = filename.readlines()
findings = list()
for line in lines:
try:
tree = json.loads(str(line, "utf-8"))
except BaseException:
tree = json.loads(line)
AuditResultName = tree.get('AuditResultName', None)
DeprecatedMajor = tree.get('DeprecatedMajor', None)
DeprecatedMinor = tree.get('DeprecatedMinor', None)
IntroducedMajor = tree.get('IntroducedMajor', None)
IntroducedMinor = tree.get('IntroducedMinor', None)
ResourceApiVersion = tree.get('ResourceApiVersion', None)
ResourceKind = tree.get('ResourceKind', None)
ResourceName = tree.get('ResourceName', None)
level = tree.get('level', None)
msg = tree.get('msg', None)
Container = tree.get('Container', None)
MissingAnnotation = tree.get('MissingAnnotation', None)
ResourceNamespace = tree.get('ResourceNamespace', None)
description = ""
if AuditResultName:
description += "AuditResultName: " + AuditResultName + "\n"
if DeprecatedMajor:
description += "DeprecatedMajor: " + DeprecatedMajor + "\n"
if DeprecatedMinor:
description += "DeprecatedMinor: " + DeprecatedMinor + "\n"
if IntroducedMajor:
description += "IntroducedMajor: " + IntroducedMajor + "\n"
if IntroducedMinor:
description += "IntroducedMinor: " + IntroducedMinor + "\n"
if ResourceApiVersion:
description += "ResourceApiVersion: " + ResourceApiVersion + "\n"
if ResourceKind:
description += "ResourceKind: " + ResourceKind + "\n"
if ResourceName:
description += "ResourceName: " + ResourceName + "\n"
if level:
description += "level: " + level + "\n"
if msg:
description += "msg: " + msg + "\n"
if Container:
description += "Container: " + Container + "\n"
if MissingAnnotation:
description += "MissingAnnotation: " + MissingAnnotation + "\n"
if ResourceNamespace:
description += "ResourceNamespace: " + ResourceNamespace + "\n"
finding = Finding(
title=AuditResultName + "_" + ResourceName,
test=test,
description=description,
severity=self.severity_mapping(level),
mitigation=msg,
static_finding=True,
dynamic_finding=False,
)
findings.append(finding)
return findings
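Review bot: `title=AuditResultName + "_" + ResourceName` in the `Finding(...)` call is the one place in `get_findings` that concatenates without a `None` guard, while every field feeding `description` is wrapped in `if X:`; since both values come from `tree.get(..., None)`, a line missing either key raises `TypeError` and aborts the whole import instead of skipping one record. Build the title from the guarded values, e.g. `title="_".join(x for x in (AuditResultName, ResourceName) if x)`, or `continue` on lines that have no `AuditResultName`. Three smaller points in the same hunk: `except BaseException:` around `json.loads(str(line, "utf-8"))` also swallows `KeyboardInterrupt` and `SystemExit`; the failure actually being handled is `TypeError` (the line is already a `str`), so catch that, and skip empty lines first, because a blank line still raises `JSONDecodeError` from the fallback `json.loads(line)`. `mitigation=msg` duplicates the `msg:` line already written into `description`; unless the kubeaudit message is remediation text, leave `mitigation` unset. `input` in `severity_mapping` shadows the builtin, and the PascalCase locals (`AuditResultName`, `ResourceKind`, ...) do not follow the snake_case used elsewhere in `dojo/tools`.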