https://github.com/gharbiyasmine/securecodebox-penetration-testing
Automated penetration testing pipeline using SecureCodeBox, Kubernetes, Helm, and GitHub Actions for streamlined security scanning.
- Host: GitHub
- URL: https://github.com/gharbiyasmine/securecodebox-penetration-testing
- Owner: GHARBIyasmine
- Created: 2024-11-06T16:14:09.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-12-06T22:23:03.000Z (about 1 year ago)
- Last Synced: 2024-12-06T23:21:03.433Z (about 1 year ago)
- Topics: helm, kind-cluster, kubernetes, proof-of-concept, regression-testing, securecodebox
- Homepage:
- Size: 141 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# SecureCodeBox Penetration Testing Pipeline
This repository contains a GitHub Actions workflow designed as a proof of concept (POC) for automating penetration tests using [SecureCodeBox](https://www.securecodebox.io/). The pipeline demonstrates the practical application of Kubernetes, Helm, and SecureCodeBox scanners to conduct authenticated scans (advanced ZAP scan) on the Juice-Shop demo application.
## Features
- **Automated Deployment**: Deploys a Kubernetes Kind cluster, SecureCodeBox operator, and Juice-Shop target.
- **Penetration Testing**: Uses the ZAP-Advanced scanner to perform a full authenticated scan.
- **Scan Monitoring**: Monitors scan status and retrieves detailed findings.
- **Baseline Comparison**: Compares scan results with a baseline to detect regressions or improvements.
- **Continuous Integration**: Saves findings and updates reports directly to the repository.
## Workflow Overview
The workflow is triggered on:
- **Push Events**: When changes are pushed to the `main` branch.
- **Manual Dispatch**: Using the `workflow_dispatch` event.
### Jobs and Steps
1. **Set Up Kubernetes Cluster**: Deploys a Kind cluster and configures `kubectl`.
2. **Install Helm**: Installs Helm for managing SecureCodeBox components.
3. **Deploy SecureCodeBox**: Installs the SecureCodeBox operator.
4. **Deploy Juice-Shop**: Sets up the Juice-Shop demo target application.
5. **Deploy ZAP-Advanced Scanner**: Installs the ZAP-Advanced scanner.
6. **Initiate Scan**: Runs a ZAP scan against the Juice-Shop target.
7. **Monitor Scan Progress**: Waits for the scan to complete.
8. **Retrieve Results**: Downloads scan findings and generates summary reports.
9. **Baseline Comparison**: Compares the findings with a baseline to track issues and improvements.
10. **Save Reports**: Commits findings and updates baseline reports in the repository.
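As an added example (not the repository's own workflow code), one way step 9's baseline comparison can be implemented. It assumes `findings.json` and the baseline are JSON arrays of SecureCodeBox findings carrying `name`, `severity` and `location` fields, and that a finding is identified by its name and location because per-scan `id` values change between runs; the sample findings are constructed.

```python
"""Compare a scan's findings.json against a saved baseline.

Added example, not the repository's workflow code. Assumes each finding
has `name`, `severity` and `location` (field names are an assumption about
the SecureCodeBox findings format) and that (name, location) is a stable
identity across scans, since per-scan `id` values are regenerated.
"""
import json
from collections import Counter

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def finding_key(f):
    """Identity of a finding that survives re-scans."""
    return (f.get("name", ""), f.get("location", ""))


def compare_findings(current, baseline, fail_at="HIGH"):
    """Return (new, resolved, summary).

    `new` are findings absent from the baseline (regressions), `resolved`
    are baseline findings no longer present (improvements). The summary's
    `failed` flag is set when any new finding is at or above `fail_at`.
    """
    cur = {finding_key(f): f for f in current}
    base = {finding_key(f): f for f in baseline}
    new = [cur[k] for k in cur.keys() - base.keys()]
    resolved = [base[k] for k in base.keys() - cur.keys()]
    threshold = SEVERITY_RANK[fail_at]
    regressions = [f for f in new
                   if SEVERITY_RANK.get(f.get("severity", "INFORMATIONAL"), 0) >= threshold]
    summary = {
        "total": len(current),
        "by_severity": dict(Counter(f.get("severity", "INFORMATIONAL") for f in current)),
        "new": len(new),
        "resolved": len(resolved),
        "failed": bool(regressions),
    }
    return new, resolved, summary


# Constructed sample data standing in for the baseline and a fresh findings.json.
BASELINE = [
    {"name": "Cross Site Scripting (Reflected)", "severity": "HIGH", "location": "http://juice-shop:3000/rest/products/search"},
    {"name": "X-Content-Type-Options Header Missing", "severity": "LOW", "location": "http://juice-shop:3000/"},
]
CURRENT = [
    {"name": "Cross Site Scripting (Reflected)", "severity": "HIGH", "location": "http://juice-shop:3000/rest/products/search"},
    {"name": "SQL Injection", "severity": "HIGH", "location": "http://juice-shop:3000/rest/user/login"},
    {"name": "Cookie Without Secure Flag", "severity": "LOW", "location": "http://juice-shop:3000/"},
]

if __name__ == "__main__":
    new, resolved, summary = compare_findings(CURRENT, BASELINE)
    print(json.dumps({"new": new, "resolved": resolved, "summary": summary}, indent=2))
```

In the pipeline the same function would be fed the downloaded `findings.json` and the committed baseline, and the `failed` flag decides whether the workflow run is marked as a regression.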
### Pipeline logic
The following figure depicts the underlying logic of the pipeline, highlighting how it handles the various scenarios it may encounter.
[Figure: pipeline logic diagram]
## Environment Variables
The workflow uses the following environment variables:
- `TARGET_APP`: Name of the target application (e.g., `juice-shop`).
- `TARGET_APP_HELM`: Helm chart location for the target app.
- `SCANNER`: Name of the scanner (e.g., `zap-advanced`).
- `SCANNER_HELM`: Helm chart location for the scanner.
- `SCAN_NAME`: Name of the scan to be initiated.
## Prerequisites
- A GitHub repository with the workflow file added in `.github/workflows/`.
- Kubernetes and Helm installed locally (for testing purposes).
- A configured `scan.yaml` file describing the scan parameters.
## Usage
1. Clone this repository:
   ```bash
   git clone https://github.com/GHARBIyasmine/SecureCodeBox-Penetration-testing.git
   cd SecureCodeBox-Penetration-testing
   ```
2. Push changes to the `main` branch to trigger the pipeline:
   ```bash
   git add .
   git commit -m "Add workflow"
   git push origin main
   ```
3. Monitor the workflow runs under the **Actions** tab in your GitHub repository.
## Scan Results
- Findings are saved in the repository as `findings.json`.
- Summary reports are generated and stored in `report-summary.json`.
## Notes
- Ensure the `GITHUB_TOKEN` secret is configured in your repository for report commits.
- Findings and baseline reports are committed to the repository with `[skip ci]` in the commit message to avoid triggering redundant workflow runs.