Add WIP kube-hunter integration

Author: J12934

.github/workflows/ci.yaml

@@ -109,6 +109,15 @@ jobs:
           path: ./integrations/amass/parser/
           tag_with_ref: true
           tag_with_sha: true
+      - uses: docker/build-push-action@v1
+        name: "Build & Push kube-hunter Parser Image"
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          repository: scbexperimental/parser-kube-hunter
+          path: ./integrations/kube-hunter/parser/
+          tag_with_ref: true
+          tag_with_sha: true
       - uses: docker/build-push-action@v1
         name: "Build & Push Nikto Parser Image"
         with:
@@ -200,6 +209,15 @@ jobs:
           path: ./integrations/nmap/scanner/
           # Note: not prefixed with a "v" as this seems to match nmap versioning standards
           tags: "7.80,7.80-1,latest"
+      - uses: docker/build-push-action@v1
+        name: "Build & Push kube-hunter Scanner Image"
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          repository: scbexperimental/kube-hunter
+          path: ./integrations/kube-hunter/scanner/
+          # Note: not prefixed with a "v" as this matches the aquasec/kube-hunter tags
+          tags: "0.3.0,latest"
   integrationTests:
     name: "Test / Integration / k8s ${{ matrix.k8sVersion }}"
     needs:

integrations/kube-hunter/.helmignore

@@ -0,0 +1,4 @@
+.DS_Store
+
+parser/
+scanner/

integrations/kube-hunter/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: kube-hunter
+description: A Helm chart for the kube-hunter security Scanner that integrates with the secureCodeBox.
+
+type: application
+version: 0.1.0
+appVersion: 0.1.0
+
+keywords:
+- security
+- kube-hunter
+- scanner
+- secureCodeBox
+home: https://www.securecodebox.io/scanner/kube-hunter
+icon: https://www.securecodebox.io/integrationIcons/kube-hunter.svg
+sources:
+- https://github.com/secureCodeBox/secureCodeBox
+maintainers:
+- name: iteratec GmbH
+  email: security@iteratec.com

integrations/kube-hunter/parser/Dockerfile

@@ -0,0 +1,3 @@
+FROM scbexperimental/parser-sdk-nodejs:latest
+WORKDIR /home/app/parser-wrapper/parser/
+COPY --chown=app:app ./parser.js ./parser.js

integrations/kube-hunter/parser/parser.js

@@ -0,0 +1,5 @@
+async function parse() {
+  return [];
+}
+
+module.exports.parse = parse;

integrations/kube-hunter/parser/parser.test.js

@@ -0,0 +1,3 @@
+test('passes', async () => {
+  expect(true).toBe(true);
+});

integrations/kube-hunter/scanner/Dockerfile

@@ -0,0 +1,3 @@
+FROM aquasec/kube-hunter:0.3.0
+COPY wrapper.sh /wrapper.sh
+ENTRYPOINT [ "sh", "/wrapper.sh" ]

integrations/kube-hunter/scanner/wrapper.sh

@@ -0,0 +1,2 @@
+kube-hunter $@ 2> /home/securecodebox/kube-hunter-results.json
+exit $?

integrations/kube-hunter/templates/kube-hunter-parse-definition.yaml

@@ -0,0 +1,7 @@
+apiVersion: "execution.experimental.securecodebox.io/v1"
+kind: ParseDefinition
+metadata:
+  name: "kube-hunter"
+spec:
+  handlesResultsType: kube-hunter
+  image: "{{ .Values.parserImage.registry }}/{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag }}"

integrations/kube-hunter/templates/kubehunter-scan-type.yaml

@@ -0,0 +1,22 @@
+apiVersion: 'execution.experimental.securecodebox.io/v1'
+kind: ScanType
+metadata:
+  name: 'kube-hunter'
+spec:
+  extractResults:
+    type: kube-hunter-json
+    location: '/home/securecodebox/kube-hunter-results.json'
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 10
+      template:
+        spec:
+          restartPolicy: Never
+          containers:
+            - name: kube-hunter
+              image: scbexperimental/kube-hunter:latest
+              command:
+                - 'sh'
+                - '/wrapper.sh'
+                - '--report'
+                - 'json'