SovereignCloudStack / issues

This repository is used for issues that are cross-repository or not bound to a specific repository.
https://github.com/orgs/SovereignCloudStack/projects/6

Security vulnerability scanner pipeline in Zuul #525

Open bitkeks opened 9 months ago

bitkeks commented 9 months ago

As a CSP, I want to continuously scan my running infrastructure so that I discover security issues in a timely manner.

The implementation is based on a pipeline of security tools that are executed periodically. These tools scan the running infrastructure, similar to a DAST (dynamic app sec testing). The pipeline can be triggered when a new deployment is rolled out or via defined points in time.

bitkeks commented 9 months ago

@90n20 and @Seykotron created a proposal for the pipeline consisting of six tools:

  1. Naabu: port scanning tool used for identifying open ports
  2. HTTPx: HTTP toolkit for web server fingerprinting
  3. Nuclei: template-based vulnerability scanner
  4. Greenbone Community Edition (OpenVAS): vulnerability scanner for comprehensive assessments of networks, hosts, and applications
  5. ZAP Proxy: intercepting HTTP proxy for DAST
  6. Defect Dojo: security program and vulnerability management tool (needs to have a dedicated instance).

This proposal was discussed and approved.

The current work consists of containerizing the applications. Further work will deploy the pipeline in Zuul.
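As an added example (not code from this issue or from the SCS project), a small Python sketch of the hand-off between the proposed stages: naabu's open ports become httpx targets, httpx's live services become nuclei targets, and nuclei's findings are counted by severity to decide whether the periodic job should fail. The JSON-lines field names and the sample output lines are assumptions constructed for this example.

```python
import json

# Constructed sample output, one JSON object per line, in the shape the tools emit with
# their JSON-lines flag. Field names are assumptions for this example, not from the issue.
NAABU_OUT = """{"host":"web.example.internal","ip":"10.0.0.5","port":443,"protocol":"tcp"}
{"host":"web.example.internal","ip":"10.0.0.5","port":22,"protocol":"tcp"}
{"host":"api.example.internal","ip":"10.0.0.6","port":8080,"protocol":"tcp"}"""

HTTPX_OUT = """{"url":"https://web.example.internal:443","status_code":200,"webserver":"nginx"}
{"url":"http://api.example.internal:8080","status_code":200,"webserver":"uvicorn"}"""

NUCLEI_OUT = """{"template-id":"constructed-tls-check","info":{"name":"TLS check","severity":"info"},"host":"https://web.example.internal:443"}
{"template-id":"constructed-exposed-config","info":{"name":"Config exposed","severity":"medium"},"host":"https://web.example.internal:443"}"""

SEVERITIES = ["info", "low", "medium", "high", "critical"]


def parse_jsonl(text):
    """Parse JSON-lines output, skipping blank lines and non-JSON noise such as banners."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or corrupted line must not abort the whole stage
    return records


def naabu_to_httpx_targets(naabu_jsonl):
    """Stage 1 -> 2: every open port becomes a host:port target for httpx."""
    return [f"{r['host']}:{r['port']}" for r in parse_jsonl(naabu_jsonl)]


def httpx_to_nuclei_targets(httpx_jsonl):
    """Stage 2 -> 3: deduplicated URLs of services that answered HTTP go to nuclei."""
    return list(dict.fromkeys(r["url"] for r in parse_jsonl(httpx_jsonl) if r.get("url")))


def severity_counts(nuclei_jsonl):
    """Stage 3 -> 6: findings per severity, the summary a DefectDojo import would carry."""
    counts = {s: 0 for s in SEVERITIES}
    for r in parse_jsonl(nuclei_jsonl):
        sev = r.get("info", {}).get("severity", "info").lower()
        counts[sev if sev in SEVERITIES else "info"] += 1
    return counts


def should_fail(nuclei_jsonl, threshold="high"):
    """Gate for the Zuul job: fail when any finding is at or above the threshold severity."""
    counts = severity_counts(nuclei_jsonl)
    return any(counts[s] > 0 for s in SEVERITIES[SEVERITIES.index(threshold):])
```

Greenbone and ZAP produce their own report formats and would need separate parsers; the upload to DefectDojo is left out here.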

bitkeks commented 3 months ago

Goals for R7: