securecodebox/hook-persistence-defectdojo

Sponsored OSS

By iteratec GmbH

Updated 23 days ago


What is OWASP secureCodeBox?

OWASP secureCodeBox is an automated and scalable open source solution for integrating various security vulnerability scanners behind a simple and lightweight interface. Its mission is to support DevSecOps teams by making it easy to automate security vulnerability testing in different scenarios.

The secureCodeBox provides a toolchain for continuous scanning of applications, so that low-hanging-fruit issues are found early in the development process and penetration testers are free to concentrate on the major security issues.

The secureCodeBox project runs on Kubernetes. To install it you need Helm, a package manager for Kubernetes. It is also possible to start the integrated security vulnerability scanners on plain Docker infrastructure.

Quickstart with secureCodeBox on Kubernetes

You can find resources to help you get started on our documentation website, including instructions on how to install the secureCodeBox project and guides to help you run your first scans with it.

Supported Tags

  • latest (represents the latest stable release build)
  • tagged releases, e.g. 3.0.0, 2.9.0, 2.8.0, 2.7.0

How to use this image

This hook image is intended to work in combination with parser images, reading or manipulating the findings they produce. For more details, see the project page or the documentation page (https://www.securecodebox.io/docs/hooks/defectdojo).

docker pull securecodebox/hook-persistence-defectdojo

What is "Persistence DefectDojo" Hook about?

The DefectDojo hook automatically imports scan reports into OWASP DefectDojo, using the import-scan endpoint of the DefectDojo API v2.

Scan types supported by both the secureCodeBox and DefectDojo benefit from the full DefectDojo feature set, such as deduplication. These scan types are (see the Java source for the up-to-date list):

  • Nmap
  • Nikto
  • ZAP (Baseline, API Scan and Full Scan)
  • ZAP Advanced
  • SSLyze
  • Trivy
  • Gitleaks
  • Semgrep

After uploading the results to DefectDojo, the hook overwrites the original secureCodeBox findings produced by the parser with the findings as parsed by DefectDojo. This lets subsequent ReadOnly hooks access DefectDojo's finding metadata, such as the false positive and duplicate status, e.g. to send Slack notifications only for findings that are neither duplicates nor false positives.
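As an added illustration (not code from the secureCodeBox project), here is a small Python filter of the kind a ReadOnly notification hook could apply once the DefectDojo hook has written its findings back. The attribute keys `defectdojo.com/false-positive` and `defectdojo.com/duplicate`, the severity names and the sample findings are assumptions made for this example; check the hook's Java source for the attribute keys it actually writes.

```python
"""Filter DefectDojo-enriched secureCodeBox findings before notifying.

Added example, not secureCodeBox project code. The attribute keys below are
ASSUMED for illustration; the real keys are defined in the hook's Java source.
"""
from __future__ import annotations

from typing import Any, Iterable

# ASSUMED attribute keys written back into each finding by the DefectDojo hook.
FALSE_POSITIVE_KEY = "defectdojo.com/false-positive"
DUPLICATE_KEY = "defectdojo.com/duplicate"
SEVERITY_ORDER = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def _flag(value: Any) -> bool:
    """Coerce a DefectDojo boolean that may arrive as a bool or as a string."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in {"true", "1", "yes"}
    return bool(value)


def is_synced(finding: dict[str, Any]) -> bool:
    """True if the DefectDojo hook wrote its metadata into this finding."""
    attrs = finding.get("attributes") or {}
    return FALSE_POSITIVE_KEY in attrs or DUPLICATE_KEY in attrs


def is_notifiable(finding: dict[str, Any], min_severity: str = "LOW") -> bool:
    """Keep findings at or above min_severity that DefectDojo did not mark as
    false positive or duplicate. Findings without DefectDojo metadata (hook
    disabled for this scan, or run out of order) are kept on purpose, so a
    misconfiguration shows up as extra alerts rather than silently dropped ones."""
    sev = SEVERITY_ORDER.get(str(finding.get("severity", "")).upper(), 0)
    if sev < SEVERITY_ORDER[min_severity]:
        return False
    attrs = finding.get("attributes") or {}
    if _flag(attrs.get(FALSE_POSITIVE_KEY)) or _flag(attrs.get(DUPLICATE_KEY)):
        return False
    return True


def select_notifiable(findings: Iterable[dict[str, Any]],
                      min_severity: str = "LOW") -> list[dict[str, Any]]:
    return [f for f in findings if is_notifiable(f, min_severity)]


def slack_lines(findings: Iterable[dict[str, Any]]) -> list[str]:
    """One message line per finding; unsynced findings are marked so the reader
    knows the DefectDojo triage status is unknown rather than clean."""
    lines = []
    for f in findings:
        tag = "" if is_synced(f) else " [no DefectDojo status]"
        lines.append(f"{f.get('severity', '?')}: {f.get('name', '?')} @ {f.get('location', '?')}{tag}")
    return lines


# Constructed sample findings in the secureCodeBox finding shape (not real scan data).
SAMPLE_FINDINGS = [
    {"name": "Open Port 22/tcp", "severity": "INFORMATIONAL", "location": "tcp://10.0.0.5:22",
     "attributes": {FALSE_POSITIVE_KEY: False, DUPLICATE_KEY: False}},
    {"name": "Missing CSP header", "severity": "MEDIUM", "location": "https://app.example.test/",
     "attributes": {FALSE_POSITIVE_KEY: "true", DUPLICATE_KEY: False}},
    {"name": "Missing CSP header", "severity": "MEDIUM", "location": "https://app.example.test/login",
     "attributes": {FALSE_POSITIVE_KEY: False, DUPLICATE_KEY: "True"}},
    {"name": "Outdated TLS 1.0 enabled", "severity": "HIGH", "location": "tcp://10.0.0.5:443",
     "attributes": {FALSE_POSITIVE_KEY: False, DUPLICATE_KEY: False}},
    {"name": "Hardcoded secret", "severity": "HIGH", "location": "repo/config.py",
     "attributes": {}},  # the DefectDojo hook did not run for this scan
]

if __name__ == "__main__":
    for line in slack_lines(select_notifiable(SAMPLE_FINDINGS)):
        print(line)
```

Treating a missing DefectDojo status as "notify" is deliberate: if the hook selector or hook ordering is misconfigured, you want to notice it in the channel rather than lose alerts.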

:::warning This hook reads only the raw scan results, not the secureCodeBox findings, because DefectDojo's own scanner-specific parsers do a far better job than importing the secureCodeBox finding format through the generic scan type. If you want to modify a finding before it is imported into DefectDojo, write a custom post-processing hook that operates on the raw findings. :::

For scan types which are not supported by DefectDojo, the generic importer is used. This results in a less sophisticated display of the results and fewer features inside DefectDojo; in the worst case, some findings can be lost, see the note below.
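The following Python block is an added example, not the hook's own code, covering both the native-versus-generic import choice described above and the import-scan upload. The `SCAN_TYPE_MAP` table is an illustrative assumption about which DefectDojo parser names correspond to the listed scanners (the hook's real mapping is in its Java source), and the sample findings are constructed. The request fields follow the DefectDojo API v2 import-scan endpoint; the HTTP call itself is not made, so the block runs offline.

```python
"""Choose the DefectDojo import type for a secureCodeBox scan and build the
import-scan request, falling back to Generic Findings Import.

Added example, not code from the secureCodeBox hook. SCAN_TYPE_MAP is an
illustrative ASSUMPTION; the hook's real mapping lives in its Java source.
"""
from __future__ import annotations

import json
from typing import Any

GENERIC_SCAN_TYPE = "Generic Findings Import"

# ASSUMED: secureCodeBox scanType -> DefectDojo scan_type for natively parsed scanners.
SCAN_TYPE_MAP: dict[str, str] = {
    "nmap": "Nmap Scan",
    "nikto": "Nikto Scan",
    "zap-baseline-scan": "ZAP Scan",
    "zap-api-scan": "ZAP Scan",
    "zap-full-scan": "ZAP Scan",
    "zap-advanced-scan": "ZAP Scan",
    "sslyze": "SSLyze Scan",
    "trivy": "Trivy Scan",
    "gitleaks": "Gitleaks Scan",
    "semgrep": "Semgrep JSON Report",
}

# secureCodeBox severities -> DefectDojo severities used by the generic JSON format.
SEVERITY_MAP = {"INFORMATIONAL": "Info", "LOW": "Low", "MEDIUM": "Medium", "HIGH": "High"}


def defectdojo_scan_type(scb_scan_type: str) -> tuple[str, bool]:
    """Return (DefectDojo scan_type, native). native=False means the generic
    importer is used, so scanner-specific parsing and dedup are not available."""
    name = SCAN_TYPE_MAP.get(scb_scan_type.strip().lower())
    return (name, True) if name else (GENERIC_SCAN_TYPE, False)


def to_generic_report(scb_findings: list[dict[str, Any]]) -> dict[str, Any]:
    """Convert secureCodeBox findings into DefectDojo's generic JSON report.

    The finding's location is folded into the description. The generic importer
    deduplicates by hashing finding fields (ASSUMED to include the description),
    so two otherwise identical findings on different hosts would be collapsed
    into one; that collapse is the data-loss case the text warns about.
    """
    findings = []
    for f in scb_findings:
        location = str(f.get("location", ""))
        description = str(f.get("description", "")).strip()
        if location:
            description = f"{description}\n\nLocation: {location}".strip()
        findings.append({
            "title": str(f.get("name", "Untitled finding")),
            "description": description,
            "severity": SEVERITY_MAP.get(str(f.get("severity", "")).upper(), "Info"),
        })
    return {"findings": findings}


def build_import_request(base_url: str, api_key: str, engagement_id: int,
                         scb_scan_type: str, report: bytes, filename: str) -> dict[str, Any]:
    """Assemble the import-scan call as keyword arguments for requests.post().

    Field names follow DefectDojo's API v2 import-scan endpoint. The call is not
    made here so the example runs offline; pass the dict as requests.post(**req).
    """
    scan_type, _native = defectdojo_scan_type(scb_scan_type)
    return {
        "url": base_url.rstrip("/") + "/api/v2/import-scan/",
        "headers": {"Authorization": f"Token {api_key}"},
        "data": {
            "scan_type": scan_type,
            "engagement": str(engagement_id),
            "active": "true",
            "verified": "false",
            "minimum_severity": "Info",
        },
        "files": {"file": (filename, report)},
    }


# Constructed sample findings (not real scan output): the same issue on two hosts.
SAMPLE_FINDINGS = [
    {"name": "Weak TLS cipher suite offered", "severity": "MEDIUM",
     "description": "Server accepts a CBC cipher suite.", "location": "tcp://10.0.0.5:443"},
    {"name": "Weak TLS cipher suite offered", "severity": "MEDIUM",
     "description": "Server accepts a CBC cipher suite.", "location": "tcp://10.0.0.6:443"},
]

if __name__ == "__main__":
    report = json.dumps(to_generic_report(SAMPLE_FINDINGS)).encode()
    req = build_import_request("https://defectdojo.example.test", "<api-key>", 7,
                               "some-unsupported-scanner", report, "findings.json")
    print(req["url"], req["data"]["scan_type"])
```

Keep the API key in a Kubernetes Secret rather than in code; the hook itself is configured that way through its Helm values. For a natively supported scanner, upload the scanner's raw report unchanged instead of the generic JSON, which is exactly why the hook reads raw results rather than secureCodeBox findings.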

:::caution Be careful when using the DefectDojo hook in combination with other ReadAndWrite hooks. By default, the secureCodeBox makes no guarantees about the execution order of multiple ReadAndWrite hooks; they can run in any order. This can lead to "lost update" problems, because the DefectDojo hook overwrites all findings and thereby discards the results of any ReadAndWrite hooks that ran before it. ReadOnly hooks work fine with the DefectDojo hook, as they are always executed after ReadAndWrite hooks. If you want to control the order in which the different hooks execute, take a look at the hook priority documentation (supported with secureCodeBox 3.4.0 and later). :::

:::caution The DefectDojo hook sends all scan results to DefectDojo, including those for which DefectDojo has no native parser. In that case DefectDojo may deduplicate findings incorrectly, which can in some cases lead to incomplete imports and even data loss. If you want to rule out data loss inside the secureCodeBox, set the hook to read-only mode so that it does not write results back (--set defectdojo.syncFindingsBack=false when installing the hook); this does not, however, stop the incorrect deduplication from affecting the data you see inside DefectDojo (for that, you would need to contribute a parser to DefectDojo). You can also selectively disable the DefectDojo hook for certain scans using the hook selector feature (supported with secureCodeBox 3.4.0 and later). :::

Community

You are welcome, please join us on... 👋

secureCodeBox is an official OWASP project.

License

As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.
