Title: RFC: Add Scanner Capability Flag to enhance Scanner Worker Selection · Issue #89 · secureCodeBox/engine
URL: https://github.com/secureCodeBox/engine/issues/89
Opened by J12934 on 2019-07-03

## Is your feature request related to a problem? Please describe.

When it comes to Multi Tenancy there are two main axes we'd like to support with the secureCodeBox Engine:

### Team Separation

This allows the association of scanners operated by the teams with that team. The scanners will then only work on scan jobs created by that team. This was implemented in #79.

### Capability Separation

Not every worker deployment in a team has to be the same.

Some scanners might...

- be deployed in certain network situations which enable different scans.
- have files mounted onto their filesystem which are required to perform certain scans.
- have certain configuration / deployment requirements by the scanner to run certain kinds of scans. E.g. nmap requiring root rights / linux capabilities to run OS detection scans (See: https://github.com/secureCodeBox/scanner-infrastructure-nmap/issues/2)

This problem can be solved by using the team separation feature by creating a new team for every team / capability combination, but that is quite tedious. These teams could look something like this:

- team42
- team42_nmap_privileged
- team42_zap_behindwaf

Creating new teams requires assigning all team members to each of their related teams, which is a big organisational overhead.

## Describe the solution you'd like

I'd like to introduce capabilities into the `StartSecurityTest` and the `LockScanJob` APIs.

The addition to the `StartSecurityTest` API would be a new optional `requiredCapabilities` attribute which allows the user to express which capabilities are required for the scan job.

The addition to the `LockScanJob` API would allow the scanners to communicate to the engine which capabilities they have.

`POST https://engine.securecodebox.demo/box/securityTests`

```json
[
  {
    "context": "Feature Team 1",
    "metaData": {},
    "name": "nmap",
    "target": {
      "attributes": {
        "NMAP_PARAMETER": "-Pn"
      },
      "location": "127.0.0.1",
      "name": "SecureCodeBox Demo Website"
    },
    "tenant": "team-1",
    "requiredCapabilities": [
      "behind-firewall",
      "privileged-deployment"
    ]
  }
]
```

The relevant new attribute here is `requiredCapabilities`.

For a scanner to be able to work on this task it would need to be configured so that:

- The engine user of the scanner worker, set by the env vars `ENGINE_SCANNERSERVICES_USER` and `ENGINE_BASIC_AUTH_PASSWORD`, needs to be a member of `team-1`
- The worker needs to have the (new) environment var `SCANNER_CAPABILITIES` set to `behind-firewall,privileged-deployment` (or `privileged-deployment,behind-firewall`; the order should not matter)

Scanners without the `SCANNER_CAPABILITIES` env var will only be able to work on scan jobs without `requiredCapabilities`.

Example deployment (`docker-compose` for readability):

```yml
nmap-team42:
  image: securecodebox/nmap:latest
  environment:
    - ENGINE_ADDRESS=http://engine:8080
    - ENGINE_BASIC_AUTH_USER=team42-tu-nmap
    - ENGINE_BASIC_AUTH_PASSWORD=foobar
    - SCANNER_CAPABILITIES=behind-firewall,privileged-deployment
```

## Describe alternatives you've considered

- Multiple teams (see problem description)
- Using camunda custom permissions, to prevent scanners without capabilities from accessing scan jobs.
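The worker-selection rule the RFC proposes (team membership from #79, then a check that the worker offers every capability in `requiredCapabilities`, with `SCANNER_CAPABILITIES` parsed order-insensitively and an unset variable meaning "no capabilities"), worked through as an added example in plain Node.js. This is not code from secureCodeBox or from the issue author; the function names `parseCapabilities`, `canLock` and `lockableJobs`, the `teams`/`scannerType` fields on the worker, and the sample workers and jobs are constructed here for illustration.

```javascript
// Added example modelling the RFC's selection rule; not secureCodeBox engine code.

// Parse the proposed SCANNER_CAPABILITIES value ("a,b") into a Set.
// Unset or empty -> empty set, so such a worker may only take jobs that
// carry no requiredCapabilities. Comparison is exact (case-sensitive).
function parseCapabilities(envValue) {
  if (!envValue) return new Set();
  return new Set(
    envValue.split(',').map((s) => s.trim()).filter((s) => s.length > 0)
  );
}

// Selection rule: the worker's engine user must be a member of the job's
// tenant (team separation), and the worker's capability set must be a
// superset of the job's requiredCapabilities (capability separation).
// Extra capabilities on the worker are fine; order is irrelevant because
// both sides are compared as sets.
function canLock(worker, job) {
  if (!worker.teams.includes(job.tenant)) {
    return { ok: false, reason: `worker is not a member of tenant ${job.tenant}` };
  }
  const required = job.requiredCapabilities || [];
  const missing = required.filter((c) => !worker.capabilities.has(c));
  if (missing.length > 0) {
    return { ok: false, reason: `worker lacks capabilities: ${missing.join(',')}` };
  }
  return { ok: true, reason: 'ok' };
}

// Engine side: among pending jobs for this scanner type, those the worker may lock.
function lockableJobs(worker, jobs) {
  return jobs.filter((j) => j.name === worker.scannerType && canLock(worker, j).ok);
}

// Constructed sample workers, mirroring the RFC's env-var based configuration.
const workers = {
  // no SCANNER_CAPABILITIES set at all
  plain: { scannerType: 'nmap', teams: ['team-1'], capabilities: parseCapabilities(undefined) },
  // same capabilities as the RFC example, deliberately in the other order
  privileged: {
    scannerType: 'nmap',
    teams: ['team-1'],
    capabilities: parseCapabilities('privileged-deployment,behind-firewall'),
  },
  // fully capable but belongs to a different tenant
  otherTeam: {
    scannerType: 'nmap',
    teams: ['team42'],
    capabilities: parseCapabilities('behind-firewall,privileged-deployment'),
  },
};

// Constructed sample jobs; job-2 is the RFC's securityTests example.
const jobs = [
  { id: 'job-1', name: 'nmap', tenant: 'team-1' },
  { id: 'job-2', name: 'nmap', tenant: 'team-1',
    requiredCapabilities: ['behind-firewall', 'privileged-deployment'] },
  { id: 'job-3', name: 'nmap', tenant: 'team-1',
    requiredCapabilities: ['privileged-deployment'] },
];

// Which job ids each sample worker would be allowed to lock.
function demo() {
  const result = {};
  for (const [name, w] of Object.entries(workers)) {
    result[name] = lockableJobs(w, jobs).map((j) => j.id);
  }
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the `plain` worker only receiving `job-1`, the `privileged` worker receiving all three, and `otherTeam` receiving nothing because tenant membership is checked before capabilities. One caveat worth keeping in mind when implementing this: the capability set is asserted by the worker itself through `LockScanJob`, so the engine cannot verify that a worker claiming `privileged-deployment` actually runs with the needed Linux capabilities. The flag is therefore a scheduling constraint; the access-control boundary remains the basic-auth user's team membership, and a mis-set or forged `SCANNER_CAPABILITIES` only lets a worker pick up jobs it will then fail to execute.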