Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 8,372 Commits
.github		.github
.helm-docs		.helm-docs
.reuse		.reuse
.templates/new-scanner		.templates/new-scanner
LICENSES		LICENSES
auto-discovery		auto-discovery
bin		bin
demo-targets		demo-targets
documentation		documentation
hook-sdk/nodejs		hook-sdk/nodejs
hooks		hooks
lurker		lurker
operator		operator
parser-sdk/nodejs		parser-sdk/nodejs
resources		resources
scanners		scanners
scbctl		scbctl
tests/integration		tests/integration
.cspell.json		.cspell.json
.cspell.json.license		.cspell.json.license
.editorconfig		.editorconfig
.envrc		.envrc
.eslintignore		.eslintignore
.eslintrc.json		.eslintrc.json
.eslintrc.json.license		.eslintrc.json.license
.git-blame-ignore-revs		.git-blame-ignore-revs
.gitignore		.gitignore
.mega-linter.yml		.mega-linter.yml
.nvmrc		.nvmrc
.nvmrc.license		.nvmrc.license
.prettierrc.yaml		.prettierrc.yaml
.python-version		.python-version
.python-version.license		.python-version.license
.yamllint.yaml		.yamllint.yaml
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
CONTRIBUTORS.md		CONTRIBUTORS.md
DCO		DCO
DCO.license		DCO.license
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
SECURITY.md		SECURITY.md
Taskfile.yaml		Taskfile.yaml
env-paths.mk		env-paths.mk
hooks.mk		hooks.mk
prerequisites.mk		prerequisites.mk
scanners.mk		scanners.mk
sdk.mk		sdk.mk
test-base.mk		test-base.mk

Repository files navigation

OWASP secureCodeBox

secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box.

Overview

OWASP secureCodeBox

For additional documentation aspects please have a look at ourdocumentation website:

Purpose of this Project

The typical way to ensure application security is to hire a security specialist (aka penetration tester) at some point in your project to check the application for security bugs and vulnerabilities. Usually, this check is done at a later stage of the project and has two major drawbacks:

Nowadays, a lot of projects do continuous delivery, which means the developers deploy new versions multiple times each day. The penetration tester is only able to check a single snapshot, but some further commits could introduce new security issues. To ensure ongoing application security, the penetration tester should also continuously test the application. Unfortunately, such an approach is rarely financially feasible.
Due to a typically time boxed analysis, the penetration tester has to focus on trivial security issues (low-hanging fruit) and therefore will probably not address the serious, non-obvious ones.

With thesecureCodeBox we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues.

The purpose ofsecureCodeBoxis not to replace the penetration testers or make them obsolete. We strongly recommend to run extensive tests by experienced penetration testers on all your applications.

Important note: ThesecureCodeBox is no simple one-button-click-solution! You must have a deep understanding of security and how to configure the scanners. Furthermore, an understanding of the scan results and how to interpret them is also necessary.

There is a German article aboutSecurity DevOps – Angreifern (immer) einen Schritt voraus in the software engineering journalOBJEKTSpektrum.

Quickstart

You can find resources to help you get started on ourdocumentation website including instruction on how toinstall the secureCodeBox and guides to help yourun your first scans with it.