
Commit 78d9548

secureCodeBox#2940 Update zap-scantype in the auto-discovery documentation
Signed-off-by: Samreet Singh <[email protected]>
1 parent 57e229d commit 78d9548

4 files changed

+28
-28
lines changed

auto-discovery/kubernetes/README.md

Lines changed: 7 additions & 8 deletions
@@ -16,7 +16,7 @@ The Kubernetes AutoDiscovery needs to be deployed along side the secureCodeBox O
1616

1717
The AutoDiscovery controller will automatically detect these new resources (services and containers) and start secureCodeBox _scans_ for them:
1818

19-
1. A ZAP Baseline Scan to detect basic web vulnerabilities in the service. (Using ZAP)
19+
1. A ZAP Baseline Scan to detect basic web vulnerabilities in the service. (Using ZAP-automation-framework)
2020
2. An image scan scanning for vulnerable libraries in the docker / container image of the deployment. (Using trivy)
2121
3. (WIP) A TLS Scan against the certificate of the ingress for the host. (Using SSLyze)
2222
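Review bot: the changed list item spells the scanner as `(Using ZAP-automation-framework)`, while the rest of this commit writes it either as the ScanType/chart name `zap-automation-framework` (in backticks) or as "ZAP Automation Framework" in prose; pick one of those two forms here, e.g. `(Using the ZAP Automation Framework)`, so the README and the documentation pages agree on the name a reader will grep for.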

@@ -60,7 +60,7 @@ This example deploys [JuiceShop](https://owasp.org/www-project-juice-shop/) to a
6060
The AutoDiscovery will automatically pick up this new deployment and then starts a ZAP Scan against it.
6161
The scan created uses our `zap-automation-framework` ScanType by default, this can be changed with the `config.serviceAutoDiscovery.scanConfig.scanType` config on the autoDiscovery helm release.
6262

63-
When the ContainerAutoDiscovery is enabled, the AutoDiscovery can also create a trivy scan for each unique container image (having multiple pods with the same container will only create one scan). The scan type can be defined with `config.containerAutoDiscovery.scanConfig.scanType`.
63+
When the ContainerAutoDiscovery is enabled, the AutoDiscovery can also create a trivy scan for each unique container image (having multiple pods with the same container will only create one scan). The ScanType can be defined with `config.containerAutoDiscovery.scanConfig.scanType`.
6464

6565
## Deployment
6666
The auto-discovery-kubernetes chart can be deployed via helm:
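Review bot: the changed line only capitalizes `ScanType`, but the unchanged line just above refers to `config.serviceAutoDiscovery.scanConfig.scanType` (singular `scanConfig`), whereas the values table further down in this file documents the key as `config.serviceAutoDiscovery.scanConfigs[0].scanType`; since this commit is already touching the ZAP ScanType wording, align the key path with the table. The same sentence is a comma splice ("by default, this can be changed"); splitting it into two sentences would read better.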
@@ -157,16 +157,15 @@ kubectl -n juice-shop annotate service juice-shop auto-discovery.securecodebox.i
157157
| config.resourceInclusion.mode | string | `"enabled-per-namespace"` | |
158158
| config.serviceAutoDiscovery.enabled | bool | `true` | |
159159
| config.serviceAutoDiscovery.passiveReconcileInterval | string | `"1m"` | interval in which every service is re-checked for updated pods, if service object is updated directly this the service will get reconciled immediately |
160-
| config.serviceAutoDiscovery.scanConfigs[0] | object | `{"annotations":{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"},"env":[],"hookSelector":{},"labels":{},"name":"zap","parameters":["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"],"repeatInterval":"168h","scanType":"zap-advanced-scan","volumeMounts":[],"volumes":[]}` | scanType used for the scans created by the serviceAutoDiscovery |
160+
| config.serviceAutoDiscovery.scanConfigs[0] | object | `{"annotations":{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"},"env":[{"name":"TARGET_URL","value":"{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"}],"hookSelector":{},"labels":{},"name":"zap","parameters":["-autorun","/home/securecodebox/scb-automation/automation.yaml"],"repeatInterval":"168h","scanType":"zap-automation-framework","volumeMounts":[{"mountPath":"/home/securecodebox/scb-automation/automation.yaml","name":"zap-automation-framework-baseline-config","subPath":"automation.yaml"}],"volumes":[{"configMap":{"name":"zap-automation-framework-baseline-config"},"name":"zap-automation-framework-baseline-config"}]}` | scanType used for the scans created by the serviceAutoDiscovery |
161161
| config.serviceAutoDiscovery.scanConfigs[0].annotations | object | `{"defectdojo.securecodebox.io/engagement-name":"{{ .Target.Name }}","defectdojo.securecodebox.io/engagement-version":"{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}","defectdojo.securecodebox.io/product-name":"{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}","defectdojo.securecodebox.io/product-tags":"cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}"}` | annotations to be added to the scans started by the auto-discovery, all annotation values support templating |
162-
| config.serviceAutoDiscovery.scanConfigs[0].env | list | `[]` | allows to overwrite the env var list of the scan job. the value field supports templating. |
162+
| config.serviceAutoDiscovery.scanConfigs[0].env | list | `[{"name":"TARGET_URL","value":"{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"}]` | allows to overwrite the env var list of the scan job. the value field supports templating. |
163163
| config.serviceAutoDiscovery.scanConfigs[0].hookSelector | object | `{}` | HookSelector allows to specify a LabelSelector with which the hooks are selected, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors Both matchLabels and matchExpressions are supported. All values in the matchLabels map support templating. MatchExpressions support templating in the `key` field and in every entry in the `values` list. If a value in the list renders to an empty string it is removed from the list. |
164164
| config.serviceAutoDiscovery.scanConfigs[0].labels | object | `{}` | labels to be added to the scans started by the auto-discovery, all label values support templating |
165165
| config.serviceAutoDiscovery.scanConfigs[0].name | string | `"zap"` | unique name to distinguish scans |
166-
| config.serviceAutoDiscovery.scanConfigs[0].parameters | list | `["-t","{{ .Host.Type }}://{{ .Service.Name }}.{{ .Service.Namespace }}.svc:{{ .Host.Port }}"]` | parameters used for the scans created by the serviceAutoDiscovery, all parameters support templating |
167-
| config.serviceAutoDiscovery.scanConfigs[0].repeatInterval | string | `"168h"` | interval in which scans are automatically repeated. If the target is updated (meaning a new image revision is deployed) the scan will repeated beforehand and the interval is reset. |
168-
| config.serviceAutoDiscovery.scanConfigs[0].volumeMounts | list | `[]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating |
169-
| config.serviceAutoDiscovery.scanConfigs[0].volumes | list | `[]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating |
166+
| config.serviceAutoDiscovery.scanConfigs[0].parameters | list | `["-autorun","/home/securecodebox/scb-automation/automation.yaml"]` | parameters used for the scans created by the serviceAutoDiscovery, all parameters support templating |
167+
| config.serviceAutoDiscovery.scanConfigs[0].volumeMounts | list | `[{"mountPath":"/home/securecodebox/scb-automation/automation.yaml","name":"zap-automation-framework-baseline-config","subPath":"automation.yaml"}]` | volumeMounts to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1 the fields: `name`, `mountPath`, `subPath`, `subPathExpr` of each volumeMount support templating |
168+
| config.serviceAutoDiscovery.scanConfigs[0].volumes | list | `[{"configMap":{"name":"zap-automation-framework-baseline-config"},"name":"zap-automation-framework-baseline-config"}]` | volumes to add to the scan job, see: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes the fields: `name`, `secret.secretName`, `configMap.name` of each volume support templating |
170169
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
171170
| image.repository | string | `"securecodebox/auto-discovery-kubernetes"` | |
172171
| image.tag | string | `nil` | |
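Review bot: the new `scanConfigs[0]` default mounts a ConfigMap named `zap-automation-framework-baseline-config` at `/home/securecodebox/scb-automation/automation.yaml` and passes `-autorun` for that path, but the description column is unchanged and nothing in this table says where the ConfigMap is expected to come from. State that it must exist in the namespace the scan runs in (the namespace where the zap-automation-framework ScanType is installed, per the service-auto-discovery page); otherwise the scan pod will sit in ContainerCreating with a "configmap not found" volume error rather than failing with a scanner message. It is also worth calling out that the target now reaches ZAP through the `TARGET_URL` env entry instead of the `-t` parameter, so users who previously overrode `parameters` to change the target need to move that override to `env`.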

documentation/docs/auto-discovery/installation.md

Lines changed: 6 additions & 5 deletions
@@ -32,9 +32,9 @@ To ease the rollout of the auto-discovery in already existing clusters the auto-
3232
This behavior can be configured using one of the following `resourceInclusion` modes:
3333

3434
- enabled-per-namespace (default) : scans discovered resources in namespaces marked as enabled by an annotation
35-
- enabled-per-resource : only scans resources marked as enabled by an annotation
35+
- enabled-per-resource : only scans resources marked as enabled by an annotation
3636
- all (scans every resource in the whole cluster!)
37-
37+
3838
These modes can be set via the `config.resourceInclusion` parameter in the helm chart:
3939

4040
```bash
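Review bot: the `enabled-per-resource` line and the blank line in this hunk look like whitespace-only changes (trailing spaces), which is noise in a commit whose stated purpose is the ScanType rename; either drop them or mention them in the commit message. While here, the third bullet `all (scans every resource in the whole cluster!)` does not follow the `name : description` form of the other two; `all : scans every resource in the whole cluster` would be consistent.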
@@ -52,6 +52,7 @@ Annotating a namespace can be done as follows. Here the default namespace is ann
5252
```bash
5353
kubectl annotate namespace default auto-discovery.securecodebox.io/enabled=true
5454
```
55+
5556
Annotating a individual resource is done as follows. Here the deployment `juice-shop` in the namespace `default` is annotated.
5657

5758
It is done by adding the annotation to the chart values, which is then passed to the deployment template. This results into the pod containing the service/deployment always having the annotation. The process may be different in your case:
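Review bot: the added blank line after the fence is fine; the unchanged context right below it carries two grammar slips worth fixing in the same pass: "Annotating a individual resource" should be "an individual resource", and "This results into the pod" should be "This results in the pod".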
@@ -60,10 +61,10 @@ It is done by adding the annotation to the chart values, which is then passed to
6061
helm upgrade --install juice-shop oci://ghcr.io/securecodebox/helm/juice-shop --set-json='annotations={"auto-discovery.securecodebox.io/enabled":"true"}'
6162
```
6263

63-
You should now see a ZAP-advanced [ScheduledScan](/docs/api/crds/scheduled-scan) created for juice-shop or any other service that you have annotated.
64+
You should now see a ZAP Automation Framework [ScheduledScan](/docs/api/crds/scheduled-scan) created for juice-shop or any other service that you have annotated.
6465

6566
```bash
66-
$ kubectl get scheduledscans.execution.securecodebox.io
67+
$ kubectl get scheduledscans.execution.securecodebox.io
6768
NAME TYPE INTERVAL FINDINGS
68-
juice-shop-service-port-3000 zap-advanced-scan 168h0m0s 5
69+
juice-shop-service-port-3000 zap-automation-framework 168h0m0s 5
6970
```
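Review bot: the sample listing shows `FINDINGS` as `5` for a ScheduledScan that has just been created, whereas the equivalent listing in `how-tos/autodiscovery.md` in this same commit leaves the column empty; the empty value is the accurate one right after creation, so either drop the `5` here or say that findings appear only after the first scheduled run has completed. The prose above names the scanner "ZAP Automation Framework" while the TYPE column shows `zap-automation-framework`; using the ScanType name in the sentence would let a reader match it to the output directly.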

documentation/docs/auto-discovery/service-auto-discovery.md

Lines changed: 3 additions & 3 deletions
@@ -14,14 +14,14 @@ The Service AutoDiscovery will create a `ScheduledScan` with the given parameter
1414
The Service AutoDiscovery will ignore services where the underlying pods do not serve http(s). It does this by checking for open ports `80, 443, 3000, 5000, 8000, 8443, 8080`. It is also sufficient to name the ports `http` or `https` when a different port is used than the ports specified above.
1515
Services without a matching port number or name are currently ignored.
1616

17-
By default the Service AutoDiscovery creates [ZAP Advanced](../scanners/zap-advanced.md) for each service. These scans are relatively generic and don't include any configuration regarding authentication / authorization. As the setup and configuration of the ZAP-Advanced Chart is located in each namespace it is possible to tweak the default configuration to support authenticated and more highly configured scans. For guides on how to configure ZAP Advanced refer to the [ZAP Advanced Documentation](../scanners/zap-advanced.md).
17+
By default the Service AutoDiscovery creates [ZAP Automation Framework](../scanners/zap-automation-framework.md) for each service. These scans are relatively generic and don't include any configuration regarding authentication / authorization. As the setup and configuration of the zap-automation-framework Chart is located in each namespace it is possible to tweak the default configuration to support authenticated and more highly configured scans. For guides on how to configure ZAP Automation Framework refer to the [ZAP Automation Framework Documentation](../scanners/zap-automation-framework.md).
1818

1919
### Setup
2020

21-
By default the Service AutoDiscovery creates ScheduledScans using the [ZAP Advanced](/docs/scanners/zap-advanced) `ScanType`. It must be installed in the same namespace as the containers you wish to scan. The following steps will install `zap-advanced` in the `default` namespace:
21+
By default the Service AutoDiscovery creates ScheduledScans using the [ZAP Automation Framework](/docs/scanners/zap-automation-framework) `ScanType`. It must be installed in the same namespace as the containers you wish to scan. The following steps will install `zap-automation-framework` in the `default` namespace:
2222

2323
```bash
24-
helm upgrade --install zap-advanced oci://ghcr.io/securecodebox/helm/zap-advanced
24+
helm upgrade --install zap-automation-framework oci://ghcr.io/securecodebox/helm/zap-automation-framework
2525
```
2626

2727
#### Deactivation
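Review bot: the first changed paragraph says the Service AutoDiscovery "creates [ZAP Automation Framework](...) for each service" with the noun missing (the slip predates this commit); it should read "creates ZAP Automation Framework scans for each service". The Setup paragraph installs the chart with release name `zap-automation-framework` in the target namespace; since the README default in this commit references the ConfigMap `zap-automation-framework-baseline-config`, say here that this install is what is expected to make that ConfigMap available (and whether the name depends on the release name), so a reader who picks a different release name or namespace knows why no scan pod starts. The two links in this hunk point at the same page as `../scanners/zap-automation-framework.md` and `/docs/scanners/zap-automation-framework`; use one form.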

documentation/docs/how-tos/autodiscovery.md

Lines changed: 12 additions & 12 deletions
@@ -29,7 +29,7 @@ If a pod consists of multiple containers, the above described logic will be appl
2929

3030
### Service AutoDiscovery
3131

32-
The Service AutoDiscovery will create a scheduled scan with the given parameters (see [readme](https://github.com/secureCodeBox/secureCodeBox/blob/main/auto-discovery/kubernetes/README.md) for config options) for each Kubernetes service it detects. (It is possible to scan APIs that require authentication, see the [ZAP Advanced](../scanners/zap-advanced.md) documentation).
32+
The Service AutoDiscovery will create a scheduled scan with the given parameters (see [readme](https://github.com/secureCodeBox/secureCodeBox/blob/main/auto-discovery/kubernetes/README.md) for config options) for each Kubernetes service it detects. (It is possible to scan APIs that require authentication, see the [ZAP Automation Framework ](../scanners/zap-automation-framework.md) documentation).
3333
The Service AutoDiscovery is enabled by default but can be disabled manually.
3434

3535
The Service AutoDiscovery will ignore services where the underlying pods do not serve http(s). It does this by checking for open ports `80, 443, 3000, 5000, 8000, 8443, 8080`. It is also sufficient to name the ports `http` or `https` when a different port is used than the ports specified above.
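Review bot: the link text on the changed line is `[ZAP Automation Framework ](../scanners/zap-automation-framework.md)` with a trailing space before `]`, which renders as a stray space inside the link; remove it.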
@@ -40,10 +40,10 @@ Services without a matching port number or name are currently ignored.
4040
For the sake of the tutorial, it will be assumed that a Kubernetes cluster and the SCB operator is already up and running. If not, check out the [installation](/docs/getting-started/installation/) tutorial for more information.
4141
This tutorial will use the `default` and `securecodebox-system` namespaces.
4242

43-
First install the `zap-advanced` (for service AutoDiscovery) and `trivy` (for Container AutoDiscovery) scan types:
43+
First install the `zap-automation-framework` (for service AutoDiscovery) and `trivy` (for Container AutoDiscovery) scan types:
4444

4545
```bash
46-
helm upgrade --install zap-advanced oci://ghcr.io/securecodebox/helm/zap-advanced
46+
helm upgrade --install zap-automation-framework oci://ghcr.io/securecodebox/helm/zap-automation-framework
4747
helm upgrade --install trivy oci://ghcr.io/securecodebox/helm/trivy
4848
```
4949

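Review bot: the two `helm upgrade --install` commands carry no `-n default`, so they go to whatever namespace the current kubeconfig context selects, while the sentence above says the tutorial uses `default` and the service-auto-discovery page requires the ScanType to live in the same namespace as the scanned containers; add `-n default` (or state the assumption explicitly) so the ScheduledScans created in the next step can actually resolve the ScanType and the `zap-automation-framework-baseline-config` ConfigMap that the README default mounts.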
@@ -73,13 +73,13 @@ Then install juice-shop as a demo target:
7373
helm upgrade --install juice-shop oci://ghcr.io/securecodebox/helm/juice-shop
7474
```
7575

76-
The AutoDiscovery will create two scheduled scans after some time. One for the juice-shop service using `zap`, and one for the juice-shop container using `trivy`:
76+
The AutoDiscovery will create two scheduled scans after some time. One for the juice-shop service using `zap-automation-framework`, and one for the juice-shop container using `trivy`:
7777

7878
```bash
7979
$ kubectl get scheduledscans
80-
NAME TYPE INTERVAL FINDINGS
81-
juice-shop-service-port-3000 zap-advanced-scan 168h0m0s
82-
scan-juice-shop-at-350cf9a6ea37138b987a3968d046e61bcd3bb18d2ec trivy 168h0m0s
80+
NAME TYPE INTERVAL FINDINGS
81+
juice-shop-service-port-3000 zap-automation-framework 168h0m0s
82+
scan-juice-shop-at-350cf9a6ea37138b987a3968d046e61bcd3bb18d2ec trivy 168h0m0s
8383
```
8484

8585
Install a second juice-shop into the namespace:
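Review bot: the `juice-shop-service-port-3000` scan keeps its name and only its TYPE value changes, which is right; the replaced lines also re-space the listing because `zap-automation-framework` is wider than `zap-advanced-scan`, so check the rendered alignment of the header row against both data rows, including the long trivy row whose name embeds the image digest, before merging.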
@@ -88,14 +88,14 @@ Install a second juice-shop into the namespace:
8888
helm upgrade --install juice-shop2 oci://ghcr.io/securecodebox/helm/juice-shop
8989
```
9090

91-
The AutoDiscovery will then create a second `zap` scan for the service, but no additional `trivy` container scan, as the juice-shop container is already being scanned.
91+
The AutoDiscovery will then create a second `zap-automation-framework` scan for the service, but no additional `trivy` container scan, as the juice-shop container is already being scanned.
9292

9393
```bash
9494
$ kubectl get scheduledscans
95-
NAME TYPE INTERVAL FINDINGS
96-
juice-shop-service-port-3000 zap-advanced-scan 168h0m0s
97-
juice-shop2-service-port-3000 zap-advanced-scan 168h0m0s
98-
scan-juice-shop-at-350cf9a6ea37138b987a3968d046e61bcd3bb18d2ec trivy 168h0m0s
95+
NAME TYPE INTERVAL FINDINGS
96+
juice-shop-service-port-3000 zap-automation-framework 168h0m0s
97+
juice-shop2-service-port-3000 zap-automation-framework 168h0m0s
98+
scan-juice-shop-at-350cf9a6ea37138b987a3968d046e61bcd3bb18d2ec trivy 168h0m0s
9999
```
100100

101101
Delete both juice-shop deployments.
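Review bot: the closing line "Delete both juice-shop deployments." gives no command, although every earlier step in this page is a copy-pasteable helm invocation; `helm uninstall juice-shop juice-shop2` would complete the walk-through, and a sentence on what happens to the three ScheduledScans afterwards (plus a final `kubectl get scheduledscans` to verify) would let readers confirm the cleanup.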
