What's Changed

This release brings some long awaited improvements and optimizations.
Some of this required breaking changes, these are listed below.

💣 Breaking

Removed / Replaced ScanTypes

• zap-baseline-scan and zap-advanced in favor of the zap-automation-framework. The zap-automation-framework ScanTpye includes all functionalities of the removed ScanTypes and can be customized easily. The default ScanType for the AutoDiscovery has been changed to the zap-automation-framework as well. For migrating to the zap-automation-framework please refer to migration to zap-automation framework guide.
• amass has been replaced with subfinder. Amass is still an amzing tool, but with its focus on becoming more of a standalone platform / database for attack surfaces keeping it integrated and updated in the secureCodeBox was getting harder and harder. subfinder is a very good replacement for subdomain discovery, thats also generally quicker and produces a similar result.
• kubeaudit was removed as the scanner itself isn't maintaned anymore. As a replacement you can use the trivy with it's k8s scanning mode, see trivy ScanType k8s example.
• typo3scan was removed as the scanner itself isn't maintaned anymore. Most security aspects of typo3 are now hard to verify from the outside as it requires authentication (which is really good). Some typo3 security aspects (e.g. a incomplete installation) can be verified by nuclei.
• doggo was removed. Doggo was added primarily as an experimentation to be used to deduplicate duplicate scan target from cascading rules based on DNS entries. That approach hasn't worked out unfortunately. The doggo integration has been non-functional for a while (see: #2853). As an alternative, nuclei already includes some DNS record based checks, if checks for specific records are required custom nuclei rules could be used to fulfil those requirements.
• cmseek was removed. cmseek has seen little updates in the last years. Our secureCodeBox integration with cmseek was always pretty basic, only supporting joomla (a specfifc CMS) results, which hasn't been a big focus for us. As a replacement we recommend using nuclei which has joomla rules which will likely receive more updates in the future.

➡️ Reference: #2670

Renamed ClusterRole and ClusterRoleBinding

To avoid naming collisions with other cluster‑scoped resources, the operator's ClusterRole formerly called manager-role has been renamed to securecodebox‑manager-role, and the corresponding ClusterRoleBinding manager-rolebinding is now securecodebox‑manager-rolebinding. The official Helm chart will automatically create and reference these new names when you update the operator.

If you maintain a custom deployment that directly references manager-role or manager-rolebinding, be sure to update those references to securecodebox‑manager-role and securecodebox‑manager-rolebinding respectively.

➡️ Reference: #3002

Changes to trivy k8s scope (namespace / cluster)

The kubeauditScope on the trivy ScanType chart was renamed to k8sScanScope Scope. The previous name was used for consistency with the kubeaudit ScanType, but it never really made sense and was confusing.
The default k8sScanScope scope was also changed from cluster to namespace, The cluster mode needs cluster wide permissions, which makes the trivy chart hard to install in properly locked down RBAC setups.

➡️ Reference: #3025

Removed Integrated Elasticsearch and Kibana Helm Charts

The integrated Elasticsearch and Kibana Helm charts have been dropped from the Persistence ElasticSearch Hook. These charts were intended as a quick-start option, but since Elastic no longer provides their own Helm charts, they have been removed. The documentation has been updated with guidance on setting up an Elasticsearch cluster using the ECK operator.

➡️ Reference: #2892

Changed Default Elasticsearch Index

The default Elasticsearch index has been updated from scbv2 to scb. The inclusion of v2 was a confusing oversight that has been outdated since the release of secureCodeBox v3.
If you had previously ingested finding using the scbv2 index prefix you can keep using it by setting the indexPrefix helm value back to scbv2 or by migrating your existing indexes to match the new naming scheme.

➡️ Reference: #2892

Replaced Bitnami MinIO Subchart with Direct MinIO Deployment

Due to upcoming deprecations in Bitnami Helm charts, the operator's MinIO integration has been changed from using the Bitnami MinIO subchart to a direct MinIO deployment using the official docker.io/minio/minio image.

⚠️ Important Migration Notes:

• Data will NOT be migrated automatically from the old Bitnami MinIO deployment to the new direct MinIO deployment
• If you have important scan data stored in the old MinIO instance, you must manually backup and restore it before upgrading
• The new MinIO deployment uses different naming conventions and storage configurations

For Production Environments:
The included MinIO deployment is intended only for quickstart and development setups. For production environments, you should:

• Use an external S3-compatible storage service (AWS S3, Google Cloud Storage, etc.)
• Set minio.enabled=false and configure the s3 section in your values
• Refer to the installation documentation for external storage configuration

If you need to continue using the embedded MinIO for development, the new deployment will create a fresh MinIO instance with the same default bucket configuration.

🚀 Features

• Add subfinder scanner by @joel-sass in #3122
• Speed up parser & hook execution time by up to 2x & reduce cpu load by up to 5x by bundling parser & hook sdk by @J12934 in #3137 & #3141
• Add resource & security context config options for trivy db cache by @J12934 in #3037
• Add default RuntimeDefault SecComp Profile to Luker and change Capability to Uppercase to better match Security Policies by @Reet00 in #3116
• Migrate Kubernetes Service AutoDiscovery to use Zap Automation Framework by default by @Reet00 in #3049
• Improve container security by ensuring that the executed code can't be modified by the container user by @J12934 in #3035

🚓 Security Scanner

• Upgraded gitleaks from v8.24.3 to v8.28.0 @secureCodeBoxBot (#3009, #3012, #3032, #3058, #3068, #3145)

• Upgraded nmap 7.97-r0 by @J12934 in #3133

• Upgraded nuclei from v3.4.2 to v3.4.7 @secureCodeBoxBot (#3027, #3041, #3089, #3107, #3109)
• Upgraded semgrep from 1.120.0 to 1.131.0 @secureCodeBoxBot (#3017, #3038, #3054, #3066, #3076, #3094, #3100, #3112, #3158, #3163)
• Upgraded sslyze from 6.1.0 to 6.2.0 @secureCodeBoxBot (#3166)
• Upgraded subfinder from v2.7.0 to v2.8.0 @secureCodeBoxBot (#3155)
• Upgraded trivy from 0.61.1 to 0.65.0 @secureCodeBoxBot (#3011, #3016, #3055, #3108, #3110, #3164)
• Upgraded trivy-sbom from 0.61.1 to 0.65.0 @secureCodeBoxBot (#3010, #3015, #3056, #3106,...

Third Release Candidate of the secureCodeBox v5 release. ☺️
This now also includes an alternative minio stack to prepare for the upcoming bitnami depracations.

For a preview of the upcoming changes, see the upgrading notes and/or the v5 milestone

Second Release Candidate of the secureCodeBox v5 release. ☺️
Release builds for the rc.1 didn't trigger correctly, so here we go again 🤞

Full release notes will be coming with the proper v5 release.
For a preview of the upcoming changes, see the upgrading notes and/or the v5 milestone

Initial Release Candidate of the secureCodeBox v5 release. ☺️
Depending on how this goes there might be more coming before the actual v5.0.0 release. 🤞

Full release notes will be coming with the proper v5 release.
For a preview of the upcoming changes, see the upgrading notes and/or the v5 milestone

What's Changed

Note: This is planned to be the last planned feature release before secureCodeBox v5.0.0.
In case of important bugs, we will still publish bug fix releases under 4.16.x :)

🚓 Security Scanner

• Upgraded gitleaks from v8.24.2 to v8.24.3 @secureCodeBoxBot (#2981)
• Upgraded kubeaudit from 0.22.1 to 0.22.2 @secureCodeBoxBot (#3001)
• Upgraded semgrep from 1.117.0 to 1.120.0 @secureCodeBoxBot (#2974, #2985, #2994)
• Upgraded trivy from 0.61.0 to 0.61.1 @secureCodeBoxBot (#2988)
• Upgraded trivy-sbom from 0.61.0 to 0.61.1 @secureCodeBoxBot (#2987)
• Add ARM support to Ncrack by @J12934 in #2996

⛩️ DefectDojo

• Use native DefectDojo Importer for SSH Audit results by @J12934 in #3004

🐛 Bug Fixes

• Fix Issue with nested Kubernetes Native Objects not being properly configurable in the Kubernetes AutoDiscovery Config by @BorisShek in #2982
• Fix Invalid ARM Image for DefectDojo hook by @J12934 in #2993

📚 Documentation

• Reorder sections in upgrading.md to list the newest first by @BorisShek in #3000
• Update supported Kubernetes versions by @J12934 in #3003
• Add Link to OWASP Stammtisch Hamburg Talk by @J12934 in #3005
• Fix ncrack config in network scanning how-to by @J12934 in #2995

🔧 Maintenance

• Update Gradle Version used for DefectDojo Hook by @Weltraumschaf in #2975

📌 Dependencies

• Update to Go to 1.24 & Update Go Libraries by @Weltraumschaf in #2978
• Bump golang.org/x/net from 0.37.0 to 0.38.0 in /auto-discovery/cloud-aws by @dependabot in #2986
• Bump http-proxy-middleware from 2.0.7 to 2.0.9 in /documentation in the npm-security-updates group by @dependabot in #2992

Full Changelog: v4.15.0...v4.16.0

What's Changed

🚓 Security Scanner

• Upgraded gitleaks from v8.24.0 to v8.24.2 @secureCodeBoxBot (#2951)
• Upgraded nuclei from v3.3.8 to v3.4.2 @secureCodeBoxBot (#2972)
• Upgraded semgrep from 1.113.0 to 1.117.0 @secureCodeBoxBot (#2950, #2960, #2967)
• Upgraded trivy from 0.60.0 to 0.61.0 @secureCodeBoxBot (#2957)
• Upgraded trivy-sbom from 0.60.0 to 0.61.0 @secureCodeBoxBot (#2959)

📌 Dependencies

• Bump @types/node from 22.13.8 to 22.13.10 in /documentation in the npm-version-updates group by @dependabot in #2934
• Bump the npm-version-updates group in /documentation with 3 updates by @dependabot in #2952
• Bump the npm-version-updates group in /documentation with 3 updates by @dependabot in #2962
• Bump image-size from 1.2.0 to 1.2.1 in /documentation in the npm-security-updates group by @dependabot in #2966
• Bump the npm-version-updates group in /documentation with 4 updates by @dependabot in #2969
• Bump estree-util-value-to-estree from 3.2.1 to 3.3.3 in /documentation in the npm-security-updates group by @dependabot in #2971

📚 Documentation

• #2964 Update findings for example scans of 'zap-automation-framework' by @BorisShek in #2968

Full Changelog: v4.14.0...v4.15.0

What's Changed

🚀 Features

• Added Scan Metadata to Findings by @Ilyesbdlala in #2909

🚓 Security Scanner

• Upgraded gitleaks from v8.23.3 to v8.24.0 @secureCodeBoxBot (#2914)
• Upgraded semgrep from 1.106.0 to 1.113.0 @secureCodeBoxBot (#2889, #2902, #2913, #2923, #2928, #2948)
• Upgraded trivy from 0.59.0 to 0.60.0 @secureCodeBoxBot (#2888, #2930)
• Upgraded trivy-sbom from 0.59.0 to 0.60.0 @secureCodeBoxBot (#2887, #2931)
• Upgraded wpscan from v3.8.27 to v3.8.28 @secureCodeBoxBot (#2922)

⚓️ Hooks

• Improve Error Handling in DefectDojo Persistence Provider by @Weltraumschaf in #2833

🐛 Bug Fixes

• Fix http-webhook chart by @muffl0n in #2878
• Remove vagrant by @Weltraumschaf in #2894
• Handle conflict errors when updating Scan status by @Ilyesbdlala in #2901
• Remove underscore in container name by @Reet00 in #2903
• Allow configuration of imagePullSecret for all trivy components by @K4iM4k3r in #2929
• Adjust logs for Container AutoDiscovery by @BorisShek in #2932

📚 Documentation

• Clarify Container AutoDiscovery being disable by default @BorisShek in #2924

🔧 Maintenance

• Insert missing link in hook documentation by @Ilyesbdlala in #2911
• Handle conflict with ScheduledScan status updates with retry logic by @Ilyesbdlala in #2910
• Moved Upgrading.md to the documentation website by @Ilyesbdlala in #2915

📌 Dependencies

• Update version of minio chart used by default operator install by @J12934 in #2891
• Bump the gradle-version-updates group across 1 directory with 3 updates by @dependabot in #2868
• Update operators to latest kubebuilder versions by @J12934 in #2890
• Bump the npm-version-updates group in /documentation with 2 updates by @dependabot in #2899
• Bump io.freefair.lombok from 8.12 to 8.12.1 in /hooks/persistence-defectdojo/hook in the gradle-version-updates group by @dependabot in #2898
• Bump the npm-version-updates group in /documentation with 4 updates by @dependabot in #2907
• Bump org.springframework:spring-web from 6.2.2 to 6.2.3 in /hooks/persistence-defectdojo/hook in the gradle-version-updates group by @dependabot in #2906
• Bump serialize-javascript from 6.0.1 to 6.0.2 in /documentation in the npm-security-updates group by @dependabot in #2908
• Bump jsonpath-plus from 10.2.0 to 10.3.0 in /hooks by @dependabot in #2912
• Bump @types/node from 22.13.4 to 22.13.5 in /documentation in the npm-version-updates group by @dependabot in #2917
• Bump the npm-version-updates group in /documentation with 3 updates by @dependabot in #2925
• Bump prismjs from 1.29.0 to 1.30.0 in /documentation in the npm-security-updates group by @dependabot in #2937
• Bump golang.org/x/net from 0.30.0 to 0.36.0 in /lurker by @dependabot in #2941
• Bump @babel/helpers from 7.26.0 to 7.26.10 in /hooks by @dependabot in #2943
• Bump the npm-security-updates group in /documentation with 2 updates by @dependabot in #2944

New Contributors

• @muffl0n made their first contribution in #2878
• @K4iM4k3r made their first contribution in #2929

Full Changelog: v4.13.0...v4.14.0

🚀 Features

• Add ARM support for SSH-Audit and SSLyze by @J12934 in #2884

🐛 Bug Fixes

• Grant delete permissions for ScheduledScans in AutoDiscovery by @BorisShek in #2871

🚓 Security Scanner

• Upgraded gitleaks from v8.22.1 to v8.23.3 @secureCodeBoxBot (#2846, #2855, #2865, #2872)
• Upgraded semgrep from 1.101.0 to 1.106.0 @secureCodeBoxBot (#2835, #2854, #2863, #2873)
• Upgraded sslyze from 6.0.0 to 6.1.0 @secureCodeBoxBot (#2829)
• Upgraded trivy from 0.58.1 to 0.59.0 @secureCodeBoxBot (#2847, #2875)
• Upgraded trivy-sbom from 0.58.1 to 0.59.0 @secureCodeBoxBot (#2845, #2876)
• Upgraded zap from 2.15.0 to 2.16.0 @secureCodeBoxBot (#2840)
• Upgraded zap-advanced from 2.15.0 to 2.16.0 @secureCodeBoxBot (#2839)
• Upgraded zap-automation-framework from 2.15.0 to 2.16.0 @secureCodeBoxBot (#2838)

📚 Documentation

• Improve cascading scans docs by @J12934 in #2837

📌 Dependencies

• Bump mikefarah/yq from 4.44.6 to 4.45.1 in /.github/workflows in the github-actions-version-updates group across 1 directory by @dependabot in #2841
• Bump the npm-version-updates group across 1 directory with 12 updates by @dependabot in #2842
• Bump the npm-version-updates group across 1 directory with 3 updates by @dependabot in #2880
• Bump golang.org/x/net from 0.25.0 to 0.33.0 in /auto-discovery/cloud-aws by @dependabot in #2879
• Bump @types/node from 22.12.0 to 22.13.0 in /documentation in the npm-version-updates group by @dependabot in #2881
• Bump golang.org/x/net from 0.23.0 to 0.33.0 in /auto-discovery/kubernetes by @dependabot in #2883

🔧 Maintanance

• Revert "Replace SCB-token with github token" by @Reet00 in #2856

Full Changelog: v4.12.0...v4.13.0

🚓 Security Scanner

• Upgraded gitleaks from v8.21.2 to v8.22.1 by @secureCodeBoxBot in #2813, #2826
• Upgraded nuclei from v3.3.6 to v3.3.8 by @secureCodeBoxBot in #2834
• Upgraded semgrep from 1.95.0 to 1.101.0 by @Reet00 in #2828
• Upgraded ssh-audit from v3.2.0 to v3.3.0 by @Reet00 in #2802
• Upgraded trivy from 0.58.0 to 0.58.1 by @secureCodeBoxBot in #2816
• Upgraded trivy-sbom from 0.58.0 to 0.58.1 by @secureCodeBoxBot in #2817

📚 Documentation

• Add Talk From Bulat Gafurov from Ufadevconf #2810
• Add Sergios talk at Ekoparty 2024 #2818
• Add Blog Post announcing OWASP secureCodeBox and Friends Assembly at 38C3 by @Weltraumschaf in #2820
• Restructure and Cleanup DefectDojo Hook Docs by @J12934 in #2822
• Fix Markdown Causing a Broken Link On The Nmap Docs Page by @Weltraumschaf in #2821

🔧 Maintenance

• Adjust release note grouper for release notes generated by the native github feature by @J12934 in #2795
• Fix Docker Build Warnings by @J12934 in #2824
• Remove Comment to Prevent REUSE Check Failing to interpret License Tags by @Weltraumschaf in #2812
• Bugfix Corrected branches keyword trigger workflow correctly by @Reet00 in #2794
• Avoid run fail for dependabot PRs by @Reet00 in #2827

📌 Dependencies

• Bump the npm-security-updates group in /documentation with 2 updates by @dependabot in #2796
• Bump the npm-version-updates group in /documentation with 5 updates by @dependabot in #2807
• Bump the npm-version-updates group across 5 directories with 3 updates by @dependabot in #2806
• Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /auto-discovery/cloud-aws by @dependabot in #2808
• Bump nanoid from 3.3.7 to 3.3.8 in /documentation in the npm-security-updates group by @dependabot in #2803
• Bump org.springframework:spring-web from 6.2.0 to 6.2.1 in /hooks/persistence-defectdojo/hook in the gradle-version-updates group by @dependabot in #2805
• Bump org.junit:junit-bom from 5.11.3 to 5.11.4 in /hooks/persistence-defectdojo/hook in the gradle-version-updates group by @dependabot in #2814
• Bump the github-actions-version-updates group across 1 directory with 2 updates by @dependabot in #2800
• Use Latest Temurin 17.0.13 in SDKMAN Config by @Weltraumschaf in #2823
• Bump the gradle-version-updates group in /hooks/persistence-defectdojo/hook with 2 updates by @dependabot in #2832

Full Changelog: v4.11.0...v4.12.0

What's Changed

🚓 Security Scanner

• Upgraded nuclei from v3.3.5 to v3.3.6 @secureCodeBoxBot (#2778)
• Upgraded trivy from 0.57.0 to 0.58.0 @secureCodeBoxBot (#2765, #2791)
• Upgraded trivy-sbom from 0.57.0 to 0.58.0 @secureCodeBoxBot (#2764, #2790)

🐛 Bug Fixes

• Handle 'Packages' attribute in Trivy parser by @BorisShek in #2727
• Fix Duplicate Env Vars Added To Hook Kubernetes Job by @J12934 in #2779

📚 Documentation

• Adapt 'location' attribute in Trivy parser to match a URL format by @BorisShek in https://github.com/secureCodeBox/
  /pull/2725

🔧 Maintenance

• Replace release drafter config with build in github config by @J12934 in #2792
• Added workflow that adds bot PRs directly into To Review column by @Reet00 in #2758

📌 Dependencies

Full Changelog: v4.10.0...v4.11.0