-
Notifications
You must be signed in to change notification settings - Fork 71
/
cfg.yaml
165 lines (148 loc) · 8.07 KB
/
cfg.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
# The configuration file contains a general settings section,
# routes, templates and actions sections.
name: tenant # The tenant name
aqua-server: # URL of Aqua Server for links. E.g. https://myserver.aquasec.com
max-db-size: 1000MB # Max size of DB. <numbers><unit suffix> pattern is used, such as "300MB" or "1GB". If empty or 0 then unlimited
db-verify-interval: 1 # How often to check the DB size. By default, Postee checks every 1 hour
# Routes are used to define how to handle an incoming message
routes:
- name: stdout
actions: [ stdout ]
template: raw-json
#- name: route1 # Route name. Must be unique
# input: contains(input.image, "alpine") # REGO rule to match input message against route
# input-files: # Array filePaths to files with REGO rules
# - Allow-Image-Name.rego
# - Ignore-Image-Name.rego
# - Allow-Registry.rego
# - Ignore-Registry.rego
# - Policy-Only-Fix-Available.rego
# - Policy-Min-Vulnerability.rego
# - Policy-Related-Features.rego
# actions: [my-slack] # Action name (needs to be defined under "actions") which will receive the message
# template: slack-template # Template name (needs to be defined under "templates") which will be used to process the message output format
# plugins: # Optional plugins
# aggregate-message-number: # Number of same messages to aggregate into one output message
# aggregate-message-timeout: # Number of seconds/minutes/hours to aggregate same messages into one output. Maximum is 24 hours. Use Xs or Xm or Xh
# unique-message-props: ["digest","image","registry", "vulnerability_summary.high", "vulnerability_summary.medium", "vulnerability_summary.low"] # Optional: Comma separated list of top level properties which uniqult identifies an event message. If message with same property values is received more than once it will be ignored
# unique-message-timeout: # Number of seconds/minutes/hours/days before expiring of a message. Expired messages are removed from db. If option is empty message is never deleted
# Templates are used to format a message
templates:
- name: vuls-slack # Out of the box template for slack
rego-package: postee.vuls.slack # Slack template REGO package (available out of the box)
- name: vuls-html # Out of the box HTML template
rego-package: postee.vuls.html # HTML template REGO package (available out of the box)
- name: raw-html # Raw message json
rego-package: postee.rawmessage.html # HTML template REGO package (available out of the box)
- name: legacy # Out of the box legacy Golang template
legacy-scan-renderer: html
- name: legacy-slack # Legacy slack template implemented in Golang
legacy-scan-renderer: slack
- name: legacy-jira # Legacy jira template implemented in Golang
legacy-scan-renderer: jira
- name: custom-email # Example of how to use a template from a Web URL
url: # URL to custom REGO file
- name: raw-json # route message "As Is" to external webhook
rego-package: postee.rawmessage.json
- name: vuls-cyclonedx # export vulnerabilities to CycloneDX XML
rego-package: postee.vuls.cyclondx
- name: trivy-operator-jira
rego-package: postee.trivyoperator.jira
- name: trivy-operator-slack
rego-package: postee.trivyoperator.slack
- name: trivy-operator-dependencytrack
rego-package: postee.trivyoperator.dependencytrack
- name: trivy-jira
rego-package: postee.trivy.jira
# Rules are predefined rego policies that can be used to trigger routes
rules:
- name: Initial Access
- name: Credential Access
- name: Privilege Escalation
- name: Defense Evasion
- name: Persistence
# Actions are target services that should consume the messages
actions:
- name: stdout
type: stdout
enable: true
- name: my-jira # name must be unique
type: jira # supported types: jira, email
enable: false
url: # Mandatory. E.g "https://johndoe.atlassian.net"
user: # Mandatory. E.g :[email protected]"
password: # Optional. Specify Jira user API key. Used only for Jira Cloud
token: # Optional. Specify Jira user Personal Access Token. Used only for Jira Server/Data Center
project-key: # Mandatory. Specify the JIRA product key
tls-verify: false
board: # Optional. Specify the Jira board name to open tickets on
labels: # Optional, specify array of labels to add to Ticket, for example: ["label1", "label2"]
issuetype: # Optional. Specifty the issue type to open (Bug, Task, etc.). Default is "Task"
priority: # Optional. Specify the issues severity. Default is "High"
assignee: # Optional. Specify the assigned user. Default is the user that opened the ticket
- name: my-email
type: email
enable: false
user: # Optional (if auth supported): SMTP user name (e.g. [email protected])
password: # Optional (if auth supported): SMTP password
host: # Mandatory: SMTP host name (e.g. smtp.gmail.com)
port: # Mandatory: SMTP server port (e.g. 587)
sender: # Mandatory: The email address to use as a sender
client-host-name: # Optional: setting the local client name instead of `localhost`
recipients: ["", ""] # Mandatory: comma separated list of recipients
- name: my-email-smtp-server
type: email
enable: false
use-mx: true
sender: # Mandatory: The email address to use as a sender
recipients: ["", ""] # Mandatory: comma separated list of recipients
- name: my-slack
type: slack
enable: false
url: https://hooks.slack.com/services/TAAAA/BBB/<key>
- name: ms-team
type: teams
enable: false
url: https://outlook.office.com/webhook/.... # Webhook's url
- name: webhook
type: webhook
enable: false
url: https://..../webhook/ # Webhook's url
timeout: # Webhook's timeout. <numbers><unit suffix> pattern is used, such as "300ms" or "2h45m". Default: 120s
- name: splunk
type: splunk
enable: false
url: http://localhost:8088 # Mandatory. Url of a Splunk server
token: <token> # Mandatory. a HTTP Event Collector Token
size-limit: 10000 # Optional. Maximum scan length, in bytes. Default: 10000
tls-verify: false # Enable skip TLS Verification. Default: false.
- name: my-servicenow
type: serviceNow
enable: false
user: # Mandatory. E.g :[email protected]"
password: # Mandatory. Specify user API key
instance: # Mandatory. Name of ServiceN ow Instance
board: # Specify the ServiceNow board name to open tickets on. Default is "incident"
- name: my-nexus-iq
type: nexusIq
enable: false
user: # Mandatory. User name
password: # Mandatory. User password
url: # Mandatory. Url of Nexus IQ server
organization-id: # Mandatory. Organization UID like "222de33e8005408a844c12eab952c9b0"
- name: my-dependencytrack
type: dependencytrack
enable: false
url: http://localhost:8080/ # Mandatory. Url of Dependency Track server
dependency-track-api-key: # Mandatory. API key of Dependency Track server
- name: my-opsgenie
type: opsgenie
enable: false
token: <API Key> # Mandatory. an API key from an API integration
user: # Optional. Display name of the request owner.
assignee: # Optional. Comma separated list of users that the alert will be routed to send notifications
recipients: [""] # Optional. Comma separated list of users that the alert will become visible to without sending any notification
tags: # Optional. Comma separated list of the alert tags.
priority: # Optional. Specify the alert priority. Default is "P3"
alias: # Optional. Client-defined identifier of the alert.
entity: # Optional. Entity field of the alert that is generally used to specify which domain alert is related to.