What's Changed

🚓 Security Scanner

• Upgraded nuclei from v3.6.1 to v3.6.2 @secureCodeBoxBot (#3447)
• Upgraded semgrep from 1.146.0 to 1.147.0 @secureCodeBoxBot (#3453)
• Upgraded sslyze from 6.2.0 to 6.3.0 @secureCodeBoxBot (#3446)
• Upgraded subfinder from v2.10.1 to v2.12.0 @secureCodeBoxBot (#3440, #3454)

🚀 Features

• Add option to include target domain in subfinder findings by @p4trickweiss in #3452

🐛 Bug Fixes

• Ensure Host findings still have a valid location even when they are not named by @J12934 in #3451

📌 Dependencies

Full Changelog: v5.4.0...v5.5.0

What's Changed

🚀 Features

• Rewrite git-repo-scanner in Go, optimizing rate-limits to fetch repo data much faster than before by @p4trickweiss in #3392

🐛 Bug Fixes

• Fix critical DefectDojo Hook crash in v5.3.0 by @Reet00 in #3431

🚓 Security Scanner

• Upgraded nuclei from v3.6.0 to v3.6.1 @secureCodeBoxBot (#3425)
• Upgraded semgrep from 1.145.0 to 1.146.0 @secureCodeBoxBot (#3430)
• Upgraded trivy from 0.68.1 to 0.68.2 @secureCodeBoxBot (#3427)
• Upgraded trivy-sbom from 0.68.1 to 0.68.2 @secureCodeBoxBot (#3426)
• Upgraded zap-automation-framework from 2.16.1 to 2.17.0 @secureCodeBoxBot (#3424)

📌 Dependencies

Full Changelog: v5.3.0...v5.4.0

What's Changed

🚓 Security Scanner

• Upgraded gitleaks from v8.29.0 to v8.30.0 @secureCodeBoxBot (#3383, #3394)
• Upgraded nuclei from v3.5.1 to v3.6.0 @secureCodeBoxBot (#3405)
• Upgraded semgrep from 1.143.0 to 1.145.0 @secureCodeBoxBot (#3382, #3404)
• Upgraded subfinder from v2.10.0 to v2.10.1 @secureCodeBoxBot (#3386)
• Upgraded trivy from 0.67.2 to 0.68.1 @secureCodeBoxBot (#3402)
• Upgraded trivy-sbom from 0.67.2 to 0.68.1 @secureCodeBoxBot (#3403)

🐛 Bug Fixes

• Fixes Incompatability with newer Elasticsearch Systems by @conleth in #3391
• Fix secret name in helm template by @yyvfuruta in #3340

📚 Documentation

• Add Link to Blog Post "Automating Penetration Testing with SecureCodeBox on Kubernetes Kind Clusters Using GitHub Actions" by Yasmine Gharbi in #3395

📌 Dependencies

New Contributors

• @yyvfuruta made their first contribution in #3340
• @conleth made their first contribution in #3391

Full Changelog: v5.2.0...v5.3.0

What's Changed

🚓 Security Scanner

• Upgraded gitleaks from v8.28.0 to v8.29.0 @secureCodeBoxBot (#3349)
• Upgraded nuclei from v3.4.10 to v3.5.1 @secureCodeBoxBot (#3365)
• Upgraded semgrep from 1.138.0 to 1.143.0 @secureCodeBoxBot (#3306, #3331, #3339, #3347, #3364)
• Upgraded subfinder from v2.9.0 to v2.10.0 @secureCodeBoxBot (#3379)
• Upgraded trivy from 0.67.0 to 0.67.2 @secureCodeBoxBot (#3321)
• Upgraded trivy-sbom from 0.67.0 to 0.67.2 @secureCodeBoxBot (#3320)
• Upgraded whatweb from v0.6.2 to v0.6.3 @secureCodeBoxBot (#3332)
• Avoid confusion in cascading scans between http on port 443 by @Reet00 in #3271

🐛 Bug Fixes

• Fix missing sslyze findings with sslyze 6.x by @J12934 in #3351

📚 Documentation

• Improve AWS Pod Identity / IRSA Docs by @J12934 in #3314
• Add SCBaaS button by @p4trickweiss in #3350
• Add proposed ADR to use CEL in CascadingRules by @J12934 in #3328

🔧 Maintenance

• Update semgrep parser image to explicitly define docker.io prefix by @J12934 in #3330

📌 Dependencies

Full Changelog: v5.1.0...v5.2.0

🚀 Features

• Make the healthchecks for the operator configurable via helm values by @J12934 in #3223
• Switch ncrack password encryption from RSA to age-encryption by @p4trickweiss in #3247
• Improve operator and auto-discovery log consistency and switch to json logs by @J12934 in #3227

🚓 Security Scanner

• Upgraded nuclei from v3.4.7 to v3.4.10 @secureCodeBoxBot (#3228, #3232)
• Upgraded semgrep from 1.131.0 to 1.138.0 @secureCodeBoxBot (#3211, #3231, #3248, #3258, #3269, #3283, #3296)
• Upgraded subfinder from v2.8.0 to v2.9.0 @secureCodeBoxBot (#3298)
• Upgraded trivy from 0.65.0 to 0.67.0 @secureCodeBoxBot (#3252, #3303)
• Upgraded trivy-sbom from 0.65.0 to 0.67.0 @secureCodeBoxBot (#3253, #3304)
• Upgraded whatweb from v6.0.1 to v0.6.2 @secureCodeBoxBot (#3236)

🐛 Bug Fixes

• Fix Dependency Track Hook by @p4trickweiss in #3290
• Added affinity and tolerations fields to ssh-audit-scan-type.yaml by @DevikHaruko in #3297
• Migrate scan kubernetes finalizers to avoid warnings about non-recommended finalizer url structure by @J12934 in #3226

📚 Documentation

• Fix minor documentation issues by @J12934 in #3221
• Replace Snyk badge with OpenSSF Scorecard Badge by @J12934 in #3233
• Update supported k8s versions to include new Kubernetes 1.34 release. by @J12934 in #3255
• Update Security Policy with new supported Versions and Update Advisory Publishing Process by @J12934 in #3235

🔧 Maintenance

• Automatically set labels for renovate PRs by @J12934 in #3203
• Renovate for ci.yaml dependencies by @J12934 in #3204
• Optimize Go Docker builds with native cross-compilation by @J12934 in #3206
• Migrate docker repository for petstore by @Reet00 in #3213
• Remove unnecessary create-blog-post script by @Weltraumschaf in #3244
• Migrate parser-sdk to typescript by @J12934 in #3254
• Changes the comments behind pinned actions to include their full version by @J12934 in #3264
• Rewrite pull-secret-extractor in Go by @p4trickweiss in #3267
• Pin GitHub Pipeline Action Dependencies and specify reduced pipeline permissions by @J12934 in #3229

📌 Dependencies

What's Changed

This release brings some long awaited improvements and optimizations.
Some of this required breaking changes, these are listed below.

💣 Breaking

Removed / Replaced ScanTypes

• zap-baseline-scan and zap-advanced in favor of the zap-automation-framework. The zap-automation-framework ScanTpye includes all functionalities of the removed ScanTypes and can be customized easily. The default ScanType for the AutoDiscovery has been changed to the zap-automation-framework as well. For migrating to the zap-automation-framework please refer to migration to zap-automation framework guide.
• amass has been replaced with subfinder. Amass is still an amzing tool, but with its focus on becoming more of a standalone platform / database for attack surfaces keeping it integrated and updated in the secureCodeBox was getting harder and harder. subfinder is a very good replacement for subdomain discovery, thats also generally quicker and produces a similar result.
• kubeaudit was removed as the scanner itself isn't maintaned anymore. As a replacement you can use the trivy with it's k8s scanning mode, see trivy ScanType k8s example.
• typo3scan was removed as the scanner itself isn't maintaned anymore. Most security aspects of typo3 are now hard to verify from the outside as it requires authentication (which is really good). Some typo3 security aspects (e.g. a incomplete installation) can be verified by nuclei.
• doggo was removed. Doggo was added primarily as an experimentation to be used to deduplicate duplicate scan target from cascading rules based on DNS entries. That approach hasn't worked out unfortunately. The doggo integration has been non-functional for a while (see: #2853). As an alternative, nuclei already includes some DNS record based checks, if checks for specific records are required custom nuclei rules could be used to fulfil those requirements.
• cmseek was removed. cmseek has seen little updates in the last years. Our secureCodeBox integration with cmseek was always pretty basic, only supporting joomla (a specfifc CMS) results, which hasn't been a big focus for us. As a replacement we recommend using nuclei which has joomla rules which will likely receive more updates in the future.

➡️ Reference: #2670

Renamed ClusterRole and ClusterRoleBinding

To avoid naming collisions with other cluster‑scoped resources, the operator's ClusterRole formerly called manager-role has been renamed to securecodebox‑manager-role, and the corresponding ClusterRoleBinding manager-rolebinding is now securecodebox‑manager-rolebinding. The official Helm chart will automatically create and reference these new names when you update the operator.

If you maintain a custom deployment that directly references manager-role or manager-rolebinding, be sure to update those references to securecodebox‑manager-role and securecodebox‑manager-rolebinding respectively.

➡️ Reference: #3002

Changes to trivy k8s scope (namespace / cluster)

The kubeauditScope on the trivy ScanType chart was renamed to k8sScanScope Scope. The previous name was used for consistency with the kubeaudit ScanType, but it never really made sense and was confusing.
The default k8sScanScope scope was also changed from cluster to namespace, The cluster mode needs cluster wide permissions, which makes the trivy chart hard to install in properly locked down RBAC setups.

➡️ Reference: #3025

Removed Integrated Elasticsearch and Kibana Helm Charts

The integrated Elasticsearch and Kibana Helm charts have been dropped from the Persistence ElasticSearch Hook. These charts were intended as a quick-start option, but since Elastic no longer provides their own Helm charts, they have been removed. The documentation has been updated with guidance on setting up an Elasticsearch cluster using the ECK operator.

➡️ Reference: #2892

Changed Default Elasticsearch Index

The default Elasticsearch index has been updated from scbv2 to scb. The inclusion of v2 was a confusing oversight that has been outdated since the release of secureCodeBox v3.
If you had previously ingested finding using the scbv2 index prefix you can keep using it by setting the indexPrefix helm value back to scbv2 or by migrating your existing indexes to match the new naming scheme.

➡️ Reference: #2892

Replaced Bitnami MinIO Subchart with Direct MinIO Deployment

Due to upcoming deprecations in Bitnami Helm charts, the operator's MinIO integration has been changed from using the Bitnami MinIO subchart to a direct MinIO deployment using the official docker.io/minio/minio image.

⚠️ Important Migration Notes:

• Data will NOT be migrated automatically from the old Bitnami MinIO deployment to the new direct MinIO deployment
• If you have important scan data stored in the old MinIO instance, you must manually backup and restore it before upgrading
• The new MinIO deployment uses different naming conventions and storage configurations

For Production Environments:
The included MinIO deployment is intended only for quickstart and development setups. For production environments, you should:

• Use an external S3-compatible storage service (AWS S3, Google Cloud Storage, etc.)
• Set minio.enabled=false and configure the s3 section in your values
• Refer to the installation documentation for external storage configuration

If you need to continue using the embedded MinIO for development, the new deployment will create a fresh MinIO instance with the same default bucket configuration.

🚀 Features

• Add subfinder scanner by @joel-sass in #3122
• Speed up parser & hook execution time by up to 2x & reduce cpu load by up to 5x by bundling parser & hook sdk by @J12934 in #3137 & #3141
• Add resource & security context config options for trivy db cache by @J12934 in #3037
• Add default RuntimeDefault SecComp Profile to Luker and change Capability to Uppercase to better match Security Policies by @Reet00 in #3116
• Migrate Kubernetes Service AutoDiscovery to use Zap Automation Framework by default by @Reet00 in #3049
• Improve container security by ensuring that the executed code can't be modified by the container user by @J12934 in #3035

🚓 Security Scanner

• Upgraded gitleaks from v8.24.3 to v8.28.0 @secureCodeBoxBot (#3009, #3012, #3032, #3058, #3068, #3145)

• Upgraded nmap 7.97-r0 by @J12934 in #3133

• Upgraded nuclei from v3.4.2 to v3.4.7 @secureCodeBoxBot (#3027, #3041, #3089, #3107, #3109)
• Upgraded semgrep from 1.120.0 to 1.131.0 @secureCodeBoxBot (#3017, #3038, #3054, #3066, #3076, #3094, #3100, #3112, #3158, #3163)
• Upgraded sslyze from 6.1.0 to 6.2.0 @secureCodeBoxBot (#3166)
• Upgraded subfinder from v2.7.0 to v2.8.0 @secureCodeBoxBot (#3155)
• Upgraded trivy from 0.61.1 to 0.65.0 @secureCodeBoxBot (#3011, #3016, #3055, #3108, #3110, #3164)
• Upgraded trivy-sbom from 0.61.1 to 0.65.0 @secureCodeBoxBot (#3010, #3015, #3056, #3106,...

Third Release Candidate of the secureCodeBox v5 release. ☺️
This now also includes an alternative minio stack to prepare for the upcoming bitnami depracations.

For a preview of the upcoming changes, see the upgrading notes and/or the v5 milestone

Second Release Candidate of the secureCodeBox v5 release. ☺️
Release builds for the rc.1 didn't trigger correctly, so here we go again 🤞

Full release notes will be coming with the proper v5 release.
For a preview of the upcoming changes, see the upgrading notes and/or the v5 milestone

Initial Release Candidate of the secureCodeBox v5 release. ☺️
Depending on how this goes there might be more coming before the actual v5.0.0 release. 🤞

Full release notes will be coming with the proper v5 release.
For a preview of the upcoming changes, see the upgrading notes and/or the v5 milestone

What's Changed

Note: This is planned to be the last planned feature release before secureCodeBox v5.0.0.
In case of important bugs, we will still publish bug fix releases under 4.16.x :)

🚓 Security Scanner

• Upgraded gitleaks from v8.24.2 to v8.24.3 @secureCodeBoxBot (#2981)
• Upgraded kubeaudit from 0.22.1 to 0.22.2 @secureCodeBoxBot (#3001)
• Upgraded semgrep from 1.117.0 to 1.120.0 @secureCodeBoxBot (#2974, #2985, #2994)
• Upgraded trivy from 0.61.0 to 0.61.1 @secureCodeBoxBot (#2988)
• Upgraded trivy-sbom from 0.61.0 to 0.61.1 @secureCodeBoxBot (#2987)
• Add ARM support to Ncrack by @J12934 in #2996

⛩️ DefectDojo

• Use native DefectDojo Importer for SSH Audit results by @J12934 in #3004

🐛 Bug Fixes

• Fix Issue with nested Kubernetes Native Objects not being properly configurable in the Kubernetes AutoDiscovery Config by @BorisShek in #2982
• Fix Invalid ARM Image for DefectDojo hook by @J12934 in #2993

📚 Documentation

• Reorder sections in upgrading.md to list the newest first by @BorisShek in #3000
• Update supported Kubernetes versions by @J12934 in #3003
• Add Link to OWASP Stammtisch Hamburg Talk by @J12934 in #3005
• Fix ncrack config in network scanning how-to by @J12934 in #2995

🔧 Maintenance

• Update Gradle Version used for DefectDojo Hook by @Weltraumschaf in #2975

📌 Dependencies

• Update to Go to 1.24 & Update Go Libraries by @Weltraumschaf in #2978
• Bump golang.org/x/net from 0.37.0 to 0.38.0 in /auto-discovery/cloud-aws by @dependabot in #2986
• Bump http-proxy-middleware from 2.0.7 to 2.0.9 in /documentation in the npm-security-updates group by @dependabot in #2992

Full Changelog: v4.15.0...v4.16.0