Feature/lab8 #8
Open
ellilin wants to merge 10 commits into
Complete triage report for OWASP Juice Shop deployment including:
- Scope & Asset information (v19.0.0)
- Environment details (macOS, Docker 28.3.3)
- Deployment verification with health checks
- Surface snapshot analysis
- Top 3 security risks identified
- PR template setup documentation
- GitHub community engagement section
- Generate SBOMs with Syft and Trivy for OWASP Juice Shop v19.0.0
- Perform SCA with Grype and Trivy vulnerability scanning
- Compare toolchain capabilities: accuracy, coverage, features
- Analyze 1139 packages, 146 vulnerabilities, 32 license types
- Document critical vulnerabilities and remediation strategies

Co-Authored-By: Claude (glm-5) <noreply@anthropic.com>
- SAST analysis with Semgrep (25 code-level findings)
- DAST analysis with ZAP, Nuclei, SQLmap
- Authenticated vs unauthenticated scan comparison
- Tool comparison matrix and recommendations
- SAST/DAST correlation analysis
…lysis
- Scanned Terraform with tfsec, Checkov, and Terrascan (45, 78, 22 findings)
- Scanned Pulumi with KICS (6 findings: 1 CRITICAL, 2 HIGH, 1 MEDIUM)
- Scanned Ansible with KICS (10 findings: 9 HIGH, 1 LOW)
- Created comprehensive tool comparison matrix
- Identified 161 total security vulnerabilities across all frameworks
- Documented top 5 critical findings with remediation code examples
- Provided CI/CD integration strategy with quality gates
Goal

Complete Lab 8 by implementing a local software supply chain security workflow for bkimminich/juice-shop:v19.0.0, including image signing, tamper verification, SBOM and provenance attestations, and non-container artifact signing, then documenting the results in labs/submission8.md.

Changes

- labs/submission8.md with the full Lab 8 report, including signing/verification evidence and required analysis.
- labs/lab8/ for image signing, tamper demonstration, SBOM attestation, provenance attestation, and blob signing.
- jq.

Testing

- bkimminich/juice-shop:v19.0.0, pushed it to localhost:5000, signed the digest with Cosign, and verified it successfully with the public key.
- busybox:latest, verified that the new digest failed signature verification, and confirmed that the original digest still verified successfully.
- jq, and verified a signed sample.tar.gz blob with Cosign.

Artifacts & Screenshots

- labs/submission8.md
- labs/lab8/signing/verify-image.txt
- labs/lab8/analysis/verify-tampered.txt
- labs/lab8/analysis/verify-original-after-tamper.txt
- labs/lab8/attest/verify-sbom-attestation.txt
- labs/lab8/attest/inspect-sbom.json
- labs/lab8/attest/verify-provenance.txt
- labs/lab8/attest/inspect-provenance.json
- labs/lab8/artifacts/verify-blob.txt
- labs/lab8/analysis/cosign-tree.txt

Checklist

- feat:, fix:, docs:)
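The Testing section above exercises three properties: a signature is made over the image digest, a tag re-pointed at busybox fails verification while the original digest still verifies, and SBOM/provenance attestations are bound to a specific digest. The Go program below is an added example, not code from this PR or the lab's scripts; it models those mechanics with the standard library instead of invoking cosign. Assumptions: Ed25519 stands in for cosign's ECDSA-P256 key pair, the two manifests, the SPDX predicate and the localhost:5000/juice-shop:v19.0.0 tag are constructed, and an in-memory map plays the role of the registry's tag-to-digest mapping.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// digestOf is the registry content digest of a manifest; a tag is only a mutable pointer to it.
func digestOf(manifest []byte) string {
	return fmt.Sprintf("sha256:%x", sha256.Sum256(manifest))
}

// signDigest/verifyDigest cover the resolved digest, as cosign does, never the tag
// (Ed25519 stands in for cosign's ECDSA-P256 keys in this model).
func signDigest(priv ed25519.PrivateKey, digest string) []byte {
	return ed25519.Sign(priv, []byte(digest))
}
func verifyDigest(pub ed25519.PublicKey, digest string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(digest), sig)
}

// Statement is the in-toto statement `cosign attest` wraps around a predicate (SPDX
// SBOM, SLSA provenance, ...); its subject binds the predicate to an image digest.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is a DSSE envelope: base64 payload plus signatures over pae(type, payload).
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	Sig string `json:"sig"`
}

const inTotoType = "application/vnd.in-toto+json"

// pae is DSSE's pre-authentication encoding; signing it rather than the raw payload
// stops a signature from being replayed under a different payloadType.
func pae(payloadType string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " " + string(payload))
}

// attest builds and signs a statement whose subject is the given image digest.
func attest(priv ed25519.PrivateKey, name, digest, predType string, pred []byte) (Envelope, error) {
	subj := Subject{Name: name, Digest: map[string]string{"sha256": strings.TrimPrefix(digest, "sha256:")}}
	payload, err := json.Marshal(Statement{Type: "https://in-toto.io/Statement/v0.1",
		Subject: []Subject{subj}, PredicateType: predType, Predicate: json.RawMessage(pred)})
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(inTotoType, payload))
	return Envelope{PayloadType: inTotoType, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []Signature{{Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// verifyAttestation checks the envelope signature and, like `cosign verify-attestation`,
// that the subject digest is the digest under verification: a genuine statement about
// some other image must be rejected.
func verifyAttestation(pub ed25519.PublicKey, env Envelope, digest string) (st Statement, ok bool) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || len(env.Signatures) == 0 {
		return st, false
	}
	sig, err := base64.StdEncoding.DecodeString(env.Signatures[0].Sig)
	if err != nil || !ed25519.Verify(pub, pae(env.PayloadType, payload), sig) || json.Unmarshal(payload, &st) != nil {
		return st, false
	}
	for _, s := range st.Subject {
		if "sha256:"+s.Digest["sha256"] == digest {
			return st, true
		}
	}
	return st, false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed manifests and an assumed tag name; a real registry serves manifests by digest.
	juice := []byte(`{"schemaVersion":2,"config":{"digest":"sha256:juice-shop-config"}}`)
	busybox := []byte(`{"schemaVersion":2,"config":{"digest":"sha256:busybox-config"}}`)
	ref := "localhost:5000/juice-shop:v19.0.0"
	tags := map[string]string{ref: digestOf(juice)}
	original, sig := tags[ref], signDigest(priv, tags[ref])
	fmt.Println("signed tag verifies:", verifyDigest(pub, tags[ref], sig))
	tags[ref] = digestOf(busybox) // tamper: re-point the tag, as re-tagging and pushing does
	fmt.Println("tampered tag / original digest verify:", verifyDigest(pub, tags[ref], sig), verifyDigest(pub, original, sig))
	sbom := []byte(`{"spdxVersion":"SPDX-2.3","name":"juice-shop"}`) // constructed predicate
	env, err := attest(priv, "localhost:5000/juice-shop", original, "https://spdx.dev/Document", sbom)
	if err != nil {
		panic(err)
	}
	_, okOrig := verifyAttestation(pub, env, original)
	_, okTamper := verifyAttestation(pub, env, tags[ref])
	fmt.Println("SBOM attestation bound to original / tampered:", okOrig, okTamper)
}
```

Run with `go run`. The point of the tamper step is that nothing touched the signature: verifying by tag resolves the tag to a digest first, and the digest is what changed, which is why the original digest keeps verifying after the tag was hijacked. The same logic governs attestations, which is why verifyAttestation compares the statement's subject against the digest being checked instead of accepting any correctly signed envelope.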