
Feature/lab8 #8
Open
fayz131 wants to merge 3 commits into main from feature/lab8

Conversation

@fayz131 (Owner) commented Mar 30, 2026

Goal

The purpose of this pull request is to complete Lab 8 — Software Supply Chain Security.
The lab demonstrates container image signing, verification, attestations (SBOM and provenance), and artifact (blob) signing using Cosign and a local container registry.

Changes

This PR adds the Lab 8 artifacts and analysis:

  • Local registry setup and image push
  • Cosign key generation
  • Container image signing and verification
  • Tamper demonstration with tag overwrite
  • SBOM attestation (CycloneDX)
  • Provenance attestation (SLSA)
  • Blob (tarball) signing and verification
  • Lab analysis and documentation in labs/submission8.md

New files added under:

labs/lab8/
labs/submission8.md

Testing

The following steps were executed to test the changes:

  1. Pulled and pushed Juice Shop image to local registry.
  2. Generated Cosign key pair.
  3. Signed the image using Cosign.
  4. Verified the signature using the public key.
  5. Demonstrated tampering by overwriting the image tag with a different image.
  6. Verified that the tampered digest failed verification.
  7. Generated SBOM using Syft and attached it as an attestation.
  8. Created and attached provenance attestation.
  9. Signed a non-container artifact (tar.gz) using Cosign.
  10. Verified the blob signature.

All verification outputs and logs are stored under labs/lab8/.

Artifacts & Screenshots

Evidence files included in this PR:

  • Image signing and verification logs
  • Tamper verification results
  • SBOM attestation and verification output
  • Provenance attestation and verification output
  • Blob signing and verification logs
  • Analysis report: labs/submission8.md

Checklist

  • PR title is clear and descriptive
  • Documentation updated if needed
  • No secrets, temporary files, or large binaries included
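The Testing steps above (push, sign, verify, tag overwrite, SBOM attestation, blob signing) all rest on one property: a Cosign signature or attestation is bound to the content digest, never to the tag. The following added example, which is not part of this PR or the lab's own files, models that sequence with the Python standard library so it runs offline. HMAC-SHA256 with a constructed shared secret stands in for the ECDSA key pair (cosign.key / cosign.pub), a dict stands in for the local registry, and the image reference and contents are constructed; the in-toto Statement shape and the CycloneDX predicate type are the ones Cosign wraps an SBOM in.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the Cosign key pair (cosign.key / cosign.pub). HMAC with
# one shared secret replaces ECDSA only so this runs on the standard library.
SIGNING_KEY = b"lab8-demo-secret-not-a-real-cosign-key"

def digest_of(content: bytes) -> str:
    """Content-addressed identifier, like an OCI manifest or blob digest."""
    return "sha256:" + hashlib.sha256(content).hexdigest()

def sign(payload: bytes, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the signing step of `cosign sign` / `cosign sign-blob`."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify(payload: bytes, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Stand-in for `cosign verify` / `cosign verify-blob` with the public key."""
    return hmac.compare_digest(sign(payload, key), signature)

class Registry:
    """Minimal registry model: tags point at digests, digests at content.
    Signatures and attestations hang off the digest, as in Cosign."""
    def __init__(self):
        self.content, self.tags = {}, {}             # digest -> bytes, "repo:tag" -> digest
        self.signatures, self.attestations = {}, {}  # both keyed by digest

    def push(self, ref: str, content: bytes) -> str:
        d = digest_of(content)
        self.content[d] = content
        self.tags[ref] = d  # pushing to an existing tag silently re-points it
        return d

    def resolve(self, ref: str) -> str:
        return self.tags[ref]

def sign_image(reg: Registry, ref: str) -> str:
    """The signature covers the digest the tag resolves to at signing time."""
    d = reg.resolve(ref)
    reg.signatures[d] = sign(d.encode())
    return d

def verify_image(reg: Registry, ref: str) -> bool:
    """Resolve tag -> digest now, then look for a valid signature on that digest."""
    d = reg.resolve(ref)
    sig = reg.signatures.get(d)
    return sig is not None and verify(d.encode(), sig)

def attest(reg: Registry, ref: str, predicate_type: str, predicate: dict) -> str:
    """Attach a signed in-toto Statement whose subject is the image digest."""
    d = reg.resolve(ref)
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": ref.rsplit(":", 1)[0],
                     "digest": {"sha256": d.split(":", 1)[1]}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }
    payload = json.dumps(statement, sort_keys=True).encode()
    reg.attestations.setdefault(d, []).append((payload, sign(payload)))
    return d

def verify_attestation(reg: Registry, ref: str, predicate_type: str):
    """Return the predicate of a validly signed attestation whose subject digest
    matches what the tag resolves to now; None if there is no such attestation."""
    d = reg.resolve(ref)
    for payload, sig in reg.attestations.get(d, []):
        if not verify(payload, sig):
            continue
        stmt = json.loads(payload)
        if stmt["predicateType"] != predicate_type:
            continue
        if any(s["digest"]["sha256"] == d.split(":", 1)[1] for s in stmt["subject"]):
            return stmt["predicate"]
    return None

def sign_blob(content: bytes) -> str:
    """Blob signing (the tar.gz step): the signature covers the blob's digest."""
    return sign(digest_of(content).encode())

def verify_blob(content: bytes, signature: str) -> bool:
    return verify(digest_of(content).encode(), signature)

def run_lab() -> dict:
    """Replays the lab's sign -> verify -> tag overwrite -> verify sequence."""
    reg = Registry()
    ref = "localhost:5000/juice-shop:latest"  # constructed reference
    original = reg.push(ref, b"constructed image content A")
    sign_image(reg, ref)
    attest(reg, ref, "https://cyclonedx.org/bom", {"components": ["express"]})
    results = {
        "verified_before_tamper": verify_image(reg, ref),
        "sbom_before_tamper": verify_attestation(reg, ref, "https://cyclonedx.org/bom"),
    }
    # Tamper step: overwrite the tag with a different image, which has a new digest.
    replaced = reg.push(ref, b"constructed image content B")
    results["digest_changed"] = replaced != original
    results["verified_after_tamper"] = verify_image(reg, ref)  # no signature on the new digest
    results["sbom_after_tamper"] = verify_attestation(reg, ref, "https://cyclonedx.org/bom")
    # Pinning by digest still verifies the image that was actually signed.
    results["original_digest_still_verifies"] = verify(original.encode(), reg.signatures[original])
    return results
```

Running `run_lab()` shows the two sides of the tamper step: the tag verifies before the overwrite and fails after it, because the registry now resolves the tag to a digest nothing was ever signed for, while the original digest still verifies when referenced directly. The same holds for the SBOM attestation, since its subject names the digest, not the tag. This is why deployment policy should pin images by digest (or resolve the tag and verify the resolved digest) rather than trusting a mutable tag.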

