lab9: DevSecOps — Trivy + ZAP + security headers + govulncheck CI#1330
Open
1r444444 wants to merge 7 commits into
Signed-off-by: Irina <irina.bychkova06@mail.ru>
Multi-stage build: golang:1.24-alpine builder + distroless/static:nonroot runtime. Static binary with -ldflags='-s -w' -trimpath, runs as nonroot. Healthcheck via compiled Go binary (no shell in distroless). Named volume at /data for persistence. Terminal outputs to be filled after Docker run.
Add /data dir with nonroot ownership (chown 65532:65532) so named volume initializes writable by the container user. Fill submission with real docker images (21.6 MB), inspect config, and persistence test outputs.
…ulncheck CI
- Run Trivy image/fs/config scans and generate CycloneDX SBOM; triage all HIGH/CRITICAL findings with FIX/WATCH/ACCEPT/FALSE POSITIVE dispositions
- Add securityHeaders middleware wrapping the router; sets X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, X-XSS-Protection on all routes
- Add middleware_test.go: asserts headers present on all routes; second test proves absence without middleware so the guard fails if middleware is removed
- Run ZAP 2.16.1 baseline against running app; triage all findings in table
- Add govulncheck@v1.1.4 as a separate CI job blocking PR merges (bonus)
- Add submissions/lab9.md with full scan outputs, triage tables, design questions
- Go 1.24 → 1.26 in Dockerfile builder + go.mod (closes 10 reachable CVEs in crypto/tls, crypto/x509, net caught by govulncheck)
- SHA-pin actions/checkout and actions/setup-go
- Trigger CI on feature/** not just feature/lab9
- Add cache-dependency-path: app/go.mod to fix Go cache warning
Summary
quicknotes:lab6.
- All 10 HIGH stdlib CVEs triaged (WATCH — unreachable call paths); Vagrant private key marked FALSE POSITIVE; Dockerfile DS-0002 marked FALSE POSITIVE (distroless nonroot base sets UID 65532 without a USER directive).
- app/middleware.go, wrapping the router and applying X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, X-XSS-Protection to every route. Before/after curl evidence included. Unit tests in middleware_test.go guard the fix.
- govulncheck@v1.1.4 added as a separate CI job in .github/workflows/ci.yml; blocks PRs if a reachable vulnerability is found.
Test plan
- go test ./... in app/ passes (all existing tests + new middleware tests)
- curl -sI http://localhost:8080/health shows security headers after docker compose up
- submissions/lab9-artifacts/
- submissions/lab9-artifacts/zap-after.txt
- submissions/lab9.md covers all tasks + design questions a–j
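The router-wrapping securityHeaders middleware and the presence/absence guard described in the commits and summary above, written here as an added example; it is not code from this PR or from the project. The concrete header values (including sending X-XSS-Protection: 0 rather than enabling the legacy filter), the /health handler body, and the names securityHeaders, newRouter and missingSecurityHeaders are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// Header values are assumptions for this example, not the project's choices.
var securityHeaderValues = map[string]string{
	"X-Content-Type-Options":  "nosniff",
	"X-Frame-Options":         "DENY",
	"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
	"Referrer-Policy":         "no-referrer",
	"X-XSS-Protection":        "0", // legacy filter; current guidance is to disable it
}

// securityHeaders wraps any http.Handler (typically the router). Headers are
// set before delegating, so 404s and error responses carry them as well.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range securityHeaderValues {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter is a stand-in for the application's router (assumed).
func newRouter() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"status":"ok"}`)
	})
	return mux
}

// missingSecurityHeaders issues an in-memory GET against h and returns the
// expected header names absent from the response, sorted for stable output.
// An empty result is what the "headers present" test asserts; a full result
// against the bare router is what the "absence without middleware" test
// asserts, so the guard fails if someone removes the wrapper.
func missingSecurityHeaders(h http.Handler, path string) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	var missing []string
	for k := range securityHeaderValues {
		if rec.Header().Get(k) == "" {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	wrapped := securityHeaders(newRouter())
	fmt.Println("with middleware, /health missing:", missingSecurityHeaders(wrapped, "/health"))
	fmt.Println("with middleware, unknown route missing:", missingSecurityHeaders(wrapped, "/does-not-exist"))
	fmt.Println("without middleware, /health missing:", missingSecurityHeaders(newRouter(), "/health"))
}
```

Wrapping the router rather than individual handlers is what makes the "all routes" claim hold: unregistered paths fall through to the mux's NotFound handler, which still runs inside the wrapper. The second check in the test (bare router, all five headers missing) is the one that keeps the guard meaningful.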