lab9: DevSecOps — Trivy + ZAP + security headers + govulncheck CI#1330

Open
1r444444 wants to merge 7 commits into inno-devops-labs:main from 1r444444:feature/lab9

Conversation

@1r444444 1r444444 commented Jul 4, 2026

Summary

  • Task 1 (6 pts): Trivy image, filesystem, config scans + CycloneDX SBOM on quicknotes:lab6. All 10 HIGH stdlib CVEs triaged (WATCH — unreachable call paths); Vagrant private key marked FALSE POSITIVE; Dockerfile DS-0002 marked FALSE POSITIVE (distroless nonroot base sets UID 65532 without a USER directive).
  • Task 2 (4 pts): ZAP 2.16.1 baseline against running app — 65 PASS, 2 informational WARNs (10049 cacheable 404, 10116 ZAP version). Security headers middleware added in app/middleware.go, wrapping the router and applying X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, X-XSS-Protection to every route. Before/after curl evidence included. Unit tests in middleware_test.go guard the fix.
  • Bonus (2 pts): govulncheck@v1.1.4 added as a separate CI job in .github/workflows/ci.yml; blocks PRs if a reachable vulnerability is found.

Test plan

  • go test ./... in app/ passes (all existing tests + new middleware tests)
  • curl -sI http://localhost:8080/health shows security headers after docker compose up
  • Trivy scan artifacts in submissions/lab9-artifacts/
  • ZAP after-fix report in submissions/lab9-artifacts/zap-after.txt
  • submissions/lab9.md covers all tasks + design questions a–j

1r444444 added 7 commits June 9, 2026 09:25
Signed-off-by: Irina <irina.bychkova06@mail.ru>
Multi-stage build: golang:1.24-alpine builder + distroless/static:nonroot
runtime. Static binary with -ldflags='-s -w' -trimpath, runs as nonroot.
Healthcheck via compiled Go binary (no shell in distroless). Named volume
at /data for persistence. Terminal outputs to be filled after Docker run.
Add /data dir with nonroot ownership (chown 65532:65532) so named volume
initializes writable by the container user. Fill submission with real
docker images (21.6 MB), inspect config, and persistence test outputs.
…ulncheck CI

- Run Trivy image/fs/config scans and generate CycloneDX SBOM; triage all
  HIGH/CRITICAL findings with FIX/WATCH/ACCEPT/FALSE POSITIVE dispositions
- Add securityHeaders middleware wrapping the router; sets X-Content-Type-Options,
  X-Frame-Options, CSP, Referrer-Policy, X-XSS-Protection on all routes
- Add middleware_test.go: asserts headers present on all routes; second test
  proves absence without middleware so the guard fails if middleware is removed
- Run ZAP 2.16.1 baseline against running app; triage all findings in table
- Add govulncheck@v1.1.4 as a separate CI job blocking PR merges (bonus)
- Add submissions/lab9.md with full scan outputs, triage tables, design questions
- Go 1.24 → 1.26 in Dockerfile builder + go.mod (closes 10 reachable CVEs
  in crypto/tls, crypto/x509, net caught by govulncheck)
- SHA-pin actions/checkout and actions/setup-go
- Trigger CI on feature/** not just feature/lab9
- Add cache-dependency-path: app/go.mod to fix Go cache warning
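The securityHeaders middleware described in the PR summary and in the commit message above, reconstructed as an added Go example (this is not the PR's own app/middleware.go): it wraps the router so every route, including the mux's own 404 response, carries the five headers, and a helper reports which expected headers a response lacks, which is the kind of check that makes a test fail if the wrapper is ever removed. The header values, the /health route and the function names are assumptions; the PR names the headers but does not show their values or the app's router.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Headers the middleware applies. Values are assumptions (the PR names the headers, not
// their values); X-XSS-Protection: 0 turns the legacy browser filter off rather than on.
var securityHeaders = map[string]string{
	"X-Content-Type-Options":  "nosniff",
	"X-Frame-Options":         "DENY",
	"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
	"Referrer-Policy":         "no-referrer",
	"X-XSS-Protection":        "0",
}

// withSecurityHeaders wraps any http.Handler. Headers are set before the inner handler
// runs, so every response, including the mux's own 404, carries them.
func withSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range securityHeaders {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter stands in for the app's router; the lone /health route is an assumption.
func newRouter() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
	return mux
}

// missingHeaders GETs path through h and returns the expected headers the response
// lacks; an empty result means the route is fully covered.
func missingHeaders(h http.Handler, path string) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	var missing []string
	for k := range securityHeaders {
		if rec.Header().Get(k) == "" {
			missing = append(missing, k)
		}
	}
	return missing
}
```

A test beside this file can assert that missingHeaders returns nothing for the wrapped router on every path and all five names for the bare router, which is the two-sided guard the commit message describes for middleware_test.go.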