Feature/lab7#1403

Open
raylduk8 wants to merge 2 commits into inno-devops-labs:main from raylduk8:feature/lab7

Conversation

@raylduk8 raylduk8 commented Jul 3, 2026

Goal

Scan Juice Shop image with Trivy (CVE + misconfig + secrets), harden a Kubernetes deployment of it with Pod Security Standards + NetworkPolicy + securityContext

Changes

  • labs/lab7/k8s/

  • submissions/lab7.md

Testing

Trivy Image Vulnerability Scan

```bash
# `trivy image` runs the vuln and secret scanners by default; misconfig is not on by default
trivy image bkimminich/juice-shop:v20.0.0 \
  --severity HIGH,CRITICAL \
  --format json --output labs/lab7/results/trivy-image.json

trivy image bkimminich/juice-shop:v20.0.0 \
  --severity HIGH,CRITICAL \
  --format table | tee labs/lab7/results/trivy-image.txt
```

Docker Misconfig Scan

```bash
# Deliberately bad Dockerfile. Dockerfiles only accept full-line comments (a trailing
# "# ..." becomes part of the instruction's arguments), so each check ID is noted on the
# line above its instruction. The CKV_DOCKER_* IDs are Checkov's; Trivy reports the same
# issues under its own DS-prefixed check IDs.
cat > /tmp/Dockerfile-bad <<'EOF'
# CKV_DOCKER_3: avoid :latest
FROM node:latest
# CKV_DOCKER_8: USER non-root
USER root
# CKV_DOCKER_1: don't expose SSH
EXPOSE 22
# CKV_DOCKER_4: ADD URL is risky
ADD https://example.com/app.tar /
EOF

trivy config /tmp/Dockerfile-bad --severity HIGH,CRITICAL --format table
```

Top 10 CVEs with Fixes

```bash
# sort_by(.severity) sorts alphabetically, which puts CRITICAL before HIGH; that is only
# correct because the scan above was already limited to those two severities.
# FixedVersion is omitted (null) in Trivy's JSON when no fix exists.
jq '[.Results[]?.Vulnerabilities[]? | select(.FixedVersion != null) |
    {cve: .VulnerabilityID, severity: .Severity, pkg: .PkgName, fix: .FixedVersion}] |
    sort_by(.severity) | .[:10]' \
  labs/lab7/results/trivy-image.json
```

Kubernetes Hardening

```bash
kubectl apply -f labs/lab7/k8s/

# Wait for the pod
kubectl -n juice-shop wait --for=condition=ready pod -l app=juice-shop --timeout=120s

# Capture full pod spec for proof
kubectl -n juice-shop get pod -l app=juice-shop -o yaml > labs/lab7/results/pod-spec.yaml

# Quick PSS compliance check: `kubectl describe pod` does not print securityContext,
# so read the pod-level and container-level values straight from the spec
kubectl -n juice-shop get pod -l app=juice-shop \
  -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}  pod: {.spec.securityContext}{"\n"}  containers: {.spec.containers[*].securityContext}{"\n"}{end}'
```

Trivy K8s Scan

```bash
trivy k8s --include-namespaces juice-shop \
  --severity HIGH,CRITICAL \
  --format json --output labs/lab7/results/trivy-k8s.json

trivy k8s --include-namespaces juice-shop \
  --severity HIGH,CRITICAL \
  --report=summary
```

Checklist

  • Task 1 — Trivy image + config scans + Grype comparison

  • Task 2 — Hardened K8s deployment with PSS restricted + NetworkPolicy

  • Bonus — Conftest policy passing on hardened + failing on bad manifest
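The jq one-liner in the PR ranks fixable CVEs by an alphabetical sort of the severity string, which only works while the scan is restricted to HIGH and CRITICAL, and it lists the same CVE once per target it appears in. The script below is an added example (not one of the lab's own scripts) that does the same triage over a Trivy JSON report with an explicit severity rank, a CVSS v3 tie-break, per-(CVE, package) deduplication and a per-package upgrade list. It assumes Trivy's documented JSON layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity` and `CVSS.<source>.V3Score`); `SAMPLE_REPORT` is constructed with placeholder `CVE-EXAMPLE-*` IDs so it runs offline, and the file path in `main()` is an assumption.

```python
"""Turn a Trivy JSON report (trivy image --format json) into a ranked fix list.
Added example for this PR, not one of the lab's own scripts. Trivy's report layout
(Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion,
FixedVersion, Severity and CVSS.<source>.V3Score) is its documented JSON schema;
SAMPLE_REPORT below is constructed with placeholder IDs, not output from a real scan."""
import json
import sys

# Rank severities explicitly instead of relying on alphabetical order, which only
# happens to work for CRITICAL/HIGH and breaks once MEDIUM/LOW are included.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def _max_cvss_v3(vuln):
    """Highest CVSS v3 base score across the sources Trivy attaches (nvd, redhat, ...)."""
    scores = [src.get("V3Score") for src in vuln.get("CVSS", {}).values()
              if src.get("V3Score") is not None]
    return max(scores, default=0.0)


def fixable_findings(report, top=10):
    """Fixable vulnerabilities, deduplicated per (CVE, package), ordered by severity, then CVSS."""
    seen, rows = set(), []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if not vuln.get("FixedVersion"):   # no upstream fix yet: not actionable by upgrade
                continue
            key = (vuln["VulnerabilityID"], vuln["PkgName"])
            if key in seen:                     # same CVE/package reported under another target
                continue
            seen.add(key)
            rows.append({
                "cve": vuln["VulnerabilityID"],
                "severity": vuln.get("Severity", "UNKNOWN"),
                "cvss": _max_cvss_v3(vuln),
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                "fix": vuln["FixedVersion"],
                "target": result.get("Target"),
            })
    rows.sort(key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), -r["cvss"], r["cve"]))
    return rows[:top]


def upgrades_by_package(rows):
    """Group ranked findings into the fix versions each package needs.
    Versions stay as strings: comparing them lexically is not safe across ecosystems."""
    plan = {}
    for r in rows:
        plan.setdefault(r["pkg"], set()).add(r["fix"])
    return {pkg: sorted(v) for pkg, v in plan.items()}


SAMPLE_REPORT = {  # constructed; CVE-EXAMPLE-* are placeholders, not real advisories
    "Results": [
        {"Target": "bkimminich/juice-shop:v20.0.0 (os packages)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "pkg-a", "InstalledVersion": "1.2.0",
             "FixedVersion": "1.2.3", "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "pkg-b", "InstalledVersion": "1.9.9",
             "FixedVersion": "2.0.0", "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "pkg-c", "InstalledVersion": "0.1.0",
             "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.2}}},  # no FixedVersion: skipped
            {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "pkg-a", "InstalledVersion": "1.2.0",
             "FixedVersion": "1.2.3", "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 8.1}}},
        ]},
        {"Target": "Node.js", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "pkg-b", "InstalledVersion": "1.9.9",
             "FixedVersion": "2.0.0", "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
            {"VulnerabilityID": "CVE-EXAMPLE-0005", "PkgName": "pkg-d", "InstalledVersion": "0.8.0",
             "FixedVersion": "0.9.0", "Severity": "MEDIUM", "CVSS": {"redhat": {"V3Score": 5.3}}},
        ]},
    ]
}


def main():
    """Usage: python3 trivy_triage.py labs/lab7/results/trivy-image.json (path is an assumption)"""
    with open(sys.argv[1]) as fh:
        report = json.load(fh)
    ranked = fixable_findings(report)
    for r in ranked:
        print(f"{r['severity']:<8} {r['cvss']:>4}  {r['cve']:<20} {r['pkg']} {r['installed']} -> {r['fix']}")
    print("upgrade plan:", upgrades_by_package(ranked))


if __name__ == "__main__":
    main()
```

On the constructed sample the duplicate of CVE-EXAMPLE-0002 is collapsed, the unfixable CVE-EXAMPLE-0003 is dropped, and the two HIGH findings in pkg-a are ordered by CVSS rather than by ID.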

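The "Quick PSS compliance check" in the PR only eyeballs the captured pod spec. The script below is an added example (not part of labs/lab7/k8s/ or the lab's results) that applies the Pod Security Standards restricted-profile controls to Pods read from `kubectl get pod -o json`: host namespaces, allowed volume types, privileged, allowPrivilegeEscalation, capabilities, runAsNonRoot/runAsUser resolved with container-over-pod precedence, and seccompProfile. The rule set follows the Kubernetes PSS documentation; `HARDENED_POD` and `WEAK_POD` are constructed samples (UID 65532 and the `/var/log` hostPath are illustrative values, not taken from the PR's manifests), and the script name in `main()` is an assumption.

```python
"""Check Pods from `kubectl get pod -o json` against the Pod Security Standards
"restricted" profile. Added example for this PR, not part of labs/lab7/k8s/.
The rules encoded here are the restricted-profile controls documented at
https://kubernetes.io/docs/concepts/security/pod-security-standards/; the two
Pod objects at the bottom are constructed samples, not captured from a cluster."""
import json
import sys

# Volume types the restricted profile allows (everything else, e.g. hostPath, is rejected)
ALLOWED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                        "persistentVolumeClaim", "projected", "secret"}


def _all_containers(spec):
    """Every container the profile inspects: init, regular and ephemeral."""
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def pss_restricted_violations(pod):
    """Return a list of violation strings; an empty list means the Pod passes restricted."""
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})  # pod-level context, inherited unless overridden
    problems = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            problems.append(f"pod: {field} must not be true")
    for vol in spec.get("volumes", []):
        bad = set(vol) - {"name"} - ALLOWED_VOLUME_TYPES
        if bad:
            problems.append(f"volume {vol.get('name')}: type {sorted(bad)} is not allowed")
    for c in _all_containers(spec):
        name = c.get("name", "?")
        csc = c.get("securityContext", {})
        if csc.get("privileged"):
            problems.append(f"{name}: privileged must not be true")
        if csc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        caps = csc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must contain ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            problems.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")
        # Container-level values override pod-level ones, so resolve them the way the kubelet does
        if csc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true at pod or container level")
        if csc.get("runAsUser", psc.get("runAsUser")) == 0:
            problems.append(f"{name}: runAsUser 0 is not allowed")
        seccomp = csc.get("seccompProfile", psc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


# Constructed sample: the shape a hardened juice-shop Pod should have (UID is illustrative).
HARDENED_POD = {
    "metadata": {"name": "juice-shop-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 65532,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "juice-shop",
            "image": "bkimminich/juice-shop:v20.0.0",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]},
                                "readOnlyRootFilesystem": True},
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

# Constructed sample: a typical unhardened manifest (no securityContext, hostPath volume).
WEAK_POD = {
    "metadata": {"name": "juice-shop-weak"},
    "spec": {
        "containers": [{"name": "juice-shop", "image": "bkimminich/juice-shop:v20.0.0"}],
        "volumes": [{"name": "host", "hostPath": {"path": "/var/log"}}],
    },
}


def main():
    """Usage: kubectl -n juice-shop get pod -l app=juice-shop -o json | python3 pss_check.py"""
    doc = json.load(sys.stdin)
    failed = False
    for pod in doc.get("items", [doc]):  # accept a PodList or a single Pod
        problems = pss_restricted_violations(pod)
        print(f"{pod['metadata']['name']}: {'restricted OK' if not problems else 'VIOLATIONS'}")
        for p in problems:
            print("  -", p)
        failed |= bool(problems)
    sys.exit(1 if failed else 0)


if __name__ == "__main__":
    main()
```

The exit status makes the check usable as a CI gate next to the Conftest policy; note that it evaluates the Pod the cluster actually created (after admission defaults and mutations), which is the object the `pod-security.kubernetes.io/enforce` label is applied to, not the Deployment manifest.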