
feat(lab7): trivy scans + PSS restricted hardening + conftest gate#1422

Open
karmihkr wants to merge 1 commit into inno-devops-labs:main from karmihkr:feature/lab7

Conversation

@karmihkr karmihkr commented Jul 4, 2026


Goal

Harden a Juice Shop Kubernetes deployment to PSS restricted compliance and gate it with Trivy + Conftest scans.

Changes

  • Trivy image + config scans of bkimminich/juice-shop:v20.0.0 (submissions/lab7.md)
  • Hardened K8s manifests: namespace.yaml, serviceaccount.yaml, deployment.yaml, networkpolicy.yaml
  • Conftest Rego policy gating non-compliant pods (labs/lab7/policies/pod-hardening.rego)

Testing

trivy image bkimminich/juice-shop:v20.0.0 --severity HIGH,CRITICAL --format json --output ...
kubectl apply -f labs/lab7/k8s
kubectl get pod -n juice-shop -l app=juice-shop # 1/1 Running, 0 restarts
trivy k8s --include-namespaces juice-shop --severity HIGH,CRITICAL --report=summary
conftest test labs/lab7/k8s/deployment.yaml --policy labs/lab7/policies # 4 passed
conftest test labs/lab7/bad-test/bad-pod.yaml --policy labs/lab7/policies # 4 failed as expected
Full output and analysis in submissions/lab7.md.

Artifacts & Screenshots

  • submissions/lab7.md
  • labs/lab7/k8s/*.yaml
  • labs/lab7/policies/pod-hardening.rego

Checklist

  • Title is clear (feat(labN): <topic> style)
  • No secrets/large temp files committed
  • Submission file at submissions/lab7.md exists
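Added example, not the pod-hardening.rego from this PR (whose rules are not shown here): a Conftest policy in Rego that gates a Pod or workload manifest on the controls the PSS "restricted" profile adds on top of "baseline" (allowPrivilegeEscalation false, capabilities dropped to ALL with only NET_BIND_SERVICE addable, runAsNonRoot true, seccompProfile RuntimeDefault or Localhost). It assumes the `main` package Conftest looks in by default and rego.v1 syntax, so it needs a Conftest built on OPA 0.59 or newer; the rule names and messages are my own. Every check treats a missing securityContext field as a failure, since an undefined reference makes the `not` succeed, which is the default-deny behaviour you want from a gate.

```rego
package main

# Added example Conftest policy for PSS "restricted" (assumed package name and
# rego.v1 syntax; not the policy shipped in labs/lab7/policies). Usage:
#   conftest test labs/lab7/k8s/deployment.yaml --policy <dir containing this file>

import rego.v1

workload_kinds := {"Deployment", "StatefulSet", "DaemonSet", "Job"}

# Pod spec, whether the document is a bare Pod or a workload with a pod template.
pod_spec := input.spec if input.kind == "Pod"

pod_spec := input.spec.template.spec if input.kind in workload_kinds

# Every container the pod would run, including initContainers.
containers contains c if some c in pod_spec.containers

containers contains c if some c in pod_spec.initContainers

# Helper predicates. A missing securityContext makes the call undefined, so
# `not nonroot(...)` succeeds and the deny fires.
nonroot(sc) if sc.runAsNonRoot == true

seccomp_ok(sc) if sc.seccompProfile.type in {"RuntimeDefault", "Localhost"}

# 1. Privilege escalation must be explicitly disabled on every container.
deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("container %q must set securityContext.allowPrivilegeEscalation: false", [c.name])
}

# 2. All capabilities must be dropped; only NET_BIND_SERVICE may be added back.
deny contains msg if {
	some c in containers
	dropped := object.get(c, ["securityContext", "capabilities", "drop"], [])
	not "ALL" in dropped
	msg := sprintf("container %q must drop ALL capabilities", [c.name])
}

deny contains msg if {
	some c in containers
	some cap in object.get(c, ["securityContext", "capabilities", "add"], [])
	cap != "NET_BIND_SERVICE"
	msg := sprintf("container %q adds capability %q; only NET_BIND_SERVICE is allowed", [c.name, cap])
}

# 3. Must run as non-root, set either on the pod or on the container.
deny contains msg if {
	some c in containers
	not nonroot(pod_spec.securityContext)
	not nonroot(c.securityContext)
	msg := sprintf("container %q must run with runAsNonRoot: true (pod or container securityContext)", [c.name])
}

# 4. Seccomp profile must be RuntimeDefault or Localhost, on the pod or the container.
deny contains msg if {
	some c in containers
	not seccomp_ok(pod_spec.securityContext)
	not seccomp_ok(c.securityContext)
	msg := sprintf("container %q needs seccompProfile.type RuntimeDefault or Localhost", [c.name])
}
```

Conftest evaluates each YAML document in the file as `input` and reports every `deny` message, so a deployment that sets the four fields at the pod level (runAsNonRoot, seccompProfile) and the container level (allowPrivilegeEscalation, capabilities.drop: [ALL]) passes cleanly, while a container with no securityContext at all trips all four numbered checks. Pair it with `trivy k8s` for the image/config findings the policy cannot see.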
