Skip to content

feat(lab7): trivy + PSS restricted + conftest gate#7

Open
raylduk8 wants to merge 1 commit into
mainfrom
feature/lab7
Open

feat(lab7): trivy + PSS restricted + conftest gate#7
raylduk8 wants to merge 1 commit into
mainfrom
feature/lab7

Conversation

@raylduk8

@raylduk8 raylduk8 commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Goal

Scan Juice Shop image with Trivy (CVE + misconfig + secrets), harden a Kubernetes deployment of it with Pod Security Standards + NetworkPolicy + securityContext

Changes

  • labs/lab7/k8s/

  • submissions/lab7.md

Testing

Trivy Image Vulnerability Scan


trivy image bkimminich/juice-shop:v20.0.0 \

  --severity HIGH,CRITICAL \

  --format json --output labs/lab7/results/trivy-image.json

trivy image bkimminich/juice-shop:v20.0.0 \

  --severity HIGH,CRITICAL \

  --format table | tee labs/lab7/results/trivy-image.txt

Docker Misconfig Scan


cat > /tmp/Dockerfile-bad <<'EOF'

FROM node:latest                      # CKV_DOCKER_3: avoid :latest

USER root                             # CKV_DOCKER_8: USER non-root

EXPOSE 22                             # CKV_DOCKER_1: don't expose SSH

ADD https://example.com/app.tar /     # CKV_DOCKER_4: ADD URL is risky

EOF

trivy config /tmp/Dockerfile-bad --severity HIGH,CRITICAL --format table

Top 10 CVEs with Fixes


jq '[.Results[].Vulnerabilities[]? | select(.FixedVersion != null) |

    {cve: .VulnerabilityID, severity: .Severity, pkg: .PkgName, fix: .FixedVersion}] |

    sort_by(.severity) | .[:10]' \

  labs/lab7/results/trivy-image.json

Kubernetes Hardening


kubectl apply -f labs/lab7/k8s/

# Wait for the pod

kubectl -n juice-shop wait --for=condition=ready pod -l app=juice-shop --timeout=120s

# Capture full pod spec for proof

kubectl -n juice-shop get pod -l app=juice-shop -o yaml > labs/lab7/results/pod-spec.yaml

# Quick PSS compliance check

kubectl -n juice-shop describe pod -l app=juice-shop | grep -A 3 -i "security context"

Trivy K8s Scan


trivy k8s --include-namespaces juice-shop \

  --severity HIGH,CRITICAL \

  --format json --output labs/lab7/results/trivy-k8s.json

trivy k8s --include-namespaces juice-shop \

  --severity HIGH,CRITICAL \

  --report=summary

Checklist

  • Task 1 — Trivy image + config scans + Grype comparison

  • Task 2 — Hardened K8s deployment with PSS restricted + NetworkPolicy

  • Bonus — Conftest policy passing on hardened + failing on bad manifest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant