
feat(lab7): trivy + PSS restricted + conftest gate#7

Merged
RII6 merged 2 commits into main from submit/lab7
Jun 29, 2026

Conversation

@RII6 RII6 commented Jun 28, 2026

Owner

Goal

This PR adds the submission for Lab 7, including vulnerability scanning with Trivy, deploying a hardened Kubernetes workload compliant with the PSS restricted profile, and implementing a Conftest policy gate for shift-left validation.

Changes

  • Performed Trivy image and config scans and documented the results alongside a comparison with Grype (Lab 4).
  • Created Kubernetes manifests (namespace.yaml, serviceaccount.yaml, deployment.yaml, networkpolicy.yaml) for deploying Juice Shop with strict security contexts.
  • Mounted emptyDir volumes at /tmp and /juice-shop/logs to allow the pod to start despite having readOnlyRootFilesystem: true.
  • Wrote a Rego policy (pod-hardening.rego) using OPA v1 strict syntax to validate compliance with basic hardening requirements (runAsNonRoot, readOnlyRootFilesystem, drop ALL capabilities, etc.) natively at CI time.

Testing

  • Verified that the Juice Shop pod successfully applies the restricted security context and starts before hitting a CrashLoopBackOff (expected behavior due to application SQLite constraints).
  • Scanned the deployed resources using the trivy k8s command.
  • Verified the pod-hardening.rego policy using conftest test to ensure it passes the hardened deployment and correctly fails and reports intentionally vulnerable manifests.

Artifacts & Screenshots

  • Documentation available in submissions/lab7.md.

Checklist

  • Task 1 — Trivy image + config scans + Grype comparison
  • Task 2 — Hardened K8s deployment with PSS restricted + NetworkPolicy
  • Bonus — Conftest policy passing on hardened + failing on bad manifest
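The bonus task above describes a Conftest gate that passes a hardened Deployment and fails intentionally bad manifests. The following is an added example of such a policy in OPA v1 syntax; it is not the PR's pod-hardening.rego and was not taken from the repository. It assumes the input document is a Pod, or a Deployment/StatefulSet/DaemonSet/Job whose pod template sits at spec.template.spec, and it encodes the PSS restricted container rules (runAsNonRoot, allowPrivilegeEscalation: false, drop ALL, a RuntimeDefault or Localhost seccomp profile, no privileged containers, no host namespaces) plus readOnlyRootFilesystem, which is not part of PSS restricted but is in the PR's own hardening list.

```rego
package main

# Added example policy for a conftest gate; not the PR's pod-hardening.rego.
# OPA v1 syntax: rule bodies use `if`, multi-value rules use `contains`.
# Assumption: input is a Pod, or a workload whose template is at
# spec.template.spec. Any other kind yields no deny messages.

workload_kinds := {"Deployment", "StatefulSet", "DaemonSet", "Job"}

pod_spec := input.spec.template.spec if input.kind in workload_kinds

pod_spec := input.spec if input.kind == "Pod"

# Init containers are held to the same rules as application containers.
containers contains c if some c in pod_spec.containers

containers contains c if some c in pod_spec.initContainers

# A container-level setting overrides the pod-level one: a container is
# non-root if it says so itself, or says nothing and the pod says so.
run_as_non_root(c) if c.securityContext.runAsNonRoot == true

run_as_non_root(c) if {
    not c.securityContext.runAsNonRoot == false
    pod_spec.securityContext.runAsNonRoot == true
}

allowed_seccomp := {"RuntimeDefault", "Localhost"}

seccomp_ok(c) if c.securityContext.seccompProfile.type in allowed_seccomp

seccomp_ok(c) if {
    not c.securityContext.seccompProfile
    pod_spec.securityContext.seccompProfile.type in allowed_seccomp
}

# Helper so the negation below is unambiguous: `drop` must list ALL.
drops_all(c) if "ALL" in c.securityContext.capabilities.drop

deny contains msg if {
    some field in {"hostNetwork", "hostPID", "hostIPC"}
    pod_spec[field] == true
    msg := sprintf("%s: %s must not be true", [input.metadata.name, field])
}

deny contains msg if {
    some c in containers
    not run_as_non_root(c)
    msg := sprintf("%s: container %q must set runAsNonRoot: true (container or pod scope)", [input.metadata.name, c.name])
}

deny contains msg if {
    some c in containers
    c.securityContext.privileged == true
    msg := sprintf("%s: container %q must not be privileged", [input.metadata.name, c.name])
}

# PSS restricted requires the field to be explicitly false, so a missing
# value is a failure rather than a pass.
deny contains msg if {
    some c in containers
    not c.securityContext.allowPrivilegeEscalation == false
    msg := sprintf("%s: container %q must set allowPrivilegeEscalation: false", [input.metadata.name, c.name])
}

deny contains msg if {
    some c in containers
    not drops_all(c)
    msg := sprintf("%s: container %q must drop ALL capabilities", [input.metadata.name, c.name])
}

deny contains msg if {
    some c in containers
    not c.securityContext.readOnlyRootFilesystem == true
    msg := sprintf("%s: container %q must set readOnlyRootFilesystem: true", [input.metadata.name, c.name])
}

deny contains msg if {
    some c in containers
    not seccomp_ok(c)
    msg := sprintf("%s: container %q needs a RuntimeDefault or Localhost seccompProfile (container or pod scope)", [input.metadata.name, c.name])
}
```

With the policy saved under a directory such as policy/ (a hypothetical path), `conftest test -p policy/ deployment.yaml` evaluates every `deny` rule in package main and exits non-zero if any message is produced, which is what a CI gate needs. Two caveats worth keeping in mind: the policy checks security contexts only, so it will not notice that a readOnlyRootFilesystem container still needs writable emptyDir mounts such as the /tmp and /juice-shop/logs volumes this PR adds; and a manifest of an unhandled kind (a Service, say) passes silently because pod_spec is undefined, so a gate that should reject unknown kinds needs an explicit rule for that.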

Cre-eD and others added 2 commits June 27, 2026 01:29
…EADME

Task 1 jq broke on real Checkov output: a directory scan runs multiple
frameworks (terraform + secrets), so results_json.json is a JSON array and
.results.failed_checks[] errored with 'Cannot index array with string'. Use
.[] to iterate frameworks. Open-source Checkov assigns no severities (a Prisma
Cloud feature), so the severity breakdown is replaced with passed/failed and
triage is framed around rule frequency.

Pulumi was referenced in Task 1's report, acceptance criteria, and rubric but
Checkov never scanned it (no pulumi framework; the 'shipped' rendered-state
file never existed). Pulumi is scanned by KICS in Task 2 — moved its severity
table there and fixed the Task 2 jq paths (kics-ansible/, kics-pulumi/ instead
of a kics/ dir that is never created). Closed the 6.3 numbering gap.

README aligned to the actual lab (Checkov + KICS + custom Checkov policy):
dropped tfsec/Terrascan/OPA references, corrected Pulumi as AWS (not GCP), and
removed the nonexistent EKS resource from the Terraform description.

Reported by Albert Khechoyan.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
@RII6 RII6 changed the title Submit/lab7 feat(lab7): trivy + PSS restricted + conftest gate Jun 28, 2026
@RII6 RII6 merged commit 4f0ecc0 into main Jun 29, 2026
1 check passed