feat(lab7): trivy + PSS restricted + conftest gate#7
Merged
…EADME Task 1 jq broke on real Checkov output: a directory scan runs multiple frameworks (terraform + secrets), so results_json.json is a JSON array and .results.failed_checks[] errored with 'Cannot index array with string'. Use .[] to iterate frameworks. Open-source Checkov assigns no severities (a Prisma Cloud feature), so the severity breakdown is replaced with passed/failed and triage is framed around rule frequency. Pulumi was referenced in Task 1's report, acceptance criteria, and rubric but Checkov never scanned it (no pulumi framework; the 'shipped' rendered-state file never existed). Pulumi is scanned by KICS in Task 2 — moved its severity table there and fixed the Task 2 jq paths (kics-ansible/, kics-pulumi/ instead of a kics/ dir that is never created). Closed the 6.3 numbering gap. README aligned to the actual lab (Checkov + KICS + custom Checkov policy): dropped tfsec/Terrascan/OPA references, corrected Pulumi as AWS (not GCP), and removed the nonexistent EKS resource from the Terraform description.

Reported by Albert Khechoyan.
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Goal

This PR adds the submission for Lab 7, including vulnerability scanning with Trivy, deploying a hardened Kubernetes workload compliant with the PSS restricted profile, and implementing a Conftest policy gate for shift-left validation.

Changes

- Manifests (namespace.yaml, serviceaccount.yaml, deployment.yaml, networkpolicy.yaml) for deploying Juice Shop with strict security contexts.
- emptyDir volumes mounted at /tmp and /juice-shop/logs so the pod can start despite readOnlyRootFilesystem: true.
- Conftest policy (pod-hardening.rego) using OPA v1 strict syntax to validate compliance with basic hardening requirements (runAsNonRoot, readOnlyRootFilesystem, drop ALL capabilities, etc.) natively at CI time.

Testing

- Vulnerability scan via the trivy k8s command.
- Validated the pod-hardening.rego policy using conftest test to ensure it passes the hardened deployment and correctly fails and reports intentionally vulnerable manifests.

Artifacts & Screenshots

- submissions/lab7.md.

Checklist
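The following is an added example of the kind of Conftest policy described above; it is not the lab's own pod-hardening.rego, whose exact rules are not on this page. It covers the checks the PR names (runAsNonRoot, readOnlyRootFilesystem, drop ALL capabilities) and goes a step further with two other PSS restricted requirements, allowPrivilegeEscalation: false and a seccompProfile of RuntimeDefault or Localhost. The package name main is Conftest's default namespace; the assumption that the input is a Deployment whose pod-level securityContext may supply runAsNonRoot and seccompProfile mirrors how PSS evaluates those fields.

```rego
# Added example policy, not the lab's pod-hardening.rego.
# Run with: conftest test deployment.yaml
# Conftest loads each YAML document as `input` and reports every `deny` message.
package main

import rego.v1

# Only Deployments are in scope; other kinds (Namespace, NetworkPolicy, ...)
# produce no denials from this policy.
containers contains c if {
	input.kind == "Deployment"
	some c in input.spec.template.spec.containers
}

# Pod-level securityContext, or an empty object when absent.
pod_sc := object.get(input, ["spec", "template", "spec", "securityContext"], {})

# Fields PSS allows at either level: container setting wins, pod setting is the fallback.
effective(c, field) := object.get(c, ["securityContext", field], object.get(pod_sc, field, null))

deny contains msg if {
	some c in containers
	effective(c, "runAsNonRoot") != true
	msg := sprintf("container %q: runAsNonRoot must be true (container or pod securityContext)", [c.name])
}

deny contains msg if {
	some c in containers
	object.get(c, ["securityContext", "readOnlyRootFilesystem"], false) != true
	msg := sprintf("container %q: readOnlyRootFilesystem must be true (mount emptyDir volumes for writable paths)", [c.name])
}

deny contains msg if {
	some c in containers
	object.get(c, ["securityContext", "allowPrivilegeEscalation"], true) != false
	msg := sprintf("container %q: allowPrivilegeEscalation must be false", [c.name])
}

deny contains msg if {
	some c in containers
	not "ALL" in object.get(c, ["securityContext", "capabilities", "drop"], [])
	msg := sprintf("container %q: capabilities.drop must include ALL", [c.name])
}

deny contains msg if {
	some c in containers
	sp := effective(c, "seccompProfile")
	# Undefined `sp.type` (no profile set) makes the `in` test undefined, so `not` denies.
	not sp.type in {"RuntimeDefault", "Localhost"}
	msg := sprintf("container %q: seccompProfile.type must be RuntimeDefault or Localhost", [c.name])
}
```

Each rule is independent, so an intentionally weakened manifest reports every violated requirement at once rather than stopping at the first, which is what makes the conftest test output useful as a CI gate: the exit code fails the pipeline and the messages name the container and the field to fix.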