Skip to content

Lab 9: Trivy/ZAP scans, security headers middleware, govulncheck CI#1223

Open
selysecr332 wants to merge 12 commits into
inno-devops-labs:mainfrom
selysecr332:feature/lab9
Open

Lab 9: Trivy/ZAP scans, security headers middleware, govulncheck CI#1223
selysecr332 wants to merge 12 commits into
inno-devops-labs:mainfrom
selysecr332:feature/lab9

Conversation

@selysecr332

@selysecr332 selysecr332 commented Jun 26, 2026

Copy link
Copy Markdown

Summary

Lab 9 — DevSecOps (Mahmoud Hassan, selysecr332)

  • Task 1: Trivy image/fs/config scans + CycloneDX SBOM (aquasec/trivy:0.59.1); triage of all HIGH/CRITICAL findings in submissions/lab9.md
  • Task 2: OWASP ZAP baseline (ghcr.io/zaproxy/zaproxy:2.16.1); security headers middleware on all routes + unit tests; before/after ZAP evidence (finding 10021 resolved)
  • Bonus: govulncheck@v1.1.4 job added to .github/workflows/ci.yml with red/green demo logs
  • Upgraded builder image to golang:1.24.13-alpine to address stdlib CVEs

Key files

  • app/middleware.go — security headers middleware
  • security/scripts/run-trivy.sh, run-zap-baseline.sh
  • security/reports/ — scan artifacts + SBOM
  • submissions/lab9.md — triage tables + design questions

Test plan

  • go test ./... passes
  • Trivy scans captured in security/reports/
  • ZAP before/after: 10021 (X-Content-Type-Options) gone after rebuild
  • govulncheck ./... green on final branch

selysecr332 added 12 commits June 23, 2026 07:46
@selysecr332
feat(lab6): add multi-stage Dockerfile, compose.yaml, and submission …
080af36 
…template
@selysecr332
fix(lab6): volume init for nonroot user and complete submission outputs
0ff2e05
@selysecr332
docs(lab6): add PR URLs to submission
87adf8e
@selysecr332
docs(lab6): mark Moodle submission complete
4778514
@selysecr332
feat(lab8): add Prometheus, Grafana, alert runbook, and submission
9c57624
@selysecr332
docs(lab8): add PR URLs to submission
49b8da6
@selysecr332
docs(lab8): mark Moodle submission complete
23baf8a
@selysecr332
Lab 9: Trivy/ZAP scans, security headers middleware, Go 1.24.13 bump
bebff78 
Add DevSecOps scanning artifacts, HTTP security headers with tests, and triage documentation for Trivy and ZAP findings.
@selysecr332
Lab 9 bonus: add pinned govulncheck CI gate
c297dbd 
Extend Lab 3 CI with govulncheck@v1.1.4 job, red/green demo logs, and bonus documentation.
@selysecr332
docs(lab9): add PR URLs and mark Moodle submission complete
d929bba
@selysecr332
fix(ci): use Go 1.26 for govulncheck to avoid stdlib false positives
222df39 
setup-go 1.24 installed an early patch with reachable net/http CVEs; pin govulncheck job to Go 1.26 and invoke via GOPATH/bin.
@selysecr332
fix(ci): pin govulncheck to Go 1.26.4 (1.26.0 still has stdlib CVEs)
1112949
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@selysecr332