Feature/lab8 #1325

Open
wyroxx wants to merge 5 commits into inno-devops-labs:main from wyroxx:feature/lab8

wyroxx commented Jul 2, 2026

Goal

Complete Lab 8 supply-chain security work with Cosign image signing, tamper verification, SBOM/provenance attestations, and blob signing bonus.

Changes

  • Added Cosign public key at labs/lab8/keys/cosign.pub
  • Signed Juice Shop image digest in a local OCI registry
  • Verified original image signature and demonstrated tampered digest verification failure
  • Attached and verified CycloneDX SBOM attestation
  • Attached and verified minimal provenance attestation
  • Completed bonus blob signing and tamper verification
  • Added Lab 8 submission report at submissions/lab8.md

Testing

  • cosign verify passed on original Juice Shop digest
  • cosign verify failed correctly on tampered Alpine digest
  • cosign verify-attestation --type cyclonedx passed
  • cosign verify-attestation --type slsaprovenance passed
  • cosign verify-blob passed on original tarball
  • cosign verify-blob failed correctly after tarball tampering

Artifacts & Screenshots

  • Submission: submissions/lab8.md
  • Screenshots or links: N/A

Checklist

  • Title is clear (feat(labN): <topic> style)
  • No secrets/large temp files committed
  • Submission file at submissions/lab8.md exists
