
feat(lab7): trivy + PSS restricted + conftest gate#1337

Open
alileeeek wants to merge 7 commits into inno-devops-labs:main from alileeeek:feature/lab7

Conversation

@alileeeek


Goal

Lab 7 submission: Juice Shop scanned with Trivy (image + k8s), hardened K8s deployment with PSS restricted + NetworkPolicy, and Conftest policy gate.

Changes

  • Added submissions/lab7.md with full triage report (Trivy image/k8s scans, Grype comparison, PSS hardening details).
  • Added labs/lab7/k8s/: hardened Kubernetes manifests (namespace with PSS labels, ServiceAccount, Deployment, NetworkPolicy).
  • Added labs/lab7/k8s/deployment-conftest.yaml: compliant manifest for Conftest validation.
  • Added labs/lab7/policies/pod-hardening.rego: Conftest policy enforcing PSS restricted controls.

Testing

  • Trivy image scan: 48 vulnerabilities (5 CRITICAL, 43 HIGH) on bkimminich/juice-shop:v20.0.0.
  • Trivy k8s scan: 5 CRITICAL, 43 HIGH vulnerabilities, 0 misconfigurations (PSS restricted working).
  • Juice Shop pod running 1/1 with PSS restricted compliance.
  • Conftest policy: PASS on compliant manifest (4/4), FAIL on bad manifest (3 failures detected).

Artifacts

  • Scanner outputs excluded per lab spec (regeneratable).
  • All evidence pasted in submissions/lab7.md.

Task Checklist

  • Task 1: Trivy image + config scans + Grype comparison
  • Task 2: Hardened K8s deployment with PSS restricted + NetworkPolicy (pod Running 1/1)
  • Bonus: Conftest policy PASS on compliant + FAIL on bad manifest
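The PR body describes a Conftest policy with four checks that pass on the compliant Deployment and fail on a bad one. The block below is an added example of such a policy; it is not the `pod-hardening.rego` submitted in this PR, and the four controls it picks (runAsNonRoot, allowPrivilegeEscalation, drop ALL capabilities, seccompProfile) are an assumption about what the lab's policy covers. It assumes the input is a Deployment and, as PSS restricted does, lets a pod-level `securityContext` stand in for container-level settings that are not set.

```rego
package main

import rego.v1

# Added example policy (not the PR's own pod-hardening.rego).
# Four deny rules mirroring the PSS "restricted" controls that can be checked
# statically in a manifest. Assumes input.kind == "Deployment".

# Pod-level securityContext, or {} when the manifest has none.
pod_sc := object.get(input, ["spec", "template", "spec", "securityContext"], {})

containers contains c if {
	input.kind == "Deployment"
	some c in input.spec.template.spec.containers
}

# Effective value of a field: the container-level setting wins, the pod-level
# setting is the fallback. Undefined when neither is set.
effective(c, field) := v if {
	v := c.securityContext[field]
} else := v if {
	v := pod_sc[field]
}

# PSS restricted allows RuntimeDefault or Localhost seccomp profiles.
seccomp_ok(c) if {
	sp := effective(c, "seccompProfile")
	sp.type in {"RuntimeDefault", "Localhost"}
}

deny contains msg if {
	some c in containers
	not effective(c, "runAsNonRoot") == true
	msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

deny contains msg if {
	some c in containers
	not effective(c, "allowPrivilegeEscalation") == false
	msg := sprintf("container %q must set securityContext.allowPrivilegeEscalation: false", [c.name])
}

# Capabilities are container-level only; there is no pod-level fallback.
deny contains msg if {
	some c in containers
	not "ALL" in c.securityContext.capabilities.drop
	msg := sprintf("container %q must drop ALL capabilities", [c.name])
}

deny contains msg if {
	some c in containers
	not seccomp_ok(c)
	msg := sprintf("container %q must set seccompProfile.type to RuntimeDefault or Localhost", [c.name])
}
```

Run it the same way the lab's gate is run, for example `conftest test labs/lab7/k8s/deployment-conftest.yaml -p labs/lab7/policies/`; a manifest missing any of the four settings produces one deny message per missing control, which is the "FAIL on bad manifest" behaviour the PR reports. Note that a `not x == true` test deliberately fails when the field is absent as well as when it is false, so the policy does not silently accept a Deployment that never sets a `securityContext` at all.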
