Skip to content

lab(lab9): Trivy + ZAP + securityHeaders middleware#1397

Open
GrandAdmiralBee wants to merge 4 commits into
inno-devops-labs:mainfrom
GrandAdmiralBee:feature/lab9
Open

lab(lab9): Trivy + ZAP + securityHeaders middleware#1397
GrandAdmiralBee wants to merge 4 commits into
inno-devops-labs:mainfrom
GrandAdmiralBee:feature/lab9

Conversation

@GrandAdmiralBee

Copy link
Copy Markdown

Goal

Lab 9 submission β€” Trivy scans (image/fs/config/SBOM) with per-finding triage, plus OWASP ZAP baseline with a security-headers middleware fix landed in code, guarded by a table-driven test.

Changes

  • app/middleware.go β€” new securityHeaders(next http.Handler) http.Handler middleware. Sets X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Content-Security-Policy: default-src 'none' (safe strict because API returns only JSON), and Referrer-Policy: no-referrer on every response.
  • app/handlers.go β€” Routes() signature changes from *http.ServeMux to http.Handler; returns securityHeaders(mux) so headers land on all routes including future ones and error paths.
  • app/middleware_test.go β€” new table-driven test asserts the four headers are present on /health, /notes, /notes/{id}, and /metrics. Fails immediately if securityHeaders(mux) is dropped from Routes().
  • submissions/lab9.md β€” full submission: four Trivy scan output heads, HIGH/CRITICAL triage table with disposition per unique CVE + Vagrant private-key false-positive, SBOM head + component count, ZAP triage + before/after run consoles, code diff, design questions a–g, pitfalls (rootless podman UID mapping, ZAP spider seed URL, addon-update hangs, Trivy config subcommand flag differences).
  • submissions/lab9/trivy/ β€” raw scan outputs + CycloneDX SBOM.
  • submissions/lab9/zap/ β€” baseline HTML + JSON + console before and after the fix.

Testing

  • go vet ./... clean; go test -race -count=1 ./... passes with the new middleware test.
  • Baseline ZAP scan against the running Lab 6 container: 1 WARN-NEW (X-Content-Type-Options missing on /notes).
  • After rebuilding + redeploying the image: FAIL-NEW: 0 WARN-NEW: 0 PASS: 58. The previously-firing rule now PASSes.
  • Live-container smoke check: curl -sSI http://127.0.0.1:8080/notes shows all four headers set.

Skipped

  • Bonus (govulncheck CI PR gate) β€” opted out.

Checklist

  • Title ≀ 70 chars
  • Commits signed
  • Every HIGH/CRITICAL Trivy finding has a disposition
  • ZAP finding fixed as middleware (not per-handler), guarded by a unit test that fails if the middleware is removed
  • Before/after ZAP evidence present

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant