Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
c01d92a
feat(lab1): add smoke-test workflow and auth model outputs
IamdLite Jun 10, 2026
472430f
chore(lab1): remove lab2 files so Lab1 and Lab2 PRs are separate
IamdLite Jun 10, 2026
52494d2
chore(lab2): remove lab1 files so PR contains only lab2 work
IamdLite Jun 10, 2026
04ef93f
chore(lab1): remove PR template to keep PR minimal
IamdLite Jun 10, 2026
19ec7ef
feat(lab1): add PR template required for lab submissions
IamdLite Jun 10, 2026
96aa2e3
bonus task verification
IamdLite Jun 10, 2026
a1b474c
chore: add PR template to main branch
IamdLite Jun 10, 2026
df73171
chore(lab1): remove PR template from lab1 branch
IamdLite Jun 10, 2026
e6e5447
updated PR template
IamdLite Jun 10, 2026
0410765
chore(lab1): finalize lab1 submission content
IamdLite Jun 10, 2026
e37c7f4
Add pull request template to feature/lab1 branch
IamdLite Jun 10, 2026
b2b840a
Remove pull request template from main branch
IamdLite Jun 10, 2026
26c7396
Merge branch 'main' into feature/lab1
IamdLite Jun 10, 2026
b6f69eb
feat(lab1): juice shop deploy + PR template + triage report
IamdLite Jun 10, 2026
30cd7c0
feat(lab1): juice shop deploy + PR template + triage report
IamdLite Jun 10, 2026
4cb1122
Merge pull request #1 from IamdLite/feature/lab1
IamdLite Jun 10, 2026
6cb7858
feat(lab1): juice shop deploy + PR template + triage report
IamdLite Jun 10, 2026
a9141ad
Merge pull request #2 from IamdLite/feature/lab1
IamdLite Jun 10, 2026
c8eb829
feat(lab2): Threagile threat model + secure variant + auth flow
IamdLite Jun 10, 2026
7d66e64
feat(lab2): Threagile threat model + secure variant + auth flow
IamdLite Jun 10, 2026
97c486b
chore(lab2): resolve merge conflicts with main
IamdLite Jun 10, 2026
affa5e8
Merge pull request #3 from IamdLite/feature/lab2
IamdLite Jun 10, 2026
9136ec4
feat(lab2): Threagile threat model + secure variant + auth flow
IamdLite Jun 10, 2026
fad8bf5
Merge pull request #4 from IamdLite/feature/lab2
IamdLite Jun 10, 2026
be4fa4b
test: first signed commit
IamdLite Jun 19, 2026
cc0de71
feat(lab3): SSH signing + gitleaks pre-commit + history rewrite practice
IamdLite Jun 19, 2026
065403b
feat(lab3): SSH signing + gitleaks pre-commit + history rewrite practice
IamdLite Jun 19, 2026
5f2aa4f
Merge pull request #5 from IamdLite/feature/lab3
IamdLite Jun 19, 2026
552487b
feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready att…
IamdLite Jun 19, 2026
2624a2f
Merge pull request #6 from IamdLite/feature/lab4
IamdLite Jun 19, 2026
d045d6d
Merge branch 'inno-devops-labs:main' into main
IamdLite Jun 26, 2026
595866b
feat(lab5): ZAP baseline + auth + Semgrep + correlation
IamdLite Jun 26, 2026
1031a04
Merge pull request #7 from IamdLite/feature/lab5
IamdLite Jun 26, 2026
8c2cb01
feat(lab6): Checkov + KICS scans + custom policy
IamdLite Jun 26, 2026
a8f46f4
Merge pull request #8 from IamdLite/feature/lab6
IamdLite Jun 26, 2026
79984f1
Merge branch 'inno-devops-labs:main' into main
IamdLite Jul 3, 2026
8306ae9
feat(lab6): Checkov + KICS scans + custom policy
IamdLite Jul 3, 2026
2117f63
Merge pull request #9 from IamdLite/feature/lab6
IamdLite Jul 3, 2026
7e1cd35
feat(lab7): trivy + PSS restricted + conftest gate
IamdLite Jul 3, 2026
93e6ad2
Merge pull request #10 from IamdLite/feature/lab7
IamdLite Jul 3, 2026
51f8986
feat(lab8): cosign sign + SBOM/provenance attestations + blob signing
IamdLite Jul 3, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions .github/pull_request_template.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
## Pull Request Template

## Goal
One-sentence description of what this PR delivers.

## Changes
- List files added or modified

## Testing
- Commands run and observed output

## Artifacts & Screenshots
- Links to submission files and images

- [ ] Title uses `feat(labN): <topic>` style
- [ ] No secrets/large temp files committed
- [ ] `submissions/labN.md` present
39 changes: 39 additions & 0 deletions .github/workflows/lab1-smoke.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
name: Lab1 Smoke Test

on:
pull_request:
branches: [ main ]

permissions:
contents: read

jobs:
smoke:
name: Smoke-test Juice Shop
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Run Juice Shop container
run: |
docker run -d --name juice-shop -p 3000:3000 bkimminich/juice-shop:v20.0.0

- name: Wait for Juice Shop to respond
run: |
for i in $(seq 1 30); do
if curl --silent --fail http://localhost:3000/rest/admin/application-version >/dev/null 2>&1; then
echo "juice-shop healthy"; exit 0
fi
sleep 2
done
echo "juice-shop did not become healthy"; docker logs juice-shop || true; exit 1

- name: Curl homepage
run: |
curl --silent --fail -I http://localhost:3000 | head -n 20

- name: Stop container
if: always()
run: |
docker stop juice-shop || true
12 changes: 12 additions & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0 # Use the latest stable version
hooks:
- id: detect-private-key
- id: check-added-large-files
args: ['--maxkb=4000'] # Blocks files larger than 1000 KB

- repo: https://github.com/gitleaks/gitleaks
rev: v8.30.1 # Check for the latest v8.x release tag (v8.30.1 is recent as of 2026)[citation:2]
hooks:
- id: gitleaks
228 changes: 228 additions & 0 deletions labs/lab2/threagile-model-auth.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,228 @@
threagile_version: 1.0.0
title: Juice Shop Auth Focused Model
date: 2026-06-10
management_summary_comment: >
Focused model for authentication flow used in Lab 2 bonus task.

business_criticality: important

data_assets:
credentials:
id: credentials
description: "Username and password credentials submitted by users."
usage: business
owner: Lab Student
quantity: few
confidentiality: restricted
integrity: operational
availability: operational
justification_cia_rating: "Credentials are sensitive and need protection."
jwt-token:
id: jwt-token
description: "JWT issued by the auth service and used for API calls."
usage: business
owner: Lab Student
quantity: few
confidentiality: internal
integrity: operational
availability: operational
justification_cia_rating: "Tokens grant access and must be protected."
user-session:
id: user-session
description: "Session state stored by the auth/API for logged-in users."
usage: business
owner: Lab Student
quantity: many
confidentiality: internal
integrity: operational
availability: operational
justification_cia_rating: "Session state is needed for authentication continuity."

refresh-token:
id: refresh-token
description: "Long-lived refresh tokens used to obtain new JWTs without re-authentication."
usage: business
owner: Lab Student
quantity: few
confidentiality: restricted
integrity: important
availability: operational
justification_cia_rating: "Refresh tokens allow session continuation and must be protected and stored securely."

technical_assets:

User Browser:
id: user-browser
description: "End-user web browser (client)."
type: external-entity
usage: business
used_as_client_by_human: true
out_of_scope: false
size: system
technology: browser
tags: []
internet: true
machine: virtual
encryption: none
owner: Lab Student
confidentiality: public
integrity: operational
availability: operational
justification_cia_rating: "Client controlled by end user."
data_assets_processed:
- credentials
communication_links:
Browser->Auth:
target: auth-api
description: "User submits credentials to Auth API (login/register)."
protocol: https
authentication: none
authorization: none
usage: business
data_assets_sent:
- credentials
data_assets_received:
- jwt-token

Auth API:
id: auth-api
description: "Authentication API endpoint (issues JWTs)."
type: process
usage: business
used_as_client_by_human: false
out_of_scope: false
size: application
technology: web-service-rest
tags: []
internet: false
machine: container
encryption: none
owner: Lab Student
confidentiality: internal
integrity: important
availability: important
justification_cia_rating: "Auth API handles authentication flows."
data_assets_processed:
- credentials
- jwt-token
communication_links:
Auth->TokenSigner:
target: token-signer
description: "Requests JWT signing from the token service."
protocol: https
authentication: none
authorization: technical-user
usage: business
data_assets_sent:
- jwt-token
Auth->UserDB:
target: user-db
description: "Verify credentials against user database using parameterized queries."
protocol: jdbc-encrypted
authentication: credentials
authorization: technical-user
usage: business
data_assets_sent:
- credentials

Token Signer:
id: token-signer
description: "Service that issues and verifies JWTs (holds signing keys)."
type: process
usage: business
used_as_client_by_human: false
out_of_scope: false
size: component
technology: web-service-rest
tags: []
internet: false
machine: container
encryption: none
owner: Lab Student
confidentiality: confidential
integrity: critical
availability: operational
justification_cia_rating: "Holds signing keys; high integrity requirement."
data_assets_processed:
- jwt-token
- refresh-token

User DB:
id: user-db
description: "Database storing user credential hashes and profile data."
type: datastore
usage: devops
used_as_client_by_human: false
out_of_scope: false
size: component
technology: database
tags: []
internet: false
machine: virtual
encryption: data-with-symmetric-shared-key
owner: Lab Student
confidentiality: restricted
integrity: important
availability: important
justification_cia_rating: "Contains credential hashes and PII."
data_assets_stored:
- credentials
- refresh-token

Admin Endpoint:
id: admin-endpoint
description: "Admin UI/API that requires admin-role via JWT."
type: process
usage: business
used_as_client_by_human: false
out_of_scope: false
size: application
technology: web-service-rest
tags: []
internet: false
machine: container
encryption: none
owner: Lab Student
confidentiality: restricted
integrity: important
availability: important
justification_cia_rating: "Admin functions require elevated protection."
communication_links:
Admin->TokenSigner:
target: token-signer
description: "Token verification requests."
protocol: https
authentication: token
authorization: enduser-identity-propagation
usage: business
Admin->UserDB:
target: user-db
description: "Admin queries to inspect or manage user records."
protocol: jdbc-encrypted
authentication: token
authorization: admin-role
usage: business

trust_boundaries:
Internet:
id: internet
description: "Untrusted public network."
type: network-dedicated-hoster
technical_assets_inside:
- user-browser

Container Network:
id: container-network
description: "Container network hosting services."
type: network-dedicated-hoster
technical_assets_inside:
- auth-api
- token-signer
- user-db
- admin-endpoint

shared_runtimes: {}

# Minimal metadata
name: Juice Shop Auth Flow (focused)
version: 1.0
Loading