From 85969b736b3972ce3d56ffd240b444af8662ae82 Mon Sep 17 00:00:00 2001 From: PollyS6 Date: Fri, 19 Jun 2026 17:44:09 +0300 Subject: [PATCH 1/3] add PR template to main from lab1 --- .github/PULL_REQUEST_TEMPLATE.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/PULL_REQUEST_TEMPLATE.md diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 000000000..5df8c356f --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,21 @@ +## Goal + + +## Changes + +- + +## Testing + +- Commands: +- Observed output: + + +## Artifacts & Screenshots + +- + +## Checklist +- [ ] Title is clear (feat(labN): style) +- [ ] No secrets/large temp files committed +- [ ] Submission file at `submissions/labN.md` exists From 57fe79e4ecaa91b74c384571571be9d2bb821ffc Mon Sep 17 00:00:00 2001 From: PollyS6 Date: Fri, 26 Jun 2026 22:28:16 +0300 Subject: [PATCH 2/3] feat: add pre-commit-config.yaml --- .pre-commit-config.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 000000000..4fc23dcdf --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,12 @@ +repos: + - repo: https://github.com/gitleaks/gitleaks + rev: v8.30.1 + hooks: + - id: gitleaks + + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v5.0.0 + hooks: + - id: detect-private-key + - id: check-added-large-files + args: ['--maxkb=5120'] From 9a230db69767aac386465ef3c7abbb202de17356 Mon Sep 17 00:00:00 2001 From: PollyS6 Date: Fri, 3 Jul 2026 22:42:52 +0300 Subject: [PATCH 3/3] feat(lab7): trivy + PSS restricted + conftest gate --- submissions/lab7.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 submissions/lab7.md diff --git a/submissions/lab7.md b/submissions/lab7.md new file mode 100644 index 000000000..b33e39f7e --- /dev/null +++ b/submissions/lab7.md @@ -0,0 +1,36 @@ +# Lab 7 — Submission + +## Task 1: Trivy Image + Config Scan + +### Image scan severity breakdown +| Severity | Total | With fix available | +|----------|------:|------------------:| +| Critical | 4 | 4 | +| High | 6 | 6 | +| **Total** | 10 | 10 | + +### Top 10 CVEs with fixes +| CVE | Severity | Package | Installed | Fix | +|-----|----------|---------|-----------|-----| +| CVE-2023-46233 | CRITICAL | crypto-js | 3.3.0 | 4.2.0 | +| CVE-2015-9235 | CRITICAL | jsonwebtoken | 0.1.0 | 4.2.2 | +| CVE-2015-9235 | CRITICAL | jsonwebtoken | 0.4.0 | 4.2.2 | +| CVE-2019-10744 | CRITICAL | lodash | 2.4.2 | 4.17.12 | +| CVE-2026-45447 | HIGH | libssl3t64 | 3.5.5-1~deb13u2 | 3.5.6-1~deb13u2 | +| NSWG-ECO-428 | HIGH | base64url | 0.0.6 | >=3.0.0 | +| CVE-2020-15084 | HIGH | express-jwt | 0.1.3 | 6.0.0 | +| CVE-2022-25881 | HIGH | http-cache-semantics | 3.8.1 | 4.1.1 | +| CVE-2022-23539 | HIGH | jsonwebtoken | 0.1.0 | 9.0.0 | +| NSWG-ECO-17 | HIGH | jsonwebtoken | 0.1.0 | >=4.2.2 | + +### Compared to Lab 4's Grype scan +Look back at your Lab 4 Grype results on the same image. Pick **two CVEs**: +1. One that BOTH Grype and Trivy found : CVE-2019-10744, CRITICAL, lodash, installed 2.4.2 and fix 4.17.12 +2. One that ONE tool found and the OTHER missed +For each: explain why the tools differ (DB freshness? Different package matching? +EPSS scoring? Lecture 7 + Lecture 4 give context.) (2-3 sentences per CVE.): +**Grype found, Trivy missed** +GHSA-5mrr-rgp6-x4gr, Critical, marsdb, installed 0.6.11 with no fix. Trivy and Grype use different databaseses. This vulnerability is maybe only present in GitHub security advisory database. + +**Trivy found, Grype missed** +CVE-2026-45447, High, libssl3t64 v3.5.5-1~deb13u2, fix 3.5.6-1~deb13u2. In Grype results, this vulnerability was maybe not in the latest update of databases Grype uses. And Trivy may have had already updated databasese.