Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
7ca0224
feat/lab1: establish core PR template structure
kvakz Jun 12, 2026
a074b4d
Merge pull request #1 from kvakz/feature/lab1
kvakz Jun 12, 2026
67ce584
feat/lab1: secure GitHub Actions smoke test workflow
kvakz Jun 12, 2026
5d5236f
feat(lab1): juice shop deploy + PR template + triage report
kvakz Jun 12, 2026
d922672
Merge pull request #2 from kvakz/feature/lab1
kvakz Jun 12, 2026
d758285
feat(lab2): Threagile threat model + secure variant + auth flow
kvakz Jun 12, 2026
b34aabf
Merge pull request #3 from kvakz/feature/lab2
kvakz Jun 12, 2026
77d8df8
test: first signed commit
kvakz Jun 19, 2026
da0c8c4
feat(lab3): SSH signing + gitleaks pre-commit + history rewrite practice
kvakz Jun 19, 2026
6c83e6a
docs(lab3): update submission file with GitHub verification details
kvakz Jun 19, 2026
460ff27
Merge pull request #4 from kvakz/feature/lab3
kvakz Jun 19, 2026
bd76303
feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready att…
kvakz Jun 19, 2026
96f79a0
Merge pull request #5 from kvakz/feature/lab4
kvakz Jun 19, 2026
a7f595f
Merge upstream/main and keep local title in threagile-model.yaml
kvakz Jun 23, 2026
259b54e
feat(lab5): ZAP baseline + auth + Semgrep + correlation
kvakz Jun 23, 2026
b77256e
Merge pull request #6 from kvakz/feature/lab5
kvakz Jun 26, 2026
fa3599b
feat(lab6): Checkov + KICS scans + custom policy
kvakz Jun 26, 2026
889137f
Merge pull request #7 from kvakz/feature/lab6
kvakz Jun 26, 2026
f402fd4
Merge remote-tracking branch 'upstream/main'
kvakz Jul 3, 2026
41e1232
Merge branch 'main' of https://github.com/kvakz/DevSecOps-Intro
kvakz Jul 3, 2026
f892ec1
feat(lab7): trivy + PSS restricted + conftest gate
kvakz Jul 3, 2026
bf5f953
feat(lab8): cosign sign + SBOM/provenance attestations + blob signing
kvakz Jul 3, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
**Goal:** [One sentence explaining what this PR delivers]

**Changes:**
- Artifact 1
- Artifact 2

**Testing:**
[Commands used and output observed]

**Artifacts & Screenshots:**
[Links or images]

- [ ] Title is clear (`feat(labN): <topic>` style)
- [ ] No secrets/large temp files committed
- [ ] Submission file at `submissions/labN.md` exists
34 changes: 34 additions & 0 deletions .github/workflows/lab1-smoke.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
name: Lab 1 Smoke Test

on:
pull_request:
branches: [ main ]

permissions:
contents: read

jobs:
smoke-test:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository Code
uses: actions/checkout@v4

- name: Deploy Juice Shop Container
run: |
docker run -d --name juice-shop -p 3000:3000 bkimminich/juice-shop:v20.0.0

- name: Poll Application Health
run: |
echo "Starting health check loop..."
for i in $(seq 1 30); do
if curl --silent --fail http://localhost:3000/rest/admin/application-version >/dev/null; then
echo "Juice Shop v20.0.0 is successfully up and healthy!"
curl -I http://localhost:3000/rest/admin/application-version
exit 0
fi
echo "Attempt $i: Juice Shop is initializing, waiting 2 seconds..."
sleep 2
done
echo "Error: Juice Shop failed to respond within 60 seconds."
exit 1
10 changes: 10 additions & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.21.0
hooks:
- id: gitleaks
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
hooks:
- id: detect-private-key
- id: check-added-large-files
318 changes: 318 additions & 0 deletions labs/lab2/threagile-model-auth.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,318 @@
threagile_version: 1.0.0
title: Juice Shop Auth Flow
date: 2026-06-12
author:
name: DevSecOps Student
business_criticality: important

business_overview:
description: "Focused threat model on the authentication and authorization flow of OWASP Juice Shop."
images: []
technical_overview:
description: "Models login, JWT generation, and protected admin endpoints to identify Spoofing and Elevation of Privilege risks."
images: []
questions: {}
abuse_cases: {}
security_requirements: {}
tags_available: ["auth", "web", "db", "jwt"]

# =========================
# DATA ASSETS
# =========================
data_assets:
credentials:
id: credentials
description: "User login credentials"
usage: business
tags: ["auth"]
origin: user-supplied
owner: User
quantity: many
confidentiality: strictly-confidential
integrity: critical
availability: important
justification_cia_rating: "High risk of account takeover."

jwt-token:
id: jwt-token
description: "Issued JSON Web Token"
usage: business
tags: ["jwt"]
origin: application
owner: Application
quantity: many
confidentiality: strictly-confidential
integrity: critical
availability: important
justification_cia_rating: "Used for authentication bypass."

session-state:
id: session-state
description: "User session metadata and roles"
usage: business
tags: []
origin: application
owner: Application
quantity: many
confidentiality: confidential
integrity: important
availability: important
justification_cia_rating: "Required for state tracking."

admin-ops:
id: admin-ops
description: "Requests to admin endpoints"
usage: business
tags: []
origin: user-supplied
owner: Admin
quantity: few
confidentiality: confidential
integrity: critical
availability: important
justification_cia_rating: "Privileged operations."

jwt-signing-key:
id: jwt-signing-key
description: "Cryptographic key used to sign and verify JWTs"
usage: business
tags: ["jwt"]
origin: application
owner: Application
quantity: very-few
confidentiality: strictly-confidential
integrity: critical
availability: critical
justification_cia_rating: "If compromised, attackers forge admin tokens."

# =========================
# TECHNICAL ASSETS
# =========================
technical_assets:
browser:
id: browser
description: "User web browser"
type: external-entity
usage: business
used_as_client_by_human: true
out_of_scope: false
size: system
technology: browser
tags: ["web"]
internet: true
machine: virtual
encryption: none
owner: User
confidentiality: public
integrity: operational
availability: operational
justification_cia_rating: "Untrusted Client"
multi_tenant: false
redundant: false
custom_developed_parts: false
data_assets_processed: ["credentials", "jwt-token", "admin-ops"]
data_assets_stored: ["jwt-token"]
data_formats_accepted: ["json"]
communication_links:
login-request:
target: auth-api
description: "Sends credentials to login"
protocol: https
authentication: session-id
authorization: none
tags: []
vpn: false
ip_filtered: false
readonly: false
usage: business
data_assets_sent: ["credentials"]
data_assets_received: ["jwt-token"]
protected-api-request:
target: auth-api
description: "Access regular API with JWT"
protocol: https
authentication: session-id
authorization: none
tags: []
vpn: false
ip_filtered: false
readonly: false
usage: business
data_assets_sent: ["jwt-token"]
data_assets_received: ["session-state"]
admin-request:
target: admin-endpoint
description: "Access admin functions"
protocol: https
authentication: session-id
authorization: none
tags: []
vpn: false
ip_filtered: false
readonly: false
usage: business
data_assets_sent: ["jwt-token", "admin-ops"]
data_assets_received: ["admin-ops"]

auth-api:
id: auth-api
description: "Authentication API Endpoint"
type: process
usage: business
used_as_client_by_human: false
out_of_scope: false
size: component
technology: web-server
tags: ["auth"]
internet: false
machine: container
encryption: none
owner: Application
confidentiality: internal
integrity: critical
availability: critical
justification_cia_rating: "Core auth logic"
multi_tenant: false
redundant: false
custom_developed_parts: true
data_assets_processed: ["credentials", "jwt-token", "session-state"]
data_assets_stored: []
data_formats_accepted: ["json"]
communication_links:
request-jwt:
target: token-signer
description: "Request JWT generation"
protocol: in-process-library-call
authentication: none
authorization: none
tags: []
vpn: false
ip_filtered: false
readonly: false
usage: business
data_assets_sent: ["session-state"]
data_assets_received: ["jwt-token"]
db-query:
target: user-db
description: "Validate user credentials"
protocol: jdbc
authentication: none
authorization: none
tags: []
vpn: false
ip_filtered: false
readonly: false
usage: business
data_assets_sent: ["credentials"]
data_assets_received: ["credentials", "session-state"]

token-signer:
id: token-signer
description: "Component handling JWT signing"
type: process
usage: business
used_as_client_by_human: false
out_of_scope: false
size: component
technology: library
tags: ["jwt"]
internet: false
machine: container
encryption: none
owner: Application
confidentiality: internal
integrity: critical
availability: critical
justification_cia_rating: "Cryptographic core"
multi_tenant: false
redundant: false
custom_developed_parts: true
data_assets_processed: ["jwt-token", "session-state", "jwt-signing-key"]
data_assets_stored: ["jwt-signing-key"]
data_formats_accepted: ["json"]
communication_links: {}

user-db:
id: user-db
description: "Database storing credentials"
type: datastore
usage: business
used_as_client_by_human: false
out_of_scope: false
size: component
technology: database
tags: ["db"]
internet: false
machine: container
encryption: none
owner: Application
confidentiality: internal
integrity: critical
availability: important
justification_cia_rating: "Stores credentials"
multi_tenant: false
redundant: false
custom_developed_parts: false
data_assets_processed: ["credentials"]
data_assets_stored: ["credentials"]
data_formats_accepted: ["json"]
communication_links: {}

admin-endpoint:
id: admin-endpoint
description: "Administrative API functions"
type: process
usage: business
used_as_client_by_human: false
out_of_scope: false
size: component
technology: web-server
tags: ["web"]
internet: false
machine: container
encryption: none
owner: Admin
confidentiality: strictly-confidential
integrity: critical
availability: critical
justification_cia_rating: "Privileged"
multi_tenant: false
redundant: false
custom_developed_parts: true
data_assets_processed: ["jwt-token", "admin-ops"]
data_assets_stored: []
data_formats_accepted: ["json"]
communication_links:
verify-token:
target: token-signer
description: "Verify JWT signature"
protocol: in-process-library-call
authentication: none
authorization: none
tags: []
vpn: false
ip_filtered: false
readonly: false
usage: business
data_assets_sent: ["jwt-token"]
data_assets_received: ["session-state"]

# =========================
# TRUST BOUNDARIES
# =========================
trust_boundaries:
internet:
id: internet
description: "Public Internet"
type: network-dedicated-hoster
tags: []
technical_assets_inside: ["browser"]
trust_boundaries_nested: []

container:
id: container
description: "Application Container"
type: network-dedicated-hoster
tags: []
technical_assets_inside: ["auth-api", "token-signer", "user-db", "admin-endpoint"]
trust_boundaries_nested: []
Loading