Skip to content

feat(lab10): DefectDojo capstone — 390 findings, SLA matrix, governance report + interview walkthrough#1419

Open
Meliman1000-7 wants to merge 28 commits into
inno-devops-labs:mainfrom
Meliman1000-7:feature/lab10
Open

feat(lab10): DefectDojo capstone — 390 findings, SLA matrix, governance report + interview walkthrough#1419
Meliman1000-7 wants to merge 28 commits into
inno-devops-labs:mainfrom
Meliman1000-7:feature/lab10

Conversation

@Meliman1000-7

Copy link
Copy Markdown

Goal

Spin up DefectDojo locally, import all scan reports from Labs 4-9 (8 scan types), apply the SLA matrix from Lecture 9/10, compute program metrics, and produce a governance report + 5-minute interview walkthrough script.

Changes

  • submissions/lab10.md — governance report: product/engagement setup, imports table (390 findings), cross-tool dedup example, SLA matrix, severity/tool breakdown, risk-accepted items with expiry, SAMM next-quarter goal
  • submissions/lab10-walkthrough.md — 5-minute interview walkthrough script with all 6 timed sections + 2 Q&A answers

Testing

DefectDojo setup:
cd ~/defectdojo && docker compose up -d
docker compose logs initializer | grep -i password
→ Admin password retrieved, API token obtained via Profile → API v2 Key

Product + Engagement created via API:
→ Product ID: 1 "OWASP Juice Shop"
→ Engagement ID: 1 "Labs 4-9 Capstone"

Imports (8 scan types):
curl -X POST .../api/v2/import-scan/ -F "scan_type=Trivy Scan" -F "file=@trivy.json" ...
→ test=1 findings=112 (Trivy Lab4)
→ test=2 findings=22 (Semgrep)
→ test=4 findings=80 (Checkov)
→ test=5 findings=10 (KICS)
→ test=6 findings=50 (Trivy image Lab7)
→ test=7 findings=3 (Trivy k8s Lab7)
→ test=10 findings=103 (Anchore Grype)
→ test=11 findings=10 (ZAP XML)
Total: 390 findings

Severity breakdown:
Critical: 17 | High: 160 | Medium: 169 | Low: 34 | Info: 10

SLA matrix applied via API:
curl -X POST .../api/v2/sla_configurations/ -d '{"critical":1,"high":7,"medium":30,"low":90}'
→ SLA config ID: 3

Cross-tool dedup confirmed:
GHSA-5mrr-rgp6-x4gr (marsdb) — Trivy finding id=60 + Grype finding id=372
GHSA-xwcq-pm8m-c4vf (crypto-js) — Trivy id=35 + Grype id=299

Artifacts & Screenshots

Checklist

  • Title is clear (feat(lab10): style)
  • No secrets or large temp files committed (admin password redacted, logs not committed)
  • Submission file at submissions/lab10.md exists

Meliman1000-7 and others added 28 commits June 11, 2026 17:16
feat(lab1): juice shop deploy + PR template + triage report
feat(lab2): Threagile threat model + secure variant + auth flow bonus
feat(lab3): SSH commit signing + gitleaks pre-commit + history rewrite
feat(lab4): SBOM generation + SCA with Syft/Grype + Trivy comparison + sign-ready attestation
feat(lab5): ZAP baseline + authenticated DAST + Semgrep SAST + SQL injection correlation
feat(lab6): Checkov + KICS comparison across Terraform/Ansible/Pulumi + custom policy
feat(lab7): add Trivy security scanning and Kubernetes hardening
feat(lab8): cosign image signing, sbom, provenance and blob verification
feat(lab9): falco custom rules + conftest hardening policies + cryptominer detection
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant