feat(lab10): DefectDojo capstone — 390 findings, SLA matrix, governance report + interview walkthrough#1419
Open
Meliman1000-7 wants to merge 28 commits into
Open
feat(lab10): DefectDojo capstone — 390 findings, SLA matrix, governance report + interview walkthrough#1419Meliman1000-7 wants to merge 28 commits into
Meliman1000-7 wants to merge 28 commits into
Conversation
feat(lab1): juice shop deploy + PR template + triage report
feat(lab2): Threagile threat model + secure variant + auth flow bonus
feat(lab3): SSH commit signing + gitleaks pre-commit + history rewrite
feat(lab4): SBOM generation + SCA with Syft/Grype + Trivy comparison + sign-ready attestation
feat(lab5): ZAP baseline + authenticated DAST + Semgrep SAST + SQL injection correlation
feat(lab6): Checkov + KICS comparison across Terraform/Ansible/Pulumi + custom policy
feat(lab7): add Trivy security scanning and Kubernetes hardening
feat(lab8): cosign image signing, sbom, provenance and blob verification
feat(lab9): falco custom rules + conftest hardening policies + cryptominer detection
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Goal
Spin up DefectDojo locally, import all scan reports from Labs 4-9 (8 scan types), apply the SLA matrix from Lecture 9/10, compute program metrics, and produce a governance report + 5-minute interview walkthrough script.
Changes
Testing
DefectDojo setup:
cd ~/defectdojo && docker compose up -d
docker compose logs initializer | grep -i password
→ Admin password retrieved, API token obtained via Profile → API v2 Key
Product + Engagement created via API:
→ Product ID: 1 "OWASP Juice Shop"
→ Engagement ID: 1 "Labs 4-9 Capstone"
Imports (8 scan types):
curl -X POST .../api/v2/import-scan/ -F "scan_type=Trivy Scan" -F "file=@trivy.json" ...
→ test=1 findings=112 (Trivy Lab4)
→ test=2 findings=22 (Semgrep)
→ test=4 findings=80 (Checkov)
→ test=5 findings=10 (KICS)
→ test=6 findings=50 (Trivy image Lab7)
→ test=7 findings=3 (Trivy k8s Lab7)
→ test=10 findings=103 (Anchore Grype)
→ test=11 findings=10 (ZAP XML)
Total: 390 findings
Severity breakdown:
Critical: 17 | High: 160 | Medium: 169 | Low: 34 | Info: 10
SLA matrix applied via API:
curl -X POST .../api/v2/sla_configurations/ -d '{"critical":1,"high":7,"medium":30,"low":90}'
→ SLA config ID: 3
Cross-tool dedup confirmed:
GHSA-5mrr-rgp6-x4gr (marsdb) — Trivy finding id=60 + Grype finding id=372
GHSA-xwcq-pm8m-c4vf (crypto-js) — Trivy id=35 + Grype id=299
Artifacts & Screenshots
Checklist