Feature/lab8

.gitignore

@@ -0,0 +1,3 @@
+
+# Lab 8 cosign private key
+labs/lab8/signing/cosign.key

labs/lab7/analysis/deployment-comparison.txt

@@ -0,0 +1,39 @@
+=== Functionality Test ===
+Default: HTTP 200
+Hardened: HTTP 200
+Production: HTTP 200
+
+=== Resource Usage ===
+NAME               CPU %     MEM USAGE / LIMIT     MEM %
+juice-default      0.74%     99.86MiB / 5.786GiB   1.69%
+juice-hardened     0.54%     92.77MiB / 512MiB     18.12%
+juice-production   0.64%     91.29MiB / 512MiB     17.83%
+
+=== Security Configurations ===
+
+Container: juice-default
+CapDrop: <no value>
+CapAdd: <no value>
+SecurityOpt: <no value>
+Memory: 0
+CPU: 0
+PIDs: <no value>
+Restart: no
+
+Container: juice-hardened
+CapDrop: [ALL]
+CapAdd: <no value>
+SecurityOpt: [no-new-privileges]
+Memory: 536870912
+CPU: 0
+PIDs: <no value>
+Restart: no
+
+Container: juice-production
+CapDrop: [ALL]
+CapAdd: [CAP_NET_BIND_SERVICE]
+SecurityOpt: [no-new-privileges]
+Memory: 536870912
+CPU: 0
+PIDs: 100
+Restart: on-failure

labs/lab7/analysis/docker-bench-summary.txt

@@ -0,0 +1,5 @@
+Docker Bench Summary
+PASS: 40
+WARN: 82
+FAIL: 0
+INFO: 88

labs/lab7/scanning/dockle-results.txt

@@ -0,0 +1,9 @@
+SKIP	- DKL-LI-0001: Avoid empty password
+	* failed to detect etc/shadow,etc/master.passwd
+INFO	- CIS-DI-0005: Enable Content trust for Docker
+	* export DOCKER_CONTENT_TRUST=1 before docker pull/build
+INFO	- CIS-DI-0006: Add HEALTHCHECK instruction to the container image
+	* not found HEALTHCHECK statement
+INFO	- DKL-LI-0003: Only put necessary files
+	* unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store 
+	* unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store 

labs/lab8/analysis/ref-after-tamper.txt

@@ -0,0 +1 @@
+localhost:5000/juice-shop@sha256:11f85134f388cff5f4c66f9bb4c5942249c1f6f7eb8b3889948d953487b5f7a8

labs/lab8/analysis/ref.txt

@@ -0,0 +1 @@
+localhost:5000/juice-shop@sha256:b029fa83327aa8a3bbcaf161af6269c18c80134942437cb90794233502554e48

labs/lab8/artifacts/sample.tar.gz.bundle

@@ -0,0 +1 @@
+{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial":{"publicKey":{"hint":"6/aIRG9Lgz5vpVN146ydJkdZLEbvWcBbnYAsnjyBKeE="}, "timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIICyDADAgEAMIICvwYJKoZIhvcNAQcCoIICsDCCAqwCAQMxDTALBglghkgBZQMEAgEwgbcGCyqGSIb3DQEJEAEEoIGnBIGkMIGhAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgHaB2yUaPeP5Fu6C1PidMdOPYZ1gy+z8Odmbdsolj8bsCFFIyt9yeGwglqJoxzfpvc69x5joSGA8yMDI2MDMyOTIwMDUxOVowAwIBAaAypDAwLjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MRUwEwYDVQQDEwxzaWdzdG9yZS10c2GgADGCAdowggHWAgEBMFEwOTEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MSAwHgYDVQQDExdzaWdzdG9yZS10c2Etc2VsZnNpZ25lZAIUOhNULwyQYe68wUMvy4qOiyojiwwwCwYJYIZIAWUDBAIBoIH8MBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjYwMzI5MjAwNTE5WjAvBgkqhkiG9w0BCQQxIgQgPtjaN1WaGraWyxwHiuqfn0EDUPCzGgCWBM60PdDhxWswgY4GCyqGSIb3DQEJEAIvMX8wfTB7MHkEIIX5J7wHq2LKw7RDVsEO/IGyxog/2nq55thw2dE6zQW3MFUwPaQ7MDkxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEgMB4GA1UEAxMXc2lnc3RvcmUtdHNhLXNlbGZzaWduZWQCFDoTVC8MkGHuvMFDL8uKjosqI4sMMAoGCCqGSM49BAMCBGYwZAIwQZ16lcWoTapduNu6TJoSGLO5+o2pAhLGZG+ZwX2dNPsKeOiWkYdKk+NWg8CGXIjAAjB6Ow8lxLBqAVUPEt4yNp9Ir1P0XD+3kpGzz1Z06xIwvgsgKC1IXX1JuxbXVsybgGg="}]}}, "messageSignature":{"messageDigest":{"algorithm":"SHA2_256", "digest":"DkoBQuDsOzZY1a5rtsNsxKWA2KSOxSc5zo3zqN5XjQ0="}, "signature":"MEUCIBsOKlzw8aVs3ls53fNlFj5VMUV2sG3P434QuFK+5DEUAiEAlZlkAX8dSklMj79s1McVSDRuW/+iGja1sDvmBqFIZJ8="}}

labs/lab8/artifacts/sample.txt

@@ -0,0 +1 @@
+sample content Sun Mar 29 08:03:28 PM UTC 2026

labs/lab8/attest/provenance.json

@@ -0,0 +1,7 @@
+{
+  "_type": "https://slsa.dev/provenance/v1",
+  "buildType": "manual-local-demo",
+  "builder": {"id": "student@local"},
+  "invocation": {"parameters": {"image": "localhost:5000/juice-shop@sha256:b029fa83327aa8a3bbcaf161af6269c18c80134942437cb90794233502554e48"}},
+  "metadata": {"buildStartedOn": "2026-03-29T20:00:45Z", "completeness": {"parameters": true}}
+}

labs/lab8/attest/verify-provenance.pretty.json

@@ -0,0 +1,9 @@
+{
+  "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJsb2NhbGhvc3Q6NTAwMC9qdWljZS1zaG9wIiwiZGlnZXN0Ijp7InNoYTI1NiI6ImIwMjlmYTgzMzI3YWE4YTNiYmNhZjE2MWFmNjI2OWMxOGM4MDEzNDk0MjQzN2NiOTA3OTQyMzM1MDI1NTRlNDgifX1dLCJwcmVkaWNhdGUiOnsiYnVpbGRlciI6eyJpZCI6InN0dWRlbnRAbG9jYWwifSwiYnVpbGRUeXBlIjoibWFudWFsLWxvY2FsLWRlbW8iLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6e30sInBhcmFtZXRlcnMiOnsiaW1hZ2UiOiJsb2NhbGhvc3Q6NTAwMC9qdWljZS1zaG9wQHNoYTI1NjpiMDI5ZmE4MzMyN2FhOGEzYmJjYWYxNjFhZjYyNjljMThjODAxMzQ5NDI0MzdjYjkwNzk0MjMzNTAyNTU0ZTQ4In19LCJtZXRhZGF0YSI6eyJidWlsZFN0YXJ0ZWRPbiI6IjIwMjYtMDMtMjlUMjA6MDA6NDVaIiwiY29tcGxldGVuZXNzIjp7InBhcmFtZXRlcnMiOnRydWUsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9fX0=",
+  "payloadType": "application/vnd.in-toto+json",
+  "signatures": [
+    {
+      "sig": "MEYCIQC9kXLXeU7bgavENWmGdI/OvLu+VbjVATRoNQgh/W7lowIhANdvrK+d6FhXNkLgTONA7QiSRCttqBHSM5JV1qyv2Qv8"
+    }
+  ]
+}

labs/lab8/attest/verify-provenance.txt

@@ -0,0 +1 @@
+{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJsb2NhbGhvc3Q6NTAwMC9qdWljZS1zaG9wIiwiZGlnZXN0Ijp7InNoYTI1NiI6ImIwMjlmYTgzMzI3YWE4YTNiYmNhZjE2MWFmNjI2OWMxOGM4MDEzNDk0MjQzN2NiOTA3OTQyMzM1MDI1NTRlNDgifX1dLCJwcmVkaWNhdGUiOnsiYnVpbGRlciI6eyJpZCI6InN0dWRlbnRAbG9jYWwifSwiYnVpbGRUeXBlIjoibWFudWFsLWxvY2FsLWRlbW8iLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6e30sInBhcmFtZXRlcnMiOnsiaW1hZ2UiOiJsb2NhbGhvc3Q6NTAwMC9qdWljZS1zaG9wQHNoYTI1NjpiMDI5ZmE4MzMyN2FhOGEzYmJjYWYxNjFhZjYyNjljMThjODAxMzQ5NDI0MzdjYjkwNzk0MjMzNTAyNTU0ZTQ4In19LCJtZXRhZGF0YSI6eyJidWlsZFN0YXJ0ZWRPbiI6IjIwMjYtMDMtMjlUMjA6MDA6NDVaIiwiY29tcGxldGVuZXNzIjp7InBhcmFtZXRlcnMiOnRydWUsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9fX0=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQC9kXLXeU7bgavENWmGdI/OvLu+VbjVATRoNQgh/W7lowIhANdvrK+d6FhXNkLgTONA7QiSRCttqBHSM5JV1qyv2Qv8"}]}

labs/lab8/signing/cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsMVVmYJL19BHc4AcM3pLYRASvp/j
+HsWd4pZxCgOYUnkNzC0KMhSmJsLJy1kQhIyZNbYaL+8vx39xqo9kzA5UFw==
+-----END PUBLIC KEY-----

labs/lab8/signing/signing-config.no-tlog.json

@@ -0,0 +1,39 @@
+{
+  "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
+  "caUrls": [
+    {
+      "url": "https://fulcio.sigstore.dev",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2022-04-13T20:06:15.000Z"
+      },
+      "operator": "sigstore.dev"
+    }
+  ],
+  "oidcUrls": [
+    {
+      "url": "https://oauth2.sigstore.dev/auth",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2022-04-13T20:06:15.000Z"
+      },
+      "operator": "sigstore.dev"
+    }
+  ],
+  "tsaUrls": [
+    {
+      "url": "https://timestamp.sigstore.dev/api/v1/timestamp",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2025-07-04T00:00:00Z"
+      },
+      "operator": "sigstore.dev"
+    }
+  ],
+  "rekorTlogConfig": {
+    "selector": "ANY"
+  },
+  "tsaConfig": {
+    "selector": "ANY"
+  }
+}

labs/lab8/signing/verify-after-tamper.txt

@@ -0,0 +1,3 @@
+WARNING: Skipping tlog verification is an insecure practice that lacks transparency and auditability verification for the signature.
+Error: no signatures found
+error during command execution: no signatures found

labs/lab8/signing/verify-image.txt

@@ -0,0 +1,2 @@
+
+[{"critical":{"identity":{"docker-reference":"localhost:5000/juice-shop@sha256:b029fa83327aa8a3bbcaf161af6269c18c80134942437cb90794233502554e48"},"image":{"docker-manifest-digest":"sha256:b029fa83327aa8a3bbcaf161af6269c18c80134942437cb90794233502554e48"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}}]

labs/lab8/signing/verify-original-after-tamper.txt

@@ -0,0 +1,2 @@
+
+[{"critical":{"identity":{"docker-reference":"localhost:5000/juice-shop@sha256:b029fa83327aa8a3bbcaf161af6269c18c80134942437cb90794233502554e48"},"image":{"docker-manifest-digest":"sha256:b029fa83327aa8a3bbcaf161af6269c18c80134942437cb90794233502554e48"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}}]