feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready att…#11

Merged: MikeNovikoff merged 1 commit into main from feature/lab4 on Jun 19, 2026

Conversation

@MikeNovikoff (Owner)

Goal

Generate an SBOM of the Juice Shop image with Syft, scan it with Grype, compare against Trivy's all-in-one approach, and produce a signed-ready CycloneDX SBOM for Lab 8.
Changes

  • Generated juice-shop.cdx.json (CycloneDX 1.5) and juice-shop.spdx.json using Syft.
  • Created juice-shop-attestation.json wrapped in an in-toto v1 envelope for future Cosign attestation.
  • Added submissions/lab4.md with vulnerability analysis and Trivy vs Grype tool comparison.

Testing

  • Grype: Successfully scanned the SBOM, identifying 105 total vulnerabilities (7 Critical, 52 High).
  • Trivy: Successfully scanned the image directly, identifying 109 vulnerabilities, allowing for a side-by-side comparison of scanning engines.
  • Bonus: Verified the CycloneDX schema version is 1.5 and successfully extracted the SHA256 digest (fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0) for the in-toto subject block.

Checklist

  • Task 1 — Syft SBOMs + Grype scan + top-10 CVE analysis
  • Task 2 — Trivy comparison + when-to-pick-each tradeoff
  • Bonus — sign-ready CycloneDX attestation for Lab 8
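The bonus step above (confirm the CycloneDX schema version, then bind the SBOM to the image digest inside an in-toto v1 Statement) and the Grype-vs-Trivy comparison in Testing can both be reproduced offline. The following is an added example written for this page; it is not code from the lab repository. It assumes a minimal CycloneDX document shaped like Syft's JSON output, Grype JSON with a top-level `matches` list and Trivy JSON with `Results[].Vulnerabilities`, both reduced to the fields used here with constructed placeholder CVE ids; the `https://cyclonedx.org/bom` predicate type is the one Cosign uses for `--type cyclonedx` (assumed here), and the SHA256 digest is the one quoted in the PR description.

```python
import json

# Constructed minimal CycloneDX document shaped like Syft output; not the PR's juice-shop.cdx.json.
SAMPLE_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",  # placeholder
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.0.0",
         "purl": "pkg:npm/example-lib@1.0.0"},
    ],
})

# Image digest quoted in the PR description for the in-toto subject block.
IMAGE_DIGEST = "fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0"

# Constructed scanner outputs reduced to the fields used below; CVE ids are placeholders.
GRYPE_SAMPLE = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"}},  # same CVE, second package
]}
TRIVY_SAMPLE = {"Results": [
    {"Target": "example (node-pkg)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "Severity": "MEDIUM"},
    ]},
    {"Target": "example (debian)", "Vulnerabilities": None},  # Trivy emits null for clean targets
]}


def check_cyclonedx(sbom_json, expected_version="1.5"):
    """Parse a CycloneDX JSON SBOM and confirm bomFormat and specVersion (the PR's bonus check)."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat=%r" % bom.get("bomFormat"))
    if bom.get("specVersion") != expected_version:
        raise ValueError("specVersion %r, expected %r" % (bom.get("specVersion"), expected_version))
    return bom


def build_statement(bom, subject_name, sha256_hex, predicate_type="https://cyclonedx.org/bom"):
    """Wrap the SBOM as the predicate of an in-toto v1 Statement bound to one image digest.

    The predicateType default is the value Cosign uses for --type cyclonedx (assumed here).
    A digest that is not 64 lowercase hex characters is rejected before it can reach the signer.
    """
    if len(sha256_hex) != 64 or set(sha256_hex) - set("0123456789abcdef"):
        raise ValueError("subject digest must be 64 lowercase hex characters")
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": subject_name, "digest": {"sha256": sha256_hex}}],
        "predicateType": predicate_type,
        "predicate": bom,
    }


def grype_findings(report):
    """Map CVE id -> upper-cased severity from Grype JSON ('matches' list)."""
    out = {}
    for m in report.get("matches", []):
        v = m["vulnerability"]
        out[v["id"]] = v.get("severity", "Unknown").upper()
    return out


def trivy_findings(report):
    """Map CVE id -> upper-cased severity from Trivy JSON ('Results' -> 'Vulnerabilities')."""
    out = {}
    for r in report.get("Results", []):
        for v in r.get("Vulnerabilities") or []:  # None for targets with no findings
            out[v["VulnerabilityID"]] = v.get("Severity", "UNKNOWN").upper()
    return out


def count_by_severity(findings):
    counts = {}
    for sev in findings.values():
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def compare_scanners(grype_report, trivy_report):
    """Side-by-side view: ids both tools found, ids unique to each, and per-tool severity counts."""
    g, t = grype_findings(grype_report), trivy_findings(trivy_report)
    return {
        "both": sorted(set(g) & set(t)),
        "grype_only": sorted(set(g) - set(t)),
        "trivy_only": sorted(set(t) - set(g)),
        "grype_counts": count_by_severity(g),
        "trivy_counts": count_by_severity(t),
    }


if __name__ == "__main__":
    statement = build_statement(check_cyclonedx(SAMPLE_CDX), "juice-shop", IMAGE_DIGEST)
    print(json.dumps(statement, indent=2))
    print(json.dumps(compare_scanners(GRYPE_SAMPLE, TRIVY_SAMPLE), indent=2))
```

Two things worth noting when reading the numbers in Testing against this. Grype and Trivy spell severities differently ("High" vs "HIGH"), so comparisons must normalise case before counting. Grype also reports one match per affected package, so its total (105 in the PR) counts package/CVE pairs; the comparison above dedupes by CVE id, which is why totals from the two approaches will not line up one-to-one even on the same image.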

@MikeNovikoff MikeNovikoff merged commit f1359d2 into main Jun 19, 2026
1 check passed