From 24c205bdc20154b70bd068d101b71b4d74c2a522 Mon Sep 17 00:00:00 2001 From: MikeNovikoff Date: Thu, 11 Jun 2026 22:07:46 +0300 Subject: [PATCH 1/3] finalize all lab --- submissions/lab1.md | 56 +++++++++++++++++++++------------------------ 1 file changed, 26 insertions(+), 30 deletions(-) diff --git a/submissions/lab1.md b/submissions/lab1.md index 2d5e62779..bf098bd22 100644 --- a/submissions/lab1.md +++ b/submissions/lab1.md @@ -3,9 +3,9 @@ ### Scope & Asset - Asset: OWASP Juice Shop (local lab instance) - Image: `bkimminich/juice-shop:v20.0.0` -- Image digest: -- Host OS: -- Docker: +- Image digest: sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0 +- Host OS: Windows 11 Pro 24H2 IoT +- Docker: Docker version 29.4.0, build 9d7ad9f ### Deployment Details - Run command used: `docker run -d --name juice-shop -p 127.0.0.1:6767:3000 bkimminich/juice-shop:v20.0.0` @@ -118,7 +118,7 @@ Required checklist (the template must include all three items): 4. **Follow** at least 3 classmates from the course -
+ 💡 GitHub Social Features **Why Stars Matter:** @@ -140,7 +140,7 @@ Starring repositories helps developers bookmark useful projects and shows suppor Following developers helps me learn from their work, discover new projects, and stay informed about updates in technologies that interest me. It also makes collaboration easier in team environments and helps build a professional network. -
+ --- @@ -152,28 +152,7 @@ Following developers helps me learn from their work, discover new projects, and ### B.1: Write the workflow -```yaml -# .github/workflows/lab1-smoke.yml -# YOUR TASK: Smoke-test Juice Shop in CI -# Requirements: -# - Triggers on pull_request to main -# - Uses ubuntu-latest runner -# - permissions: { contents: read } at workflow level (Lecture 4, slide 7) -# - Pulls bkimminich/juice-shop:v20.0.0 (pin the tag — recall Lecture 4 SHA-pinning rationale; we accept a tag here since this is your first workflow) -# - Runs it as a service or via `docker run -d` -# - Waits up to 60s for it to be ready (loop with `curl --silent --fail`) -# - Fails the job if the homepage returns non-200 or never starts -# -# Hints: -# - GitHub Actions `services:` block is one elegant way (https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) -# - Alternative: a single `steps:` job with `docker run -d` + a polling loop -# - The polling loop pattern (Juice Shop v20: use /rest/admin/application-version, not /rest/products): -# for i in $(seq 1 30); do -# curl --silent --fail http://localhost:3000/rest/admin/application-version >/dev/null && exit 0 -# sleep 2 -# done -# exit 1 -``` +wrote ### B.2: Verify it runs 
@@ -189,10 +168,27 @@ Following developers helps me learn from their work, discover new projects, and - Workflow file: `.github/workflows/lab1-smoke.yml` - Trigger: `pull_request` on main -- Run URL (must be green): -- Workflow run duration: +- Run URL (must be green): [url](https://github.com/MikeNovikoff/DevSecOps-Intro-Mike/actions/runs/27370603870) +- Workflow run duration: <17s> - Curl response excerpt: ``` - + Run curl --silent --fail --head http://localhost:3000 +HTTP/1.1 200 OK +Access-Control-Allow-Origin: * +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +Feature-Policy: payment 'self' +X-Recruiting: /#/jobs +Accept-Ranges: bytes +Cache-Control: public, max-age=0 +Last-Modified: Thu, 11 Jun 2026 19:02:13 GMT +ETag: W/"26af-19eb8103f08" +Content-Type: text/html; charset=UTF-8 +Content-Length: 9903 +Vary: Accept-Encoding +Date: Thu, 11 Jun 2026 19:02:13 GMT +Connection: keep-alive +Keep-Alive: timeout=5 + ``` ``` From 6ceba651f8b158e73d30278c50d0a8c20191324e Mon Sep 17 00:00:00 2001 From: MikeNovikoff Date: Thu, 11 Jun 2026 22:11:59 +0300 Subject: [PATCH 2/3] finalize all lab and fix md --- submissions/lab1.md | 33 +-------------------------------- 1 file changed, 1 insertion(+), 32 deletions(-) diff --git a/submissions/lab1.md b/submissions/lab1.md index bf098bd22..35b9a0a3a 100644 --- a/submissions/lab1.md +++ b/submissions/lab1.md 
@@ -59,7 +59,7 @@ Which of these are MISSING? (cross-reference Lecture 1 OWASP Top 10:2025 — A06 1. **Missing Security Headers (OWASP A05/A06)** — Several security-related HTTP headers are missing, including Content-Security-Policy and Strict-Transport-Security. Missing headers can make the application more vulnerable to attacks such as XSS or protocol downgrade attacks. This is related to OWASP Top 10 A05: Security Misconfiguration. 2. **Public API Exposure (OWASP A01)** — Several API endpoints appear accessible without authentication. Public endpoints increase the application's attack surface and may expose data that should be protected if access controls are not properly implemented. This relates to OWASP A01: Broken Access Control. 3. **Client-Side Data Storage (OWASP A01)** — The application stores data in browser local storage. While the observed values are not sensitive, storing security-relevant information in local storage can increase the impact of cross-site scripting attacks. This is related to OWASP A01: Broken Access Control and general client-side security concerns. -``` + 
@@ -106,32 +106,6 @@ Required checklist (the template must include all three items): ## Task 3 — GitHub Community Engagement (1 pt) -**Objective:** Explore GitHub's social features that support collaboration and discovery. - -**Actions Required:** -1. **Star** the course repository -2. **Star** the [simple-container-com/api](https://github.com/simple-container-com/api) project — a promising open-source tool for container management -3. **Follow** your professor and TAs on GitHub: - - Professor: [@Cre-eD](https://github.com/Cre-eD) - - TA: [@Naghme98](https://github.com/Naghme98) - - TA: [@pierrepicaud](https://github.com/pierrepicaud) -4. **Follow** at least 3 classmates from the course - - - -💡 GitHub Social Features - -**Why Stars Matter:** -- Stars help you bookmark interesting projects for later reference -- Star count indicates project popularity and community trust -- Starred repos appear in your GitHub profile, showing your interests -- Stars encourage maintainers and help projects gain visibility - -**Why Following Matters:** -- See what other developers are working on -- Discover new projects through their activity -- Build professional connections beyond the classroom -- Stay updated on classmates' work for future collaboration ## GitHub Community @@ -145,11 +119,6 @@ Following developers helps me learn from their work, discover new projects, and --- ## Bonus Task — Smoke-Test Workflow in GitHub Actions (2 pts) - -> 🌟 **Genuinely challenging — not just wiring.** This task previews Lecture 4 (CI/CD Security). You'll write a real workflow that runs Juice Shop in CI and verifies it works. - -**Objective:** Create `.github/workflows/lab1-smoke.yml` that, on every PR, pulls Juice Shop, runs it as a service, curls the homepage, and fails the build if Juice Shop doesn't respond healthy. - ### B.1: Write the workflow wrote From 3f346a6bc592313e5a796bf105bee9eee5707a63 Mon Sep 17 00:00:00 2001 
From: MikeNovikoff Date: Thu, 11 Jun 2026 22:15:00 +0300 Subject: [PATCH 3/3] finalize all lab and fix md --- submissions/lab1.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/submissions/lab1.md b/submissions/lab1.md index 35b9a0a3a..161fe0b44 100644 --- a/submissions/lab1.md +++ b/submissions/lab1.md @@ -85,9 +85,9 @@ Required sections (the template must include all four): Required checklist (the template must include all three items): -- [ ] Title is clear (`feat(labN): ` style) -- [ ] No secrets/large temp files committed -- [ ] Submission file at `submissions/labN.md` exists +- [x] Title is clear (`feat(labN): ` style) +- [x] No secrets/large temp files committed +- [x] Submission file at `submissions/labN.md` exists > **Hint:** GitHub auto-detects `.github/PULL_REQUEST_TEMPLATE.md` and pre-fills the PR description box. To test, push the branch and open a PR draft — the template should appear before you write a single word. @@ -132,7 +132,7 @@ wrote ### B.3: Document in `submissions/lab1.md` -```markdown + ## Bonus: CI Smoke Test - Workflow file: `.github/workflows/lab1-smoke.yml` @@ -140,7 +140,7 @@ wrote - Run URL (must be green): [url](https://github.com/MikeNovikoff/DevSecOps-Intro-Mike/actions/runs/27370603870) - Workflow run duration: <17s> - Curl response excerpt: - ``` +``` Run curl --silent --fail --head http://localhost:3000 HTTP/1.1 200 OK Access-Control-Allow-Origin: * @@ -159,5 +159,5 @@ Date: Thu, 11 Jun 2026 19:02:13 GMT Connection: keep-alive Keep-Alive: timeout=5 - ``` -``` + +``` \ No newline at end of file
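Review bot: in patch 1/3, hunk `@@ -3,9 +3,9 @@`, the image digest `sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0` is now recorded, but the run command two context lines down still pulls by the mutable tag `bkimminich/juice-shop:v20.0.0`, so nothing ties the recorded digest to the instance that was actually tested. Since the B.1 hints in this same patch cite the Lecture 4 SHA-pinning rationale, either run with `bkimminich/juice-shop@sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0` and record that command, or state how the digest was obtained (for example from `docker inspect` on the running container) so the Scope section is verifiable.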
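Review bot: in patch 1/3, hunk `@@ -152,28 +152,7 @@`, replacing the entire B.1 YAML scaffold with the single word "wrote" leaves the submission with no record of the workflow, so the requirements that were listed in the deleted comment block (trigger on `pull_request` to main, `permissions: { contents: read }` at workflow level, pinned `v20.0.0` tag, up-to-60s readiness loop with `curl --silent --fail`, fail on non-200 or never-started) can no longer be checked from this file. Paste the final contents of `.github/workflows/lab1-smoke.yml` into the fence in place of "wrote", or at minimum link the file at the reviewed commit. The deleted hint also said to poll `/rest/admin/application-version` rather than `/rest/products` for readiness on v20; the B.3 excerpt later in this patch shows only `curl --silent --fail --head http://localhost:3000`, so it is not visible whether the readiness loop was implemented as specified.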
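Review bot: in patch 1/3, hunk `@@ -189,10 +168,27 @@`, the duration line keeps the template's angle-bracket placeholder around the value (`<17s>`); write `17s`, since the brackets are not part of the data and some renderers will treat them as a tag. The run-URL line likewise still carries the template instruction "(must be green)". The curl excerpt is pasted inside a fence that is itself inside the `markdown` fence opened above it, so it will not render until the outer fence is removed (patch 3/3 does this). The headers shown (`X-Content-Type-Options: nosniff`, `X-Frame-Options: SAMEORIGIN`, no `Content-Security-Policy`, no `Strict-Transport-Security`) match finding 1 in the Task section, so consider citing this excerpt there as the evidence for the missing-headers finding.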
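Review bot: in patch 2/3, hunk `@@ -59,7 +59,7 @@`, removing the stray closing ``` after finding 3 is correct only if there is no unmatched opening fence earlier in the Task section; please confirm the file renders around this point, because an orphaned opening fence would now swallow the headings that follow. The context lines also show finding 1 headed "OWASP A05/A06" while its body maps only to A05, and finding 3 headed "OWASP A01" while describing client-side storage; pick one category per finding or say in the text why two apply.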
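Review bot: in patch 2/3, hunk `@@ -106,32 +106,6 @@`, the Task 3 action list (star the course repository and simple-container-com/api, follow @Cre-eD, @Naghme98, @pierrepicaud and at least three classmates) is deleted along with the details block, and nothing replaces it, so the section under "## GitHub Community" now holds only the reflection text and no record of which repositories were starred or which accounts were followed. Keep the numbered list with `[x]` marks, or add links to the starred repositories and followed profiles, so the 1-pt task can be verified from the submission.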
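Review bot: in patch 2/3, hunk `@@ -145,11 +119,6 @@`, deleting the Bonus task objective leaves "### B.1: Write the workflow" followed only by "wrote" (from patch 1/3), so a reader of the submission can no longer tell what the workflow checks or that it must fail the build when Juice Shop does not respond. Keep the one-sentence objective (pull Juice Shop on every PR, run it as a service, curl the homepage, fail on an unhealthy response) above B.1, or better, let the workflow file itself stand there.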
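Review bot: in patch 3/3, hunk `@@ -159,5 +159,5 @@`, the file now ends with the closing fence and `\ No newline at end of file`; add a trailing newline so the fence terminates cleanly and the next change to this file does not show a spurious diff on the last line. Dropping the outer ```markdown fence and the indented inner fences in the two hunks above it does fix the nested-fence rendering from patch 1/3, but the `<17s>` placeholder brackets in that hunk's context are still in place.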