inno-devops-labs · examplefirstaccount · Feb 9, 2026 · Mar 22, 2026
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,18 @@
+# Goal
+<!-- What is the purpose of this PR? Which lab does it complete? -->
+
+# Changes
+<!-- List the main changes or additions in this PR -->
+
+# Testing
+<!-- Describe how you verified your changes work correctly -->
+
+# Artifacts & Screenshots
+<!-- Link to or embed screenshots, outputs, or other evidence -->
+
+---
+
+### Checklist
+- [ ] PR has a clear, descriptive title
+- [ ] Documentation updated if needed
+- [ ] No secrets, credentials, or large temporary files committed
diff --git a/labs/lab7/analysis/deployment-comparison.txt b/labs/lab7/analysis/deployment-comparison.txt
@@ -0,0 +1,36 @@
+=== Functionality Test ===
+Default: HTTP 200
+Hardened: HTTP 200
+Production: HTTP 200
+
+=== Resource Usage ===
+NAME               CPU %     MEM USAGE / LIMIT   MEM %
+juice-default      0.95%     105MiB / 14.95GiB   0.69%
+juice-hardened     2.06%     90.35MiB / 512MiB   17.65%
+juice-production   0.96%     90.25MiB / 512MiB   17.63%
+
+=== Security Configurations ===
+
+Container: juice-default
+CapDrop: <no value>
+SecurityOpt: <no value>
+Memory: 0
+CPU: 0
+PIDs: <no value>
+Restart: no
+
+Container: juice-hardened
+CapDrop: [ALL]
+SecurityOpt: [no-new-privileges]
+Memory: 536870912
+CPU: 0
+PIDs: <no value>
+Restart: no
+
+Container: juice-production
+CapDrop: [ALL]
+SecurityOpt: [no-new-privileges]
+Memory: 536870912
+CPU: 0
+PIDs: 100
+Restart: on-failure
diff --git a/labs/lab7/hardening/docker-bench-results.txt b/labs/lab7/hardening/docker-bench-results.txt
diff --git a/labs/lab7/scanning/dockle-results.txt b/labs/lab7/scanning/dockle-results.txt
@@ -0,0 +1,9 @@
+[34mSKIP[0m	- [36mDKL-LI-0001[0m: Avoid empty password
+	* failed to detect etc/shadow,etc/master.passwd
+[35mINFO[0m	- [36mCIS-DI-0005[0m: Enable Content trust for Docker
+	* export DOCKER_CONTENT_TRUST=1 before docker pull/build
+[35mINFO[0m	- [36mCIS-DI-0006[0m: Add HEALTHCHECK instruction to the container image
+	* not found HEALTHCHECK statement
+[35mINFO[0m	- [36mDKL-LI-0003[0m: Only put necessary files
+	* unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store 
+	* unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store 
diff --git a/labs/lab7/scanning/scout-cves.txt b/labs/lab7/scanning/scout-cves.txt
diff --git a/labs/lab7/scanning/snyk-results.txt b/labs/lab7/scanning/snyk-results.txt
@@ -0,0 +1,255 @@
+
+Testing bkimminich/juice-shop:v19.0.0...
+
+✗ High severity vulnerability found in openssl/libssl3
+  Description: CVE-2025-69421
+  Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-15123192
+  Introduced through: openssl/libssl3@3.0.17-1~deb12u2
+  From: openssl/libssl3@3.0.17-1~deb12u2
+  Fixed in: 3.0.18-1~deb12u2
+
+------------ Detected 5 vulnerabilities for node@22.18.0 ------------ 
+
+
+✗ High severity vulnerability found in node
+  Description: UNIX Symbolic Link (Symlink) Following
+  Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928586
+  Introduced through: node@22.18.0
+  From: node@22.18.0
+  Fixed in: 22.22.0
+
+✗ High severity vulnerability found in node
+  Description: Uncaught Exception
+  Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14929624
+  Introduced through: node@22.18.0
+  From: node@22.18.0
+  Fixed in: 22.22.0
+
+✗ High severity vulnerability found in node
+  Description: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
+  Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14975915
+  Introduced through: node@22.18.0
+  From: node@22.18.0
+  Fixed in: 22.22.0
+
+✗ High severity vulnerability found in node
+  Description: Uncaught Exception
+  Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14982196
+  Introduced through: node@22.18.0
+  From: node@22.18.0
+  Fixed in: 22.22.0
+
+✗ Critical severity vulnerability found in node
+  Description: Race Condition
+  Info: https://security.snyk.io/vuln/SNYK-UPSTREAM-NODE-14928492
+  Introduced through: node@22.18.0
+  From: node@22.18.0
+  Fixed in: 22.22.0
+
+Organization:      anr2024
+Package manager:   deb
+Project name:      docker-image|bkimminich/juice-shop
+Docker image:      bkimminich/juice-shop:v19.0.0
+Platform:          linux/amd64
+Target OS:         Distroless
+Licenses:          enabled
+
+Tested 10 dependencies for known issues, found 6 issues.
+
+-------------------------------------------------------
+
+Testing bkimminich/juice-shop:v19.0.0...
+
+Tested 975 dependencies for known issues, found 47 issues.
+
+
+Issues to fix by upgrading:
+
+  Upgrade body-parser@1.20.3 to body-parser@1.20.4 to fix
+  ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0
+    introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s)
+  ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0
+    introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s)
+
+  Upgrade check-dependencies@1.1.1 to check-dependencies@2.0.0 to fix
+  ✗ Excessive Platform Resource Consumption within a Loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@2.3.2
+    introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > braces@2.3.2
+  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0
+    introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0 and 4 other path(s)
+
+  Upgrade express@4.21.2 to express@4.22.0 to fix
+  ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-14724253] in qs@6.13.0
+    introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s)
+  ✗ Allocation of Resources Without Limits or Throttling [High Severity][https://security.snyk.io/vuln/SNYK-JS-QS-15268416] in qs@6.13.0
+    introduced by body-parser@1.20.3 > qs@6.13.0 and 2 other path(s)
+
+  Upgrade express-ipfilter@1.3.2 to express-ipfilter@1.4.0 to fix
+  ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12704893] in ip@2.0.1
+    introduced by express-ipfilter@1.3.2 > ip@2.0.1
+  ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12761655] in ip@2.0.1
+    introduced by express-ipfilter@1.3.2 > ip@2.0.1
+
+  Upgrade express-jwt@0.1.3 to express-jwt@6.0.0 to fix
+  ✗ Authorization Bypass [High Severity][https://security.snyk.io/vuln/SNYK-JS-EXPRESSJWT-575022] in express-jwt@0.1.3
+    introduced by express-jwt@0.1.3
+  ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6
+    introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s)
+  ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6
+    introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s)
+  ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-MOMENT-2440688] in moment@2.0.0
+    introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 > moment@2.0.0
+  ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6
+    introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s)
+  ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0
+    introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s)
+
+  Upgrade glob@10.4.5 to glob@12.0.0 to fix
+  ✗ Command Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-GLOB-14040952] in glob@10.4.5
+    introduced by glob@10.4.5 and 1 other path(s)
+  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2
+    introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s)
+  ✗ Regular Expression Denial of Service (ReDoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353387] in minimatch@9.0.5
+    introduced by glob@10.4.5 > minimatch@9.0.5 and 1 other path(s)
+  ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2
+    introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s)
+
+  Upgrade grunt-contrib-compress@1.6.0 to grunt-contrib-compress@2.0.0 to fix
+  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2
+    introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s)
+  ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2
+    introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s)
+
+  Upgrade jsonwebtoken@0.4.0 to jsonwebtoken@5.0.0 to fix
+  ✗ Improper Verification of Cryptographic Signature [High Severity][https://security.snyk.io/vuln/SNYK-JS-JWS-14188253] in jws@0.2.6
+    introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s)
+  ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6
+    introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s)
+  ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6
+    introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s)
+  ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0
+    introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s)
+
+  Upgrade multer@1.4.5-lts.2 to multer@2.1.1 to fix
+  ✗ Uncontrolled Recursion (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15417528] in multer@1.4.5-lts.2
+    introduced by multer@1.4.5-lts.2
+  ✗ Missing Release of Resource after Effective Lifetime (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365916] in multer@1.4.5-lts.2
+    introduced by multer@1.4.5-lts.2
+  ✗ Incomplete Cleanup (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-15365918] in multer@1.4.5-lts.2
+    introduced by multer@1.4.5-lts.2
+  ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10773732] in multer@1.4.5-lts.2
+    introduced by multer@1.4.5-lts.2
+  ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185673] in multer@1.4.5-lts.2
+    introduced by multer@1.4.5-lts.2
+  ✗ Missing Release of Memory after Effective Lifetime [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185675] in multer@1.4.5-lts.2
+    introduced by multer@1.4.5-lts.2
+  ✗ Uncaught Exception [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10299078] in multer@1.4.5-lts.2
+    introduced by multer@1.4.5-lts.2
+
+  Upgrade node-pre-gyp@0.15.0 to node-pre-gyp@0.17.0 to fix
+  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2
+    introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s)
+  ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2
+    introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s)
+
+  Upgrade pdfkit@0.11.0 to pdfkit@0.12.2 to fix
+  ✗ Use of Weak Hash [High Severity][https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-6028119] in crypto-js@3.3.0
+    introduced by pdfkit@0.11.0 > crypto-js@3.3.0
+
+  Upgrade sanitize-html@1.4.2 to sanitize-html@1.7.1 to fix
+  ✗ Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724] in lodash@2.4.2
+    introduced by sanitize-html@1.4.2 > lodash@2.4.2
+  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-450202] in lodash@2.4.2
+    introduced by sanitize-html@1.4.2 > lodash@2.4.2
+  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-608086] in lodash@2.4.2
+    introduced by sanitize-html@1.4.2 > lodash@2.4.2
+  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-6139239] in lodash@2.4.2
+    introduced by sanitize-html@1.4.2 > lodash@2.4.2
+  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-73638] in lodash@2.4.2
+    introduced by sanitize-html@1.4.2 > lodash@2.4.2
+
+  Upgrade sequelize@6.37.7 to sequelize@6.37.8 to fix
+  ✗ SQL Injection (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SEQUELIZE-15456219] in sequelize@6.37.7
+    introduced by sequelize@6.37.7
+
+  Upgrade socket.io@3.1.2 to socket.io@4.7.0 to fix
+  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-WS-7266574] in ws@7.4.6
+    introduced by socket.io@3.1.2 > engine.io@4.1.2 > ws@7.4.6
+  ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIO-7278048] in socket.io@3.1.2
+    introduced by socket.io@3.1.2
+  ✗ Allocation of Resources Without Limits or Throttling (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-15680278] in socket.io-parser@4.0.5
+    introduced by socket.io@3.1.2 > socket.io-parser@4.0.5
+  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-5596892] in socket.io-parser@4.0.5
+    introduced by socket.io@3.1.2 > socket.io-parser@4.0.5
+  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ENGINEIO-3136336] in engine.io@4.1.2
+    introduced by socket.io@3.1.2 > engine.io@4.1.2
+
+  Upgrade sqlite3@5.1.7 to sqlite3@6.0.1 to fix
+  ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15307072] in tar@7.4.3
+    introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s)
+  ✗ Symlink Attack (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15416075] in tar@7.4.3
+    introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s)
+  ✗ Symlink Attack (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-TAR-15456201] in tar@7.4.3
+    introduced by libxmljs2@0.37.0 > node-gyp@11.4.2 > tar@7.4.3 and 5 other path(s)
+
+  Upgrade unzipper@0.9.15 to unzipper@0.12.1 to fix
+  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15309438] in minimatch@3.1.2
+    introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s)
+  ✗ Inefficient Algorithmic Complexity (new) [High Severity][https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-15353389] in minimatch@3.1.2
+    introduced by filesniffer@1.0.3 > filehound@1.17.6 > file-js@0.3.0 > minimatch@3.1.2 and 18 other path(s)
+
+
+Issues with no direct upgrade or patch:
+  ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808810] in libxmljs2@0.37.0
+    introduced by libxmljs2@0.37.0
+  No upgrade or patch available
+  ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808816] in libxmljs2@0.37.0
+    introduced by libxmljs2@0.37.0
+  No upgrade or patch available
+  ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032] in lodash.set@4.3.2
+    introduced by grunt-replace-json@0.1.0 > lodash.set@4.3.2
+  No upgrade or patch available
+  ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MARSDB-480405] in marsdb@0.6.11
+    introduced by marsdb@0.6.11
+  No upgrade or patch available
+  ✗ Incomplete Filtering of One or More Instances of Special Elements [High Severity][https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476] in validator@13.15.15
+    introduced by sequelize@6.37.7 > validator@13.15.15
+  This issue was fixed in versions: 13.15.22
+  ✗ Improper Control of Dynamically-Managed Code Resources [High Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-15116160] in vm2@3.9.17
+    introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17
+  This issue was fixed in versions: 3.10.2
+  ✗ Sandbox Bypass [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5537100] in vm2@3.9.17
+    introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17
+  This issue was fixed in versions: 3.9.18
+  ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772823] in vm2@3.9.17
+    introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17
+  This issue was fixed in versions: 3.10.0
+  ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772825] in vm2@3.9.17
+    introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17
+  This issue was fixed in versions: 3.10.0
+
+
+
+Organization:      anr2024
+Package manager:   npm
+Target file:       /juice-shop/package.json
+Project name:      juice-shop
+Docker image:      bkimminich/juice-shop:v19.0.0
+Licenses:          enabled
+
+
+Tested 2 projects, 2 contained vulnerable paths.
+
+
+
+
+ ERROR   Forbidden (SNYK-CLI-0000)
+         The encountered error only provides basic information, please take a look at   
+         the given details. If they do not help to resolve the issue, consider          
+         debugging or consulting support.                                               
+
+           Forbidden                                                                    
+
+Status:  403 Forbidden 
+Docs:    https://docs.snyk.io/scan-with-snyk/error-catalog#snyk-cli-0000 
+
+ID:      urn:snyk:interaction:21c1571c-2f0d-4fd6-b7d9-356978a19578