Feature/lab7

.github/pull_request_template.md

@@ -0,0 +1,12 @@
+## Goal
+
+## Changes
+
+## Testing
+
+## Artifacts & Screenshots
+
+## Checklist
+- [ ] PR has a clear, descriptive title
+- [ ] Documentation is updated
+- [ ] No secrets or sensitive data

labs/lab7/analysis/deployment-comparison.txt

@@ -0,0 +1,36 @@
+=== Functionality Test ===
+Default: HTTP 200
+Hardened: HTTP 200
+Production: HTTP 200
+
+=== Resource Usage ===
+NAME               CPU %     MEM USAGE / LIMIT     MEM %
+juice-default      0.44%     100.7MiB / 15.35GiB   0.64%
+juice-hardened     0.32%     92.3MiB / 512MiB      18.03%
+juice-production   0.38%     91.45MiB / 512MiB     17.86%
+
+=== Security Configurations ===
+
+Container: juice-default
+CapDrop: <no value>
+SecurityOpt: <no value>
+Memory: 0
+CPU: 0
+PIDs: <no value>
+Restart: no
+
+Container: juice-hardened
+CapDrop: [ALL]
+SecurityOpt: [seccomp=unconfined]
+Memory: 536870912
+CPU: 0
+PIDs: <no value>
+Restart: no
+
+Container: juice-production
+CapDrop: [ALL]
+SecurityOpt: <no value>
+Memory: 536870912
+CPU: 0
+PIDs: 100
+Restart: on-failure

labs/lab7/hardening/docker-bench-results.txt

@@ -0,0 +1,216 @@
+Unable to find image 'docker/docker-bench-security:latest' locally
+latest: Pulling from docker/docker-bench-security
+cd784148e348: Pulling fs layer
+48fe0d48816d: Pulling fs layer
+164e5e0f48c5: Pulling fs layer
+378ed37ea5ff: Pulling fs layer
+378ed37ea5ff: Waiting
+164e5e0f48c5: Download complete
+378ed37ea5ff: Verifying Checksum
+378ed37ea5ff: Download complete
+cd784148e348: Download complete
+cd784148e348: Pull complete
+48fe0d48816d: Verifying Checksum
+48fe0d48816d: Download complete
+48fe0d48816d: Pull complete
+164e5e0f48c5: Pull complete
+378ed37ea5ff: Pull complete
+Digest: sha256:ddbdf4f86af4405da4a8a7b7cc62bb63bfeb75e85bf22d2ece70c204d7cfabb8
+Status: Downloaded newer image for docker/docker-bench-security:latest
+# ------------------------------------------------------------------------------
+# Docker Bench for Security v1.3.4
+#
+# Docker, Inc. (c) 2015-
+#
+# Checks for dozens of common best-practices around deploying Docker containers in production.
+# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
+# ------------------------------------------------------------------------------
+
+Initializing Mon Mar 23 15:37:10 UTC 2026
+
+
+[INFO] 1 - Host Configuration
+[WARN] 1.1  - Ensure a separate partition for containers has been created
+[NOTE] 1.2  - Ensure the container host has been Hardened
+[PASS] 1.3  - Ensure Docker is up to date
+[INFO]      * Using 28.4.0 which is current
+[INFO]      * Check with your operating system vendor for support and security maintenance for Docker
+[INFO] 1.4  - Ensure only trusted users are allowed to control Docker daemon
+[INFO]      * docker:x:139
+[WARN] 1.5  - Ensure auditing is configured for the Docker daemon
+[INFO] 1.6  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
+[INFO]      * Directory not found
+[WARN] 1.7  - Ensure auditing is configured for Docker files and directories - /etc/docker
+[INFO] 1.8  - Ensure auditing is configured for Docker files and directories - docker.service
+[INFO]      * File not found
+[INFO] 1.9  - Ensure auditing is configured for Docker files and directories - docker.socket
+[INFO]      * File not found
+[WARN] 1.10  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
+[INFO] 1.11  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
+[INFO]      * File not found
+[INFO] 1.12  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
+[INFO]      * File not found
+[INFO] 1.13  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
+[INFO]      * File not found
+
+
+[INFO] 2 - Docker daemon configuration
+[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
+[PASS] 2.2  - Ensure the logging level is set to 'info'
+[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
+[PASS] 2.4  - Ensure insecure registries are not used
+[PASS] 2.5  - Ensure aufs storage driver is not used
+[INFO] 2.6  - Ensure TLS authentication for Docker daemon is configured
+[INFO]      * Docker daemon not listening on TCP
+[INFO] 2.7  - Ensure the default ulimit is configured appropriately
+[INFO]      * Default ulimit doesn't appear to be set
+[WARN] 2.8  - Enable user namespace support
+[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
+[PASS] 2.10  - Ensure base device size is not changed until needed
+[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
+[WARN] 2.12  - Ensure centralized and remote logging is configured
+[INFO] 2.13  - Ensure operations on legacy registry (v1) are Disabled (Deprecated)
+[WARN] 2.14  - Ensure live restore is Enabled
+[WARN] 2.15  - Ensure Userland Proxy is Disabled
+[INFO] 2.16  - Ensure daemon-wide custom seccomp profile is applied, if needed
+[PASS] 2.17  - Ensure experimental features are avoided in production
+[WARN] 2.18  - Ensure containers are restricted from acquiring new privileges
+
+
+[INFO] 3 - Docker daemon configuration files
+[INFO] 3.1  - Ensure that docker.service file ownership is set to root:root
+[INFO]      * File not found
+[INFO] 3.2  - Ensure that docker.service file permissions are set to 644 or more restrictive
+[INFO]      * File not found
+[INFO] 3.3  - Ensure that docker.socket file ownership is set to root:root
+[INFO]      * File not found
+[INFO] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
+[INFO]      * File not found
+[PASS] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
+[PASS] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
+[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
+[INFO]      * Directory not found
+[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
+[INFO]      * Directory not found
+[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
+[INFO]      * No TLS CA certificate found
+[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
+[INFO]      * No TLS CA certificate found
+[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
+[INFO]      * No TLS Server certificate found
+[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
+[INFO]      * No TLS Server certificate found
+[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
+[INFO]      * No TLS Key found
+[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
+[INFO]      * No TLS Key found
+[PASS] 3.15  - Ensure that Docker socket file ownership is set to root:docker
+[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
+[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
+[INFO]      * File not found
+[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
+[INFO]      * File not found
+[PASS] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
+[PASS] 3.20  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
+
+
+[INFO] 4 - Container Images and Build File
+[WARN] 4.1  - Ensure a user for the container has been created
+[WARN]      * Running as root: ml-app
+[NOTE] 4.2  - Ensure that containers use trusted base images
+[NOTE] 4.3  - Ensure unnecessary packages are not installed in the container
+[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
+[WARN] 4.5  - Ensure Content trust for Docker is Enabled
+[WARN] 4.6  - Ensure HEALTHCHECK instructions have been added to the container image
+[WARN]      * No Healthcheck found: [snyk/snyk:docker]
+[WARN]      * No Healthcheck found: [scylladb/scylla:2025.4.5 scylladb/scylla:latest]
+[WARN]      * No Healthcheck found: [scylladb/scylla:2025.4.5 scylladb/scylla:latest]
+[WARN]      * No Healthcheck found: [mongo:7.0]
+[WARN]      * No Healthcheck found: [mongo:latest]
+[WARN]      * No Healthcheck found: [deployment-api:latest]
+[WARN]      * No Healthcheck found: [deployment-app:latest]
+[WARN]      * No Healthcheck found: [bkimminich/juice-shop:v19.0.0]
+[WARN]      * No Healthcheck found: [goodwithtech/dockle:latest]
+[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
+[INFO]      * Update instruction found: [snyk/snyk:docker]
+[INFO]      * Update instruction found: [citusdata/citus:latest]
+[INFO]      * Update instruction found: [mongo:7.0]
+[INFO]      * Update instruction found: [mongo:latest]
+[INFO]      * Update instruction found: [deployment-api:latest]
+[INFO]      * Update instruction found: [deployment-app:latest]
+[NOTE] 4.8  - Ensure setuid and setgid permissions are removed in the images
+[INFO] 4.9  - Ensure COPY is used instead of ADD in Dockerfile
+[INFO]      * ADD in image history: [snyk/snyk:docker]
+[INFO]      * ADD in image history: [mongo:7.0]
+[INFO]      * ADD in image history: [mongo:latest]
+[INFO]      * ADD in image history: [goodwithtech/dockle:latest]
+[INFO]      * ADD in image history: [docker/docker-bench-security:latest]
+[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
+[NOTE] 4.11  - Ensure verified packages are only Installed
+
+
+[INFO] 5 - Container Runtime
+[PASS] 5.1  - Ensure AppArmor Profile is Enabled
+[WARN] 5.2  - Ensure SELinux security options are set, if applicable
+[WARN]      * No SecurityOptions Found: ml-app
+[PASS] 5.3  - Ensure Linux Kernel Capabilities are restricted within containers
+[PASS] 5.4  - Ensure privileged containers are not used
+[PASS] 5.5  - Ensure sensitive host system directories are not mounted on containers
+[PASS] 5.6  - Ensure ssh is not run within containers
+[PASS] 5.7  - Ensure privileged ports are not mapped within containers
+[NOTE] 5.8  - Ensure only needed ports are open on the container
+[PASS] 5.9  - Ensure the host's network namespace is not shared
+[WARN] 5.10  - Ensure memory usage for container is limited
+[WARN]      * Container running without memory restrictions: ml-app
+[WARN] 5.11  - Ensure CPU priority is set appropriately on the container
+[WARN]      * Container running without CPU restrictions: ml-app
+[WARN] 5.12  - Ensure the container's root filesystem is mounted as read only
+[WARN]      * Container running with root FS mounted R/W: ml-app
+[WARN] 5.13  - Ensure incoming container traffic is binded to a specific host interface
+[WARN]      * Port being bound to wildcard IP: 0.0.0.0 in ml-app
+[WARN] 5.14  - Ensure 'on-failure' container restart policy is set to '5'
+[WARN]      * MaximumRetryCount is not set to 5: ml-app
+[PASS] 5.15  - Ensure the host's process namespace is not shared
+[PASS] 5.16  - Ensure the host's IPC namespace is not shared
+[PASS] 5.17  - Ensure host devices are not directly exposed to containers
+[INFO] 5.18  - Ensure the default ulimit is overwritten at runtime, only if needed
+[INFO]      * Container no default ulimit override: ml-app
+[PASS] 5.19  - Ensure mount propagation mode is not set to shared
+[PASS] 5.20  - Ensure the host's UTS namespace is not shared
+[PASS] 5.21  - Ensure the default seccomp profile is not Disabled
+[NOTE] 5.22  - Ensure docker exec commands are not used with privileged option
+[NOTE] 5.23  - Ensure docker exec commands are not used with user option
+[PASS] 5.24  - Ensure cgroup usage is confirmed
+[WARN] 5.25  - Ensure the container is restricted from acquiring additional privileges
+[WARN]      * Privileges not restricted: ml-app
+[WARN] 5.26  - Ensure container health is checked at runtime
+[WARN]      * Health check not set: ml-app
+[INFO] 5.27  - Ensure docker commands always get the latest version of the image
+[WARN] 5.28  - Ensure PIDs cgroup limit is used
+[WARN]      * PIDs limit not set: ml-app
+[PASS] 5.29  - Ensure Docker's default bridge docker0 is not used
+[PASS] 5.30  - Ensure the host's user namespaces is not shared
+[PASS] 5.31  - Ensure the Docker socket is not mounted inside any containers
+
+
+[INFO] 6 - Docker Security Operations
+[INFO] 6.1  - Avoid image sprawl
+[INFO]      * There are currently: 16 images
+[INFO] 6.2  - Avoid container sprawl
+[INFO]      * There are currently a total of 8 containers, with 2 of them currently running
+
+
+[INFO] 7 - Docker Swarm Configuration
+[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
+[PASS] 7.2  - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
+[PASS] 7.3  - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)
+[PASS] 7.4  - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
+[PASS] 7.5  - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)
+[PASS] 7.6  - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)
+[PASS] 7.7  - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
+[PASS] 7.8  - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)
+[PASS] 7.9  - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)
+[PASS] 7.10  - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)
+
+[INFO] Checks: 105
+[INFO] Score: 16

labs/lab7/scanning/dockle-results.txt

@@ -0,0 +1,20 @@
+Unable to find image 'goodwithtech/dockle:latest' locally
+latest: Pulling from goodwithtech/dockle
+7b26c2f269ea: Pulling fs layer
+d1a9c31cfbd5: Pulling fs layer
+7b26c2f269ea: Download complete
+7b26c2f269ea: Pull complete
+d1a9c31cfbd5: Verifying Checksum
+d1a9c31cfbd5: Download complete
+d1a9c31cfbd5: Pull complete
+Digest: sha256:eade932f793742de0aa8755406c7677cd7696f8675b6180926f7eeffa7abe6b9
+Status: Downloaded newer image for goodwithtech/dockle:latest
+SKIP	- DKL-LI-0001: Avoid empty password
+	* failed to detect etc/shadow,etc/master.passwd
+INFO	- CIS-DI-0005: Enable Content trust for Docker
+	* export DOCKER_CONTENT_TRUST=1 before docker pull/build
+INFO	- CIS-DI-0006: Add HEALTHCHECK instruction to the container image
+	* not found HEALTHCHECK statement
+INFO	- DKL-LI-0003: Only put necessary files
+	* unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store 
+	* unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store