Feature/lab7 #628

Open

pepegx wants to merge 4 commits into inno-devops-labs:main from pepegx:feature/lab7
Conversation

@pepegx pepegx commented Mar 23, 2026

Summary

This PR adds my Lab 7 submission for container security analysis and deployment hardening.

The work covers three areas:

  1. Container image vulnerability scanning and image-level security review for bkimminich/juice-shop:v19.0.0
  2. Docker host / daemon benchmarking against Docker Bench / CIS-style checks
  3. Runtime hardening comparison across three deployment profiles: default, hardened, and production

The main written report is in labs/submission7.md, and all raw evidence files are committed under labs/lab7/.

Scope of Work

Task 1 - Image vulnerability and configuration analysis

Completed:

  • Pulled and analyzed the target Juice Shop image
  • Collected Docker Scout CVE output
  • Collected Dockle image configuration output
  • Reviewed image metadata such as configured user and healthcheck presence
  • Documented top critical/high findings and overall image posture

Artifacts:

  • labs/lab7/scanning/scout-cves.txt
  • labs/lab7/scanning/dockle-results.txt
  • labs/lab7/scanning/snyk-results.txt
  • labs/lab7/scanning/snyk-results-amd64.txt
  • labs/lab7/scanning/snyk-manifest-inspect.txt

Important note:

  • The Snyk comparison was attempted and documented, but it could not be completed successfully because I did not have a valid SNYK_TOKEN in this environment.
  • The saved Snyk output shows the final blocker as 401 Unauthorized.

Task 2 - Docker security benchmarking

Completed:

  • Attempted the stock Docker Bench command from the lab
  • Documented the Docker Desktop compatibility issue with the stock invocation
  • Re-ran the official Docker Bench scripts in a Docker Desktop-compatible way
  • Corrected the rerun to include the docker_bench_security label so the helper container was excluded from the benchmark results
  • Updated the report with the corrected totals from the labeled benchmark run

Final benchmark summary:

  • PASS: 32
  • WARN: 26
  • FAIL: 0
  • INFO: 38
  • NOTE: 9
  • Checks: 105
  • Score: 4

Artifacts:

  • labs/lab7/hardening/docker-bench-results.txt
  • labs/lab7/hardening/docker-bench-results-stock-failure.txt
  • labs/lab7/hardening/docker-bench-results-rehosted.txt
  • labs/lab7/hardening/docker-bench-src/

Task 3 - Deployment hardening comparison

Completed:

  • Ran the target application in three profiles:
    • juice-default
    • juice-hardened
    • juice-production
  • Verified functionality locally
  • Captured runtime configuration and resource limits
  • Compared capabilities, security options, memory/CPU settings, PID limits, and restart policies
  • Documented the security trade-offs between development-oriented and production-oriented profiles

Observed result:

  • All three profiles returned HTTP 200 during local verification

Artifacts:

  • labs/lab7/analysis/deployment-comparison.txt

Report Contents

The submission report in labs/submission7.md includes:

  • environment and execution context
  • commands used
  • top image vulnerabilities and their impact
  • Dockle findings and posture assessment
  • corrected Docker Bench summary and warning analysis
  • deployment comparison table
  • explanation of each hardening flag
  • answers to the lab's critical thinking questions
  • documented limitations and environment-specific blockers

Limitations / Honesty Notes

  • Task 1.3 with Snyk is documented as incomplete because a valid SNYK_TOKEN was not available.
  • Docker Bench required a Docker Desktop-compatible rerun because the stock command from the lab was not directly runnable on this host.
  • For the production profile, the Docker Engine on this machine accepted seccomp=builtin rather than the lab wording seccomp=default; this is documented in the report.

Checklist

  • Task 1 analyzed and documented
  • Task 2 benchmarked and documented
  • Task 3 compared and documented
  • Raw evidence committed under labs/lab7/
  • Final report added as labs/submission7.md
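Task 3 above compares capabilities, security options, memory/CPU settings, PID limits and restart policies across the juice-default, juice-hardened and juice-production containers. The script below is an added example, not part of this submission or of the lab materials: it reads the JSON array that `docker inspect` emits for those three containers, flattens the settings that Task 3 compares (plus the configured user and healthcheck presence reviewed in Task 1) into one table, and lists the weaker settings per profile. The embedded sample is constructed; the container names and the handling of `seccomp=builtin` as equivalent to the lab's `seccomp=default` wording follow the PR text, while every flag value in the sample is hypothetical and does not describe the author's real profiles.

```python
"""Tabulate runtime hardening settings from `docker inspect` JSON.

Added example, not part of the Lab 7 submission. Usage:
    docker inspect juice-default juice-hardened juice-production > inspect.json
    python3 compare_profiles.py inspect.json
With no argument the constructed sample below is used.
"""
import json
import sys

# Constructed sample `docker inspect` output, trimmed to the fields used here.
# Container names come from the PR; every flag value is hypothetical.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/juice-default", "Config": {"User": "", "Healthcheck": None},
     "HostConfig": {"CapAdd": None, "CapDrop": None, "SecurityOpt": None,
                    "Memory": 0, "NanoCpus": 0, "PidsLimit": None,
                    "RestartPolicy": {"Name": "no", "MaximumRetryCount": 0}}},
    {"Name": "/juice-hardened", "Config": {"User": "node", "Healthcheck": None},
     "HostConfig": {"CapAdd": None, "CapDrop": ["ALL"],
                    "SecurityOpt": ["no-new-privileges:true"],
                    "Memory": 512 * 1024 * 1024, "NanoCpus": 1000000000, "PidsLimit": 200,
                    "RestartPolicy": {"Name": "unless-stopped", "MaximumRetryCount": 0}}},
    {"Name": "/juice-production", "Config": {"User": "node", "Healthcheck": {"Test": ["CMD", "true"]}},
     "HostConfig": {"CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                    "SecurityOpt": ["no-new-privileges:true", "seccomp=builtin"],
                    "Memory": 512 * 1024 * 1024, "NanoCpus": 1000000000, "PidsLimit": 200,
                    "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 3}}},
])

MIB = 1024 * 1024


def seccomp_profile(security_opt):
    """Return the seccomp value from SecurityOpt; no entry means the engine default."""
    for opt in security_opt:
        if opt.startswith("seccomp="):
            return opt.split("=", 1)[1]
    return "default"


def seccomp_is_engine_default(value):
    # The PR notes the engine accepted `seccomp=builtin` where the lab wording is
    # `seccomp=default`; both select the engine's built-in profile.
    return value in ("default", "builtin")


def summarize(container):
    """Flatten one inspect record into the fields compared in Task 3."""
    cfg = container["Config"]
    hc = container["HostConfig"]
    sec_opts = hc.get("SecurityOpt") or []
    return {
        "name": container["Name"].lstrip("/"),
        "user": cfg.get("User") or "root",               # empty USER means root
        "healthcheck": bool(cfg.get("Healthcheck")),
        "cap_drop": hc.get("CapDrop") or [],
        "cap_add": hc.get("CapAdd") or [],
        "no_new_privileges": any(o.startswith("no-new-privileges") for o in sec_opts),
        "seccomp": seccomp_profile(sec_opts),
        "memory_mib": (hc.get("Memory") or 0) // MIB,     # 0 means no limit
        "cpus": (hc.get("NanoCpus") or 0) / 1e9,          # 0 means no limit
        "pids_limit": hc.get("PidsLimit") or 0,           # None/0/-1 mean no limit
        "restart": (hc.get("RestartPolicy") or {}).get("Name") or "no",
    }


def findings(s):
    """Settings a reviewer would call out when judging a profile for production."""
    issues = []
    if s["user"] == "root":
        issues.append("runs as root")
    if "ALL" not in s["cap_drop"]:
        issues.append("does not drop all capabilities")
    if not s["no_new_privileges"]:
        issues.append("no-new-privileges not set")
    if s["seccomp"] == "unconfined":
        issues.append("seccomp disabled")
    if s["memory_mib"] == 0:
        issues.append("no memory limit")
    if s["pids_limit"] <= 0:
        issues.append("no PID limit")
    if not s["healthcheck"]:
        issues.append("no healthcheck")
    return issues


def compare(inspect_json):
    """Parse a `docker inspect` array (str or list) into {name: (summary, issues)}."""
    records = json.loads(inspect_json) if isinstance(inspect_json, str) else inspect_json
    result = {}
    for rec in records:
        s = summarize(rec)
        result[s["name"]] = (s, findings(s))
    return result


def render(result):
    """Plain-text table, one column per profile, followed by per-profile findings."""
    fields = ["user", "cap_drop", "cap_add", "no_new_privileges", "seccomp",
              "memory_mib", "cpus", "pids_limit", "restart", "healthcheck"]
    names = list(result)
    lines = ["setting".ljust(18) + "".join(n.ljust(18) for n in names)]
    for f in fields:
        row = f.ljust(18)
        for n in names:
            v = result[n][0][f]
            row += (",".join(v) if isinstance(v, list) else str(v)).ljust(18)
        lines.append(row)
    for n in names:
        lines.append(f"{n}: " + ("; ".join(result[n][1]) or "no findings"))
    return "\n".join(lines)


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    print(render(compare(raw)))
```

The fields are read from `HostConfig` and `Config` exactly as `docker inspect` names them, so the script works on real output once the three containers are running; values of 0 or null for Memory, NanoCpus and PidsLimit are treated as "no limit", which is what the daemon reports when the corresponding flag was not passed.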
