@jonasbg
Last active May 7, 2025 09:41
DevSecOps instructions
# πŸ› οΈ INSTRUCTION.md – DevSecOps Container Tooling
This file documents each Docker container used in the DevSecOps workshop. Every tool runs in a container, scans the mounted source code, and outputs results locally. Most containers operate **entirely offline** once the image is pulled and databases (if applicable) are cached.
---
## 🧰 1. Environment Setup – Clone Target Project
### 1.1 Instruction (this) document
Copy `curl` into a folder on your local `$PATH`:
```bash
chmod a+x /usr/bin/curl
cp /usr/bin/curl /usr/local/bin/curl
```
Download instructions:
```bash
curl https://gist.githubusercontent.com/jonasbg/0816177c5788a5f32e5dfb72b341131a/raw/42f18ab137129161a513bd671cc806af7277241a/gistfile1.txt -o instructions.md
```
### 1.2 Download sample project
```bash
docker run --network host --rm -v $(pwd):/src -w /src alpine/git clone https://github.com/jonasbg/linux-webterminal.git
```
**Purpose:**
Initial step to clone a sample project (the Linux web terminal) into your local environment for scanning. This sets up a working directory at `./linux-webterminal`.
**Note:** This container is for setup only and not a discussion point.
---
## πŸ” 2. Dynamic Application Testing (DAST) – OWASP ZAP Baseline Scan
```bash
docker run --rm --network host ghcr.io/zaproxy/zaproxy zap-baseline.py -t https://shell.nhn.one
```
**Use Case:**
ZAP scans a **running web app** (at `https://shell.nhn.one`) for common vulnerabilities such as missing headers, XSS, insecure cookies, etc. This **baseline scan** performs a safe passive test, suitable for CI/CD environments.
### 💬 Group Discussion:
1. What kind of security vulnerabilities can only be detected at runtime (e.g., DAST vs. SAST)?
2. How could we integrate ZAP into our pipeline to test a staging deployment automatically?
3. What risks might we face by skipping runtime testing of applications?
---
## 🧪 3. Static Code Analysis – Semgrep
```bash
docker run -it --network host -v "${PWD}:/src" semgrep/semgrep semgrep scan --config auto
```
**Use Case:**
Semgrep scans source code for **insecure coding patterns** using pre-defined rules. It supports multiple languages (JavaScript, Go, Python, etc.) and is useful for **early detection** of issues like SQL injection, XSS, or hardcoded secrets.
### 💬 Group Discussion:
1. What are the trade-offs between using Semgrep's `--config auto` and custom rules?
2. How can SAST tools like Semgrep improve security **without slowing down** developers?
3. What types of findings should cause a CI build to fail?
---
## 🐍 4. Static Code Analysis for Python – Bandit
```bash
docker run --rm -v "$PWD":/src -w /src cytopia/bandit -r .
```
**Use Case:**
Bandit analyzes **Python source code** to detect common security issues like use of insecure functions (`eval`, `exec`), hardcoded passwords, or dangerous imports (e.g., `pickle`, `subprocess`).
### 💬 Group Discussion:
1. Why is it important to analyze Python code statically even before testing?
2. How can teams tune Bandit's configuration to reduce false positives?
3. How does Bandit help enforce secure coding practices in Python?
---
## 🔒 5. Go Static Analysis – Gosec
```bash
docker run --rm -v "$PWD":/src -w /src securego/gosec ./...
```
**Use Case:**
Gosec analyzes **Go source code** for common security issues like command injection, use of weak crypto, and hardcoded secrets. It walks the abstract syntax tree (AST) for deeper analysis.
### 💬 Group Discussion:
1. What specific Go language features make static analysis important for security?
2. How can teams prioritize Gosec findings based on risk level?
3. What strategies can reduce false positives in static analysis tools?
---
## 📦 6. Filesystem & Dependency Vulnerability Scanning – Trivy
```bash
docker run --rm --network host -v "$PWD":/app -w /app aquasec/trivy fs .
```
**Use Case:**
Trivy scans the **filesystem** (project directory) for vulnerable libraries, OS packages, secrets, and misconfigurations. This is useful for applications written in multiple languages.
### 💬 Group Discussion:
1. When should Trivy be used in the pipeline – pre-build, post-build, or both?
2. How does Trivy differ from traditional package managers' audit tools (e.g., `npm audit`)?
3. How can teams ensure Trivy’s vulnerability database stays updated in an **offline** environment?
---
## 📄 7. Dockerfile Best Practices – Hadolint
```bash
docker run --rm -i hadolint/hadolint < Dockerfile
```
**Use Case:**
Hadolint checks your **Dockerfile** for best practices and security anti-patterns (e.g., using `latest` tags, running as root, missing `HEALTHCHECK`).
### 💬 Group Discussion:
1. What Dockerfile practices can lead to security issues in containers?
2. How can we make linting Dockerfiles a **routine** part of code reviews?
3. Should Dockerfile security checks fail the build or only warn?
---
## 🧬 8. Dependency Vulnerability Analysis – OWASP Dependency-Check
```bash
docker run --rm -v "${PWD}:/src" owasp/dependency-check:latest \
  --project "SampleApp" --scan /src --format "JSON" --out /src/dc_report.json
```
**Use Case:**
Scans declared dependencies (e.g., `pom.xml`, `package.json`, `requirements.txt`) against the **NVD CVE database** to identify known vulnerabilities.
### 💬 Group Discussion:
1. How does scanning declared dependencies differ from scanning the final build?
2. What challenges arise from managing vulnerability database updates offline?
3. How can teams decide when to **block a build** due to a dependency vulnerability?
---
## πŸ› οΈ 9. Supply Chain Vulnerability Scanning – OSV-Scanner
```bash
docker run -it --network host -v "${PWD}:/src" ghcr.io/google/osv-scanner --format json -r /src
```
**Use Case:**
OSV-Scanner (by Google) checks your project’s dependencies against the **Open Source Vulnerabilities (OSV)** database. It supports multiple ecosystems (npm, pip, Go, Maven, etc.) and is particularly useful for **open source projects**.
### 💬 Group Discussion:
1. How can OSV-Scanner complement tools like Dependency-Check?
2. How often should vulnerability scanning occur – per commit, nightly, or release only?
3. How can we handle vulnerabilities in dependencies **we can’t easily upgrade**?
---
✅ **Tips for All Tools:**
- Ensure the project files are in the working directory before running the scans.
- Most tools support additional flags like `--exit-code` or `--severity` to fine-tune behavior.
- Use `--output` or `--format` to generate machine-readable reports (JSON, SARIF) for dashboards or aggregators.
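As an added illustration of the "when to block a build" question from the Dependency-Check and OSV-Scanner sections and of the machine-readable-report tip above (example code, not part of the workshop or of either tool): a small gate that merges the two JSON reports and exits non-zero when any finding at or above a severity threshold is not on a risk-accepted allowlist. The sample reports are constructed and carry placeholder ids; the field paths (`dependencies[].vulnerabilities[].severity` for Dependency-Check, `results[].packages[].vulnerabilities[].database_specific.severity` for OSV-Scanner) are assumptions about the tools' output and should be checked against a real report.

```python
import json

# Constructed sample reports (not real scanner output), shaped like the JSON
# that Dependency-Check (--format JSON) and OSV-Scanner (--format json) emit;
# only the fields the gate reads are present, and the ids are placeholders.
DC_REPORT = json.dumps({"dependencies": [
    {"fileName": "lodash-4.17.15.tgz", "vulnerabilities": [
        {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL"},
        {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM"}]},
    {"fileName": "express-4.18.2.tgz"}]})
OSV_REPORT = json.dumps({"results": [{"source": {"path": "/src/go.mod"},
    "packages": [{"package": {"name": "golang.org/x/net", "ecosystem": "Go"},
        "vulnerabilities": [{"id": "GO-EXAMPLE-0003",
                             "database_specific": {"severity": "HIGH"}}]}]}]})

RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}  # unknown severity -> 0

def dependency_check_findings(report_json):
    """Yield (package, id, severity) from a Dependency-Check JSON report (assumed layout)."""
    for dep in json.loads(report_json).get("dependencies", []):
        for v in dep.get("vulnerabilities", []):
            yield dep["fileName"], v["name"], v.get("severity", "UNKNOWN").upper()

def osv_findings(report_json):
    """Yield (package, id, severity) from an OSV-Scanner JSON report (assumed layout)."""
    for result in json.loads(report_json).get("results", []):
        for pkg in result.get("packages", []):
            for v in pkg.get("vulnerabilities", []):
                sev = v.get("database_specific", {}).get("severity", "UNKNOWN")
                yield pkg["package"]["name"], v["id"], sev.upper()

def gate(findings, threshold="HIGH", allowlist=()):
    """Return (blocked, blocking_findings): a finding blocks the build when its
    severity is at or above the threshold and its id is not risk-accepted."""
    limit = RANK[threshold]
    blocking = [f for f in findings
                if RANK.get(f[2], 0) >= limit and f[1] not in allowlist]
    return bool(blocking), blocking

def run_gate(dc_json, osv_json, threshold="HIGH", allowlist=()):
    """Merge both reports, apply one policy, and return the CI exit code (1 = fail)."""
    findings = list(dependency_check_findings(dc_json)) + list(osv_findings(osv_json))
    blocked, hits = gate(findings, threshold, allowlist)
    for pkg, vid, sev in hits:
        print(f"BLOCK {sev:<8} {vid} in {pkg}")
    return 1 if blocked else 0

if __name__ == "__main__":
    raise SystemExit(run_gate(DC_REPORT, OSV_REPORT))
```

Findings with an unrecognised severity rank as 0 and pass through; a stricter policy would treat "UNKNOWN" as blocking until triaged.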