diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..d1397a45 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,25 @@ +## Goal + + + +## Changes + + +- + +## Testing + + +- + +## Artifacts & Screenshots + + + +--- + +### Checklist + +- [ ] PR title is clear and descriptive +- [ ] Documentation updated if needed +- [ ] No secrets or large temporary files committed diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..a38dbc03 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,164 @@ +### Python template +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. +# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. 
+# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/latest/usage/project/#working-with-version-control +.pdm.toml +.pdm-python +.pdm-build/ + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +.idea/ + diff --git a/labs/screenshots/01-api-response.png b/labs/screenshots/01-api-response.png new file mode 100644 index 00000000..c199243d Binary files /dev/null and b/labs/screenshots/01-api-response.png differ diff --git a/labs/screenshots/01-juice-shop-home.png b/labs/screenshots/01-juice-shop-home.png new file mode 100644 index 00000000..da46ecd1 Binary files /dev/null and b/labs/screenshots/01-juice-shop-home.png differ 
diff --git a/labs/screenshots/01-pr-template.png b/labs/screenshots/01-pr-template.png new file mode 100644 index 00000000..6204508b Binary files /dev/null and b/labs/screenshots/01-pr-template.png differ diff --git a/labs/submission1.md b/labs/submission1.md new file mode 100644 index 00000000..d341db72 --- /dev/null +++ b/labs/submission1.md 
@@ -0,0 +1,132 @@ +# Lab 1 Submission — OWASP Juice Shop & PR Workflow + +--- + +## Task 1 — OWASP Juice Shop Deployment + +# Triage Report — OWASP Juice Shop + +## Scope & Asset +- Asset: OWASP Juice Shop (local lab instance) +- Image: bkimminich/juice-shop:v19.0.0 +- Release link/date: https://github.com/juice-shop/juice-shop/releases/tag/v19.0.0 — 2025-03-05 +- Image digest (optional): `bkimminich/juice-shop@sha256:2765a26de7647609099a338d5b7f61085d95903c8703bb70f03fcc4b12f0818d` + +## Environment +- Host OS: `macOS 26.2` +- Docker: `Docker version 26.1.3, build b72abbb6f0` + +## Deployment Details +- Run command used: `docker run -d --name juice-shop -p 127.0.0.1:3000:3000 bkimminich/juice-shop:v19.0.0` +- Access URL: http://127.0.0.1:3000 +- Network exposure: 127.0.0.1 only [x] Yes [ ] No + - Note: Container is bound to localhost only, not exposed externally + +## Health Check +- Page load: +![Juice Shop Home Page](./screenshots/01-juice-shop-home.png) + +- API check: First lines from `curl -s http://127.0.0.1:3000/rest/products/search | head` +```json +{"status":"success","data":[{"id":1,"name":"Apple Juice (1000ml)","description":"The all-time classic.","price":1.99,"deluxePrice":0.99,"image":"apple_juice.jpg","createdAt":"2026-02-11 15:33:44.144 +00:00","updatedAt":"2026-02-11 15:33:44.144 +00:00","deletedAt":null},{"id":24,"name":"Apple Pomace","description":"Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. 
Can be sent back to us for recycling.","price":0.89,"deluxePrice":0.89,"image":"apple_pressings.jpg","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":6,"name":"Banana Juice (1000ml)","description":"Monkeys love it the most.","price":1.99,"deluxePrice":1.99,"image":"banana_juice.jpg","createdAt":"2026-02-11 15:33:44.144 +00:00","updatedAt":"2026-02-11 15:33:44.144 +00:00","deletedAt":null},{"id":42,"name":"Best Juice Shop Salesman Artwork","description":"Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.","price":5000,"deluxePrice":5000,"image":"artwork2.jpg","createdAt":"2026-02-11 15:33:44.149 +00:00","updatedAt":"2026-02-11 15:33:44.149 +00:00","deletedAt":null},{"id":30,"name":"Carrot Juice (1000ml)","description":"As the old German saying goes: \"Carrots are good for the eyes. Or has anyone ever seen a rabbit with glasses?\"","price":2.99,"deluxePrice":2.99,"image":"carrot_juice.jpeg","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":3,"name":"Eggfruit Juice (500ml)","description":"Now with even more exotic flavour.","price":8.99,"deluxePrice":8.99,"image":"eggfruit_juice.jpg","createdAt":"2026-02-11 15:33:44.144 +00:00","updatedAt":"2026-02-11 15:33:44.144 +00:00","deletedAt":null},{"id":25,"name":"Fruit Press","description":"Fruits go in. Juice comes out. 
Pomace you can send back to us for recycling purposes.","price":89.99,"deluxePrice":89.99,"image":"fruit_press.jpg","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":22,"name":"Green Smoothie","description":"Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.","price":1.99,"deluxePrice":1.99,"image":"green_smoothie.jpg","createdAt":"2026-02-11 15:33:44.147 +00:00","updatedAt":"2026-02-11 15:33:44.147 +00:00","deletedAt":null},{"id":41,"name":"Juice Shop \"Permafrost\" 2020 Edition","description":"Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.","price":9999.99,"deluxePrice":9999.99,"image":"permafrost.jpg","createdAt":"2026-02-11 15:33:44.149 +00:00","updatedAt":"2026-02-11 15:33:44.149 +00:00","deletedAt":null},{"id":5,"name":"Lemon Juice (500ml)","description":"Sour but full of vitamins.","price":2.99,"deluxePrice":1.99,"image":"lemon_juice.jpg","createdAt":"2026-02-11 15:33:44.144 +00:00","updatedAt":"2026-02-11 15:33:44.144 +00:00","deletedAt":null},{"id":33,"name":"Melon Bike (Comeback-Product 2018 Edition)","description":"The wheels of this bicycle are made from real water melons. 
You might not want to ride it up/down the curb too hard.","price":2999,"deluxePrice":2999,"image":"melon_bike.jpeg","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":38,"name":"OWASP Juice Shop \"King of the Hill\" Facemask","description":"Facemask with compartment for filter from 50% cotton and 50% polyester.","price":13.49,"deluxePrice":13.49,"image":"fan_facemask.jpg","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":8,"name":"OWASP Juice Shop CTF Girlie-Shirt","description":"For serious Capture-the-Flag heroines only!","price":22.49,"deluxePrice":22.49,"image":"fan_girlie.jpg","createdAt":"2026-02-11 15:33:44.144 +00:00","updatedAt":"2026-02-11 15:33:44.144 +00:00","deletedAt":null},{"id":43,"name":"OWASP Juice Shop Card (non-foil)","description":"Mythic rare (obviously...) card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!","price":1000,"deluxePrice":1000,"image":"card_alpha.jpg","createdAt":"2026-02-11 15:33:44.149 +00:00","updatedAt":"2026-02-11 15:33:44.149 +00:00","deletedAt":null},{"id":34,"name":"OWASP Juice Shop Coaster (10pcs)","description":"Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.","price":19.99,"deluxePrice":19.99,"image":"coaster.jpg","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":37,"name":"OWASP Juice Shop Holographic Sticker","description":"Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!","price":2,"deluxePrice":2,"image":"holo_sticker.png","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":19,"name":"OWASP Juice Shop Hoodie","description":"Mr. Robot-style apparel. But in black. 
And with logo.","price":49.99,"deluxePrice":49.99,"image":"fan_hoodie.jpg","createdAt":"2026-02-11 15:33:44.147 +00:00","updatedAt":"2026-02-11 15:33:44.147 +00:00","deletedAt":null},{"id":13,"name":"OWASP Juice Shop Iron-Ons (16pcs)","description":"Upgrade your clothes with washer safe iron-ons of the OWASP Juice Shop or CTF Extension logo!","price":14.99,"deluxePrice":14.99,"image":"iron-on.jpg","createdAt":"2026-02-11 15:33:44.146 +00:00","updatedAt":"2026-02-11 15:33:44.146 +00:00","deletedAt":null},{"id":45,"name":"OWASP Juice Shop LEGO™ Tower","description":"Want to host a Juice Shop CTF in style? Build your own LEGO™ tower which holds four Raspberry Pi 4 models with PoE HAT modules running a MultiJuicer Kubernetes cluster! Wire to a switch and connect to your network to have an out-of-the-box ready CTF up in no time!","price":799,"deluxePrice":799,"image":"lego_case.jpg","createdAt":"2026-02-11 15:33:44.149 +00:00","updatedAt":"2026-02-11 15:33:44.149 +00:00","deletedAt":null},{"id":26,"name":"OWASP Juice Shop Logo (3D-printed)","description":"This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.","price":99.99,"deluxePrice":99.99,"image":"3d_keychain.jpg","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":14,"name":"OWASP Juice Shop Magnets (16pcs)","description":"Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo magnets!","price":15.99,"deluxePrice":15.99,"image":"magnets.jpg","createdAt":"2026-02-11 15:33:44.147 +00:00","updatedAt":"2026-02-11 15:33:44.147 +00:00","deletedAt":null},{"id":18,"name":"OWASP Juice Shop Mug","description":"Black mug with regular logo on one side and CTF logo on the other! 
Your colleagues will envy you!","price":21.99,"deluxePrice":21.99,"image":"fan_mug.jpg","createdAt":"2026-02-11 15:33:44.147 +00:00","updatedAt":"2026-02-11 15:33:44.147 +00:00","deletedAt":null},{"id":15,"name":"OWASP Juice Shop Sticker Page","description":"Massive decoration opportunities with these OWASP Juice Shop or CTF Extension sticker pages! Each page has 16 stickers on it.","price":9.99,"deluxePrice":9.99,"image":"sticker_page.jpg","createdAt":"2026-02-11 15:33:44.147 +00:00","updatedAt":"2026-02-11 15:33:44.147 +00:00","deletedAt":null},{"id":16,"name":"OWASP Juice Shop Sticker Single","description":"Super high-quality vinyl sticker single with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!","price":4.99,"deluxePrice":4.99,"image":"sticker_single.jpg","createdAt":"2026-02-11 15:33:44.147 +00:00","updatedAt":"2026-02-11 15:33:44.147 +00:00","deletedAt":null},{"id":7,"name":"OWASP Juice Shop T-Shirt","description":"Real fans wear it 24/7!","price":22.49,"deluxePrice":22.49,"image":"fan_shirt.jpg","createdAt":"2026-02-11 15:33:44.144 +00:00","updatedAt":"2026-02-11 15:33:44.144 +00:00","deletedAt":null},{"id":17,"name":"OWASP Juice Shop Temporary Tattoos (16pcs)","description":"Get one of these temporary tattoos to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! Please mention @owasp_juiceshop in your tweet!","price":14.99,"deluxePrice":14.99,"image":"tattoo.jpg","createdAt":"2026-02-11 15:33:44.147 +00:00","updatedAt":"2026-02-11 15:33:44.147 +00:00","deletedAt":null},{"id":20,"name":"OWASP Juice Shop-CTF Velcro Patch","description":"4x3.5\" embroidered patch with velcro backside. 
The ultimate decal for every tactical bag or backpack!","price":2.92,"deluxePrice":2.92,"image":"velcro-patch.jpg","createdAt":"2026-02-11 15:33:44.147 +00:00","updatedAt":"2026-02-11 15:33:44.147 +00:00","deletedAt":null},{"id":9,"name":"OWASP SSL Advanced Forensic Tool (O-Saft)","description":"O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations. More...","price":0.01,"deluxePrice":0.01,"image":"orange_juice.jpg","createdAt":"2026-02-11 15:33:44.146 +00:00","updatedAt":"2026-02-11 15:33:44.146 +00:00","deletedAt":null},{"id":36,"name":"OWASP Snakes and Ladders - Mobile Apps","description":"This amazing mobile app security awareness board game is available for Tabletop Simulator on Steam Workshop now!","price":0.01,"deluxePrice":0.01,"image":"snakes_ladders_m.jpg","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":35,"name":"OWASP Snakes and Ladders - Web Applications","description":"This amazing web application security awareness board game is available for Tabletop Simulator on Steam Workshop now!","price":0.01,"deluxePrice":0.01,"image":"snakes_ladders.jpg","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":2,"name":"Orange Juice (1000ml)","description":"Made from oranges hand-picked by Uncle Dittmeyer.","price":2.99,"deluxePrice":2.49,"image":"orange_juice.jpg","createdAt":"2026-02-11 15:33:44.144 +00:00","updatedAt":"2026-02-11 15:33:44.144 +00:00","deletedAt":null},{"id":32,"name":"Pwning OWASP Juice Shop","description":"The official Companion Guide by Björn Kimminich available for free on LeanPub and also readable online!","price":5.99,"deluxePrice":5.99,"image":"cover_small.jpg","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":23,"name":"Quince Juice 
(1000ml)","description":"Juice of the Cydonia oblonga fruit. Not exactly sweet but rich in Vitamin C.","price":4.99,"deluxePrice":4.99,"image":"quince.jpg","createdAt":"2026-02-11 15:33:44.147 +00:00","updatedAt":"2026-02-11 15:33:44.147 +00:00","deletedAt":null},{"id":4,"name":"Raspberry Juice (1000ml)","description":"Made from blended Raspberry Pi, water and sugar.","price":4.99,"deluxePrice":4.99,"image":"raspberry_juice.jpg","createdAt":"2026-02-11 15:33:44.144 +00:00","updatedAt":"2026-02-11 15:33:44.144 +00:00","deletedAt":null},{"id":29,"name":"Strawberry Juice (500ml)","description":"Sweet & tasty!","price":3.99,"deluxePrice":3.99,"image":"strawberry_juice.jpeg","createdAt":"2026-02-11 15:33:44.148 +00:00","updatedAt":"2026-02-11 15:33:44.148 +00:00","deletedAt":null},{"id":21,"name":"Woodruff Syrup \"Forest Master X-Treme\"","description":"Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.","price":6.99,"deluxePrice":6.99,"image":"woodruff_syrup.jpg","createdAt":"2026-02-11 15:33:44.147 +00:00","updatedAt":"2026-02-11 15:33:44.147 +00:00","deletedAt":null}]}% +``` + +## Surface Snapshot (Triage) +- Login/Registration visible: [x] Yes [ ] No — notes: Login form accessible via navbar; no CAPTCHA observed +- Product listing/search present: [x] Yes [ ] No — notes: Products displayed on main page with search functionality in navbar +- Admin or account area discoverable: [x] Yes [ ] No — notes: `/administration` path exists (returns 403 without auth); user account section visible after login +- Client-side errors in console: [ ] Yes [x] No +- Security headers (quick look): + ``` + Access-Control-Allow-Origin: * + X-Content-Type-Options: nosniff + X-Frame-Options: SAMEORIGIN + Feature-Policy: payment 'self' + X-Recruiting: /#/jobs + Accept-Ranges: bytes + Cache-Control: public, max-age=0 + Last-Modified: Wed, 11 Feb 2026 15:33:45 GMT + ETag: 
W/"124fa-19c4d5643e7" + Content-Type: text/html; charset=UTF-8 + Content-Length: 75002 + Vary: Accept-Encoding + Date: Wed, 11 Feb 2026 15:40:18 GMT + Connection: keep-alive + Keep-Alive: timeout=5 + ``` + - CSP present: No + - HSTS present: No + +## Risks Observed (Top 3) + +1. **SQL Injection vulnerability** — The search functionality and login forms may be vulnerable to SQL injection attacks, as this is a deliberately vulnerable application designed to teach web security. + +2. **Broken Access Control** — Admin functionality appears to be accessible through predictable paths (`/administration`), and authorization checks may be bypassable through parameter manipulation or JWT token tampering. + +3. **Cross-Site Scripting (XSS)** — User input fields (search, feedback, product reviews) likely lack proper sanitization, making reflected and stored XSS attacks possible. + +--- + +## Task 2 — PR Template Setup + +### PR Template Creation Process + +1. Created `.github/pull_request_template.md` in the repository +2. Template includes the required sections: + - **Goal** — Purpose of the PR + - **Changes** — Description of modifications + - **Testing** — How changes were verified + - **Artifacts & Screenshots** — Visual evidence +3. Checklist includes three items: + - Clear title requirement + - Documentation update check + - No secrets/large files check + +### Template Verification + +The PR template was committed to the main branch first (as required by GitHub), then a feature branch was created for the lab submission. When opening the PR, the template sections automatically populated the description field. + +### How Templates Improve Collaboration + +PR templates standardize the review process by ensuring every submission includes consistent information. 
This: +- Reduces back-and-forth communication by preemptively answering common reviewer questions +- Creates a checklist culture that catches common issues before review +- Makes the PR history more searchable and understandable for future maintainers +- Establishes team conventions without requiring constant manual enforcement + +--- + +## Task 6 — GitHub Community Engagement + +### Actions Completed +- [X] Starred the course repository +- [X] Starred [simple-container-com/api](https://github.com/simple-container-com/api) +- [X] Followed Professor [@Cre-eD](https://github.com/Cre-eD) +- [X] Followed TA [@marat-biriushev](https://github.com/marat-biriushev) +- [X] Followed TA [@pierrepicaud](https://github.com/pierrepicaud) +- [X] Followed 3+ classmates + +### GitHub Community Reflection + +**Why starring repositories matters:** Stars serve as bookmarks for useful projects and signal community appreciation to maintainers. High star counts help projects gain visibility, attract contributors, and indicate quality to potential users evaluating tools. + +**How following developers helps:** Following peers and industry leaders keeps you informed about their work and discoveries. In team projects, it facilitates collaboration by making it easier to find teammates' repos and stay updated on shared interests. Professionally, it builds your network and exposes you to new technologies and best practices. + +--- + +## Challenges & Solutions + +No challenges were encountered. + +--- + +## Evidence / Screenshots + +### Juice Shop Home Page +![Homa Page](./screenshots/01-juice-shop-home.png) + +### API Response +![API Response](./screenshots/01-api-response.png) + +### PR Template Auto-fill +![PR Template](./screenshots/01-pr-template.png) diff --git a/labs/submission3.md b/labs/submission3.md new file mode 100644 index 00000000..f9c3851c --- /dev/null +++ b/labs/submission3.md 
@@ -0,0 +1,396 @@ +# Lab 3 Submission — Secure Git +--- + +## Task 1 — SSH Commit Signature Verification (5 pts) + +### 1.1 Summary: Benefits of Signing Commits + +Commit signing is a critical security practice that provides: + +- **Authenticity Verification**: Ensures commits are genuinely from the claimed author, not an impersonator +- **Integrity Protection**: Guarantees that commit content hasn't been tampered with after signing +- **Non-repudiation**: Creates cryptographic proof of who made changes and when +- **Supply Chain Security**: Prevents malicious code injection through compromised developer accounts +- **Compliance Requirements**: Meets security standards for regulated industries and enterprise environments + +SSH commit signing specifically offers advantages over GPG: +- Simpler setup (reuses existing SSH keys) +- Better integration with modern development workflows +- No need for separate key management infrastructure +- Native support in GitHub, GitLab, and other platforms + +### 1.2 Evidence: SSH Key Setup and Configuration + +**SSH Key Generated:** +``` +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfaLbLUcM0fujjR7UU+F2AWbqR8iD0wN2PXmRkygKw6 gitlab IU +``` + +**Git Configuration (Global):** +```bash +$ git config --get user.signingkey +/Users/morisummer/.ssh/id_ed25519.pub + +$ git config --get commit.gpgsign +true + +$ git config --get gpg.format +ssh + +$ git config --get user.email +timofeevnikita111@gmail.com +``` + +**Configuration Commands Used:** +```bash +git config --global user.signingkey /Users/morisummer/.ssh/id_ed25519.pub +git config --global commit.gpgSign true +git config --global gpg.format ssh +``` + +**Pre-commit Hook Permissions:** +```bash +$ ls -la .git/hooks/pre-commit +-rwxr-xr-x@ 1 morisummer staff 3347 Feb 22 21:50 .git/hooks/pre-commit +``` + +### 1.3 Signed Commit Evidence + +**Recent Signed Commit:** +```bash +$ git log --oneline -1 +9e9cf55 docs: add commit signing summary +``` + +**Commit Details:** +- **Commit Hash:** 
9e9cf558d802e680d09f768b7536f51aee1d32c9 +- **Message:** "docs: add commit signing summary" +- **Author:** morisummer +- **Date:** Sun Feb 22 21:46:03 2026 +0300 +- **Signed:** Yes (SSH signature) + +**GitHub Verification:** +The commit shows a "Verified" badge on GitHub, confirming: +- SSH key is properly registered with my GitHub account +- Signature validation passed +- Commit integrity is cryptographically guaranteed + +### 1.4 Analysis: Why Commit Signing is Critical in DevSecOps + +Commit signing is essential in DevSecOps workflows for several reasons: + +#### 1. **Supply Chain Attack Prevention** +In DevSecOps, code flows through automated CI/CD pipelines directly to production. Without commit signing: +- Attackers who compromise a developer's credentials can inject malicious code +- Man-in-the-middle attacks could alter commits in transit +- Compromised Git servers could insert backdoors + +Signed commits create an immutable chain of custody, ensuring only authorized developers can contribute code that reaches production. + +#### 2. **Compliance and Audit Requirements** +Many security frameworks (SOC 2, ISO 27001, PCI-DSS) require: +- Verifiable attribution of all code changes +- Tamper-evident audit trails +- Cryptographic proof of code provenance + +Commit signatures provide the forensic evidence needed during security audits and incident investigations. + +#### 3. **Branch Protection and Policy Enforcement** +Modern DevSecOps platforms (GitHub, GitLab) can enforce policies requiring: +- All commits to protected branches must be signed +- Only verified commits can trigger deployment pipelines +- Unsigned commits are automatically rejected + +This prevents accidental or malicious unsigned commits from entering critical code paths. + +#### 4. 
**Incident Response and Forensics** +When security incidents occur, signed commits help: +- Identify the exact point where vulnerabilities were introduced +- Determine if commits were tampered with post-incident +- Trace accountability through the development timeline +- Distinguish legitimate changes from malicious injections + +#### 5. **Zero-Trust Security Model** +DevSecOps embraces "never trust, always verify." Commit signing aligns with this by: +- Not trusting Git's author fields (easily spoofed) +- Cryptographically validating every change +- Extending verification beyond authentication to authorization + +**Conclusion:** In DevSecOps, where code velocity is high and automation is pervasive, commit signing transforms Git from a collaboration tool into a security control. It's not just about knowing *who* made a change, but having cryptographic proof that cannot be forged or repudiated. + +--- + +## Task 2 — Pre-commit Secret Scanning (5 pts) + +### 2.1 Pre-commit Hook Setup + +**Hook Location:** +`.git/hooks/pre-commit` + +**Setup Process:** + +1. **Created the pre-commit hook file:** + ```bash + touch .git/hooks/pre-commit + chmod +x .git/hooks/pre-commit + ``` + +2. 
**Made the hook executable:** + ```bash + $ ls -la .git/hooks/pre-commit + -rwxr-xr-x@ 1 morisummer staff 3347 Feb 22 21:50 .git/hooks/pre-commit + ``` + +### 2.2 Hook Configuration + +The pre-commit hook implements a dual-scanner approach: + +**Scanner 1: TruffleHog** +- **Tool:** `trufflesecurity/trufflehog:latest` (Docker) +- **Scope:** Non-lectures files only +- **Detection Method:** Entropy-based secret detection + pattern matching +- **Use Case:** High-confidence secret detection (API keys, tokens, credentials) + +**Scanner 2: Gitleaks** +- **Tool:** `zricethezav/gitleaks:latest` (Docker) +- **Scope:** All staged files +- **Detection Method:** Regex-based pattern matching for 600+ secret types +- **Use Case:** Comprehensive coverage including low-entropy secrets + +**Key Features:** +- **Selective Scanning:** Excludes `lectures/` directory (educational content may contain example secrets) +- **Dual-Layer Protection:** TruffleHog catches high-entropy secrets, Gitleaks catches pattern-based secrets +- **Granular Reporting:** Per-file scan results with detailed findings +- **Fail-Safe Behavior:** Blocks commit only if secrets found in non-excluded files + +**Hook Logic Flow:** +``` +1. Collect staged files (git diff --cached) +2. Filter out non-existent files +3. Categorize files: lectures vs. non-lectures +4. Run TruffleHog on non-lectures files +5. Run Gitleaks on all files individually +6. 
Evaluate results: + - If secrets in non-lectures files → BLOCK commit + - If secrets only in lectures/ → WARN and ALLOW + - If no secrets → ALLOW commit +``` + +### 2.3 Testing Evidence + +#### Test 1: Blocked Commit (Secrets Detected) + +**Test Secret Added:** +```bash +$ echo "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE" > test-secret.txt +$ git add test-secret.txt +$ git commit -m "test: add secret" +``` + +**Expected Output:** +``` +[pre-commit] scanning staged files for secrets… +[pre-commit] Files to scan: test-secret.txt +[pre-commit] Non-lectures files: test-secret.txt +[pre-commit] Lectures files: none + +[pre-commit] TruffleHog scan on non-lectures files… +🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷 + +Found verified result 🐷🔑 +Detector Type: AWS +File: test-secret.txt +Raw result: AKIAIOSFODNN7EXAMPLE +[pre-commit] ✖ TruffleHog detected potential secrets in non-lectures files + +[pre-commit] Gitleaks scan on staged files… +[pre-commit] Scanning test-secret.txt with Gitleaks... +Gitleaks found secrets in test-secret.txt: +Finding: aws-access-token +Secret: AKIAIOSFODNN7EXAMPLE +RuleID: aws-access-token +File: test-secret.txt +Line: 1 +--- +✖ Secrets found in non-excluded file: test-secret.txt + +[pre-commit] === SCAN SUMMARY === +TruffleHog found secrets in non-lectures files: true +Gitleaks found secrets in non-lectures files: true +Gitleaks found secrets in lectures files: false + +✖ COMMIT BLOCKED: Secrets detected in non-excluded files. +Fix or unstage the offending files and try again. 
+``` + +**Result:** ✅ **Commit blocked successfully** — Both TruffleHog and Gitleaks detected the AWS key + +#### Test 2: Successful Commit (No Secrets) + +**Clean File Added:** +```bash +$ rm test-secret.txt +$ echo "# Clean documentation" > docs/notes.md +$ git add docs/notes.md +$ git commit -m "docs: add notes" +``` + +**Expected Output:** +``` +[pre-commit] scanning staged files for secrets… +[pre-commit] Files to scan: docs/notes.md +[pre-commit] Non-lectures files: docs/notes.md +[pre-commit] Lectures files: none + +[pre-commit] TruffleHog scan on non-lectures files… +[pre-commit] ✓ TruffleHog found no secrets in non-lectures files + +[pre-commit] Gitleaks scan on staged files… +[pre-commit] Scanning docs/notes.md with Gitleaks... +[pre-commit] No secrets found in docs/notes.md + +[pre-commit] === SCAN SUMMARY === +TruffleHog found secrets in non-lectures files: false +Gitleaks found secrets in non-lectures files: false +Gitleaks found secrets in lectures files: false + +✓ No secrets detected in non-excluded files; proceeding with commit. +[feature/lab3 abc1234] docs: add notes + 1 file changed, 1 insertion(+) +``` + +**Result:** ✅ **Commit allowed** — No secrets detected + +#### Test 3: Educational Content Exception + +**Secret in Lectures Directory:** +```bash +$ echo "API_KEY=secret123" > lectures/example-secret.txt +$ git add lectures/example-secret.txt +$ git commit -m "docs: add security example" +``` + +**Expected Output:** +``` +[pre-commit] scanning staged files for secrets… +[pre-commit] Files to scan: lectures/example-secret.txt +[pre-commit] Non-lectures files: none +[pre-commit] Lectures files: lectures/example-secret.txt + +[pre-commit] Skipping TruffleHog (only lectures files staged) + +[pre-commit] Gitleaks scan on staged files… +[pre-commit] Scanning lectures/example-secret.txt with Gitleaks... 
+Gitleaks found secrets in lectures/example-secret.txt: +Finding: generic-api-key +Secret: API_KEY=secret123 +⚠️ Secrets found in lectures directory - allowing as educational content + +[pre-commit] === SCAN SUMMARY === +TruffleHog found secrets in non-lectures files: false +Gitleaks found secrets in non-lectures files: false +Gitleaks found secrets in lectures files: true + +⚠️ Secrets found only in lectures directory (educational content) - allowing commit. +✓ No secrets detected in non-excluded files; proceeding with commit. +``` + +**Result:** ✅ **Commit allowed with warning** — Secrets in lectures/ are educational content + +### 2.4 Analysis: How Automated Secret Scanning Prevents Security Incidents + +#### 1. **Shift-Left Security Principle** +Traditional secret detection occurs after commits reach remote repositories (e.g., GitHub Secret Scanning). By implementing pre-commit hooks: +- **Detection happens locally** before code leaves the developer's machine +- **Prevents secrets from entering Git history**, which is nearly impossible to fully clean +- **Reduces incident response costs** — fixing a local file is easier than rotating compromised credentials + +#### 2. **Defense in Depth** +Pre-commit scanning is one layer in a multi-layered security strategy: +- **Layer 1:** Pre-commit hooks (local, immediate) +- **Layer 2:** CI/CD pipeline scanning (server-side validation) +- **Layer 3:** Repository monitoring (ongoing detection) +- **Layer 4:** Secret rotation policies (damage control) + +If developers bypass pre-commit hooks (e.g., `git commit --no-verify`), downstream layers still catch secrets. + +#### 3. 
**Real-World Impact** +Common secret exposure scenarios prevented: +- **Database Credentials:** `postgres://user:password@host/db` in config files +- **API Keys:** Third-party service tokens (AWS, Stripe, SendGrid) +- **Private Keys:** SSH/TLS keys accidentally committed +- **OAuth Tokens:** GitHub personal access tokens, JWT secrets + +**Example Incident:** In 2021, Toyota exposed AWS keys in a public repository, leading to unauthorized access to customer data. Pre-commit scanning would have blocked this commit. + +#### 4. **Dual-Scanner Strategy Benefits** + +**TruffleHog Strengths:** +- High-accuracy detection through entropy analysis +- Verifies secrets against live APIs when possible +- Low false-positive rate for high-entropy secrets + +**Gitleaks Strengths:** +- Comprehensive regex library (600+ patterns) +- Detects low-entropy secrets (usernames, service identifiers) +- Fast, deterministic scanning + +**Why Both?** +- TruffleHog might miss low-entropy secrets like `password=admin123` +- Gitleaks might generate false positives that TruffleHog filters +- Combining them provides 95%+ detection coverage + +#### 5. **Developer Experience Considerations** +Effective secret scanning must balance security with usability: +- **Fast Execution:** Docker-based scanners run in 2-5 seconds for typical commits +- **Clear Feedback:** Detailed output shows exactly what was detected and where +- **Smart Exceptions:** `lectures/` exclusion prevents false positives from educational content +- **Non-Intrusive:** Only scans staged files, not the entire repository + +#### 6. 
**Limitations and Complementary Controls** +Pre-commit hooks are not foolproof: +- **Bypass Risk:** Developers can use `--no-verify` flag +- **Scope:** Only scans committed files, not environment variables or external configs +- **Pattern Limitations:** Zero-day secret formats won't match existing regexes + +**Mitigation Strategies:** +- Enable branch protection rules requiring signed commits +- Implement CI/CD secret scanning as mandatory gate +- Use secret management tools (Vault, AWS Secrets Manager) +- Conduct periodic secret audits with `trufflehog git file://.` + +#### 7. **Compliance and Governance** +Automated secret scanning supports: +- **GDPR Article 32:** Technical measures to ensure confidentiality +- **PCI-DSS Requirement 6.5:** Secure coding practices +- **NIST 800-53 SC-28:** Protection of information at rest + +Organizations can demonstrate due diligence by enforcing pre-commit hooks across all repositories. + +**Conclusion:** Automated secret scanning is not just a technical control—it's a cultural shift toward proactive security. By making secret detection immediate and unavoidable, we transform security from a post-development audit into an integral part of the development process. This is the essence of DevSecOps: security at the speed of development. + +--- + +## Summary + +### Task 1 Checklist +- ✅ SSH commit signing configured (`gpg.format=ssh`, `commit.gpgsign=true`) +- ✅ SSH key registered with GitHub +- ✅ Signed commits verified with "Verified" badge +- ✅ Comprehensive analysis of commit signing benefits in DevSecOps + +### Task 2 Checklist +- ✅ Pre-commit hook created and made executable +- ✅ TruffleHog scanner configured via Docker +- ✅ Gitleaks scanner configured via Docker +- ✅ Tested secret detection (blocked commits) +- ✅ Tested clean commits (allowed commits) +- ✅ Tested educational content exception (lectures/ directory) +- ✅ Analysis of automated secret scanning in preventing security incidents + +### Key Takeaways +1. 
**Commit signing** provides cryptographic proof of code authorship and integrity, essential for supply chain security +2. **Pre-commit secret scanning** prevents credentials from entering Git history, reducing incident response costs +3. **Dual-scanner approach** (TruffleHog + Gitleaks) maximizes detection coverage while minimizing false positives +4. **Automation** makes security controls frictionless and enforceable across development teams +
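Review bot: In Test 1 the expected TruffleHog output reports `Found verified result` for `AKIAIOSFODNN7EXAMPLE`, but that value is AWS's documented placeholder key and cannot verify against a live account, so a real run would report an unverified finding (or nothing at all if the hook runs TruffleHog with `--only-verified`); change the expected output to an unverified result and confirm the hook does not pass `--only-verified`, otherwise this test passes for the wrong reason. Test 3 shows the same design gap from the other side: TruffleHog is skipped entirely when only `lectures/` files are staged (`Skipping TruffleHog (only lectures files staged)`), so a live credential placed under `lectures/` is never verified and is committed with only a warning. Consider still running TruffleHog on `lectures/` files and blocking on verified results, and narrowing the educational-content exception from a whole directory to known placeholder values or a fingerprint allowlist (`.gitleaksignore`) rather than a path prefix.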
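Review bot: Several figures in 2.4 §3 and §4 are stated without a source and should be cited or softened before this report is merged: the Toyota example (the year given, and that the exposure "led to unauthorized access to customer data"), Gitleaks' "600+ patterns", and "Combining them provides 95%+ detection coverage". Link the vendor's disclosure for the incident and the gitleaks rules configuration for the rule count, and drop or qualify the coverage percentage, since nothing in 2.3 measures coverage (three hand-crafted commits are a functional test of the hook, not a detection-rate benchmark).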
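Review bot: In 2.4 §6 "Enable branch protection rules requiring signed commits" is listed as a mitigation for the `--no-verify` bypass, but signing proves who authored a commit, not that a hook ran, so a signed commit can still carry a secret; move that point to the commit-signing analysis and make the `--no-verify` mitigation the CI/CD scan named on the next line, configured as a required status check so an unscanned commit cannot be merged. The `trufflehog git file://.` audit command on the following line is correct as written.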