diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..e1aa7d43
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,23 @@
+## Goal
+
+<!-- The purpose of this pull request -->
+
+## Changes
+
+<!-- The main changes introduced by this PR -->
+
+## Testing
+
+<!-- How the changes were tested (commands, scenarios, checks) -->
+
+## Artifacts & Screenshots
+
+<!-- Links to reports, screenshots, logs, or other supporting artifacts -->
+
+---
+
+### Checklist
+
+- [ ] PR title is clear and descriptive
+- [ ] Documentation updated if needed
+- [ ] No secrets, temporary files, or large binaries included
diff --git a/labs/img/juice-home.jpg b/labs/img/juice-home.jpg
new file mode 100644
index 00000000..caf9f30f
Binary files /dev/null and b/labs/img/juice-home.jpg differ
diff --git a/labs/img/lab3-secret-blocked.png b/labs/img/lab3-secret-blocked.png
new file mode 100644
index 00000000..b68fccc0
Binary files /dev/null and b/labs/img/lab3-secret-blocked.png differ
diff --git a/labs/img/lab3-verified.png b/labs/img/lab3-verified.png
new file mode 100644
index 00000000..2e99be2d
Binary files /dev/null and b/labs/img/lab3-verified.png differ
diff --git a/labs/submission1.md b/labs/submission1.md
new file mode 100644
index 00000000..d65295db
--- /dev/null
+++ b/labs/submission1.md
@@ -0,0 +1,183 @@
+# Lab 1 — OWASP Juice Shop & PR Workflow
+
+## Task 1 — Triage Report — OWASP Juice Shop
+
+# Triage Report — OWASP Juice Shop
+
+## Scope & Asset
+- Asset: OWASP Juice Shop (local lab instance)
+- Image: bkimminich/juice-shop:v19.0.0
+- Release link/date: https://github.com/juice-shop/juice-shop/releases/tag/v19.0.0 — September 2024
+- Image digest (optional): *(not collected)*
+
+---
+
+## Environment
+- Host OS: Ubuntu Linux (VirtualBox VM, user: vboxuser, host: amirLinux)
+- Docker version: 28.2.2
+
+---
+
+## Deployment Details
+
+Run command used:
+
+```bash
+docker run -d --name juice-shop \
+  -p 127.0.0.1:3000:3000 \
+  bkimminich/juice-shop:v19.0.0
+```
+
+Access URL: http://127.0.0.1:3000
+
+Network exposure: 127.0.0.1 only — [x] Yes [ ] No
+
+Because the container port is bound explicitly to localhost
+
+## Health Check
+
+1. UI Check
+
+Navigated to http://127.0.0.1:3000
+
+The OWASP Juice Shop UI loaded successfully
+
+Screenshot: labs/img/juice-home.jpg
+
+2. API Check
+
+Command executed:  
+```bash
+curl -s http://127.0.0.1:3000/rest/products | head
+```
+
+Output:  
+```html
+<html>
+  <head>
+    <meta charset='utf-8'>
+    <title>Error: Unexpected path: /rest/products</title>
+  </head>
+  <body>
+    ...
+  </body>
+</html>
+```
+
+This confirms that:
+
+the backend is reachable,
+
+the request hits the application,
+
+but this specific version/route returns a generic error handler page — acceptable for triage documentation
+
+
+## Surface Snapshot (Triage)
+
+Login/Registration visible:  Yes
+Notes: Login and Register shown in the top menu.
+
+Product listing/search present:  Yes
+Notes: Main page includes product cards + search bar.
+
+Admin/account area discoverable: Yes
+Notes: Account menu and admin panel options visible in UI.
+
+Client-side console errors: No
+Notes: No JS errors in browser DevTools.
+
+Security headers (quick look):  
+```bash 
+curl -I http://127.0.0.1:3000
+```
+
+Notes:
+Headers are minimal and lack CSP/HSTS/X-Frame-Options.
+Expected for a deliberately insecure training application, but would be a serious issue in production
+
+## Risks Observed (Top 3)
+
+1. Verbose stack traces exposed to users.
+/rest/products returns HTML containing internal error messages and detailed stack traces — dangerous information disclosure in real environments.
+
+2. Application could be accidentally exposed publicly.
+If binded to 0.0.0.0 or deployed to a VPS, attackers could exploit Juice Shop’s intentional vulnerabilities.
+
+3. Large attack surface (auth, search, basket, admin).
+Many user input points → higher risk of XSS, SQLi, IDOR, and broken authentication if this were a real e-commerce system
+
+## Task 2 - PR Template Setup & Verification
+
+PR Template Creation
+
+A pull request template was added at:  
+```bash
+.github/pull_request_template.md
+```
+
+Template includes:
+
+Sections: Goal, Changes, Testing, Artifacts & Screenshots
+
+Checklist:
+
+ PR title is clear and descriptive
+
+ Documentation updated if needed
+
+ No secrets, temporary files, or large binaries included
+
+This ensures consistent structure and quality across all lab submissions 
+
+Template Application Verification
+
+Steps performed:
+
+1. Created a new branch:  
+```bash
+git checkout -b feature/lab1
+```
+
+2. Added the submission file and screenshot:  
+```bash
+git add labs/submission1.md labs/img/juice-home.png
+git commit -m "docs(lab1): add submission1 report"
+git push -u origin feature/lab1
+```
+
+3. Opened a pull request inside my fork (feature/lab1 → main)
+
+4. GitHub automatically applied the PR template:
+
+* Goal
+
+* Changes
+
+* Testing
+
+* Artifacts & Screenshots
+
+* 3-step Checklist
+
+5. Filled in the template with deployment/testing details 
+
+How Templates Improve Collaboration
+
+Ensures every PR has a clear purpose and structure
+
+Reduces review time for instructors
+
+Prevents mistakes (missing docs, secrets, temp files)
+
+Standardizes workflow for all future labs
+
+
+## Challenges & Solutions
+
+API endpoint returned HTML instead of JSON.
+Resolved by analyzing server logs, confirming the backend is up,
+and documenting the behaviour properly in the triage report.
+
+PR template not loading at first.
+Fixed by committing the template on the main branch of my fork — required by GitHub
diff --git a/labs/submission3.md b/labs/submission3.md
new file mode 100644
index 00000000..1d5a1da6
--- /dev/null
+++ b/labs/submission3.md
@@ -0,0 +1,150 @@
+# Lab 3 — Secure Git
+
+## Task 1 — SSH Commit Signing
+
+### Benefits of Commit Signing
+
+- Ensures each commit can be traced back to a verified developer identity.
+- Protects against tampering and spoofed commits in shared repositories.
+- Enables CI/CD and code review systems to enforce policies on trusted changes only.
+
+### Setup Steps Performed
+
+1. Generated / reused SSH key:
+
+```bash
+ssh-keygen -t ed25519 -C "a.fayzullin@innopolis.university"
+```
+
+2. Added the public key as an SSH signing key in GitHub (Settings → SSH and GPG keys → New SSH key → Type: Signing key).
+
+3. Configured Git to use SSH for signing:
+
+```bash
+git config --global gpg.format ssh
+git config --global user.signingkey ~/.ssh/id_ed25519
+git config --global commit.gpgSign true
+git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
+```
+
+4. Added my signing key to ~/.ssh/allowed_signers:
+
+```bash 
+echo "$(git config user.email) $(cat ~/.ssh/id_ed25519.pub)" > ~/.ssh/allowed_signers
+```
+
+5. Used ssh-agent to load the key:
+
+```bash
+eval "$(ssh-agent -s)"
+ssh-add ~/.ssh/id_ed25519
+```
+
+6. Created signed commits, for example:
+
+```bash
+git commit -S -m "docs(lab3): add submission3 draft"
+```
+
+### Evidence
+
+Local verification:
+
+```bash
+git log --show-signature -1
+```
+
+commit 73c2142f65d4a6ebfb7bed847bc80a51b0225483 (HEAD -> feature/lab3)
+Good "git" signature for a.fayzullin@innopolis.university
+
+### Why Commit Signing Is Critical in DevSecOps
+
+Commit signing is crucial in DevSecOps because it binds changes in the repository to a verified identity. This prevents attackers or compromised accounts from silently introducing malicious code, backdoors, or configuration changes. Signed commits enable automated pipelines and reviewers to trust the provenance of changes and to enforce policies such as “only signed commits from trusted keys are allowed into protected branches”
+
+
+## Task 2 — Pre-commit Secret Scanning
+
+### Hook Setup
+
+A local Git pre-commit hook was created at:
+
+.git/hooks/pre-commit
+
+The hook:
+
+* Collects staged files.
+
+* Runs TruffleHog (Docker) on non-lectures/ files.
+
+* Runs Gitleaks (Docker) on all staged files.
+
+* Blocks commits if secrets are detected in non-excluded files.
+
+The hook was made executable:
+
+```bash
+chmod +x .git/hooks/pre-commit
+```
+
+### Blocked Commit (Secrets Detected)
+
+A test AWS secret was added to:
+
+labs/lab3/fake-secret.txt
+
+When attempting to commit:
+
+```bash
+git commit -S -m "test: add fake secret"
+```
+
+The hook detected a secret and blocked the commit.
+
+Example output:
+
+[pre-commit] scanning staged files for secrets…
+[pre-commit] TruffleHog scan on non-lectures files…
+✖ TruffleHog detected potential secrets in non-lectures files
+✖ COMMIT BLOCKED: Secrets detected in non-excluded files.
+Fix or unstage the offending files and try again.
+
+This demonstrates that the hook prevents sensitive data from entering the repository history.
+
+(Optional screenshot path: labs/img/lab3-secret-blocked.png)
+
+### Successful Commit (No Secrets)
+
+After removing the test secret file:
+
+```bash
+git reset HEAD labs/lab3/fake-secret.txt
+rm labs/lab3/fake-secret.txt
+```
+
+A new commit was attempted:
+
+```bash
+git add labs/submission3.md
+git commit -S -m "docs(lab3): finalize secret scanning task"
+```
+
+The hook scanned the files and allowed the commit:
+
+✓ No secrets detected in non-excluded files; proceeding with commit.
+
+### Why Automated Secret Scanning Matters
+
+Automated pre-commit scanning shifts security left into the developer workflow.
+It prevents accidental leaks of:
+
+* API keys
+
+* Cloud credentials
+
+* JWT secrets
+
+Database passwords
+
+By blocking commits locally, secrets never reach remote repositories or commit history, significantly reducing the risk of credential exposure and incident response costs.
+
+This aligns with DevSecOps principles by integrating security controls directly into the development lifecycle.
