Feature/lab3 #435

Open

TheBugYouCantFix wants to merge 2 commits into inno-devops-labs:main from TheBugYouCantFix:feature/lab3

Conversation

@TheBugYouCantFix TheBugYouCantFix commented Feb 23, 2026

Pull Request

Goal

Implement Lab 2 and Lab 3 DevSecOps practices: threat modeling with Threagile, HTTPS/encryption hardening, SSH commit signing, and local pre-commit secret scanning with TruffleHog and Gitleaks.

Changes

  • Added labs/submission2.md and labs/lab2/PR_REPORT.md documenting Lab 2 threat modeling:
    • Baseline and secure Threagile models and outputs
    • Top 5 risks with composite scoring
    • Risk category delta table (baseline vs secure)
    • Analysis of the impact of HTTPS and encryption controls
  • Added labs/submission3.md documenting Lab 3 secure Git setup:
    • SSH signing key github-devsecops generation and configuration steps
    • Explanation of commit signing benefits and DevSecOps relevance
    • Pre-commit hook design and testing plan for TruffleHog + Gitleaks
  • Installed .git/hooks/pre-commit to:
    • Run TruffleHog on non-lectures/* staged files via Docker
    • Run Gitleaks on all staged files via Docker
    • Block commits when secrets are found in non-lectures files and allow (with warning) for lectures/*

Additional lab checklist (per instructions):

  • Task 1 done — SSH commit signing setup
  • Task 2 done — Pre-commit secrets scanning setup

Testing

  • Ran Threagile Docker commands for both baseline and secure models and verified:
    • report.pdf, diagrams, and JSON exports were generated in labs/lab2/baseline/ and labs/lab2/secure/
  • Exercised the pre-commit hook by staging files and observing:
    • TruffleHog and Gitleaks containers start and scan staged files
    • Hook output summarizes which files were scanned and whether secrets were found
  • (To be done on GitHub UI) Verified at least one commit on this branch shows the “Verified” badge using the github-devsecops SSH signing key.

Artifacts

  • Threat modeling artifacts:
    • labs/lab2/baseline/{report.pdf,data-flow-diagram.png,data-asset-diagram.png,risks.json,stats.json,technical-assets.json}
    • labs/lab2/secure/{report.pdf,data-flow-diagram.png,data-asset-diagram.png,risks.json,stats.json,technical-assets.json}
  • Documentation:
    • labs/submission2.md — full Lab 2 write-up
    • labs/lab2/PR_REPORT.md — PR-style summary for Lab 2
    • labs/submission3.md — full Lab 3 secure Git write-up
  • (Optional to attach in PR):
    • Screenshot of GitHub commit showing Verified (SSH-signed)
    • Terminal output showing pre-commit hook blocking a test secret and allowing a clean commit

Checklist

  • Clear, descriptive PR title
  • Documentation updated if needed
  • No secrets or large temporary files committed
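The hook policy described in this PR (TruffleHog on non-lectures staged files, Gitleaks on all staged files, block on findings outside `lectures/`, warn only inside it) can be written as a small POSIX shell script. The block below is an added example, not the hook from this branch, and it makes several assumptions: Docker is installed and the `trufflesecurity/trufflehog` and `zricethezav/gitleaks` images are used; the scanner flags (`trufflehog filesystem --fail`, `gitleaks detect --source --no-git`) follow the tools' documentation and may differ by version; and the staged content is exported with `git checkout-index` so the scanners see what will actually be committed rather than the working tree.

```shell
#!/bin/sh
# Added example of the pre-commit policy described in the PR; not the PR's own hook.
# Assumptions: Docker available; images trufflesecurity/trufflehog and
# zricethezav/gitleaks; scanner flags as documented at time of writing.
set -u

# Paths under lectures/ are "lectures" (warn only); everything else is "other" (block).
group_of() {
  case "$1" in
    lectures/*) echo lectures ;;
    *)          echo other ;;
  esac
}

# Filter newline-separated paths on stdin, keeping only those in group $1.
only_group() {
  while IFS= read -r f; do
    [ "$(group_of "$f")" = "$1" ] && printf '%s\n' "$f"
  done
  return 0
}

# Staged paths that will carry content (added, copied, modified, renamed).
staged_files() {
  git diff --cached --name-only --diff-filter=ACMR
}

# Export the *staged* version of each path on stdin under $1/, so the scanners
# see what is about to be committed, not whatever sits in the working tree.
export_staged() {
  while IFS= read -r f; do
    git checkout-index --prefix="$1/" -- "$f"
  done
}

# Scanner wrappers: exit 0 when clean, non-zero on findings (or scanner error).
# (Assumed flags: --fail makes TruffleHog exit non-zero on findings; gitleaks
# detect exits non-zero on leaks by default.)
scan_trufflehog() {
  docker run --rm -v "$1:/scan:ro" trufflesecurity/trufflehog:latest \
    filesystem /scan --fail
}
scan_gitleaks() {
  docker run --rm -v "$1:/scan:ro" zricethezav/gitleaks:latest \
    detect --source /scan --no-git
}

# Policy: $1 = scanners reporting findings in non-lectures files (blocks),
# $2 = scanners reporting findings under lectures/ (warns, commit allowed).
decide() {
  if [ "$1" -gt 0 ]; then
    echo "pre-commit: secrets detected in non-lectures files; commit blocked" >&2
    return 1
  fi
  if [ "$2" -gt 0 ]; then
    echo "pre-commit: WARNING: secret-like content under lectures/ (allowed)" >&2
  fi
  return 0
}

main() {
  files=$(staged_files)
  [ -n "$files" ] || return 0
  tmp=$(mktemp -d) || return 1
  trap 'rm -rf "$tmp"' EXIT
  printf '%s\n' "$files" | only_group other    | export_staged "$tmp/other"
  printf '%s\n' "$files" | only_group lectures | export_staged "$tmp/lectures"
  other_hits=0; lect_hits=0
  if [ -d "$tmp/other" ]; then
    # TruffleHog runs on non-lectures files only; Gitleaks runs on everything.
    scan_trufflehog "$tmp/other" || other_hits=$((other_hits + 1))
    scan_gitleaks   "$tmp/other" || other_hits=$((other_hits + 1))
  fi
  if [ -d "$tmp/lectures" ]; then
    scan_gitleaks "$tmp/lectures" || lect_hits=$((lect_hits + 1))
  fi
  decide "$other_hits" "$lect_hits"
}

# Git invokes the hook as .git/hooks/pre-commit; only then run main, so the
# functions above can also be sourced and checked on their own.
case "$0" in
  */pre-commit|pre-commit) main "$@" ;;
esac
```

Running Gitleaks separately on the `other/` and `lectures/` exports is what lets the hook attribute a finding to the right group without parsing scanner output; a single run over all staged files would only tell you that something was found, not whether it is blocking. Scanning the exported index copies rather than the working tree also closes the gap where a secret is staged but already removed from the checked-out file.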
