Himan10

Kyverno + AWS Notation: Enforcing Signed Container Images in EKS

Overview

This guide demonstrates how to enforce signed container image verification in an Amazon EKS cluster using:

Kyverno – Kubernetes policy engine
AWS Notation (kyverno-notation-aws) – signature verification
AWS Signer – image signing
IRSA (IAM Roles for Service Accounts) – secure AWS access

HOWTO

write plans/reviews/architecture for claude, below are the examples found on Github

Anti-Patterns to Avoid

Don't delete session.json without checking if session is active
Don't modify git state while an agent is running
Don't retry billing/quota errors (they're not retryable)
Don't ignore PentestError type - it indicates the error category
Don't make random changes hoping something works

Purpose

Generate Nuclei security templates from OpenAPI (Swagger) specifications using AI-assisted scripting.
Manual: @create_nuclei.
glob: *.yaml, *.yml, *.json, .yml, .yaml, .json

Always create a Changelog.md to keep track of changes made to the codebase.
Changelog.md should also include the changes made to Windsurf's workspace rules.

EXECUTION

CREATE or MODIFY Changelog.md.

Secure Code Review

Semgrep

Commands: (Only works in Linux or similar distributions)

Installation:
- Create a virtual environment: python3 -m venv “my_env”
- Activate the created virtual environment:
  - Windows: source “my_env”/Scripts/Activate
  - Linux: source “my_env”/bin/activate
  - Once activated, use “pip” to download the semgrep library: pip install semgrep
    Semgrep can also be installed directly without creating any virtual environment but it’s always recommended to have a virtual environment set-up in case things go wrong, you can switch back to your normal environment and work with it.

Missing functionalities in API (Jobs)

Jobs
1. Industry
2. Job Type
3. Salary
4. Qualification
5. Vacency position
6. Total applyed (we already have a number of applicants for this)
7. About the Job:

	id: REMOVE_TOKENS
	info:
	name: "Broken Authentication by removing auth token"
	description: "API doesn't validate the authenticity of token. Attacker can remove the auth token and access the endpoint."
	details: >
	"The endpoint appears to be vulnerable to broken authentication attack. The original request was replayed by removing victim's <b>auth</b> token. The server responded with 2XX success codes.<br>"
	"<b>Background:</b> Authentication is the process of attempting to verify the digital identity of the sender of a communication. Testing the authentication schema means understanding how the authentication process works and using that information to
	circumvent the authentication mechanism. While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. Negligence, ignorance, or simple
	understatement of security threats often result in authentication schemes that can be bypassed

	<?xml version="1.0" encoding="UTF-8"?>
	<opml version="1.0">
	<head>
	<title>Engineering Blogs</title>
	</head>
	<body>
	<outline text="Engineering Blogs" title="Engineering Blogs">
	<outline type="rss" text="8th Light" title="8th Light" xmlUrl="https://8thlight.com/insights/feed/rss.xml" htmlUrl="https://8thlight.com/blog/"/>
	<outline type="rss" text="AdRoll" title="AdRoll" xmlUrl="http://tech.adroll.com/feed.xml" htmlUrl="http://tech.adroll.com/blog/"/>
	<outline type="rss" text="Advanced Web Machinery" title="Advanced Web Machinery" xmlUrl="https://advancedweb.hu/atom.xml" htmlUrl="https://advancedweb.hu/"/>

	class User(models.Model):
	"""
	Represents a user profile with related details.

	This class defines the attributes associated with a user profile.
	This class has two foreign keys that point to Job and Company table
	"""

	def media_upload_path(instance, filename):
	return f"user_{instance.user_id}/data/{filename}"

	2023-05-02T21:30:52+05:30 [Genymotion Player:159871] [debug] ==== STARTING PLAYER ====
	2023-05-02T21:30:52+05:30 [Genymotion Player:159871] [debug] Player version: "3.3.3" 20230301-8f94f87b97
	2023-05-02T21:30:52+05:30 [Genymotion Player:159871] [debug] args: ("/opt/genymotion/player", "--vm-name", "07706b39-b5d5-437a-aa36-a71663de9778")
	2023-05-02T21:30:52+05:30 [Genymotion Player:159871] [debug] "Local socket created at path: /tmp/dcd0d36bfe6c40ac5b8d66e9efb9b069"
	2023-05-02T21:30:52+05:30 [Genymotion Player:159871] [debug] No proxy set
	2023-05-02T21:30:52+05:30 [Genymotion Player:159871] [debug] Host date and time: "02 May 2023 21:30:52 +0530"
	2023-05-02T21:30:52+05:30 [Genymotion Player:159871] [debug] "Notifying launchpad of status change: 07706b39-b5d5-437a-aa36-a71663de9778 BOOTING"
	2023-05-02T21:30:52+05:30 [Genymotion Player:159871] [debug] Progress dialog is visible. devicePixelRatio: 1
	2023-05-02T21:30:52+05:30 [Genymotion Player:159871] [debug] Device is up to date
	2023-05-02T21:30:52+05:30 [Genymo

	Jan 04 20:03:42 blackHat systemd-coredump[16912]: [🡕] Process 16904 (wireshark) of user 1000 dumped core.

	Stack trace of thread 16904:
	#0 0x00007ff4c08ba64c n/a (libc.so.6 + 0x8864c)
	#1 0x00007ff4c086a958 raise (libc.so.6 + 0x38958)
	#2 0x00007ff4c085453d abort (libc.so.6 + 0x2253d)
	#3 0x00007ff4c1aea03c n/a (libwsutil.so.14 + 0xc03c)
	#4 0x00007ff4c1afb02a ws_log (libwsutil.so.14 + 0x1d02a)
	#5 0x0000564a86f04a63 n/a (wireshark + 0x249a63)
	#6 0x00007ff4c0e38ab8 n/a (libQt5Core.so.5 + 0xe0ab8)