Chapter 3. Retesting
Artifacts Delta — Current vs Previous
This table summarizes what changed in the security artifacts after the latest fixes.
Use the “Verify” commands (right column) to reproduce the numbers locally.
| Tool | Metric (scope) | Before | After | Δ | Evidence file(s) | Verify locally |
|---|---|---|---|---|---|---|
| Trivy | High vulns (image) | 1 | 0 | −1 | artifacts/trivy-image.json | `jq '[.Results[]?.Vulnerabilities[]? \|` |
| Semgrep | Findings total (Go app) | N/A | N/A | — | artifacts/semgrep.json | `jq '.results? \|` |
| Semgrep | XSS (reflected) | (not flagged) | (not flagged) | — | (manual validation) | Visit http://…/echo?input=<script>alert(1)</script> → script should not execute |
| TruffleHog | Verified secrets (app/ only) | 0 | 0 | 0 | artifacts/trufflehog.json | `jq -c 'select(.Source=="filesystem" and (.Verified==true))' artifacts/trufflehog.json` |
| Checkov | Failed checks (K8s manifests) | X | Y | ΔX | artifacts/checkov.json | `jq '.summary? // {} \|` |
| Checkov | Key hardening present (seccomp, caps drop, probes, SA token, ns) | | present | — | infra/k8s/deployment.yaml | `grep -nE 'seccompProfile \|` |
| ZAP | High / Medium alerts (baseline) | 0 / M | 0 / M' | — | artifacts/zap/report.json (if present) | `jq -r '[.site[]?.alerts[]? \|` |
Notes
- Trivy: expect High=0 after upgrading the Go toolchain/base image (e.g., golang:1.24.6-alpine).
- Semgrep: our fix removes the reflected XSS behavior (manual validation); your ruleset may not have flagged it originally.
- TruffleHog: canary strings should be removed or allow-listed; we block only on verified credentials.
- Checkov: after adding probes, seccomp, caps drop, SA token hardening, namespace, and basic NetPols, failures should drop significantly.
- ZAP: the baseline scan tends to report header hygiene as Medium/Low; after adding the response headers (CSP, X-Frame-Options, X-Content-Type-Options, HSTS*), counts should reduce (*HSTS only when serving over TLS).
How to Refresh This Table
- Capture a "before" snapshot (optional if you already have one):

```bash
rm -rf artifacts_before && mkdir -p artifacts_before
cp -a artifacts/* artifacts_before/ 2>/dev/null || true
```

- Apply the fixes and re-run the scans:

```bash
make build sca
make sast secrets
make iac
make cd
make zap
```

- Make the delta table:

```bash
bash scripts/artifacts_delta.sh > artifacts/ARTIFACTS.md
echo "Wrote artifacts/ARTIFACTS.md"
```
How to reproduce

```bash
# optional: snapshot current as "before"
rm -rf artifacts_before && mkdir -p artifacts_before
cp -a artifacts/* artifacts_before/ 2>/dev/null || true
# regenerate table
bash scripts/artifacts_delta.sh > artifacts/ARTIFACTS.md
```
Makefile convenience target
Add this to your starter Makefile so readers can run `make artifacts-delta` (recipe lines must be indented with a tab):

```make
artifacts-delta:
	@bash scripts/artifacts_delta.sh > artifacts/ARTIFACTS.md
	@echo "Wrote artifacts/ARTIFACTS.md"
```
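The chapter invokes scripts/artifacts_delta.sh but does not show it. What follows is an added example of the computation such a script performs, written here in Python rather than as the project's own shell/jq script: it reduces each scanner's JSON to the metric the table reports, pairs the "before" and "after" values, and renders Before / After / Δ rows in the table's layout. The JSON field names are the ones the table's jq commands reference; the function names and all sample documents (including the placeholder CVE ids) are assumptions or constructed data, not real scanner output.

```python
"""Compute the before/after delta of security-scan artifacts.

Added example; it is NOT the repository's scripts/artifacts_delta.sh. Field
names follow what the chapter's jq commands reference (Trivy
.Results[].Vulnerabilities[].Severity, TruffleHog .Verified, Checkov
.summary.failed, ZAP .site[].alerts[]); every document below is a constructed
sample, not real scanner output.
"""
import json
from typing import Any

Doc = dict[str, Any]


def trivy_high(doc: Doc) -> int:
    """Count HIGH findings; a clean target may carry no Vulnerabilities key at all."""
    return sum(
        1
        for result in doc.get("Results") or []
        for vuln in result.get("Vulnerabilities") or []
        if vuln.get("Severity") == "HIGH"
    )

def parse_ndjson(text: str) -> list[Doc]:
    """TruffleHog emits one JSON object per line; ignore blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def trufflehog_verified(findings: list[Doc]) -> int:
    """Only credentials TruffleHog could verify count; canary strings stay unverified."""
    return sum(1 for f in findings if f.get("Verified") is True)

def checkov_failed(doc: Doc) -> int:
    """Read the failed counter from Checkov's summary block (0 if absent)."""
    return int((doc.get("summary") or {}).get("failed", 0))

def zap_alerts(doc: Doc, risk: str) -> int:
    """Count ZAP alerts whose riskdesc starts with the given level ('High', 'Medium', ...)."""
    return sum(
        1
        for site in doc.get("site") or []
        for alert in site.get("alerts") or []
        if str(alert.get("riskdesc", "")).startswith(risk)
    )

def collect(trivy: Doc, trufflehog_ndjson: str, checkov: Doc, zap: Doc) -> dict[str, int]:
    """Reduce one artifacts directory's documents to the metrics the table reports."""
    return {
        "Trivy High (image)": trivy_high(trivy),
        "TruffleHog verified secrets": trufflehog_verified(parse_ndjson(trufflehog_ndjson)),
        "Checkov failed checks": checkov_failed(checkov),
        "ZAP High alerts": zap_alerts(zap, "High"),
        "ZAP Medium alerts": zap_alerts(zap, "Medium"),
    }

def delta_rows(before: dict[str, int], after: dict[str, int]) -> list[tuple[str, int, int, int]]:
    """Pair each metric's before/after values with the signed change."""
    return [(name, before[name], after[name], after[name] - before[name]) for name in before]

def markdown_table(rows: list[tuple[str, int, int, int]]) -> str:
    """Render rows in the Before / After / Δ layout used by the chapter's table."""
    lines = ["| Metric | Before | After | Δ |", "|---|---|---|---|"]
    for name, before, after, change in rows:
        delta = f"{change:+d}" if change else "0"
        lines.append(f"| {name} | {before} | {after} | {delta} |")
    return "\n".join(lines)


# Constructed samples (placeholder CVE ids): the "before" set has one High CVE,
# one verified secret, seven failed Checkov checks and two Medium ZAP alerts;
# the "after" set reflects the fixes described in the chapter's notes.
TRIVY_BEFORE: Doc = {"Results": [{"Target": "app-image", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00001", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-00002", "Severity": "MEDIUM"}]}]}
TRIVY_AFTER: Doc = {"Results": [{"Target": "app-image"}]}  # clean target: no Vulnerabilities key
TRUFFLEHOG_BEFORE = ('{"SourceName": "filesystem", "DetectorName": "AWS", "Verified": true}\n'
                     '{"SourceName": "filesystem", "DetectorName": "Generic", "Verified": false}\n')
TRUFFLEHOG_AFTER = '{"SourceName": "filesystem", "DetectorName": "Generic", "Verified": false}\n'
CHECKOV_BEFORE: Doc = {"summary": {"passed": 12, "failed": 7, "skipped": 0}}
CHECKOV_AFTER: Doc = {"summary": {"passed": 17, "failed": 2, "skipped": 0}}
ZAP_BEFORE: Doc = {"site": [{"@name": "http://app.example", "alerts": [
    {"riskdesc": "Medium (High)", "name": "Content Security Policy (CSP) Header Not Set"},
    {"riskdesc": "Medium (High)", "name": "Missing Anti-clickjacking Header"},
    {"riskdesc": "Low (Medium)", "name": "X-Content-Type-Options Header Missing"}]}]}
ZAP_AFTER: Doc = {"site": [{"@name": "http://app.example", "alerts": [
    {"riskdesc": "Low (Medium)", "name": "X-Content-Type-Options Header Missing"}]}]}


def example_delta() -> list[tuple[str, int, int, int]]:
    """Run the whole pipeline over the constructed before/after samples."""
    before = collect(TRIVY_BEFORE, TRUFFLEHOG_BEFORE, CHECKOV_BEFORE, ZAP_BEFORE)
    after = collect(TRIVY_AFTER, TRUFFLEHOG_AFTER, CHECKOV_AFTER, ZAP_AFTER)
    return delta_rows(before, after)


if __name__ == "__main__":
    print(markdown_table(example_delta()))
```

To use it against real output, replace the constructed documents with `json.load()` of the files in `artifacts_before/` and `artifacts/`; the `or []` guards mirror the `?` operators in the table's jq commands, so a scanner that omits an empty array (or a missing ZAP report) yields 0 rather than an exception.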