Update from task 5bb0efc9-d673-48ab-b8ba-8b2026a7691d

.github/workflows/docs-check.yml

@@ -0,0 +1,57 @@
+name: Documentation Quality Check
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  markdown-lint:
+    name: Markdown Linting
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Install markdownlint
+        run: npm install -g markdownlint-cli
+
+      - name: Run markdownlint
+        run: |
+          cat > .markdownlint.json << 'CONFIG'
+          {
+            "default": true,
+            "MD013": false,
+            "MD033": false,
+            "MD024": false
+          }
+          CONFIG
+          markdownlint '**/*.md' --ignore node_modules || true
+
+  validate-yaml:
+    name: Validate YAML Files
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install yamllint
+        run: pip install yamllint
+
+      - name: Run yamllint
+        run: yamllint hands-on-labs/*.yml labs-executable/**/*.yml || true
+
+  shellcheck:
+    name: Shell Script Validation
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@2.0.0
+        with:
+          check_together: 'yes'

.gitignore

@@ -0,0 +1,69 @@
+```
+# Dependencies
+node_modules/
+
+# Environment
+.env
+.env.local
+*.env.*
+
+# Logs
+*.log
+
+# Editor/IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*.tmp
+
+# System
+.DS_Store
+Thumbs.db
+
+# Build artifacts
+dist/
+build/
+target/
+__pycache__/
+*.pyc
+*.class
+*.o
+*.obj
+*.exe
+*.dll
+*.so
+*.a
+*.out
+
+# Testing/coverage
+.coverage
+coverage/
+htmlcov/
+.mypy_cache/
+.pytest_cache/
+
+# Compressed files
+*.zip
+*.gz
+*.tar
+*.tgz
+*.bz2
+*.xz
+*.7z
+*.rar
+*.zst
+*.lz4
+*.lzh
+*.cab
+*.arj
+*.rpm
+*.deb
+*.Z
+*.lz
+*.lzo
+*.tar.gz
+*.tar.bz2
+*.tar.xz
+*.tar.zst
+```

cheatsheets/devsecops-security.md

@@ -0,0 +1,178 @@
+# 🔒 DevSecOps Security Cheatsheet
+
+## Security Scanning Commands
+
+### Container Security (Trivy)
+```bash
+# Install Trivy
+curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
+
+# Scan image
+trivy image nginx:latest
+
+# Scan with severity filter
+trivy image --severity HIGH,CRITICAL myapp:latest
+
+# Generate report
+trivy image -f table -o report.txt myapp:latest
+
+# Scan filesystem
+trivy fs /path/to/code
+```
+
+### Infrastructure as Code (Checkov)
+```bash
+# Install
+pip install checkov
+
+# Scan Terraform
+checkov -d terraform/
+
+# Scan with output
+checkov -d . -o junitxml -o report.xml
+
+# Skip specific checks
+checkov -d . --skip-check CKV_AWS_20
+```
+
+### SAST (Semgrep)
+```bash
+# Install
+pip install semgrep
+
+# Run scan
+semgrep --config auto .
+
+# Specific language
+semgrep --lang python .
+
+# Output formats
+semgrep --json --output results.json .
+```
+
+## Secrets Management
+
+### HashiCorp Vault CLI
+```bash
+# Login
+vault login
+
+# Read secret
+vault read secret/data/myapp
+
+# Write secret
+vault write secret/data/myapp password=secret123
+
+# List secrets
+vault list secret/data/
+
+# Enable KV engine
+vault secrets enable -path=secret kv-v2
+```
+
+### AWS Secrets Manager
+```bash
+# Get secret value
+aws secretsmanager get-secret-value \
+  --secret-id my-secret \
+  --query SecretString --output text
+
+# Create secret
+aws secretsmanager create-secret \
+  --name my-secret \
+  --secret-string '{"password":"secret123"}'
+```
+
+## Network Security
+
+### Firewall Rules (UFW)
+```bash
+# Enable firewall
+sudo ufw enable
+
+# Allow specific ports
+sudo ufw allow 22/tcp    # SSH
+sudo ufw allow 443/tcp   # HTTPS
+
+# Deny IP
+sudo ufw deny from 192.168.1.100
+
+# Status
+sudo ufw status verbose
+```
+
+### iptables Basics
+```bash
+# List rules
+sudo iptables -L -n -v
+
+# Allow port
+sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+
+# Drop IP
+sudo iptables -A INPUT -s 192.168.1.100 -j DROP
+
+# Save rules
+sudo iptables-save > /etc/iptables/rules.v4
+```
+
+## SSL/TLS
+
+### OpenSSL Commands
+```bash
+# Generate private key
+openssl genrsa -out server.key 2048
+
+# Create CSR
+openssl req -new -key server.key -out server.csr
+
+# Self-signed certificate
+openssl req -x509 -nodes -days 365 \
+  -newkey rsa:2048 \
+  -keyout server.key -out server.crt
+
+# View certificate
+openssl x509 -in server.crt -text -noout
+
+# Check SSL connection
+openssl s_client -connect example.com:443
+```
+
+### Let's Encrypt (Certbot)
+```bash
+# Install
+sudo apt install certbot python3-certbot-nginx
+
+# Obtain certificate
+sudo certbot --nginx -d example.com
+
+# Auto-renew
+sudo certbot renew --dry-run
+```
+
+## Security Best Practices Checklist
+
+- [ ] Enable MFA on all accounts
+- [ ] Rotate credentials regularly
+- [ ] Use least privilege principle
+- [ ] Scan containers before deployment
+- [ ] Enable encryption at rest and in transit
+- [ ] Implement network segmentation
+- [ ] Monitor and log security events
+- [ ] Keep systems updated
+- [ ] Backup critical data
+- [ ] Test incident response plan
+
+## Common CVEs to Watch
+
+| CVE | Description | Mitigation |
+|-----|-------------|------------|
+| Log4Shell | Remote code execution in Log4j | Update to 2.17+ |
+| Shellshock | Bash vulnerability | Patch bash |
+| Heartbleed | OpenSSL memory leak | Update OpenSSL |
+
+## Resources
+
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [CIS Benchmarks](https://www.cisecurity.org/)
+- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)

devsecops/README.md

@@ -0,0 +1,68 @@
+# 🔒 DevSecOps - Security in DevOps
+
+Integrate security practices throughout the DevOps lifecycle.
+
+## Key Topics
+
+### Security Scanning
+- Static Application Security Testing (SAST)
+- Dynamic Application Security Testing (DAST)
+- Software Composition Analysis (SCA)
+- Container security scanning
+
+### Infrastructure Security
+- Network segmentation
+- Security groups and firewalls
+- Secrets management
+- Identity and Access Management (IAM)
+
+### Compliance & Governance
+- Policy as Code
+- Audit logging
+- Compliance automation
+- Security benchmarks (CIS)
+
+## Tools
+
+| Category | Tools |
+|----------|-------|
+| SAST | SonarQube, Semgrep, Bandit |
+| DAST | OWASP ZAP, Burp Suite |
+| SCA | Snyk, Dependabot, Trivy |
+| Container Security | Clair, Anchore, Docker Scan |
+| Secrets | HashiCorp Vault, AWS Secrets Manager |
+| Policy | OPA, Kyverno, Checkov |
+
+## Best Practices
+
+1. **Shift Left** - Test security early in development
+2. **Automate Everything** - Security checks in CI/CD
+3. **Least Privilege** - Minimal permissions
+4. **Defense in Depth** - Multiple security layers
+5. **Continuous Monitoring** - Real-time threat detection
+
+## Getting Started
+
+```bash
+# Install Trivy for container scanning
+curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
+
+# Scan a container image
+trivy image nginx:latest
+
+# Install Checkov for IaC scanning
+pip install checkov
+
+# Scan Terraform code
+checkov -d .
+```
+
+## Resources
+
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/)
+- [DevSecOps Roadmap](https://github.com/devsecops/roadmap)
+
+---
+
+**Status:** Initial content - expanding soon

hands-on-labs/app/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "devops-lab-app",
+  "version": "1.0.0",
+  "main": "server.js",
+  "scripts": {
+    "start": "node server.js"
+  },
+  "dependencies": {
+    "express": "^4.18.2",
+    "pg": "^8.11.3",
+    "ioredis": "^5.3.2"
+  }
+}