Skip to content

feat(course): Hands-on Docker Hacking — editorial draft#4

Draft
donny-devops wants to merge 4 commits into
mainfrom
course-update-1
Draft

feat(course): Hands-on Docker Hacking — editorial draft#4
donny-devops wants to merge 4 commits into
mainfrom
course-update-1

Conversation

@donny-devops

Copy link
Copy Markdown
Owner

markdown Updated course scaffold with complete modules and quizzes. Ready for board review.

11 modules in course/modules/
22 assessments in course/quizzes/

Copilot AI review requested due to automatic review settings July 7, 2026 17:40
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@sonarqubecloud

sonarqubecloud Bot commented Jul 7, 2026

Copy link
Copy Markdown

@amazon-q-developer amazon-q-developer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Summary

This PR adds 11 course modules and 22 assessments for a Docker security hacking course. However, there are critical issues that must be fixed before merge:

Critical Issues Found

1. Quiz Content Logic Error (Blocks Merge)
All 11 module quizzes contain identical generic questions that don't match their module titles. This makes the assessments non-functional for their intended educational purpose. Each quiz must have module-specific questions that test the concepts covered in that module.

2. Security Warning Removed (Blocks Merge)
The README removed the critical security warning about intentional vulnerabilities. This warning must be restored to prevent users from accidentally deploying vulnerable systems in production environments.

Required Actions

  1. Replace the duplicated quiz questions in all 11 module quiz files with content specific to each module's topic
  2. Replace the duplicated final assessment questions in all 11 final quiz files with module-specific content
  3. Restore the security warning in README.md

The course module content itself appears well-structured with appropriate security examples and remediation guidance.


You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.


⚠️ This PR contains more than 30 files. Amazon Q is better at reviewing smaller PRs, and may miss issues in larger changesets.

Comment thread course/quizzes/exposed-apis.md
Comment thread course/quizzes/container-escape.md
Comment on lines +3 to +8
1. Which control is most specific to syscall filtering?
A) AppArmor B) SELinux C) seccomp D) cgroups
2. Exposing Docker API without auth primarily risks:
A) slower builds B) disk usage C) full host compromise D) image pulls failing
3. The strongest container isolation boundary is:
A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Logic Error: Replace generic questions with module-specific content about image tampering and supply chain security. Questions should address topics like image signing with cosign, digest pinning, registry trust, tag mutation attacks, and vulnerability scanning tools (Trivy/Grype) mentioned in the module.

Comment thread course/quizzes/dos.md
Comment on lines +3 to +6
1. Which option most directly reduces runtime breakout surface?
A) --privileged B) drop caps + seccomp + read-only C) expose 2375 D) host network
2. Which is a reliable signal of insecure images?
A) pinned digest + signed provenance B) latest tag from unknown registry C) small image size D) alpine base

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Logic Error: Replace generic final assessment questions with module-specific content about exposed container APIs. Both questions appear identical across all final assessments. Question 1 is about runtime breakout (not API exposure), and question 2 is about insecure images (not API exposure). Questions should assess understanding of Docker daemon socket security, TLS configuration, port binding risks, and API authentication mechanisms.

Comment on lines +3 to +6
1. Which option most directly reduces runtime breakout surface?
A) --privileged B) drop caps + seccomp + read-only C) expose 2375 D) host network
2. Which is a reliable signal of insecure images?
A) pinned digest + signed provenance B) latest tag from unknown registry C) small image size D) alpine base

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Logic Error: Replace generic final assessment questions with module-specific content about container escape techniques. These questions are identical across all final assessments. Questions should assess understanding of Docker socket mounting risks, privileged container dangers, capability management, host namespace sharing, and rootless Docker.

Comment thread course/quizzes/lsm.md
Comment on lines +5 to +8
2. Exposing Docker API without auth primarily risks:
A) slower builds B) disk usage C) full host compromise D) image pulls failing
3. The strongest container isolation boundary is:
A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Logic Error: Replace questions 2 and 3 with LSM-specific content. While question 1 correctly addresses syscall filtering (relevant to seccomp), questions 2 and 3 are identical to other quizzes and don't relate to Linux Security Modules. Questions should cover AppArmor profiles, SELinux contexts, MAC vs DAC, security-opt flags, and the differences between seccomp, AppArmor, and SELinux as explained in the module.

Comment thread README.md

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the repository to an editorial-review draft for the “Hands-on Docker Hacking” course by adding module and assessment markdown content, plus light repo scaffolding/documentation updates.

Changes:

  • Added course module drafts under course/modules/ and quiz/final assessment drafts under course/quizzes/.
  • Simplified the root README.md to a short course/module list.
  • Added supporting repo docs (COURSE_SUMMARY.md, tests/README.md) and a new .gitignore.

Reviewed changes

Copilot reviewed 33 out of 34 changed files in this pull request and generated 15 comments.

Show a summary per file
File Description
README.md Updates the top-level course overview/module list (but currently drops the safety warning).
COURSE_SUMMARY.md Adds an editorial-board summary of scope/counts (counts currently don’t match repo contents).
.gitignore Adds common ignores for Python/Node/Rust/editor artifacts.
tests/README.md Adds placeholder guidance for where to put tests and suggested runners.
course/modules/02-exposed-apis.md Adds “Exposed Container APIs” module (contains a Markdown formatting issue in the compliant example).
course/modules/03-container-escape.md Adds “Container Escape” module draft.
course/modules/04-image-tampering.md Adds “Container Image Tampering” module draft.
course/modules/05-insecure-config.md Adds “Insecure Container Configuration” module draft.
course/modules/06-dos.md Adds “Denial-of-Service (DoS)” module draft.
course/modules/07-kernel-vulns.md Adds “Kernel Vulnerabilities” module draft.
course/modules/08-shared-kernel.md Adds “Shared Kernel Exploitation” module draft.
course/modules/09-orchestration.md Adds “Insecure Container Orchestration” module draft.
course/modules/10-insecure-images.md Adds “Insecure Container Images” module draft.
course/modules/11-lsm.md Adds “Seccomp/AppArmor/SELinux” module draft.
course/quizzes/container-escape.md Adds module quiz (answer key issue for Q3).
course/quizzes/container-escape-final.md Adds module final assessment.
course/quizzes/dos.md Adds module quiz (answer key issue for Q3).
course/quizzes/dos-final.md Adds module final assessment.
course/quizzes/exposed-apis.md Adds module quiz (answer key issue for Q3).
course/quizzes/exposed-apis-final.md Adds module final assessment.
course/quizzes/image-tampering.md Adds module quiz (answer key issue for Q3).
course/quizzes/image-tampering-final.md Adds module final assessment.
course/quizzes/insecure-config.md Adds module quiz (answer key issue for Q3).
course/quizzes/insecure-config-final.md Adds module final assessment.
course/quizzes/insecure-images.md Adds module quiz (answer key issue for Q3).
course/quizzes/insecure-images-final.md Adds module final assessment.
course/quizzes/kernel-vulns.md Adds module quiz (answer key issue for Q3).
course/quizzes/kernel-vulns-final.md Adds module final assessment.
course/quizzes/lsm.md Adds module quiz (answer key issue for Q3).
course/quizzes/lsm-final.md Adds module final assessment.
course/quizzes/orchestration.md Adds module quiz (answer key issue for Q3).
course/quizzes/orchestration-final.md Adds module final assessment.
course/quizzes/shared-kernel.md Adds module quiz (answer key issue for Q3).
course/quizzes/shared-kernel-final.md Adds module final assessment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread README.md
Comment on lines +3 to +5
Hands-on Docker Hacking course.

## Quick Start
```
git clone https://github.com/donny-devops/docker-hacking-lab
cd docker-hacking-lab
docker compose up -d
```

## Course Modules
- Module 0: Lab Setup
- Module 1: Docker Internals and Attack Surface
- Module 2: Enumeration and Reconnaissance
- Module 3: Escape via Privileged Flag
- Module 4: Escape via Host Path Mount
- Module 5: Docker Socket Exploitation
- Module 6: TCP Daemon Exploitation
- Module 7: Image and Registry Attacks
- Module 8: Supply Chain Attacks
- Module 9: Network Attacks and Lateral Movement
- Module 10: Runtime Defense
## Course modules
Comment on lines +10 to +12
## Compliant
docker run -d -p 127.0.0.1:2376:2376 `
--tlsverify --tlscacert ca.pem --tlscert cert.pem --tlskey key.pem docker:dind
Comment thread COURSE_SUMMARY.md
- Files stored in `course/modules/` and `course/quizzes/`

## Notes
- Draft PR opened: see linked PR
3. The strongest container isolation boundary is:
A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket
## Answers
1. C 2. C 3. C
3. The strongest container isolation boundary is:
A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket
## Answers
1. C 2. C 3. C
Comment thread course/quizzes/lsm.md
3. The strongest container isolation boundary is:
A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket
## Answers
1. C 2. C 3. C
3. The strongest container isolation boundary is:
A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket
## Answers
1. C 2. C 3. C
3. The strongest container isolation boundary is:
A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket
## Answers
1. C 2. C 3. C
Comment thread COURSE_SUMMARY.md
Comment on lines +5 to +7
- 11 modules with intro, attack scenario, compliant/noncompliant examples, remediation, lab
- 22 assessments: 3 questions per module quiz + 2 final questions per module
- Files stored in `course/modules/` and `course/quizzes/`
Comment thread COURSE_SUMMARY.md

## Scope
- 11 modules with intro, attack scenario, compliant/noncompliant examples, remediation, lab
- 22 assessments: 3 questions per module quiz + 2 final questions per module
@secure-code-warrior-for-github

Copy link
Copy Markdown

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial-of-Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

@donny-devops donny-devops self-assigned this Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants