Click Sign In with GitLab to authenticate and activate your environment.
5. Redemption Successful, open your workspace
Your account is now enabled with GitLab Duo AI. Click Open GitLab Workspace.
6. Copy your GitLab group URL and paste it below
You're inside your private workshop group. Copy the full URL from the address bar, it looks like the example. Paste it here to auto-fill all workshop prompts.
Paste your group URL above and all prompts will update automatically.
Suffix: not set
Artifactory repo: bynet-docker-local
App / image: juice-shop-???
Module 2
Integrations
Connect Script.it to GitLab, JFrog, and Cloud Foundry. Three integrations, five minutes.
GitLab Integration
Connect via OAuth through Pipedream
1. Open Settings → Integrations in Script.it
Click the ⚙️ gear icon (bottom-left). Go to the Integrations tab. Under Add Integration, search for gitlab and click +.
2. Click Connect in the GitLab dialog
A dialog appears. Click Connect to proceed through Pipedream.
3. Continue through Pipedream
Script.it uses Pipedream to handle OAuth securely. Click Continue.
4. Set Base API URL
Enter gitlab.com and click Continue.
5. Authorize Pipedream on GitLab
Review the permissions, then click Authorize Pipedream App. The GitLab status changes to Active, and you're connected.
JFrog Artifactory Integration
Pre-provisioned environment · Bearer token auth
Environment Info
Platform URL: bynetexpo.jfrog.io
Auth method: Reference Token (Bearer)
1. Run this prompt in Script.it
Script.it figures out how to create the integration: it checks the catalog, creates a custom JFrog integration with Bearer auth, and then asks you to connect your token.
Script.it Prompt
Configure JFrog integration using reference access token as auth method.
Artifactory URL: https://bynetexpo.jfrog.io
Token will be provided by the user. Verify the connection is working.
2. Paste the token when Script.it asks
Script.it creates the integration and shows a JFrog Artifactory connection card. Click + to add your token, paste it into the Bearer field, then click Connect.
Script.it figures out how to use the CF CLI: it downloads it, authenticates to Tanzu, and confirms your org and space. No manual installation is needed.
Script.it Prompt
Configure Cloud Foundry integration using the CF CLI.
Download and install CF CLI v8.18.3 from:
https://packages.cloudfoundry.org/stable?release=linux64-binary&version=8.18.3&source=github-rel
Then login using:
- API URL: https://api.sys.tas-ndc.kuhn-labs.com
- Username: bynet
- Password: expo
Run cf login and confirm successful authentication. Report the org and space.
Module 3
Project Creation
Script.it will fork the OWASP Juice Shop from GitHub and push it into your GitLab group; no manual steps are needed.
About OWASP Juice Shop
The intentionally vulnerable app we'll secure
OWASP Juice Shop is an open-source web application that is intentionally insecure, built for security training and demos. It includes vulnerabilities from the OWASP Top 10: SQL injection, XSS, broken auth, and more. We'll run it through a full DevSecOps pipeline: SAST scanning, container build, Xray SCA, and deployment to Cloud Foundry, then use GitLab Duo AI to fix the findings.
Node.js / Angular · Docker · OWASP Top 10 · github.com/juice-shop/juice-shop
1. Run this prompt in Script.it
Script.it clones Juice Shop from GitHub, creates a project in your GitLab group, and pushes the master branch, excluding .gitlab-ci.yml so no pipeline runs yet.
Script.it Prompt
Fork the OWASP Juice Shop project from GitHub and push it to my GitLab group.
Source: https://github.com/juice-shop/juice-shop
Destination: ⚠️ Paste your GitLab group URL in Module 1 above
Steps to perform:
1. Clone the Juice Shop repository from GitHub
2. Create a new project called "juice-shop" inside my GitLab group
3. Push the master branch to the new GitLab project, excluding .gitlab-ci.yml from root (remove before push, no CI should trigger)
4. Confirm the project is accessible at the GitLab URL
Module 4
Build the CI/CD Pipeline
Script.it generates the full CI/CD pipeline file connecting all your tools. Click any stage below to learn what it does.
SAST (GitLab) → BUILD (Kaniko) → PUBLISH (Artifactory) → XRAY (JFrog) → DEPLOY (Cloud Foundry)
Your unique values (auto-filled from Module 1)
Image tag: $CI_PIPELINE_IID
Artifactory repo: bynet-docker-local
App name: juice-shop-???
Not set? Scroll up to Module 1 and paste your GitLab group URL.
1. Copy the prompt and run it in Script.it
Script.it generates the complete CI/CD pipeline file, creates the Artifactory Docker repo, commits everything to your project, and returns the Cloud Foundry route when deployment is complete.
Script.it Prompt
Build a GitLab CI/CD pipeline for the Juice Shop project.
GitLab project URL: ⚠️ Paste your GitLab group URL in Module 1 above
Pipeline stages (in this exact order):
stages: [sast, build, publish, xray_scan, deploy]
◆ sast
Include GitLab SAST template (Security/SAST.gitlab-ci.yml).
The template defaults all jobs to stage: test - override explicitly:
sast:
  stage: sast
semgrep-sast:
  stage: sast
nodejs-scan-sast:
  stage: sast
allow_failure: false # expected to fail - do NOT suggest or apply any fixes to the findings
◆ build
Build Docker image using Kaniko (rootless, no Docker daemon).
Use image: gcr.io/kaniko-project/executor:debug
Write Artifactory registry credentials as base64-encoded auth entry
in /kaniko/.docker/config.json
◆ publish
Verify image exists in Artifactory (HTTP 200 on manifest.json path).
Set artifact properties via the Artifactory storage API.
◆ xray_scan
  image: ubuntu:22.04
  # Do NOT use releases-docker.jfrog.io/jfrog/jfrog-cli-v2:latest
  # That image ships the `jfrog` binary, not `jf` - the scan will fail
  before_script:
    - apt-get update -qq && apt-get install -qq -y curl git unzip nodejs npm
    # nodejs + npm are required - jf audit builds the npm dependency tree
    # git and unzip are required for project detection and package extraction
    - curl -fL https://install-cli.jfrog.io | sh
  script:
    - jf config add artifactory
        --url=https://bynetexpo.jfrog.io
        --access-token=$ARTIFACTORY_TOKEN
        --interactive=false
    - jf audit --sca --format=json --output-dir=.
  artifacts:
    when: always
    paths:
      - xray-audit.json
  allow_failure: true # Juice Shop is intentionally vulnerable
  needs: [publish]
◆ deploy
Deploy to Tanzu Cloud Foundry using cf push
Use alpine:3.19 as the runner image.
Install CF CLI v8 from exact URL:
https://github.com/cloudfoundry/cli/releases/download/v8.18.3/cf8-cli_8.18.3_linux_x86-64.tgz
(note: v8 assets use the cf8-cli prefix - extract to /tmp/, chmod +x cf and cf8, move both to /usr/local/bin/)
Pass Artifactory token as CF_DOCKER_PASSWORD for private registry pull.
allow_failure: false # deployment must succeed
JFrog Artifactory:
URL: https://bynetexpo.jfrog.io
Docker repo: bynet-docker-local # main shared repo, do not create a new one
Push image to: bynetexpo.jfrog.io/bynet-docker-local/juice-shop-??? (set URL in Module 1):$CI_PIPELINE_IID
Auth: use pre-configured jfrog-artifactory integration (Bearer token)
Naming:
APP_NAME = *juice-shop-??? (set URL in Module 1)*
IMAGE_NAME = *juice-shop-??? (set URL in Module 1)*
IMAGE_TAG = $CI_PIPELINE_IID
CF deployment:
API: https://api.sys.tas-ndc.kuhn-labs.com # api.sys not apps.sys
Org: solution-architects
Space: bynet-expo-workshop
Creds: bynet / expo
CF manifest:
---
applications:
  - name: juice-shop-??? (set URL in Module 1)
    memory: 256M
    instances: 1
    docker:
      image: bynetexpo.jfrog.io/bynet-docker-local/juice-shop-???:$CI_PIPELINE_IID
      username: ((CF_DOCKER_USERNAME))
    env:
      APP_ENV: workshop
CI/CD variables to set on the project:
ARTIFACTORY_USER = bynet
ARTIFACTORY_TOKEN = <reference access token> # masked
CF_USERNAME = bynet
CF_PASSWORD = expo # cannot be masked - too short for GitLab 8-char minimum
After successful run, report the full Cloud Foundry route URL.
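The variables list in the prompt notes that CF_PASSWORD (expo) cannot be masked because GitLab only masks values of 8 characters or more. The check below is an added example, not part of the workshop or of GitLab: it applies GitLab's documented masking rules (at least 8 characters, a single line, only Base64-alphabet characters plus @ : . ~) so you can tell before saving a variable whether its value would be hidden in job logs. The sample values are constructed, and the "must not equal an existing variable name" rule is not checked.

```shell
#!/bin/sh
# Added example (not part of the workshop): decide whether a CI/CD variable value
# satisfies GitLab's masking rules before you save it, so a secret such as the
# Cloud Foundry password does not end up in plain text in job logs.
# Rules (GitLab docs, masked variables): at least 8 characters, a single line,
# and only characters from the Base64 alphabet (RFC 4648) plus '@', ':', '.', '~'.
gitlab_maskable() {
  value=$1
  # 8-character minimum: "expo" from the workshop prompt fails this rule
  [ "${#value}" -ge 8 ] || return 1
  # Any character outside the allowed set (a newline included) disqualifies the value
  case $value in
    *[!A-Za-z0-9+/=@:.~]*) return 1 ;;
  esac
  return 0
}

# Human-readable verdict for one variable; the value itself is never printed
report_variable() {
  name=$1
  value=$2
  if gitlab_maskable "$value"; then
    printf '%s: maskable (%d chars)\n' "$name" "${#value}"
  else
    printf '%s: NOT maskable, would be visible in job logs\n' "$name"
  fi
}

# Constructed sample values mirroring the variables the workshop pipeline sets;
# a non-maskable secret should be replaced by a longer one before the pipeline runs.
report_variable CF_USERNAME       'bynet'
report_variable CF_PASSWORD       'expo'
report_variable ARTIFACTORY_TOKEN 'cmVmdGtuOjAxOjE3MDAwMDAwMDA6ZXhhbXBsZQ=='
```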
2. Monitor the pipeline
Track progress in GitLab while Script.it monitors the pipeline automatically. If any job fails, it reads the log, works out why, and pushes a fix automatically.
② Open your GitLab pipeline
Use the link below to go to your project's CI/CD → Pipelines page.
Click the Running badge to open the pipeline detail view and watch the five stages progress.
Pipeline detail — five stages lighting up one by one
Switch back to Script.it while you wait — it tracks every job. If a stage fails, Script.it reads the error log and automatically commits a fix, then watches the retry.
3. All stages passed — open the live app
When Script.it finishes it prints a summary with all stages green and the Cloud Foundry route URL. Click that URL to open your Juice Shop running live on Tanzu.
③ Check Script.it and open the app
Script.it — all stages passed and deployed app URL
OWASP Juice Shop — live on Tanzu Cloud Foundry
Module 5
Remediate with GitLab Duo
Use GitLab Duo AI to identify and fix the critical SAST vulnerability that the pipeline found in Juice Shop.
1. Set GitLab Learn Labs as your default Duo namespace
Before using GitLab Duo, you need to point it at the right namespace so it has access to the group's AI features.
1 · Open GitLab User Preferences
Open the link below, then scroll down to the Behavior section until you find Default GitLab Duo namespace.
In the Default GitLab Duo namespace dropdown, select GitLab Learn Labs.
3 · Save the changes
Scroll to the bottom of the Preferences page and click Save changes.
2. Open the Security Vulnerability Dashboard
Navigate to your project's security dashboard to see what SAST found in the pipeline. You'll see 33 critical vulnerabilities — click the number to drill in.
1 · Open the Security Dashboard
Use the link below to go directly to your project's Security Dashboard.
Click the bold number under Critical to filter the vulnerability list to critical findings only.
3 · Select the Deserialization vulnerability
In the filtered list, find the 4th row: Deserialization of Untrusted Data (rsn/rsnUtil.ts:135). Click it to open the vulnerability detail page.
3. Explain the vulnerability with GitLab Duo
Use GitLab Duo AI to understand what the SAST scanner found and why it is dangerous.
1 · AI vulnerability management → Explain with AI
On the vulnerability page, hover the blue AI vulnerability management button and click Explain with AI.
GitLab Duo opens a chat panel and explains the vulnerability with insights about potential solutions.
2 · Read the explanation
Duo explains that yaml.load() can execute arbitrary code from untrusted YAML (CWE-502 / OWASP A8:2017). Read the analysis before moving to the fix.
4. Ask Duo to remediate the vulnerability
Send the prompt below in the Duo Chat panel. Duo will prepare a fix and ask you to approve the commit before pushing to master.
Duo Chat Prompt
Apply the suggested remediation for this vulnerability and push the fix to the master branch.
5. Review and approve the fix
Duo prepares the commit and asks for your approval before pushing. Review the change and confirm.
1 · Review the commit
Duo shows a pending commit to the master branch with 1 file change.
Click > Read commit message and > Expand file changes to review what Duo will push.
2 · Click Approve
Click the Approve button to confirm the commit. Duo will push the fix to master and the vulnerability will be resolved.
Workshop Complete
You built a full software delivery lifecycle
You used the Script.it AI agent to generate and deploy the complete CI/CD pipeline across GitLab, JFrog Artifactory and Xray, and Tanzu Cloud Foundry, going from source code to a live, secured application in minutes.
Then you used the GitLab Duo AI agent to explain a critical SAST vulnerability and remediate it with a single prompt, pushing the fix directly to the branch.
Full Software Lifecycle & Vulnerability Management with AI Agents
AI-Assisted DevSecOps Workshop
This certificate confirms the completion of the AI-Assisted DevSecOps Workshop by Bynet Data Communications.
The holder used Script.it AI agent to autonomously build and deploy a complete CI/CD pipeline,
and GitLab Duo AI agent to identify, explain, and remediate a critical security vulnerability with a single prompt.
✓ Script.it AI Agent · ✓ GitLab CI/CD + SAST · ✓ JFrog Artifactory + Xray · ✓ Tanzu Cloud Foundry · ✓ GitLab Duo Remediation
Script.it (AI Orchestration) → GitLab (CI/CD + SAST) → JFrog (Artifact + Scan) → Tanzu CF (Production Deploy) → GitLab Duo (AI Remediation)
Date Issued
June 2026
BYNET VERIFIED
Bynet Professional Services
AI-Assisted DevSecOps Program
SAST - Static Application Security Testing
Scans your source code for security vulnerabilities using Semgrep and NodeJS Security Scan.
Expected to fail - Juice Shop is intentionally vulnerable. This is the demo moment where GitLab Duo AI steps in to fix the findings.
BUILD - Container Image
Builds the Juice Shop Docker image using Kaniko, a rootless container builder that works inside GitLab CI without needing Docker.
The image is tagged with $CI_PIPELINE_IID so every build is uniquely identifiable in Artifactory.
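The build stage in the pipeline prompt writes the Artifactory registry credentials as a base64-encoded auth entry in /kaniko/.docker/config.json. The shell below is an added example of that step, not the pipeline Script.it generates: it builds the file from a registry host, user and token, creates it readable only by the job user, and decodes the entry back to confirm the file is usable without echoing the token. The registry host and repo come from the workshop; the token and output path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the workshop's generated pipeline: build the auth file that the
# Kaniko executor reads from /kaniko/.docker/config.json when it pushes to Artifactory.
# The "auth" value is base64("<user>:<token>"), the same format `docker login` writes.
# Usage: write_kaniko_config REGISTRY_HOST USER TOKEN OUTFILE
write_kaniko_config() {
  registry=$1 user=$2 token=$3 outfile=$4
  # printf (not echo) so no trailing newline gets encoded; tr strips base64 line wraps
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  # The file holds a live token: create it readable by the job user only (umask 077
  # applies to newly created files; it does not change an existing file's mode)
  (umask 077 && printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth" > "$outfile")
}

# Decode the entry back and return only the user part, so a job can sanity-check the
# file before running the executor without ever echoing the token into the job log.
kaniko_config_user() {
  auth=$(sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' "$1")
  printf '%s' "$auth" | base64 -d | cut -d: -f1
}

# Constructed sample values; in the real job USER/TOKEN come from the CI/CD variables
# ARTIFACTORY_USER / ARTIFACTORY_TOKEN and OUTFILE is /kaniko/.docker/config.json.
CONFIG=${KANIKO_CONFIG:-/tmp/kaniko-config.json}
write_kaniko_config bynetexpo.jfrog.io bynet EXAMPLE_REFERENCE_TOKEN "$CONFIG"
kaniko_config_user "$CONFIG"
# The job would then run the executor against that file, e.g.:
#   /kaniko/executor --context "$CI_PROJECT_DIR" --dockerfile Dockerfile \
#     --destination "bynetexpo.jfrog.io/bynet-docker-local/$IMAGE_NAME:$CI_PIPELINE_IID"
```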
PUBLISH - Push to JFrog Artifactory
After the image is built, this stage verifies it landed in bynet-docker-local by checking the manifest.json endpoint returns HTTP 200.
It then sets artifact properties via the Artifactory storage API: metadata that Xray and downstream consumers can query.
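The two calls this stage makes, as an added example rather than the workshop's generated job: a manifest check that only succeeds on HTTP 200, and a Set Item Properties call against the storage API, with the URL and property-string builders kept separate so they can be checked without network access. It assumes Artifactory's docker-repo layout of repo/image/tag/manifest.json, the ARTIFACTORY_TOKEN variable from the pipeline prompt, and constructed property names.

```shell
#!/bin/sh
# Added example (not the workshop's generated pipeline): the publish-stage checks against
# Artifactory. Assumed layout of a Docker repo: <repo>/<image>/<tag>/manifest.json.
ARTIFACTORY_URL=${ARTIFACTORY_URL:-https://bynetexpo.jfrog.io}

# URL of the pushed image manifest; the stage treats HTTP 200 here as "image landed"
manifest_url() {  # repo image tag
  printf '%s/artifactory/%s/%s/%s/manifest.json' "$ARTIFACTORY_URL" "$1" "$2" "$3"
}

# Storage API endpoint for setting properties on the tag folder (PUT, 204 on success);
# recursive=1 applies them to the manifest and layers underneath as well
properties_url() {  # repo image tag props
  printf '%s/artifactory/api/storage/%s/%s/%s?properties=%s&recursive=1' \
    "$ARTIFACTORY_URL" "$1" "$2" "$3" "$4"
}

# Build the key=value;key=value string from pipeline facts. Artifactory expects a
# backslash before , ; = | inside values, otherwise they are read as separators.
build_props() {  # pipeline_iid commit_sha
  iid=$(printf '%s' "$1" | sed 's/[,;=|]/\\&/g')
  sha=$(printf '%s' "$2" | sed 's/[,;=|]/\\&/g')
  printf 'ci.pipeline=%s;ci.commit=%s;scan.status=pending' "$iid" "$sha"
}

# Succeeds only when the manifest really exists; a 401/404 is a failed publish, not a pass
verify_image() {  # repo image tag
  code=$(curl -sS -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $ARTIFACTORY_TOKEN" "$(manifest_url "$1" "$2" "$3")")
  [ "$code" = 200 ]
}

# Attach the properties; the token never appears in the URL or in the job log
set_properties() {  # repo image tag props
  code=$(curl -sS -o /dev/null -w '%{http_code}' -X PUT \
    -H "Authorization: Bearer $ARTIFACTORY_TOKEN" "$(properties_url "$1" "$2" "$3" "$4")")
  [ "$code" = 204 ]
}

# In the job (constructed names): fail the stage unless both calls succeed
# verify_image bynet-docker-local "$IMAGE_NAME" "$CI_PIPELINE_IID" &&
#   set_properties bynet-docker-local "$IMAGE_NAME" "$CI_PIPELINE_IID" \
#     "$(build_props "$CI_PIPELINE_IID" "$CI_COMMIT_SHA")"
```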