<!DOCTYPE html>
<html lang="en">
<head>
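<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Gemma 3 Hardened Container - Ubuntu Scripts v2.1</title>
<!--
  Third-party stylesheet loaded from a public CDN. Without Subresource
  Integrity the browser accepts whatever the CDN returns. Pin the file by adding
  integrity="sha512-<HASH_PUBLISHED_BY_CDNJS_FOR_THIS_FILE>" (placeholder: copy
  the value cdnjs lists for this exact URL). crossorigin is already set because
  the integrity check needs a CORS fetch. SRI covers this CSS file only, not the
  font files it references.
-->
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css" crossorigin="anonymous" referrerpolicy="no-referrer">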
<style>
/* Design tokens: palette, shadow, corner radius and the shared transition. */
:root {
  --primary: #1a1a2e;
  --secondary: #16213e;
  --accent: #0f3460;
  --highlight: #e94560;
  --success: #00d9a0;
  --warning: #ffc107;
  --danger: #dc3545;
  --info: #17a2b8;
  --light: #f8f9fa;
  --dark: #0a0a0f;
  --fixed: #2ecc71;
  --ubuntu: #E95420;
  --shadow: 0 4px 20px rgba(143, 37, 37, 0.3);
  --radius: 12px;
  --transition: all 0.3s cubic-bezier(0.4, 0, 0.2, 1);
}

/* Global reset: no default spacing, border-box sizing, one UI font stack. */
* {
  margin: 0;
  padding: 0;
  box-sizing: border-box;
  font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
}

/* Page canvas: diagonal dark gradient that fills at least the viewport. */
body {
  background: linear-gradient(135deg, var(--dark) 0%, var(--primary) 50%, var(--secondary) 100%);
  color: var(--light);
  line-height: 1.6;
  min-height: 100vh;
}
/* Sticky top bar with the Ubuntu-orange gradient. */
header {
  background: linear-gradient(135deg, rgba(233, 84, 32, 0.9) 0%, rgba(26, 26, 46, 0.95) 100%);
  padding: 1.5rem 2rem;
  border-bottom: 3px solid var(--ubuntu);
  position: sticky;
  top: 0;
  z-index: 100;
}

/* Centered row that wraps on narrow screens. */
.header-content {
  max-width: 1400px;
  margin: 0 auto;
  display: flex;
  justify-content: space-between;
  align-items: center;
  flex-wrap: wrap;
  gap: 1rem;
}

/* Logo link: round icon followed by the title text. */
.logo {
  display: flex;
  align-items: center;
  gap: 1rem;
  text-decoration: none;
  color: white;
}

.logo-icon {
  width: 50px;
  height: 50px;
  background: white;
  border-radius: 50%;
  display: flex;
  align-items: center;
  justify-content: center;
}

.logo-icon i {
  font-size: 1.5rem;
  color: var(--ubuntu);
}

.logo-text h1 {
  font-size: 1.4rem;
  font-weight: 700;
}

.logo-text span {
  font-size: 0.8rem;
  opacity: 0.9;
}

/* "Built with" attribution on the right of the bar. */
.built-with {
  font-size: 0.9rem;
}

.built-with a {
  color: var(--warning);
  text-decoration: none;
  font-weight: 600;
}

.built-with a:hover {
  text-decoration: underline;
}
/* Main column, capped to the same width as the header row. */
main {
  max-width: 1400px;
  margin: 2rem auto;
  padding: 0 1.5rem;
}

/* Introduction panel. */
.intro-section {
  background: linear-gradient(135deg, rgba(233, 84, 32, 0.15) 0%, rgba(26, 26, 46, 0.9) 100%);
  border: 1px solid var(--ubuntu);
  border-radius: var(--radius);
  padding: 2rem;
  margin-bottom: 2rem;
}

.intro-header {
  display: flex;
  align-items: center;
  gap: 1rem;
  margin-bottom: 1.5rem;
}

.intro-icon {
  width: 60px;
  height: 60px;
  background: var(--ubuntu);
  border-radius: 50%;
  display: flex;
  align-items: center;
  justify-content: center;
  font-size: 1.8rem;
}

.intro-title {
  font-size: 1.6rem;
  color: var(--light);
}

.intro-subtitle {
  color: rgba(255, 255, 255, 0.7);
  font-size: 0.95rem;
}

/* Pill shown next to the page title. */
.version-badge {
  display: inline-block;
  background: var(--success);
  color: var(--dark);
  padding: 0.3rem 0.8rem;
  border-radius: 20px;
  font-size: 0.75rem;
  font-weight: 700;
  margin-left: 0.5rem;
}

/* Quick-start box and its command listing. */
.quick-start {
  background: rgba(0, 0, 0, 0.4);
  border-radius: 8px;
  padding: 1.5rem;
  margin-top: 1.5rem;
}

.quick-start h3 {
  color: var(--success);
  margin-bottom: 1rem;
  display: flex;
  align-items: center;
  gap: 0.5rem;
}

.quick-start-code {
  background: rgba(0, 0, 0, 0.5);
  border-radius: 6px;
  padding: 1rem;
  font-family: 'Fira Code', 'Courier New', monospace;
  font-size: 0.85rem;
  overflow-x: auto;
}

.quick-start-code .comment {
  color: #6a9955;
}

.quick-start-code .command {
  color: #dcdcaa;
}
/* Responsive grid holding the three phase cards. */
.security-phases {
  display: grid;
  grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
  gap: 1.5rem;
  margin-bottom: 2rem;
}

.phase-card {
  background: linear-gradient(135deg, rgba(26, 26, 46, 0.95) 0%, rgba(22, 33, 62, 0.95) 100%);
  border-radius: var(--radius);
  border: 1px solid rgba(255, 255, 255, 0.1);
  overflow: hidden;
  transition: var(--transition);
}

/* Lift and green glow on hover. */
.phase-card:hover {
  border-color: var(--success);
  transform: translateY(-3px);
  box-shadow: 0 10px 30px rgba(0, 217, 160, 0.2);
}

.phase-card-header {
  padding: 1.2rem 1.5rem;
  display: flex;
  align-items: center;
  gap: 1rem;
}

/* One header colour per phase: build (blue), deploy (purple), runtime (red). */
.phase-card-header.build {
  background: linear-gradient(135deg, #3498db, #2980b9);
}

.phase-card-header.deploy {
  background: linear-gradient(135deg, #9b59b6, #8e44ad);
}

.phase-card-header.runtime {
  background: linear-gradient(135deg, #e74c3c, #c0392b);
}

.phase-icon {
  width: 45px;
  height: 45px;
  background: rgba(255, 255, 255, 0.2);
  border-radius: 50%;
  display: flex;
  align-items: center;
  justify-content: center;
  font-size: 1.3rem;
}

.phase-title h3 {
  font-size: 1rem;
  font-weight: 600;
}

.phase-title span {
  font-size: 0.75rem;
  opacity: 0.9;
}

.phase-card-body {
  padding: 1.5rem;
}

.phase-description {
  color: rgba(255, 255, 255, 0.8);
  font-size: 0.9rem;
  margin-bottom: 1rem;
  line-height: 1.6;
}

/* Wrapping row of tool pills. */
.phase-tools {
  display: flex;
  flex-wrap: wrap;
  gap: 0.5rem;
}

.tool-badge {
  background: rgba(255, 255, 255, 0.1);
  border: 1px solid rgba(255, 255, 255, 0.2);
  padding: 0.3rem 0.7rem;
  border-radius: 20px;
  font-size: 0.75rem;
  color: var(--light);
}
/* Responsive grid of script cards. */
.scripts-grid {
  display: grid;
  grid-template-columns: repeat(auto-fit, minmax(350px, 1fr));
  gap: 1.5rem;
  margin-bottom: 2rem;
}

.script-card {
  background: linear-gradient(135deg, rgba(26, 26, 46, 0.95) 0%, rgba(22, 33, 62, 0.95) 100%);
  border-radius: var(--radius);
  border: 1px solid rgba(255, 255, 255, 0.1);
  overflow: hidden;
  transition: var(--transition);
}

/* Lift and orange glow on hover. */
.script-card:hover {
  border-color: var(--ubuntu);
  transform: translateY(-3px);
  box-shadow: 0 10px 30px rgba(233, 84, 32, 0.2);
}

/* Card header: file name on the left, badge on the right. */
.script-card-header {
  background: linear-gradient(135deg, var(--ubuntu), #c0392b);
  padding: 1.2rem 1.5rem;
  display: flex;
  align-items: center;
  justify-content: space-between;
}

.script-card-title {
  display: flex;
  align-items: center;
  gap: 0.8rem;
  font-weight: 600;
  font-size: 1rem;
}

.script-card-title i {
  font-size: 1.2rem;
}

.script-badge {
  background: rgba(255, 255, 255, 0.2);
  padding: 0.3rem 0.8rem;
  border-radius: 20px;
  font-size: 0.7rem;
  font-weight: 600;
}

.script-card-body {
  padding: 1.5rem;
}

.script-description {
  color: rgba(255, 255, 255, 0.8);
  font-size: 0.9rem;
  margin-bottom: 1rem;
  line-height: 1.6;
}

/* Feature checklist: icon plus label per row. */
.script-features {
  list-style: none;
  margin-bottom: 1.5rem;
}

.script-features li {
  display: flex;
  align-items: center;
  gap: 0.6rem;
  padding: 0.4rem 0;
  font-size: 0.85rem;
  color: rgba(255, 255, 255, 0.7);
}

.script-features li i {
  color: var(--success);
  font-size: 0.8rem;
}

/* Star icon marking a feature that is new in this version. */
.script-features li i.new-feature {
  color: var(--warning);
}

.script-actions {
  display: flex;
  gap: 0.8rem;
  flex-wrap: wrap;
}

/* Shared button base and its two variants. */
.btn {
  padding: 0.6rem 1.2rem;
  border-radius: 8px;
  border: none;
  cursor: pointer;
  font-weight: 600;
  font-size: 0.85rem;
  display: inline-flex;
  align-items: center;
  gap: 0.5rem;
  transition: var(--transition);
  text-decoration: none;
}

.btn-primary {
  background: var(--ubuntu);
  color: white;
}

.btn-primary:hover {
  background: #c0392b;
  transform: translateY(-2px);
}

.btn-secondary {
  background: rgba(255, 255, 255, 0.1);
  color: var(--light);
  border: 1px solid rgba(255, 255, 255, 0.2);
}

.btn-secondary:hover {
  background: rgba(255, 255, 255, 0.2);
}
/* Panel that hosts the tabbed full-script viewer. */
.full-script-section {
  background: linear-gradient(135deg, rgba(26, 26, 46, 0.95) 0%, rgba(22, 33, 62, 0.95) 100%);
  border-radius: var(--radius);
  margin-bottom: 2rem;
  border: 1px solid rgba(255, 255, 255, 0.1);
  overflow: hidden;
}

.script-section-header {
  background: rgba(0, 0, 0, 0.3);
  padding: 1rem 1.5rem;
  display: flex;
  justify-content: space-between;
  align-items: center;
  border-bottom: 1px solid rgba(255, 255, 255, 0.1);
  flex-wrap: wrap;
  gap: 1rem;
}

.script-section-title {
  display: flex;
  align-items: center;
  gap: 0.8rem;
  font-size: 1.1rem;
  font-weight: 600;
}

.script-section-title i {
  color: var(--ubuntu);
}

/* Horizontally scrollable tab strip. */
.script-tabs {
  display: flex;
  background: rgba(0, 0, 0, 0.2);
  border-bottom: 1px solid rgba(255, 255, 255, 0.1);
  overflow-x: auto;
}

.script-tab {
  padding: 0.8rem 1.5rem;
  background: none;
  border: none;
  color: rgba(255, 255, 255, 0.6);
  cursor: pointer;
  font-size: 0.85rem;
  border-bottom: 2px solid transparent;
  transition: var(--transition);
  white-space: nowrap;
  display: flex;
  align-items: center;
  gap: 0.5rem;
}

.script-tab:hover {
  color: var(--light);
  background: rgba(255, 255, 255, 0.05);
}

.script-tab.active {
  color: var(--ubuntu);
  border-bottom-color: var(--ubuntu);
  background: rgba(233, 84, 32, 0.1);
}

/* Tab panes stay hidden until they carry the .active class. */
.script-content {
  display: none;
  position: relative;
}

.script-content.active {
  display: block;
}

/* Scrollable code viewport with preserved whitespace. */
.script-code {
  background: #1e1e1e;
  padding: 1.5rem;
  max-height: 700px;
  overflow: auto;
  font-family: 'Fira Code', 'Courier New', monospace;
  font-size: 0.78rem;
  line-height: 1.6;
}

.script-code pre {
  margin: 0;
  white-space: pre;
}

/* Copy button pinned to the top-right corner of a pane. */
.copy-btn {
  position: absolute;
  top: 1rem;
  right: 1rem;
  background: var(--ubuntu);
  color: white;
  border: none;
  padding: 0.5rem 1rem;
  border-radius: 6px;
  cursor: pointer;
  font-size: 0.8rem;
  display: flex;
  align-items: center;
  gap: 0.4rem;
  transition: var(--transition);
  z-index: 10;
}

.copy-btn:hover {
  background: #c0392b;
}

.copy-btn.copied {
  background: var(--success);
}
/* Syntax highlighting: one colour per shell token class. */
.sh-comment {
  color: #6a9955;
}

.sh-string {
  color: #ce9178;
}

.sh-keyword {
  color: #569cd6;
}

.sh-function {
  color: #dcdcaa;
}

.sh-variable {
  color: #9cdcfe;
}

.sh-command {
  color: #4ec9b0;
}

.sh-flag {
  color: #c586c0;
}

.sh-number {
  color: #b5cea8;
}

.sh-operator {
  color: #d4d4d4;
}
/* Alert banner: icon on the left, heading and text on the right. */
.alert {
  padding: 1rem 1.5rem;
  border-radius: 8px;
  margin-bottom: 1.5rem;
  display: flex;
  align-items: flex-start;
  gap: 1rem;
}

/* Variants differ only in tint and icon colour. */
.alert-warning {
  background: rgba(255, 193, 7, 0.15);
  border: 1px solid rgba(255, 193, 7, 0.4);
}

.alert-warning i {
  color: var(--warning);
  font-size: 1.3rem;
}

.alert-info {
  background: rgba(23, 162, 184, 0.15);
  border: 1px solid rgba(23, 162, 184, 0.4);
}

.alert-info i {
  color: var(--info);
  font-size: 1.3rem;
}

.alert-success {
  background: rgba(0, 217, 160, 0.15);
  border: 1px solid rgba(0, 217, 160, 0.4);
}

.alert-success i {
  color: var(--success);
  font-size: 1.3rem;
}

.alert-content h4 {
  margin-bottom: 0.3rem;
  color: var(--light);
}

.alert-content p {
  font-size: 0.9rem;
  color: rgba(255, 255, 255, 0.8);
}

/* "Critical fixes" list inside the introduction panel. */
.fixes-list {
  background: rgba(0, 0, 0, 0.3);
  border-radius: 8px;
  padding: 1.5rem;
  margin-top: 1.5rem;
}

.fixes-list h3 {
  color: var(--success);
  margin-bottom: 1rem;
  display: flex;
  align-items: center;
  gap: 0.5rem;
}

/* One row per fix, separated by a hairline except after the last. */
.fix-item {
  display: flex;
  align-items: flex-start;
  gap: 1rem;
  padding: 0.8rem 0;
  border-bottom: 1px solid rgba(255, 255, 255, 0.1);
}

.fix-item:last-child {
  border-bottom: none;
}

.fix-icon {
  width: 30px;
  height: 30px;
  background: var(--success);
  border-radius: 50%;
  display: flex;
  align-items: center;
  justify-content: center;
  flex-shrink: 0;
}

.fix-icon i {
  color: white;
  font-size: 0.8rem;
}

.fix-content h4 {
  font-size: 0.95rem;
  color: var(--light);
  margin-bottom: 0.3rem;
}

.fix-content p {
  font-size: 0.85rem;
  color: rgba(255, 255, 255, 0.7);
}
/* Page footer. */
footer {
  background: rgba(0, 0, 0, 0.5);
  padding: 2rem;
  text-align: center;
  border-top: 1px solid rgba(255, 255, 255, 0.1);
}

.footer-text {
  color: rgba(255, 255, 255, 0.6);
  font-size: 0.9rem;
}

.footer-text a {
  color: var(--ubuntu);
  text-decoration: none;
}

.footer-text a:hover {
  text-decoration: underline;
}

/* Narrow screens: stack the header, use single-column grids, shrink code. */
@media (max-width: 768px) {
  .header-content {
    flex-direction: column;
    text-align: center;
  }

  .scripts-grid {
    grid-template-columns: 1fr;
  }

  .security-phases {
    grid-template-columns: 1fr;
  }

  .script-code {
    font-size: 0.7rem;
  }

  .script-tabs {
    flex-wrap: nowrap;
  }
}
</style>
</head>
<body>
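<header>
  <div class="header-content">
    <!-- Logo link: the "#" target scrolls back to the top of the page. -->
    <a href="#" class="logo">
      <div class="logo-icon">
        <i class="fab fa-ubuntu" aria-hidden="true"></i>
      </div>
      <div class="logo-text">
        <h1>Gemma 3 Hardened Container <span class="version-badge">v2.1</span></h1>
        <span>Ubuntu Shell Scripts - Production Ready with Full Security Pipeline</span>
      </div>
    </a>
    <div class="built-with">
      <!-- rel="noopener noreferrer": the new tab gets no window.opener handle back to this page and no Referer header. -->
      Built with <a href="https://huggingface.co/spaces/akhaliq/anycoder" target="_blank" rel="noopener noreferrer">anycoder</a>
    </div>
  </div>
</header>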
<main>
<!-- Introduction -->
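<!--
  Introduction panel: title, the four v2.1 fixes, and the quick-start commands.
  The text inside <pre> is whitespace-sensitive, so those lines stay unindented.
-->
<section class="intro-section">
  <div class="intro-header">
    <div class="intro-icon">
      <i class="fas fa-terminal" aria-hidden="true"></i>
    </div>
    <div>
      <h2 class="intro-title">Ubuntu Shell Scripts for Hardened LLM Container</h2>
      <p class="intro-subtitle">Complete deployment scripts with all critical fixes + Build, Deploy &amp; Runtime security phases</p>
    </div>
  </div>
  <div class="fixes-list">
    <h3><i class="fas fa-wrench" aria-hidden="true"></i> Critical Fixes Applied in v2.1</h3>
    <div class="fix-item">
      <div class="fix-icon"><i class="fas fa-check" aria-hidden="true"></i></div>
      <div class="fix-content">
        <h4>FIX #1: exec for Signal Handling</h4>
        <p>Using <code>exec /usr/local/bin/llama-server</code> ensures the LLM server replaces the shell process (PID 1), receiving Docker's SIGTERM directly for proper graceful shutdown. As PID 1 the server only sees signals it installs a handler for, so this relies on llama-server handling SIGTERM itself; otherwise Docker falls back to SIGKILL when the stop timeout expires.</p>
      </div>
    </div>
    <div class="fix-item">
      <div class="fix-icon"><i class="fas fa-check" aria-hidden="true"></i></div>
      <div class="fix-content">
        <h4>FIX #2: Build Phase - Vulnerability Scanning</h4>
        <p>Integrated Trivy scanner in CI/CD pipeline to scan container image layers for CVEs before pushing to registry.</p>
      </div>
    </div>
    <div class="fix-item">
      <div class="fix-icon"><i class="fas fa-check" aria-hidden="true"></i></div>
      <div class="fix-content">
        <h4>FIX #3: Deploy Phase - Policy Enforcement</h4>
        <p>Kyverno policies for Kubernetes admission control - enforcing non-root, resource limits, and network isolation.</p>
      </div>
    </div>
    <div class="fix-item">
      <div class="fix-icon"><i class="fas fa-check" aria-hidden="true"></i></div>
      <div class="fix-content">
        <h4>FIX #4: Runtime Phase - Active Protection</h4>
        <p>Falco rules for real-time syscall monitoring and anomaly detection with automatic threat response. Falco itself only detects and alerts; the automatic response depends on a separate component that acts on those alerts.</p>
      </div>
    </div>
  </div>
  <div class="quick-start">
    <h3><i class="fas fa-rocket" aria-hidden="true"></i> Quick Start</h3>
    <div class="quick-start-code">
<pre><span class="comment"># 1. Download and make executable</span>
<span class="command">chmod +x</span> gemma3-*.sh
<span class="comment"># 2. Review, then run the setup script (requires sudo, so it runs as root)</span>
<span class="command">sudo ./gemma3-setup.sh</span>
<span class="comment"># 3. Build with vulnerability scanning</span>
<span class="command">./gemma3-build-scan.sh</span>
<span class="comment"># 4. Deploy with policy enforcement (Kubernetes)</span>
<span class="command">kubectl apply -f</span> kyverno-policies.yaml
<span class="command">kubectl apply -f</span> gemma3-deployment.yaml
<span class="comment"># 5. Enable runtime protection</span>
<span class="command">./gemma3-runtime-protect.sh</span>
<span class="comment"># 6. Verify security posture</span>
<span class="command">./gemma3-verify.sh</span></pre>
    </div>
  </div>
</section>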
<!-- Security Phases -->
<!-- Heading for the three phase cards; the flex layout puts the shield icon beside the text. -->
<h2
  style="color: var(--light); margin-bottom: 1.5rem; display: flex; align-items: center; gap: 0.8rem;">
  <i
    class="fas fa-shield-alt"
    style="color: var(--success);"></i>
  Three-Phase Security Architecture
</h2>
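<!-- One card per phase: build (scan), deploy (admission policy), runtime (monitoring). -->
<div class="security-phases">
  <div class="phase-card">
    <div class="phase-card-header build">
      <div class="phase-icon">
        <i class="fas fa-hammer" aria-hidden="true"></i>
      </div>
      <div class="phase-title">
        <h3>Build Phase</h3>
        <span>Vulnerability Scanning</span>
      </div>
    </div>
    <div class="phase-card-body">
      <p class="phase-description">
        Integrated into CI/CD, tools scan container image layers for known CVEs. This prevents vulnerable code from reaching the registry.
      </p>
      <div class="phase-tools">
        <span class="tool-badge"><i class="fas fa-search" aria-hidden="true"></i> Trivy</span>
        <span class="tool-badge"><i class="fas fa-shield-virus" aria-hidden="true"></i> Clair</span>
        <span class="tool-badge"><i class="fas fa-bug" aria-hidden="true"></i> Grype</span>
        <span class="tool-badge"><i class="fab fa-docker" aria-hidden="true"></i> Docker Scout</span>
      </div>
    </div>
  </div>
  <div class="phase-card">
    <div class="phase-card-header deploy">
      <div class="phase-icon">
        <i class="fas fa-gavel" aria-hidden="true"></i>
      </div>
      <div class="phase-title">
        <h3>Deploy Phase</h3>
        <span>Policy Enforcement</span>
      </div>
    </div>
    <div class="phase-card-body">
      <!-- NOTE(review): admission policies reject pods only in their enforce mode; in audit or warn mode a violation is just reported. -->
      <p class="phase-description">
        Kubernetes Admission Controllers check manifests against security policies before pods start (non-root, resource limits, network isolation).
      </p>
      <div class="phase-tools">
        <span class="tool-badge"><i class="fas fa-clipboard-check" aria-hidden="true"></i> Kyverno</span>
        <span class="tool-badge"><i class="fas fa-balance-scale" aria-hidden="true"></i> OPA Gatekeeper</span>
        <span class="tool-badge"><i class="fas fa-lock" aria-hidden="true"></i> Pod Security</span>
      </div>
    </div>
  </div>
  <div class="phase-card">
    <div class="phase-card-header runtime">
      <div class="phase-icon">
        <i class="fas fa-eye" aria-hidden="true"></i>
      </div>
      <div class="phase-title">
        <h3>Runtime Phase</h3>
        <span>Active Protection</span>
      </div>
    </div>
    <div class="phase-card-body">
      <p class="phase-description">
        Real-time monitoring of syscalls, file access, and network activity. Detects and blocks anomalous behavior based on behavioral profiles. A detection engine such as Falco only raises alerts, so blocking requires an enforcement layer that acts on them.
      </p>
      <div class="phase-tools">
        <span class="tool-badge"><i class="fas fa-crow" aria-hidden="true"></i> Falco</span>
        <span class="tool-badge"><i class="fas fa-spider" aria-hidden="true"></i> Sysdig</span>
        <span class="tool-badge"><i class="fas fa-network-wired" aria-hidden="true"></i> Cilium</span>
      </div>
    </div>
  </div>
</div>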
<!-- Alerts -->
<!-- Success banner: the entrypoint now hands PID 1 to llama-server via exec. -->
<div class="alert alert-success">
  <i class="fas fa-check-circle"></i>
  <div class="alert-content">
    <h4>Signal Handling Fixed</h4>
    <p>The entrypoint now uses <code>exec</code> to replace the shell with llama-server, ensuring proper SIGTERM delivery for graceful shutdown of GPU resources.</p>
  </div>
</div>
<!-- Warning banner: host and cluster prerequisites for the scripts. -->
<div class="alert alert-warning">
  <i class="fas fa-exclamation-triangle"></i>
  <div class="alert-content">
    <h4>Prerequisites Required</h4>
    <p>These scripts require Ubuntu 20.04+, Docker 20.10+, and sudo privileges. For Kubernetes features: kubectl, helm, and cluster admin access.</p>
  </div>
</div>
<!-- Script Cards -->
<div class="scripts-grid">
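<!--
  Card for gemma3-setup.sh.
  NOTE(review): the inline onclick handlers call scrollToScript/downloadScript,
  which are defined outside this excerpt. Inline handlers cannot run under a
  strict Content-Security-Policy without 'unsafe-inline'; binding them with
  addEventListener in the page script would remove that requirement.
-->
<div class="script-card">
  <div class="script-card-header">
    <div class="script-card-title">
      <i class="fas fa-cogs" aria-hidden="true"></i>
      gemma3-setup.sh
    </div>
    <span class="script-badge">Main Setup</span>
  </div>
  <div class="script-card-body">
    <p class="script-description">
      Complete system setup script that configures the host, builds the Docker image, and applies all security hardening.
    </p>
    <ul class="script-features">
      <li><i class="fas fa-check" aria-hidden="true"></i> Installs Docker and dependencies</li>
      <li><i class="fas fa-check" aria-hidden="true"></i> Creates non-root user (UID 1000)</li>
      <li><i class="fas fa-check" aria-hidden="true"></i> Generates Dockerfile with security</li>
      <li><i class="fas fa-check" aria-hidden="true"></i> Configures seccomp and AppArmor</li>
      <li><i class="fas fa-check" aria-hidden="true"></i> Sets up proper logging to stdout</li>
    </ul>
    <div class="script-actions">
      <!-- type="button" keeps these from acting as submit buttons if the card is ever placed inside a form. -->
      <button type="button" class="btn btn-primary" onclick="scrollToScript('setup')">
        <i class="fas fa-eye" aria-hidden="true"></i> View Script
      </button>
      <button type="button" class="btn btn-secondary" onclick="downloadScript('setup')">
        <i class="fas fa-download" aria-hidden="true"></i> Download
      </button>
    </div>
  </div>
</div>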
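<!--
  Card for gemma3-entrypoint.sh.
  NOTE(review): "Graceful SIGTERM handling" depends on the exec'd server
  installing its own SIGTERM handler, because a process running as PID 1 gets
  no default signal actions. The script body is outside this excerpt.
-->
<div class="script-card">
  <div class="script-card-header">
    <div class="script-card-title">
      <i class="fas fa-play-circle" aria-hidden="true"></i>
      gemma3-entrypoint.sh
    </div>
    <span class="script-badge">Container Entry</span>
  </div>
  <div class="script-card-body">
    <p class="script-description">
      Container entrypoint with exec-based process replacement for proper signal handling and graceful shutdown.
    </p>
    <ul class="script-features">
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> <strong>exec</strong> for PID 1 signal handling</li>
      <li><i class="fas fa-check" aria-hidden="true"></i> Hardware RNG verification</li>
      <li><i class="fas fa-check" aria-hidden="true"></i> Entropy pool monitoring</li>
      <li><i class="fas fa-check" aria-hidden="true"></i> Stdout/stderr logging only</li>
      <li><i class="fas fa-check" aria-hidden="true"></i> Graceful SIGTERM handling</li>
    </ul>
    <div class="script-actions">
      <button type="button" class="btn btn-primary" onclick="scrollToScript('entrypoint')">
        <i class="fas fa-eye" aria-hidden="true"></i> View Script
      </button>
      <button type="button" class="btn btn-secondary" onclick="downloadScript('entrypoint')">
        <i class="fas fa-download" aria-hidden="true"></i> Download
      </button>
    </div>
  </div>
</div>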
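<!--
  Card for gemma3-build-scan.sh (build phase, blue header).
  NOTE(review): a registry push gate only holds if the scan step fails the CI
  job when findings reach the severity threshold; confirm the script sets a
  non-zero exit code for that case. The script body is outside this excerpt.
-->
<div class="script-card">
  <div class="script-card-header" style="background: linear-gradient(135deg, #3498db, #2980b9);">
    <div class="script-card-title">
      <i class="fas fa-search" aria-hidden="true"></i>
      gemma3-build-scan.sh
    </div>
    <span class="script-badge">NEW: Build Phase</span>
  </div>
  <div class="script-card-body">
    <p class="script-description">
      CI/CD integration script for vulnerability scanning with Trivy before pushing images to registry.
    </p>
    <ul class="script-features">
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> Trivy vulnerability scanner</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> CVE severity thresholds</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> SBOM generation</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> Registry push gates</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> JSON/SARIF reports</li>
    </ul>
    <div class="script-actions">
      <button type="button" class="btn btn-primary" onclick="scrollToScript('build')">
        <i class="fas fa-eye" aria-hidden="true"></i> View Script
      </button>
      <button type="button" class="btn btn-secondary" onclick="downloadScript('build')">
        <i class="fas fa-download" aria-hidden="true"></i> Download
      </button>
    </div>
  </div>
</div>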
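<!--
  Card for kyverno-policies.yaml (deploy phase, purple header).
  NOTE(review): Kyverno validate rules block a deployment only when their
  failure action is Enforce; in Audit mode violations are reported and the pod
  is still admitted. The policy file is outside this excerpt, so confirm which
  mode it uses.
-->
<div class="script-card">
  <div class="script-card-header" style="background: linear-gradient(135deg, #9b59b6, #8e44ad);">
    <div class="script-card-title">
      <i class="fas fa-gavel" aria-hidden="true"></i>
      kyverno-policies.yaml
    </div>
    <span class="script-badge">NEW: Deploy Phase</span>
  </div>
  <div class="script-card-body">
    <p class="script-description">
      Kubernetes admission controller policies for enforcing security requirements at deployment time.
    </p>
    <ul class="script-features">
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> Non-root enforcement</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> Resource limits required</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> Read-only root filesystem</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> Host namespace blocking</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> Privileged container denial</li>
    </ul>
    <div class="script-actions">
      <button type="button" class="btn btn-primary" onclick="scrollToScript('kyverno')">
        <i class="fas fa-eye" aria-hidden="true"></i> View Policy
      </button>
      <button type="button" class="btn btn-secondary" onclick="downloadScript('kyverno')">
        <i class="fas fa-download" aria-hidden="true"></i> Download
      </button>
    </div>
  </div>
</div>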
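<!--
  Card for gemma3-runtime-protect.sh (runtime phase, red header).
  NOTE(review): Falco evaluates rules and emits alerts; it does not stop a
  process or container by itself. "Automatic threat response" therefore
  depends on whatever the script wires to those alerts, which is outside this
  excerpt.
-->
<div class="script-card">
  <div class="script-card-header" style="background: linear-gradient(135deg, #e74c3c, #c0392b);">
    <div class="script-card-title">
      <i class="fas fa-crow" aria-hidden="true"></i>
      gemma3-runtime-protect.sh
    </div>
    <span class="script-badge">NEW: Runtime Phase</span>
  </div>
  <div class="script-card-body">
    <p class="script-description">
      Falco-based runtime security with custom rules for LLM container behavioral monitoring.
    </p>
    <ul class="script-features">
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> Syscall monitoring</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> File access detection</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> Network anomaly alerts</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> Shell spawn detection</li>
      <li><i class="fas fa-star new-feature" aria-hidden="true"></i> Automatic threat response</li>
    </ul>
    <div class="script-actions">
      <button type="button" class="btn btn-primary" onclick="scrollToScript('runtime')">
        <i class="fas fa-eye" aria-hidden="true"></i> View Script
      </button>
      <button type="button" class="btn btn-secondary" onclick="downloadScript('runtime')">
        <i class="fas fa-download" aria-hidden="true"></i> Download
      </button>
    </div>
  </div>
</div>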
<div class="script-card">
<div class="script-card-header">
<div class="script-card-title">
<i class="fas fa-shield-alt"></i>
gemma3-verify.sh
</div>
<span class="script-badge">Security Audit</span>
</div>
<div class="script-card-body">
<p class="script-description">
Comprehensive verification script that audits all three security phases and generates a compliance report.
</p>
<ul class="script-features">
<li><i class="fas fa-check"></i> Filesystem permissions check</li>
<li><i class="fas fa-check"></i> Capability verification</li>
<li><i class="fas fa-check"></i> Seccomp profile validation</li>
<li><i