Verified or Not? Ep. 2 — Snyk's Own Test App Scanned With 9 Engines
Episode 2 of the series 'Verified or Not' focuses on testing Snyk's nodejs-goof application using nine different scanning engines. The scan resulted in 213 findings, including 33 critical and 91 high severity issues, but all findings were marked intentional due to the app's purpose as a deliberately vulnerable demo. The episode highlights the importance of context in vulnerability scanning, as Debuggix recognized the known vulnerabilities of the test repository.
- The scan used nine engines, including Semgrep, Bandit, and Trivy.
- A total of 213 findings were reported, 33 classified as critical and 91 as high severity.
- Debuggix recognized that the app is a known deliberately vulnerable test repository, so zero findings were flagged as needing attention.
Opening excerpt (first ~120 words)
Lucky, posted on May 21

Verified or Not? Ep. 2 — Snyk's Own Test App Scanned With 9 Engines

#verifiedornot #debuggix #cybersecurity #snyk

Episode 2 of Verified or Not — testing Debuggix against known repositories. Last week: OWASP Juice Shop — 0 issues. This week: Snyk's nodejs-goof — the deliberately vulnerable app Snyk uses to demo their own scanner.

🔍 THE SCAN
• 9 engines: Semgrep, Bandit, Gitleaks, TruffleHog, Trivy, ESLint, Hadolint, Checkov, OSV-Scanner
• 213 findings.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).