Test
This is a deliberately vulnerable Node.js application designed for testing container vulnerability scanning tools like Trivy.
- Express 4.16.4 - Contains known security vulnerabilities
- Lodash 4.17.4 - Vulnerable to prototype pollution and template injection
- Moment 2.19.3 - Contains regular expression DoS vulnerabilities
- Axios 0.18.0 - Has known security issues
- JSONWebToken 8.3.0 - Vulnerable to various JWT-related attacks
- Mongoose 5.0.0 - Contains security vulnerabilities
- Uses Node.js 14.15.0 base image which contains known OS-level vulnerabilities
- Template Injection - `/template` endpoint vulnerable to lodash template injection
- Weak JWT Secret - Uses predictable JWT signing secret
- SSRF - `/fetch` endpoint allows arbitrary URL fetching without validation
- No Input Validation - Various endpoints lack proper input sanitization
```bash
# Build and run the image
docker build -t vulnerable-app:latest .
docker run -p 3000:3000 vulnerable-app:latest

# Scan the built image
trivy image vulnerable-app:latest

# Scan for high and critical vulnerabilities only
trivy image --severity HIGH,CRITICAL vulnerable-app:latest

# Generate JSON report
trivy image --format json --output results.json vulnerable-app:latest
```

- `GET /` - Welcome message
- `GET /health` - Health check
- `POST /template` - Vulnerable template rendering
- `POST /jwt` - JWT token generation with weak secret
- `POST /fetch` - External URL fetching (SSRF vulnerable)
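The JSON report produced by the last command above is what a CI gate such as the `pr-security-check.yml` workflow consumes when it counts findings by severity. The script below is an added example, not code from this repository: it walks Trivy's schema-v2 JSON (`Results[].Vulnerabilities[]`), tallies each severity, lists findings with no `FixedVersion`, and applies a HIGH/CRITICAL budget. The embedded report is a constructed sample whose vulnerability IDs are placeholders, not real CVEs.

```javascript
const SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"];

// Walk every Results[].Vulnerabilities[] entry of a Trivy (SchemaVersion 2) JSON report.
// Targets with no findings omit the Vulnerabilities key, so default it to an empty list.
function summarizeTrivyReport(report) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  const unfixed = [];
  for (const result of report.Results || []) {
    for (const v of result.Vulnerabilities || []) {
      const sev = SEVERITIES.includes(v.Severity) ? v.Severity : "UNKNOWN";
      counts[sev] += 1;
      // No FixedVersion means a dependency bump alone cannot resolve the finding.
      if (!v.FixedVersion) unfixed.push(`${v.PkgName}@${v.InstalledVersion} (${v.VulnerabilityID})`);
    }
  }
  return { counts, unfixed };
}

// Parse the raw text of results.json (as written by trivy --format json) and summarize it.
function summarizeTrivyJson(text) {
  return summarizeTrivyReport(JSON.parse(text));
}

// CI gate: pass only when HIGH + CRITICAL findings stay within the given budget.
function passesGate(summary, maxHighOrCritical = 0) {
  return summary.counts.CRITICAL + summary.counts.HIGH <= maxHighOrCritical;
}

// Constructed sample in Trivy's JSON shape. The IDs are placeholders, not real CVEs;
// package versions match this app's pinned dependencies.
const SAMPLE_REPORT_JSON = JSON.stringify({
  SchemaVersion: 2,
  Results: [
    { Target: "vulnerable-app:latest (debian 10)", Class: "os-pkgs" }, // clean target, no Vulnerabilities key
    {
      Target: "package-lock.json",
      Vulnerabilities: [
        { VulnerabilityID: "CVE-EXAMPLE-0001", PkgName: "lodash", InstalledVersion: "4.17.4", FixedVersion: "4.17.21", Severity: "HIGH" },
        { VulnerabilityID: "CVE-EXAMPLE-0002", PkgName: "lodash", InstalledVersion: "4.17.4", FixedVersion: "4.17.12", Severity: "CRITICAL" },
        { VulnerabilityID: "CVE-EXAMPLE-0003", PkgName: "moment", InstalledVersion: "2.19.3", FixedVersion: "", Severity: "MEDIUM" },
        { VulnerabilityID: "CVE-EXAMPLE-0004", PkgName: "express", InstalledVersion: "4.16.4", Severity: "UNKNOWN" },
      ],
    },
  ],
});

console.log(JSON.stringify(summarizeTrivyJson(SAMPLE_REPORT_JSON)));
```

To use it on a real scan, read `results.json` into a string and pass it to `summarizeTrivyJson`, then exit non-zero when `passesGate` returns false.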
This repository includes several GitHub Actions workflows for automated building and security scanning; only `defender-cli-scan.yml` runs automatically.
- `security-scan.yml` - Main security scanning workflow [DISABLED]
  - Manual trigger only (workflow_dispatch)
  - Builds Docker image with caching
  - Runs comprehensive Trivy scans (SARIF, JSON, table formats)
  - Uploads results to GitHub Security tab
  - Includes container security, config, filesystem, and secret scans
- `pr-security-check.yml` - Pull request security validation [DISABLED]
  - Manual trigger only (workflow_dispatch)
  - Provides detailed vulnerability summary in PR comments
  - Counts vulnerabilities by severity level
  - Uploads scan artifacts for review
- `reusable-build.yml` - Reusable Docker build workflow
  - Used by other workflows to eliminate duplicate builds
  - Configurable image tagging and optional container testing
  - Efficient Docker layer caching
  - Outputs built image name for downstream jobs
- `build.yml` - Container build and basic testing [DISABLED]
  - Manual trigger only (workflow_dispatch)
  - Uses reusable build workflow with container testing enabled
  - Health check validation
- `msdo-scan.yml` - Microsoft Security DevOps scanning [DISABLED]
  - Manual trigger only (workflow_dispatch)
  - Builds Docker image and runs Microsoft Security DevOps Action
  - Integrates with Microsoft security tooling
- `quick-trivy-scan.yml` - Quick vulnerability assessment [DISABLED]
  - Manual trigger only (workflow_dispatch)
  - Builds Docker image and runs focused Trivy scan
  - Fast feedback for development iterations
- `defender-cli-scan.yml` - Microsoft Defender CLI scanning [ACTIVE]
  - Triggers on push/PR to main branches or manual dispatch
  - Builds Docker image and runs auto-detecting CLI download
  - Requires secret credentials configuration for full functionality

- SARIF Upload: Results appear in GitHub's Security tab
- PR Comments: Automatic vulnerability summaries on pull requests
- Artifacts: Detailed scan results stored for 30 days
- Scheduled Scans: Weekly security checks to catch new vulnerabilities
Currently Active Workflows:
- Only `defender-cli-scan.yml` runs automatically on main branch pushes and PRs

Disabled Workflows:
- All other workflows are set to manual trigger only (`workflow_dispatch`); to run one:
  - Go to the Actions tab in your GitHub repository
  - Select the workflow you want to run
  - Click "Run workflow"

To Re-enable Disabled Workflows:
- Edit the workflow file (e.g., `.github/workflows/security-scan.yml`)
- Uncomment the `on:` section with push/pull_request triggers
- Comment out or remove the manual-only `on: workflow_dispatch:` section
- Commit and push the changes
Use only for security testing and educational purposes in isolated environments.