This repository contains a deliberately vulnerable application created specifically for testing container security scanning tools like Trivy.
THIS APPLICATION CONTAINS INTENTIONAL SECURITY VULNERABILITIES
- Do NOT deploy in production environments
- Do NOT expose to the internet
- Use only in isolated test environments
- Do NOT use as a base for real applications
This application intentionally includes:
- Outdated Node.js packages with known CVEs
- Vulnerable versions of Express, Lodash, Moment, Axios, JWT, and Mongoose
- Outdated Node.js Docker base image with OS-level vulnerabilities
- Template injection vulnerabilities
- Weak authentication mechanisms
- Server-Side Request Forgery (SSRF)
- Missing input validation
Since this is a test application with intentional vulnerabilities:
- Security vulnerabilities are expected and intentional
- Report only if you find issues with the testing infrastructure or documentation
- Open an issue for build problems or workflow failures
When using this application for security testing:
- Network Isolation: Run in isolated networks only
- Container Isolation: Use appropriate container isolation
- Access Control: Restrict access to test environments only
- Monitoring: Monitor for any unintended network activity
- Cleanup: Remove containers and images after testing
| Version | Supported | Purpose |
|---|---|---|
| Latest | ✅ Testing Only | Security scanner testing |
| All | ❌ NOT for Production | Educational/Testing only |
This project is licensed under the MIT License; see the LICENSE file for details.
The MIT license applies to the code structure and documentation, but remember that this code should never be used in production environments due to intentional security vulnerabilities.