@karlllewis karlllewis commented Aug 11, 2025

🚫 Purposefully Failing PR – Guardrails Demo

Goal: Demonstrate CNCISO’s secure-by-default-starter guardrails in action.
This PR intentionally includes insecure files that violate our security posture.


❌ What’s in this PR

  • examples/bad_secret.txt → Harmless fake token string to trigger Gitleaks locally.
  • examples/Dockerfile.bad → Unpinned base image (:latest) and runs as root.
  • examples/pod-insecure.yaml → privileged: true, allowPrivilegeEscalation: true, root user.

🔍 Expected Behavior

  • Pre-commit hooks: Block commits containing secrets on developer machines.
  • CI (security workflow):
    • Run Trivy (vuln + config) and upload SARIF to Code scanning alerts.
    • Generate and publish SBOM (sbom-spdx artifact).
    • Fail the job on HIGH/CRITICAL findings (by design).

🧪 How to Reproduce Locally

```bash
# secrets guardrail
echo "ghp_FAKE_TOKEN_1234567890ABCDEF" > examples/bad_secret.txt
git add examples/bad_secret.txt
git commit -m "test: add fake token (should fail)"   # should be blocked by Gitleaks
```

📚 Next Steps
We'll open a follow-up passing PR that:

  • Pins base images and runs as non-root
  • Removes insecure settings from k8s manifests
  • Keeps SBOM publishing and passes the security workflow

This PR is a teaching tool and will remain unmerged to preserve the failing example.
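The container and pod guardrails this PR exercises, as an added example that is not code from the PR or from the secure-by-default-starter repository: a small POSIX shell script that writes constructed insecure and hardened versions of the two file types (Dockerfile and pod manifest) and runs a grep-based check over each, flagging an unpinned or `:latest` base image, a root user, `privileged: true`, and `allowPrivilegeEscalation` not set to `false`. The file contents, the function names and the `sha256` digest in the hardened Dockerfile are assumptions made for the demo (the digest is a placeholder); the repository's real guardrails are Gitleaks and Trivy, which this script does not replace.

```shell
#!/bin/sh
# Added example (not code from the PR or the secure-by-default-starter repo):
# a grep-based local guardrail for the misconfigurations this PR demonstrates.
# The Dockerfiles and manifests it writes are constructed for the demo; the
# digest in Dockerfile.good is a placeholder, not a real image digest.

# Write an insecure and a hardened version of each file type into $1.
write_demo_files() {
  dir=$1
  mkdir -p "$dir"
  # Insecure: floating :latest tag, no USER instruction (runs as root).
  cat > "$dir/Dockerfile.bad" <<'EOF'
FROM python:latest
COPY app.py /app/app.py
CMD ["python", "/app/app.py"]
EOF
  # Hardened: base image pinned by tag and (placeholder) digest, numeric non-root UID.
  cat > "$dir/Dockerfile.good" <<'EOF'
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY app.py /app/app.py
USER 10001
CMD ["python", "/app/app.py"]
EOF
  # Insecure pod: privileged, privilege escalation allowed, explicit root UID.
  cat > "$dir/pod-insecure.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: demo-insecure}
spec:
  containers:
    - name: app
      image: python:latest
      securityContext:
        privileged: true
        allowPrivilegeEscalation: true
        runAsUser: 0
EOF
  # Hardened pod: non-root enforced, privileged mode and escalation disabled.
  cat > "$dir/pod-hardened.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: demo-hardened}
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
  containers:
    - name: app
      image: python:3.12-slim
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
EOF
}

# Print the number of findings for a Dockerfile on stdout (0 = passes);
# each finding is described on stderr.
check_dockerfile() {
  f=$1; n=0
  if grep -Eq '^FROM[[:space:]]+[^[:space:]:@]+([[:space:]]|$)' "$f" \
     || grep -Eq '^FROM[[:space:]]+[^[:space:]]*:latest([[:space:]]|$)' "$f"; then
    echo "$f: base image is untagged or :latest; pin a tag or digest" >&2; n=$((n+1))
  fi
  if ! grep -Eq '^USER[[:space:]]+' "$f" \
     || grep -Eq '^USER[[:space:]]+(root|0)([[:space:]]|$)' "$f"; then
    echo "$f: container runs as root; add a non-root USER" >&2; n=$((n+1))
  fi
  echo "$n"
}

# Same contract for a pod manifest: privileged, allowPrivilegeEscalation not
# explicitly false, and running as root each count as one finding.
check_pod() {
  f=$1; n=0
  if grep -Eq '^[[:space:]]*privileged:[[:space:]]*true' "$f"; then
    echo "$f: privileged: true" >&2; n=$((n+1))
  fi
  if ! grep -Eq '^[[:space:]]*allowPrivilegeEscalation:[[:space:]]*false' "$f"; then
    echo "$f: allowPrivilegeEscalation is not set to false" >&2; n=$((n+1))
  fi
  if grep -Eq '^[[:space:]]*runAsUser:[[:space:]]*0([[:space:]]|$)' "$f" \
     || ! grep -Eq '^[[:space:]]*runAsNonRoot:[[:space:]]*true' "$f"; then
    echo "$f: runs as root (runAsUser: 0 or no runAsNonRoot: true)" >&2; n=$((n+1))
  fi
  echo "$n"
}

# Demo run: write the four files to a scratch dir and report PASS/FAIL for each.
demo_dir=$(mktemp -d)
write_demo_files "$demo_dir"
for f in Dockerfile.bad Dockerfile.good; do
  [ "$(check_dockerfile "$demo_dir/$f")" -eq 0 ] && echo "PASS $f" || echo "FAIL $f"
done
for f in pod-insecure.yaml pod-hardened.yaml; do
  [ "$(check_pod "$demo_dir/$f")" -eq 0 ] && echo "PASS $f" || echo "FAIL $f"
done
rm -rf "$demo_dir"
```

The checks are line-oriented heuristics (they do not parse YAML or multi-stage Dockerfiles), which is enough for a pre-commit hook that fails fast on the obvious mistakes; the CI Trivy config scan remains the authoritative check. Wiring it in is a matter of calling `check_dockerfile` and `check_pod` on the staged files and exiting non-zero when either count is above 0.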


@github-advanced-security github-advanced-security bot left a comment


Trivy found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@karlllewis karlllewis changed the title test: add intentionally insecure examples (Dockerfile + k8s) DEMO (do not merge): intentionally insecure examples Aug 11, 2025
@karlllewis karlllewis marked this pull request as draft August 11, 2025 06:30
