Skip to content

DEMO (do not merge): intentionally insecure examples#1

Draft
karlllewis wants to merge 5 commits intomainfrom
test/bad-examples
Draft

DEMO (do not merge): intentionally insecure examples#1
karlllewis wants to merge 5 commits intomainfrom
test/bad-examples

Conversation

@karlllewis
Copy link
Copy Markdown
Collaborator

@karlllewis karlllewis commented Aug 11, 2025
edited
Loading

🚫 Purposefully Failing PR – Guardrails Demo

Goal: Demonstrate CNCISO’s secure-by-default-starter guardrails in action.
This PR intentionally includes insecure files that violate our security posture.

❌ What’s in this PR

  • examples/bad_secret.txt → Harmless fake token string to trigger Gitleaks locally.
  • examples/Dockerfile.bad → Unpinned base image (:latest) and runs as root.
  • examples/pod-insecure.yamlprivileged: true, allowPrivilegeEscalation: true, root user.

🔍 Expected Behavior

  • Pre-commit hooks: Block commits containing secrets on developer machines.
  • CI (security workflow):
    • Run Trivy (vuln + config) and upload SARIF to Code scanning alerts.
    • Generate and publish SBOM (sbom-spdx artifact).
    • Fail the job on HIGH/CRITICAL findings (by design).

🧪 How to Reproduce Locally

# secrets guardrail
echo "ghp_FAKE_TOKEN_1234567890ABCDEF" > examples/bad_secret.txt
git add examples/bad_secret.txt
git commit -m "test: add fake token (should fail)"   # should be blocked by Gitleaks

###📚 Next Steps
We'll open a follow-up passing PR that:

  • Pins base images and runs as non-root
  • Removes insecure settings from k8s manifests
  • Keeps SBOM publishing and passes the security workflow

This PR is a teaching tool and will remain unmerged to preserve the failing example

github-advanced-security[bot]
github-advanced-security AI found potential problems Aug 11, 2025
View reviewed changes
Copy link
Copy Markdown

@github-advanced-security github-advanced-security AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trivy found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@karlllewis karlllewis changed the title test: add intentionally insecure examples (Dockerfile + k8s) DEMO (do not merge): intentionally insecure examples Aug 11, 2025
@karlllewis karlllewis marked this pull request as draft August 11, 2025 06:30
@karlllewis
Copy link
Copy Markdown
Collaborator Author

karlllewis commented Aug 11, 2025

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@karlllewis @github-advanced-security