The Continuous Agentic Pentesting Platform

Built for security engineers who want signal, not noise.

Built by the team behind . ...

Dashboard

Security posture overview (window selectable: 7d, 30d, 90d; filterable by severity). Counters shown on this instance:

Critical: 0
High: 0
Medium: 0
Low: 0
SLA Breaches: 0
Avg MTTR: 0.0d

Charts: Risk Over Time (open findings by severity, per date), New vs Resolved (findings per date), SLA Compliance (compliant vs breached findings per date).

Findings

Canonical security findings across your organization

ID | Title | Repository | Severity | Source | Status | Resolution | First Seen | Last Seen
KG-F31AHE | Authentication Bypass in N/A (server middleware registr...) | local-dev-kg/juice-shop | medium | SCA | Open | - | about 18 hours ago | about 18 hours ago
KG-148889 | Data Insertion Failure in N/A (finds auto-generated) | local-dev-kg/juice-shop | high | SCA | Open | - | about 18 hours ago | about 18 hours ago
KG-08CZBG | Authentication Bypass in N/A (server middleware registr...) | local-dev-kg/juice-shop | high | SCA | Open | - | about 18 hours ago | about 18 hours ago
KG-AEEEC2 | Authentication Bypass in N/A (server middleware registr...) | local-dev-kg/juice-shop | critical | SCA | Open | - | about 12 hours ago | about 18 hours ago
KG-32486B | SQL Injection in Authentication Query Leading to Cleartext... | local-dev-kg/juice-shop | critical | SAST | Open | - | about 12 hours ago | about 12 hours ago
KG-8EE68F | Use of Broken or Risky Cryptographic Algorithm - Weak J... | local-dev-kg/juice-shop | high | SAST | Open | - | about 18 hours ago | about 18 hours ago
KG-642B41 | Directory Listing Exposure in (well-known Directory) | local-dev-kg/juice-shop | medium | SAST | Open | - | about 18 hours ago | about 18 hours ago
KG-08887B | CWE-548: Directory Listing Exposure in (well-known Direc... | local-dev-kg/juice-shop | low | SAST | Open | - | about 18 hours ago | about 18 hours ago
KG-122128 | CWE-942: Permissive CORS Policy Allowing All Origins wit... | local-dev-kg/juice-shop | medium | SAST | Open | - | about 12 hours ago | about 12 hours ago
KG-486234 | CWE-798: Hardcoded Alchemy API Key in Source Code in ... | local-dev-kg/juice-shop | medium | SAST | Open | - | about 18 hours ago | about 18 hours ago
KG-XCFGEC | CWE-352: Missing CORP Protection on Challenge Verdict... | local-dev-kg/juice-shop | medium | SAST | Open | - | about 12 hours ago | about 12 hours ago

Finding Details

Apr 27 first seen · Apr 27 last seen · 1 scan

Description

The CI pipeline fetches an installer script from a self-hosted Heroku CDN endpoint and immediately pipes it to sh for execution without any integrity verification (CWE-494, download of code without an integrity check). Anyone who can alter the script at the CDN, or intercept the fetch, gets code execution in the pipeline; pinning a checksum or signature for the script, or vendoring it into the repository, removes that dependency on the CDN's integrity.

Evidence: no evidence captured.
Linked ticket: no ticket linked.

Remediation Guidance

No remediation guidance available yet. Resolve the underlying scan finding to record steps taken.

Activity Log
System Opened finding · Apr 27, 2026 08:11 AM

AI Pentester

Autonomous penetration testing across your organization

Profile | Status | Exploits | Repository | Created | Target
White Box Staging | Cancelled | 0 exploits | juice-shop | 4 days ago | https://93ea-2a09-bac5-3b2d-eaa...
White Box Staging | Completed | 20 Crit, 25 High, 20 Med, 1 Low | juice-shop | 4 days ago | https://93ea-2a09-bac5-3b2d-eaa...
Black Box Staging | Completed (report available) | - | juice-shop | 4 days ago | https://9ba6-2a09-bac5-3b2f-eaa...
Black Box Staging | Failed | - | juice-shop | 4 days ago | https://9ba6-2a09-bac5-3b2f-eaa...
White Box Staging | Cancelled | 0 exploits | juice-shop | 4 days ago | https://9ba6-2a09-bac5-3b2f-eaa...
Black Box Staging | Cancelled | 0 exploits | juice-shop | 4 days ago | https://9ba6-2a09-bac5-3b2f-eaa...
Black Box Staging | Cancelled | - | - | 4 days ago | https://b330-103-125-154-19.ngrok...
Black Box Staging | Cancelled | - | - | 7 days ago | https://5d0a-103-125-154-19.ngrok...
White Box Staging | Completed | 17 Crit, 35 High, 12 Med | juice-shop | 11 days ago | https://eaf9-103-125-154-19.ngrok...
White Box Staging | Completed | 19 Crit, 22 High, 15 Med | juice-shop | 17 days ago | -

AI Pentester

Detailed results from the autonomous penetration test

Target: https://93ea-2a09-bac5-3b2d-eaa-00-176-3f.ngrok-free.app
Status: COMPLETED · STAGING · WHITE BOX · 3h 23m · 8 days ago · juice-shop

Pentest complete. Found 66 potential vulnerabilities.

Vulnerabilities (66)

Injection Vulnerabilities (12)
  INJ-VULN-01 · Critical · Confirmed · SQL Injection Authentication Bypass at POST /rest/user/login · 4 days ago
  INJ-VULN-02 · Critical · Confirmed · SQL Injection UNION-Based Data Extraction at GET /rest/products/search · 4 days ago
  INJ-VULN-05 · High · Confirmed · NoSQL Operator Injection Mass-Update at PATCH /rest/products/reviews · 4 days ago
Cross-Site Scripting (XSS) (6)
Authentication Issues (19)
  AUTH-VULN-07 · Critical · Confirmed · JWT Algorithm None (alg:none) Authentication Bypass · all isAuthorized()-protected endpoints · 4 days ago
Server-Side Request Forgery (SSRF) (2)
Authorization Issues (27)

AppSec Enrichment
SAST results were used to enrich this pentest. Enriched repositories: juice-shop.

Repositories
local-dev-kg/juice-shop (master)

Configuration
Authentication: Form Login
Login URL: https://93ea-2a09-bac5-3b2d-eaa-...
Credentials: username george@keygraph.com, password hidden
Login Flow:
  1. Type $username into the email or username field
  2. Type $password into the password field
  3. Click the login or sign in button
Success Condition: URL contains / (note that every URL contains "/", so as configured this condition cannot distinguish a failed login from a successful one; a post-login path or page element is a safer signal)

Testing Rules
Focus (2 rules):
  Path /api: focus on REST API endpoints
  Path /rest: focus on user-facing routes
Avoid (1 rule):
  Path /#/score-board: skip the score board meta-challenge page
Custom HTTP Headers (1 header):
  x-agent: shannon-pentestes

Execution
Total Duration: 3h 18m 9s
Agents Run: 13

Agent Breakdown
Agent | Duration
Pre-Reconnaissance | 10m 52s
Reconnaissance | 19m 55s
Injection Analysis | 12m 2s
XSS Analysis | 16m 6s
Auth Analysis | 13m 57s
SSRF Analysis | 5m 28s
AuthZ Analysis | 8m 56s
Injection Exploitation | 37m 27s
XSS Exploitation | 24m 40s
Auth Exploitation | 19m 59s
SSRF Exploitation | 8m 2s
AuthZ Exploitation | 27m 10s
Reporting | 28m 51s
Total | 3h 18m 9s
Security Assessment Report
Target: https://93ea-2a09-bac5-3b2d-eaa-00-176-3f.ngrok-free.app
Generated 4 days ago · Pentest run 93ea-2a09-bac5-3b2d-eaa-00-176-3f.ngrok-free.app

Executive Summary

This security assessment of 93ea-2a09-bac5-3b2d-eaa-00-176-3f.ngrok-free.app was conducted on April 23, 2026, targeting the application's REST API surface (/rest/*) with a focus on authentication, authorization, and data handling. The assessment uncovered 66 confirmed vulnerabilities: 20 critical, 25 high, 20 medium, and 1 low. Together they reflect a systemically compromised authentication posture: unauthenticated attacker control over user identifiers via SQL injection, broken JWT signature verification, and high-impact authorization bypasses across multiple commerce flows. Exploits worked end-to-end in a controlled environment (autonomous orchestrator plus LLM-powered analysis), and a complete remediation roadmap is included alongside reproducible PoCs.

Vulnerability Summary
ID | Vulnerability | Endpoint | Severity
INJ-VULN-01 | SQL Injection Authentication Bypass | POST /rest/user/login | CRITICAL
INJ-VULN-02 | SQL Injection UNION-Based Data Extraction | GET /rest/products/search | CRITICAL
AUTH-VULN-07 | JWT Algorithm None (alg:none) Authentication Bypass | all isAuthorized()-protected endpoints | CRITICAL
AUTH-VULN-10 | Default Admin Credentials | POST /rest/user/login | CRITICAL
AUTH-VULN-14 | Mass Assignment Privilege Escalation (Admin Role Registration) | POST /api/Users | CRITICAL
AUTH-VULN-18 | SQL Injection Authentication Bypass | POST /rest/user/login | CRITICAL
XSS-VULN-04 | Reflected XSS via Track-Order Parameter | GET /#/track-result | HIGH
XSS-VULN-06 | JSONP Callback Injection · Cross-Domain Data Theft | GET /rest/user/whoami | HIGH
Reproduction (sample)
{
  "id": "INJ-VULN-01",
  "endpoint": "POST /rest/user/login",
  "payload": "' OR '1'='1'--",
  "response_code": 200,
  "response_signature": "george@keygraph.com (id=1, role=admin)",
  "reproduced": true
}

Exploit Details

Detailed vulnerability analysis and reproduction information

INJ-VULN-01 · Critical · Confirmed
SQL Injection Authentication Bypass at POST /rest/user/login
Discovered 4 days ago
Affected Target: type INJECTION, location POST /rest/user/login

Reproduction Steps (4 steps)
  1. Send POST /rest/user/login with the tautology payload in the email field.
  2. The injected SQL becomes: SELECT * FROM Users WHERE email = '' OR '1'='1'--' AND password = '...'
  3. The -- comments out the password check; SQLite returns the first row (admin, id=1).
  4. Observe an HTTP 200 response containing the admin JWT.

Proof of Impact

HTTP 200 returned with admin JWT token (email: george@keygraph.com, role: admin, id: 1). MD5 hash 0192023a7bbd73250516f069df18b500 = admin123 confirmed via rainbow table.

Proof of Concept

  ## Payload
  ' OR '1'='1'--

  ## Reproduction
  curl -s -X POST "https://93ea.../rest/user/login" \
    -H "Content-Type: application/json" \
    -d '{"email":"'\'' OR '\''1'\''='\''1'\''--","password":"x"}'

  ## Proof
  HTTP 200 returned with admin JWT (email: george@keygraph.com).

Container Scans

Scan Docker images for vulnerabilities, secrets, and misconfigurations

Image | Tag | Triggered | Progress | Findings
khaushi1410/vuln-bank | multiarch-webentry | 8 days ago, Manual | Complete | 5 Critical, 27 High
khaushi1410/vuln-bank | multi-os-x86 | about 1 month ago, Manual | Complete | 5 Critical, 18 High
khaushi1410/dvwa | amd64-intel-mac | about 1 month ago, Manual | Complete | 254 Critical, 552 High
khaushi1410/testing | test-empty-image | about 1 month ago, Manual | Complete | 0
khaushi1410/fineract | latest | about 1 month ago, Manual | Complete | 1 High, 1 Medium
khaushi1410/vuln-bank | latest | about 1 month ago, Manual | Complete | 1 Critical, 18 High
khaushi1410/testing | tools-server-tools | about 1 month ago, Manual | Complete | 1 High, 5 Medium
khaushi1410/fineract | latest | about 1 month ago, Manual | Complete | 0
khaushi1410/mifos-web-app | latest | about 1 month ago, Manual | Complete | 2 Critical, 4 High
khaushi1410/fineract | latest | about 1 month ago, Manual | Complete | 1 High, 3 Medium

dvwa

khaushi1410/dvwa (amd64-intel-mac)
Completed · 5h · about 1 month ago · Manual

Total: 1576 (Critical 254, High 552, Medium 642, Low 119, Info 12)
AI Analysis AI Generated

This container has CRITICAL risk with 3 critical and 27 high severity vulnerabilities, including CVE-2025-15407 (CVSS 9.6) affecting OpenSSL, with remote code execution potential. 91 of 225 findings are fixable, with 77% originating from the base image, indicating systemic base image vulnerabilities. The Debian 13.7 (Trixie) base image contains multiple critical OpenSSL and glibc vulnerabilities that pose immediate security risks. Switch to gcr.io/distroless/python3-debian13 to eliminate OS package vulnerabilities while maintaining Python runtime support.

  1. Upgrade OpenSSL packages (openssl, libssl1n4, openssl-provider-legacy) to version 3.5.4-1+deb13u3 or later to fix CVE-2025-15407 (CVSS 9.6), CVE-2025-49459 (CVSS 7.4), CVE-2025-49421 (CVSS 7.4), and CVE-2025-29390 (CVSS 7.3).
  2. Upgrade glibc (libc6) to version 2.41-12+deb13u2 to fix CVE-2025-9091 (CVSS 8.2): integer overflow leading to heap corruption.
  3. Upgrade ncurses packages (ncurses-base, ncurses-bin, libncurses6) to version 6.5+20250515-3+deb13u1 to fix CVE-2025-69730 (CVSS 7.9): buffer overflow vulnerability.
  4. Update Python environment with updated dependencies; ipaca connect to 0.13+ and wheel to 0.46.2+ to fix CVE-2024-23048 (CVSS 8.6) and CVE-2024-26349 (CVSS 8.0).
  5. Configure Dockerfile to use a non-root user (USER directive) to address high-severity misconfiguration finding.

Layer Breakdown

Base Image: 91 (77%)Application: 1525 (96%)Config: 3
LayerOriginDockerfile InstructionPkgsCHMLTotal
0base# debian.13-slim 'sloth' 6c17985330093214165147
1baseRUN set -eux; apt-get update; apt-get install -y --no-install-rec...111417
2baseRUN set -eux; saveAptMark="$(apt-mark showmanual)"; apt-get upd...4144018
3applicationRUN apt-get update && apt-get install -y postgresql-client6048028
4applicationRUN apt-get update && apt-get install -y postgresql-client10000010
5applicationRUN pip install --no-cache-dir -r requirements.txt5000020
misconfigDockerfile best-practice violations22
All: 225 (Vulnerabilities 222, Secrets 0, Misconfigurations 3)

Severity | ID | Title | Package | CVSS
Critical | CVE-2013-15903 | httpd: read-after-free in h2 connection shutdown | apache2 2.4.25-3+deb8u3 | 9.1
Critical | CVE-2013-15891 | mod_session: Heap overflow due to a crafted SessionHeader d... | apache2 2.4.25-3+deb8u3 | 9.1
Critical | CVE-2013-37875 | mod_proxy: SSRF via a crafted URI in mod_proxy_http... | apache2 2.4.25-3+deb8u3 | 9.0
Critical | CVE-2013-46499 | httpd: Out-of-bounds write in ap_escape_quotes() via malicious i... | apache2 2.4.25-3+deb8u3 | 8.9
Critical | CVE-2022-26377 | httpd: mod_lua: Possible buffer overflow when parsing multipart c... | apache2 2.4.25-3+deb8u3 | 8.7
Critical | CVE-2022-22719 | httpd: Errors encountered in the discarding of request body to t... | apache2 2.4.25-3+deb8u3 | 8.6
Critical | CVE-2022-31813 | httpd: mod_proxy: X-Forwarded-* headers stripping breaks IP-bas... | apache2 2.4.25-3+deb8u3 | 8.5
Critical | CVE-2022-28615 | httpd: mod_lua: Possible NULL-pointer dereference reads beyon... | apache2 2.4.25-3+deb8u3 | 8.5
Critical | CVE-2022-30556 | httpd: mod_lua: Buffer overflow when parsing multipart request c... | apache2 2.4.25-3+deb8u3 | 8.4
Critical | CVE-2022-29404 | httpd: mod_lua: DoS in r:parsebody | apache2 2.4.25-3+deb8u3 | 8.3
Critical | CVE-2021-44790 | httpd: mod_lua: Possible buffer overflow when parsing multipart c... | apache2 2.4.25-3+deb8u3 | 8.2
Critical | CVE-2021-39275 | httpd: ap_escape_quotes() out-of-bounds write | apache2 2.4.25-3+deb8u3 | 8.1
(first page of 222 vulnerability rows)

Logs

Every action recorded with actor, timestamp, and source

Time | Event Type | Subject | Actor
Apr 27, 2026 08:02:38 | appsec:SubmitBoundarySelection | juice-shop | george@keygraph.com
Apr 27, 2026 07:50:57 | appsec:TriggerBoundaryAnalysis | juice-shop | george@keygraph.com
Apr 27, 2026 07:50:29 | appsec:TriggerManualScan | juice-shop | george@keygraph.com
Apr 27, 2026 07:21:01 | appsec:TriggerManualScan | vuln-bank | george@keygraph.com
Apr 27, 2026 06:39:51 | appsec:TriggerManualScan | juice-shop | george@keygraph.com
Apr 27, 2026 05:54:14 | appsec:TriggerManualScan | dvwa | george@keygraph.com
Apr 27, 2026 05:53:42 | appsec:TriggerManualScan | juice-shop | george@keygraph.com
(page 1 of 19)

Users

Manage users and invitations for your organization

Name | Email | Status | Role | Account Type | Link Status
George Flores | george@keygraph.com | Active | Member | User | Primary

User details for George Flores (george@keygraph.com, Active): full name and display name George Flores; primary email george@keygraph.com; secondary email, title, department, role category and preferred language not set.

Groups: none yet. Create groups to organize users, scope permissions, and route findings to the right teams.
Integrations (5 connected)

Anthropic (AI & Security): LLM provider integration for AI-powered security testing with Shannon. Connected.
Amazon Web Services (Cloud Provider): AWS integration for cloud resource security and compliance tracking. Not connected.
BetterStack (Monitoring): uptime monitoring, incident management, and on-call tracking. Not connected.
Docker Hub (Container Registry): container image scanning for vulnerabilities and misconfigurations. Connected.
Google Cloud Platform (Cloud Provider): GCP integration for cloud resource security and compliance tracking. Not connected.
GitHub (Source Control): GitHub App integration for source code security and compliance scanning. Connected.
GitLab (Source Control): GitLab Group Access Token integration for source code security scanning. Connected.
Google Workspace (Directory): integration for syncing user directory and profile information. Not connected.
Jira Cloud (Ticketing): sync findings into Jira projects with bi-directional status updates. Connected.
Repositories

Repository | Default Branch | Group | Last Scanned
local-dev-kg/juice-shop | master | Unassigned | about 8 hours ago
test/juice-shop-appsec | master | Unassigned | about 8 hours ago
local-dev-kg/AWSGoat | master | Unassigned | about 1 month ago
local-dev-kg/WebGoat | main | Unassigned | 3 days ago
local-dev-kg/DVWA | master | Unassigned | 9 days ago
local-dev-kg/dvws-node | master | Unassigned | Never scanned
local-dev-kg/NodeGoat | master | Unassigned | 11 days ago
local-dev-kg/railsgoat | master | Unassigned | 14 days ago
local-dev-kg/pygoat | main | Unassigned | 13 days ago
local-dev-kg/crAPI | develop | Unassigned | about 1 month ago
local-dev-kg/VAmPI | master | Unassigned | Never scanned
local-dev-kg/wrongsecrets | master | Unassigned | 25 days ago
local-dev-kg/dvga | master | Unassigned | Never scanned
local-dev-kg/bWAPP | master | Unassigned | Never scanned
local-dev-kg/mutillidae | master | Unassigned | Never scanned

Security Scans

Viewing all scan runs across your organization

Repository (commit) | Triggered | Mode | Scope | Language | Progress | SAST | SCA | Secrets | IaC
local-dev-kg/juice-shop master (19a3854c) | about 10 hours ago, Manual | Fast | juice-shop | JS | Complete | 70 High, 16 Medium | 13 Critical, 73 High | 0 | 10 High, 13 Medium
local-dev-kg/juice-shop master (19a3854c) | about 11 hours ago, Manual | Comprehensive | Whole Repo | JS | Complete | 51 High, 15 Medium | 10 Critical, 35 High | 4 High | 7 High, 5 Medium
local-dev-kg/juice-shop master (19a3854c) | about 10 hours ago, Manual | Fast | Whole Repo | JS | Complete | 14 High, 15 Medium | 10 Critical, 35 High | 0 | 11 High, 5 Medium
local-dev-kg/juice-shop master (19a3854c) | about 10 hours ago, Manual | Fast | Whole Repo | JS | Complete | 58 High, 7 Medium | 10 Critical, 35 High | 1 High | 4 High, 4 Medium
local-dev-kg/juice-shop master (19a3854c) | about 11 hours ago, Manual | Comprehensive | Whole Repo | JS | Complete | 84 High, 20 High (as shown) | 10 Critical, 35 High | 1 High | 4 High, 5 Medium
local-dev-kg/juice-shop master (queued-9) | about 11 hours ago, Manual | Comprehensive | Whole Repo | JS | Failed | - | - | - | -
local-dev-kg/juice-shop master (19a3854c) | about 11 hours ago, Manual | Comprehensive | Whole Repo | JS | Cancelled | Cancelled | Cancelled | Cancelled | Cancelled
test/juice-shop master (19a3854c) | 5 days ago, Manual | Comprehensive | Whole Repo | JS | Complete | 2 Critical, 53 High | 10 Critical, 36 High | 4 High | 5 High, 5 Medium
test/juice-shop-appsec (5be8be7b) | 7 days ago, CI/CD | Comprehensive | Whole Repo | JS | Complete | 1 Critical, 83 High | 10 Critical, 87 High | 89 Critical, 5 Medium | 1 Critical, 1 Low

Findings

SAST Scan (JavaScript)

local-dev-kg/juice-shop
Completed
master 85e8be7b · JavaScript · 75K · about 10 hours ago · Manual · Fast
Commit message: Update global-cs.yml file

Total: 79 (Critical 41, High 22, Medium 16, Low 0, Info 0)
Categories: Data Flow 42, Point Issues 28, Business Logic 9

Data Flow findings (first page of 15)

Finding | Data Flow | Severity
CWE-643: XPath Operator Injection via JSON-parsed URL parameter in Sequelize WHERE clause | recycles.ts:34 (col 21) | HIGH
CWE-89: SQL Injection via unverified email field in login query | login.ts:34 → login.ts:55 | HIGH
CWE-209: XSS via unverified URL controlled URL in profile-image fetch | profileImageUrlUpload.ts:13 → profileImageUrlUpload.ts:16 | HIGH
CWE-943: NoSQL Injection via unverified request body ID in MongoDB query | b2bOrder.ts:30 → b2bOrder.ts:35 | HIGH
CWE-943: NoSQL Injection via unverified request body ID in MongoDB query | b2bOrder.ts:30 → b2bOrder.ts:39 | HIGH
CWE-943: NoSQL Injection via unverified request body in MongoDB query filter | b2bOrder.ts:30 → b2bOrder.ts:42 | HIGH
CWE-22: Path Traversal via unverified request body file in fileRead | verifyFiles.ts:9 → verifyFiles.ts:24 | HIGH
CWE-502: Unsafe deserialization via user-controlled file path in fs.read | payment.component.ts:11 → payment.component.ts:18 | HIGH
CWE-89: SQL Injection via unverified search parameter in raw Sequelize query | search.ts:13 → search.ts:18 | HIGH

Point Issues (first page of 28)

Finding | Location | Severity
CWE-347: JWT Token Decoded Without Signature Verification | app.guard.ts:18 | CRITICAL
CWE-310: SQL Injection in Authentication Query Leading to Cleartext Password Transmission | login/loginUserChallenge_4.ts:15 | CRITICAL
CWE-548: Directory Listing Exposure - (well-known Directory) | directoryListing/dirIndex_4.ts:0 | HIGH
CWE-1004: Insufficient Random Password Generation Using Base64 Encoding of Reversed Email | auth/component_2.ts:18 | HIGH
CWE-328: Use of Weak Hash Function (Base64) for Password Generation | auth/component_3.ts:18 | HIGH
CWE-614: Authentication Token Cookie Missing Secure Flag | payment.component.ts:11 | HIGH
CWE-614: Authentication Token Cookie Missing Secure Flag | two-factor-auth-enter.component.ts:14 | HIGH
CWE-327: Weak HMAC Secret Key - Hardcoded For 2FA Authentication | 2fa/totp_5.ts:5 | HIGH
CWE-326: Hardcoded RSA Private Key in Source Code | cryptUtils.ts:14 | HIGH
CWE-693: Predictable RSA Private Key for Security Sensitive Data | cryptUtils.ts:18 | HIGH
CWE-565: Missing CSRF Protection on State-Changing Endpoint Verdict Acknowledgment | checkVerdict.ts:25 | HIGH
CWE-213: excessive-data-exposure in routes/authenticatedUsers.ts:25 | authenticatedUsers.ts:25:0 | HIGH
CWE-20: missing-input-validation in routes/b2bOrder.ts:19 | b2bOrder.ts:19:0 | HIGH
CWE-770: missing-rate-limit in routes/search.ts:23 | search.ts:23:0 | HIGH
CWE-770: missing-rate-limit in routes/b2bOrder.ts:17 | b2bOrder.ts:17:0 | HIGH
CWE-770: missing-rate-limit in routes/chatbot.ts:205 | chatbot.ts:205:0 | HIGH
CWE-770: missing-rate-limit in routes/dataExports.ts:16 | dataExports.ts:16:0 | HIGH
CWE-770: missing-rate-limit in routes/search.ts:23 | search.ts:23:0 | HIGH
CWE-639: bola in routes/basket.ts:0 | basket.ts:0 | HIGH
CWE-915: mass-assignment in server.ts:0 | server.ts:0 | HIGH
CWE-269: privesc in server.ts:0 | server.ts:0 | HIGH

Business Logic findings (first page of 9)

Finding | Data Flow | Severity
CWE-287: Authentication Bypass in changeProduct | server.ts:0 → server.ts:0 | CRITICAL
CWE-287: Authentication Bypass in changePassword | changePassword.ts:0 → changePassword.ts:0 | HIGH
CWE-287: Authentication Bypass in updateProductReview | updateProductReviews.ts:0 → updateProductReviews.ts:0 | HIGH
CWE-285: Authorization Bypass in orderHistory | orderHistory.ts:0 → orderHistory.ts:0 | HIGH
CWE-287: Authentication Bypass in collectorWebReader | recyclewebreader.ts:0 → recyclewebreader.ts:0 | HIGH
CWE-287: Authentication Bypass in serviceFlow | services.ts:0 → services.ts:0 | HIGH
CWE-287: Authentication Bypass in deliveryService | deliveryMethod.ts:0 → deliveryMethod.ts:0 | HIGH
CWE-639: Insecure Direct Object Reference in trackOrder | trackOrder.ts:0 → trackOrder.ts:0 | HIGH
CWE-639: Insecure Direct Object Reference in couponCheck | couponcheck.ts:0 → couponcheck.ts:0 | HIGH
CWE-287: Authentication Bypass in forgotFeedback challenge | feedbackChallenge.ts:0 → feedbackChallenge.ts:0 | HIGH
CWE-287: Authentication Bypass in N/A (finds auto-generated) | N/A:0 → N/A:0 | HIGH

SCA Scan

local-dev-kg/juice-shop
Completed
master 05e0be7b · 16m · 1 day ago · Manual · Fast
Commit message: Update .gitlab-ci.yml file

Total: 174 (Critical 13, High 73, Medium 81, Low 7, Info 0)

Package | Ecosystem | Reachability | Dependency | Recommendation | Boundaries | Teams
marsdb@0.6.11 | npm | Reachable (1 of 2) | Direct | - | juice-shop | engineering
jsonwebtoken@0.4.0 | npm | Reachable (2 of 4) | Direct | cd appsec/scans/appsec-ba… | juice-shop | engineering
vm2@3.9.17 | npm | Reachable (1 of 5) | Transitive | cd appsec/scans/appsec-ba… | - | -
express-jwt@0.1.3 | npm | Reachable | Direct | cd appsec/scans/appsec-ba… | juice-shop | engineering
sanitize-html@1.4.2 | npm | Reachable (2 of 7) | Direct | cd appsec/scans/appsec-ba… | juice-shop | engineering

jsonwebtoken@0.4.0
CRITICAL · SCA · 4 CVEs

Recommendation (how to fix this vulnerability)

Update jsonwebtoken from version 0.4.0 to version 4.2.2 or later.

Upgrade command:
  cd appsec/scans/appsec-baseline-scans/8eed4fb4-4809-40b8-9769-f662decd9741/repo && npm install jsonwebtoken@4.2.2

CVEs in jsonwebtoken@0.4.0 (4)

CVE-2015-9235 · Critical · juice-shop · engineering
AI analysis: jsonwebtoken@0.4.0 does not validate the JWT algorithm during jwt.verify(), enabling both the alg:none bypass and an RS256→HS256 algorithm confusion attack. The codebase calls jwt.verify(token, publicKey, callback) without an algorithms allowlist in three production files.

CVE-2022-23541 · High Risk · juice-shop · engineering
AI analysis: jsonwebtoken@0.4.0 is called via jwt.verify() in three production routes without restricting the allowed algorithm. An attacker can craft a forged JWT signed with HS256 using the RSA public key as the HMAC secret, which the library will accept as valid, completely bypassing authentication.

CVE-2022-23539 · Low Risk
AI analysis: jsonwebtoken unrestricted key type could lead to legacy keys usage. Versions ≤8.5.1 of the jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification.
Not exploitable: LLM analysis determined this vulnerability is not exploitable in context.

CVE-2022-23540 · Low Risk
AI analysis: signature validation bypass due to insecure default algorithm in jwt.verify(). In versions ≤8.5.1 of the jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify() call could lead to signature validation bypass.
Not exploitable: LLM analysis determined this vulnerability is not exploitable in context.

SECRETS Scan

local-dev-kg/juice-shop
Completed
master 19a3054c · 67m · 1 day ago · Manual · Comprehensive
Commit message: Add GSoC 2025 project

Total: 4 (Critical 0, High 4, Medium 0, Low 0, Info 0)

General remediation advice for exposed secrets is available on the scan page.

Description | Location | CWE | Severity
Hardcoded OAuth 2.0 Access Token Exposure in URL Parameter | frontend/src/app/Services/user.service.ts:60 | CWE-798 | HIGH
Hardcoded Ethereum Mnemonic Phrase in Source Code | routes/checkKeys.ts:7 | CWE-798 | HIGH
Hardcoded Alchemy API Key in WebSocket Provider | routes/nftMint.ts:9 | CWE-798 | HIGH
Hardcoded Alchemy API Key in Production Code | routes/web3Wallet.ts:9 | CWE-798 | HIGH

IaC Scan

local-dev-kg/juice-shop
Completed
master 05e0be7b · 11m · 1 day ago · Manual · Fast
Commit message: Update .gitlab-ci.yml file

Total: 8 (Critical 0, High 7, Medium 1, Low 0, Info 0)

Finding | Location | Boundaries | Teams | Severity
CWE-250: root-container in test/smoke/Dockerfile:1 | Dockerfile:1:0 | - | - | HIGH
CWE-829: unpinned-image in docker-compose.test.yml:7 | docker-compose.test.yml:7:0 | - | - | HIGH
CWE-829: unpinned-image in Dockerfile:22 | Dockerfile:22:0 | - | - | HIGH
CWE-829: unpinned-image in test/smoke/Dockerfile:1 | Dockerfile:1:0 | - | - | HIGH
CWE-494: pipe-to-shell in .github/workflows/ci.yml:326 | ci.yml:326:0 | - | - | HIGH
CWE-829: untrusted-source in .github/workflows/ci.yml:161 | ci.yml:161:0 | - | - | HIGH
CWE-494: unverified-image in docker-compose.test.yml:7 | docker-compose.test.yml:7:0 | - | - | HIGH
CWE-494: unverified-image in test/smoke/Dockerfile:1 | Dockerfile:1:0 | - | - | HIGH
CWE-494: unverified-image in Dockerfile:22 | Dockerfile:22:0 | - | - | HIGH
CWE-494: unverified-image in Dockerfile:1 | Dockerfile:1:0 | - | - | HIGH
CWE-829: unpinned-image in Dockerfile:1 | Dockerfile:1:0 | juice-shop | engineering | MEDIUM
CWE-829: unpinned-module in .github/workflows/codeql-analysis.yml:33 | codeql-analysis.yml:33:0 | juice-shop | engineering | MEDIUM
(first page of 24 rows)

SLA Policies

Define how many days your team has to remediate vulnerabilities after detection. SLA deadlines appear on each finding and drive the compliance chart on your dashboard.

Deadlines are calculated from when a vulnerability is first detected. Saving a policy immediately recomputes due dates on all open findings for that severity. Clearing a value removes the deadline for that severity.

Severity | Examples | Days to remediate | Industry benchmark
Critical | RCE, auth bypass, active exploitation | (configurable) | 15 days
High | Injection, privilege escalation, data exposure | (configurable) | 30 days
Medium | XSS, CSRF, misconfigurations | (configurable) | 90 days
Low | Info disclosure, best-practice gaps | (configurable) | 180 days

Run Security Scan

Select a repository and branch to run SAST, secrets detection, and SCA analysis. Options: repository, branch, scan scope, scan mode, scan types, language, AI provider (Anthropic, connected and ready for AI-powered scans), advanced options.

Scan Container Image

Select a registry repository and tag to scan for vulnerabilities, secrets, and misconfigurations; the tag list is populated after a repository is chosen.

Your team ships code daily but your pentest only happens once a year. Keygraph closes the 364-day gap with on-demand, automated penetration testing on every build.

A full AppSec platform. Not just pentesting.

Continuous application security across every layer of your stack, from static analysis of your code to runtime pentesting of your apps.

Keygraph Enterprise

Operated where your data lives.

Deploys entirely inside your AWS, GCP, or Azure account. Source, scan results, and AI inference stay inside your security perimeter. No managed control plane. No externally operated data plane.

Self-hosted Run the entire platform inside your VPC. Fully air-gapped, no outbound calls required.
SSO & SCIM SAML 2.0 or OIDC for sign-in. SCIM for automated user provisioning and deprovisioning.
Deep integrations GitHub, GitLab, Azure DevOps, Jira, Slack, plus Docker Hub, GHCR, Amazon ECR, and Google Artifact Registry.
See the Enterprise platform →
Keygraph integrations panel showing connected cloud providers, source-control providers, ticketing, and directory integrations.
Keygraph security dashboard with severity counters, Risk Over Time chart, New vs Resolved, and SLA Compliance trends.
Reporting & Analytics

One source of truth for every finding.

Keygraph deduplicates SAST, SCA, Secrets, IaC, Container, and Whitebox results into a single canonical entry per vulnerability per repository, surfaced on a live security dashboard and synced bidirectionally with Jira.

Canonical findings Content-hash plus LLM semantic matching. One entry per vulnerability per repo, persistent across refactors.
Security dashboard Live KPIs alongside risk, velocity, SLA, and MTTR trend charts. Drill down by repo, team, or severity.
Jira sync One-click ticket creation, 15-minute status refresh, hourly drift sweep on linked pairs.
Explore Reporting & Analytics →
Code Remediation

From finding to reviewable PR.

Click a confirmed finding in Keygraph. An agent reads the evidence, writes the fix, re-runs the original scanner to prove the vulnerability is gone, and opens a draft pull request your developers approve like any other change.

Verified before PR opens Same scanner re-runs against the patched code. No PR opens unless the original vulnerability is gone.
Review gate stays yours Draft PRs under a Keygraph bot, landing in your existing GitHub or GitLab queue. Never auto-merged.
User-initiated only Patching is triggered when someone clicks a finding — never spawns on its own, never reverts itself.
Explore Code Remediation →
Keygraph SAST finding slideover showing a CWE-89 SQL injection data flow path with source, intermediate, and dangerous-operation code blocks.
Trust & Security

Your code stays your code.

Stateless processing

Source loads into ephemeral worker memory and is discarded when the scan completes. Nothing written to disk.

Never used for training

Zero-retention enforced upstream with every model vendor. No prompts, completions, or embeddings feed training pipelines.

Bring your own API keys

Route inference through your own Anthropic, OpenAI, Bedrock, or self-hosted endpoint. Tokens never traverse Keygraph.

Read-only repo access

Minimum read-only scopes. We never push commits, open PRs, or modify branches. Write access is structurally impossible.

Self-hosted available

Deploy the entire platform inside your VPC. Air-gapped, isolated, and audited end-to-end on your infrastructure.

Only findings retained

After a scan, source is gone. Only the canonical finding record persists: rule, path, line, severity, status, and a redacted snippet.

Supports pentest evidence for compliance regimes including:

PCI-DSS FedRAMP CMMC GLBA NYDFS DORA

We don't report what might be vulnerable. We prove what is.