Intentionally vulnerable ARKO-style demo application. Do not deploy.
Legacy claims authorization and partner settlement workflow written in GnuCOBOL. This repo is meant to look and behave like the other DevSecAI demo apps: application code, seeded findings catalog, CI, Docker, Kubernetes, Terraform, and smoke tests.
Stack: GnuCOBOL · Docker · Kubernetes · Terraform · GitHub Actions
Coverage: 11 SAST · 6 IaC · 3 pipeline findings across OWASP Top 10 themes including broken access control, cryptographic failures, injection, security misconfiguration, integrity failures, and SSRF. See DEMO.md and demo.yaml.
The compiled batch binary supports several legacy operations:
  authorize <claim-id> <operator-id>   validates a payout request.
  export <claim-id> <target-path>      writes a settlement archive to a caller-provided path.
  sync <claim-id> <callback-url>       mirrors a claim event to a partner endpoint.
  report <claim-id> <html-path>        writes an operator-facing HTML summary.
  inspect <claim-id> <source-path>     previews a local batch file or archive.
  settle <claim-id> <partner-code>     builds the settlement query sent to the ledger.
  plugin <claim-id> <program-name>     invokes a named batch exit module.
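Each operation above takes one caller-controlled argument that the legacy binary passes straight through (a filesystem path, a callback URL, a partner code, a program name, plus the COBRIX_REPORT_NOTE value used by report). The following Python module is an added example, not code from this repository, showing the argument guards a hardened front end to the batch binary would apply before invoking it: path confinement for export, report and inspect, an https-and-allowlist check for sync callbacks, HTML escaping for the report note, and fixed lookups for settle and plugin. The claim-id and operator-id formats, the export and inspect roots, the partner host allowlist, the partner codes and the plugin registry are assumptions invented for the example.

```python
"""Argument guards for the cobrix-claims-batch operations.

Added example, not code from the demo repository: each function performs the
check the corresponding legacy operation lacks. The id formats, export root,
inspect root, partner host allowlist, partner codes and plugin registry are
assumptions invented for this example.
"""
import html
import ipaddress
import re
from pathlib import Path
from urllib.parse import urlsplit

CLAIM_ID_RE = re.compile(r"CLM-\d{4}")               # assumed format; README examples use CLM-1001
OPERATOR_RE = re.compile(r"[a-z0-9-]{1,32}")         # assumed operator-id format (e.g. night-shift)
EXPORT_ROOT = Path("/var/lib/cobrix/exports")        # assumed: only tree export/report may write to
INSPECT_ROOT = Path("/var/lib/cobrix/samples")       # assumed: only tree inspect may read from
ALLOWED_PARTNER_HOSTS = frozenset({"partner.example.net"})   # assumed sync callback allowlist
ALLOWED_PARTNER_CODES = frozenset({"partner-a", "partner-b"})  # assumed settlement partner codes
ALLOWED_PLUGINS = frozenset({"REPRICE"})             # assumed registry of batch exit modules


class RejectedInput(ValueError):
    """Raised when an argument would let an operation escape its intended scope."""


def check_claim_id(claim_id: str) -> str:
    if not CLAIM_ID_RE.fullmatch(claim_id):
        raise RejectedInput(f"claim id {claim_id!r} has an unexpected shape")
    return claim_id


def check_operator_id(operator_id: str) -> str:
    if not OPERATOR_RE.fullmatch(operator_id):
        raise RejectedInput(f"operator id {operator_id!r} has an unexpected shape")
    return operator_id


def confine_path(candidate: str, root: Path) -> Path:
    """Resolve a caller-provided path and insist it stays inside root.
    Joining an absolute candidate discards root, and '..' segments are only
    collapsed by resolve(), so containment is checked on the resolved path."""
    resolved = (root / candidate).resolve()
    if not resolved.is_relative_to(root.resolve()):
        raise RejectedInput(f"path {candidate!r} escapes {root}")
    return resolved


def check_callback_url(url: str, allowed_hosts=ALLOWED_PARTNER_HOSTS) -> str:
    """sync: https only, no embedded credentials, no IP literals, host on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise RejectedInput("callback must use https")
    if parts.username is not None or parts.password is not None:
        raise RejectedInput("callback must not carry credentials")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                      # not an IP literal; fall through to the allowlist
    else:
        raise RejectedInput("callback host must be a name, not an IP literal")
    if host not in allowed_hosts:
        raise RejectedInput(f"host {host!r} is not an approved partner endpoint")
    return url


def render_report_note(note: str) -> str:
    """report: COBRIX_REPORT_NOTE is escaped before it lands in the HTML summary."""
    return html.escape(note, quote=True)


def check_partner_code(code: str) -> str:
    """settle: the partner code is a key into a fixed set, never spliced into the ledger query."""
    if code not in ALLOWED_PARTNER_CODES:
        raise RejectedInput(f"unknown partner code {code!r}")
    return code


def check_plugin_name(name: str) -> str:
    """plugin: only registered batch exit modules may be invoked by name."""
    if name not in ALLOWED_PLUGINS:
        raise RejectedInput(f"plugin {name!r} is not registered")
    return name


SECOND_ARG_CHECKS = {
    "authorize": check_operator_id,
    "export": lambda p: confine_path(p, EXPORT_ROOT),
    "sync": check_callback_url,
    "report": lambda p: confine_path(p, EXPORT_ROOT),
    "inspect": lambda p: confine_path(p, INSPECT_ROOT),
    "settle": check_partner_code,
    "plugin": check_plugin_name,
}


def guard(op: str, claim_id: str, arg: str):
    """Validate one invocation; returns (claim_id, checked_arg) or raises RejectedInput."""
    if op not in SECOND_ARG_CHECKS:
        raise RejectedInput(f"unknown operation {op!r}")
    return check_claim_id(claim_id), SECOND_ARG_CHECKS[op](arg)


def is_rejected(op: str, claim_id: str, arg: str) -> bool:
    """Convenience for smoke checks: True when guard() refuses the invocation."""
    try:
        guard(op, claim_id, arg)
    except RejectedInput:
        return True
    return False


if __name__ == "__main__":
    import sys
    try:
        print(guard(*sys.argv[1:4]))
    except (RejectedInput, TypeError) as exc:
        sys.exit(f"rejected: {exc}")
```

The callback check deliberately works on the URL as written and does not resolve the hostname, so it blocks IP literals and unknown hosts but not a name on the allowlist that later resolves to an internal address; pinning the resolved address at request time, or egress filtering, covers that case. Requires Python 3.9 or later for `Path.is_relative_to`.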
brew install gnu-cobol
make
make test
LEGACY_BATCH_KEY=demo-batch-key ./bin/cobrix-claims-batch authorize CLM-1001 night-shift
LEGACY_BATCH_KEY=demo-batch-key ./bin/cobrix-claims-batch export CLM-1001 /tmp/claim-1001.txt
LEGACY_BATCH_KEY=demo-batch-key ./bin/cobrix-claims-batch sync CLM-1001 https://partner.example.net/callback
COBRIX_REPORT_NOTE='<script>alert(1)</script>' ./bin/cobrix-claims-batch report CLM-1001 /tmp/claim-1001.html
./bin/cobrix-claims-batch inspect CLM-1001 samples/claim-archive.txt
./bin/cobrix-claims-batch settle CLM-1001 partner-a
./bin/cobrix-claims-batch plugin CLM-1001 REPRICE
Layout:
  src/                        application code and copybooks
  tests/                      smoke checks used by CI
  infra/k8s/                  intentionally weak Kubernetes manifests
  infra/terraform/            intentionally weak Terraform resources
  .github/workflows/ci.yml    intentionally imperfect build pipeline