⚠️ ARKO Demo Application — contains intentional vulnerabilities. Do not deploy.
Clinical trial enrolment and adverse-event reporting API for the (fictional) Halix Therapeutics sponsor organisation. Used as part of the ARKO Coverage Demos suite.
Stack: Python 3.11 · FastAPI · Postgres · AWS (Terraform) · Kubernetes.
- Enrol patients into trials (`/enrolments`)
- Capture adverse-event reports with attached source documents (`/aes`)
- Provide investigator file downloads (`/files`)
- Notify external monitoring services on event triggers (`/internal/notify`)
- Expose a thin admin surface for site coordinators (`/admin`)
It exercises every layer of the ARKO decision engine. Specifically, it ships:
- 12 seeded SAST findings spanning SQLi, hardcoded secrets, weak crypto, command injection, path traversal, SSRF, insecure deserialisation, PII-in-logs, and IDOR.
- 7 seeded IaC findings across Terraform (S3, RDS, security groups), Dockerfile, and Kubernetes manifests.
- 4 vulnerable Python dependencies with known CVEs.
- 4 seeded GitHub Actions misconfigurations.
See DEMO.md for the full inventory.
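The inventory above names path traversal among the seeded SAST classes, and the feature list exposes investigator file downloads under `/files`. The following is an added illustration, not code from the ARKO demo or from DEMO.md: it places the naive join pattern that a path-traversal rule fires on next to a hardened resolver that refuses anything outside the storage root. The root path and the function names (`DOWNLOAD_ROOT`, `naive_download_path`, `safe_download_path`, `is_contained`) are assumptions for the example.

```python
"""Path-traversal check for a file-download handler.

Added illustration, not ARKO/Halix demo code. The names below are assumed
for the example and do not come from the project.
"""
from pathlib import Path

# Assumed storage root for investigator documents (constructed for the example).
DOWNLOAD_ROOT = Path("/srv/halix/investigator-files")


def naive_download_path(root: Path, requested: str) -> Path:
    """The pattern a SAST path-traversal rule flags: the client-supplied name
    is joined to the root with no containment check, so '..' segments and
    absolute paths both escape the root."""
    return root / requested


def safe_download_path(root: Path, requested: str) -> Path:
    """Resolve the requested name and refuse anything outside the root."""
    base = root.resolve()
    # Path.resolve() collapses '..' segments lexically and follows symlinks
    # for components that exist, so the containment check sees the real target.
    candidate = (base / requested).resolve()
    # Reject the root itself (empty request) and anything not beneath it.
    if candidate == base or not candidate.is_relative_to(base):
        raise PermissionError(f"refusing to serve {requested!r}: outside download root")
    return candidate


def is_contained(root: Path, requested: str) -> bool:
    """Boolean form of safe_download_path for callers that only want a verdict."""
    try:
        safe_download_path(root, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for name in ("site-12/consent.pdf", "../../etc/passwd", "/etc/passwd", ""):
        print(f"{name!r:28} naive={naive_download_path(DOWNLOAD_ROOT, name)} "
              f"contained={is_contained(DOWNLOAD_ROOT, name)}")
```

Two details matter in practice: `Path.resolve()` follows symlinks that exist, so a link planted inside the root that points outside is also rejected, and the check runs on the resolved path rather than on the raw string, which is why prefix-matching the request text is not enough.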
- HIPAA Security Rule §164.312 (technical safeguards)
- GDPR Articles 5(1)(f), 25, 32
- 21 CFR Part 11 (electronic records, audit trails)
```sh
arko scan --tenant=demos --report=json > report.json
arko demo verify --expected=demo.yaml --actual=report.json
```
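The two commands above produce a scan report and check it against the seeded inventory. The script below is an added example of that comparison, not the ARKO CLI and not the logic behind `arko demo verify`; the real formats of demo.yaml and report.json are not documented here, so it assumes a simple shape for both (expected entries carry `id`, `rule` and `file`; report findings carry `rule` and `path`) and embeds constructed sample data inline. Beyond a pass/fail, it also lists unexpected findings, which a coverage demo wants to know about as much as misses.

```python
"""Compare a scanner report against an expected seeded-finding inventory.

Added example, not the ARKO CLI. The input shapes, rule names and file paths
below are constructed for illustration and are not taken from DEMO.md.
"""
import json
from dataclasses import dataclass

# Constructed sample inventory in the shape this example assumes for demo.yaml.
EXPECTED = [
    {"id": "SAST-001", "rule": "sql-injection", "file": "app/enrolments.py"},
    {"id": "SAST-002", "rule": "path-traversal", "file": "app/files.py"},
    {"id": "SAST-003", "rule": "hardcoded-secret", "file": "app/config.py"},
    {"id": "IAC-001", "rule": "s3-public-acl", "file": "infra/s3.tf"},
]

# Constructed sample scan output in the shape this example assumes for report.json.
REPORT_JSON = """
{"findings": [
  {"rule": "sql-injection", "path": "app/enrolments.py", "line": 42},
  {"rule": "hardcoded-secret", "path": "app/config.py", "line": 7},
  {"rule": "s3-public-acl", "path": "infra/s3.tf", "line": 3},
  {"rule": "weak-hash", "path": "app/auth.py", "line": 19}
]}
"""


@dataclass
class Coverage:
    found: list[str]                   # expected ids the scanner reported
    missed: list[str]                  # expected ids absent from the report
    unexpected: list[tuple[str, str]]  # (rule, path) pairs not in the inventory

    @property
    def ratio(self) -> float:
        total = len(self.found) + len(self.missed)
        return len(self.found) / total if total else 1.0


def verify(expected: list[dict], report: dict) -> Coverage:
    """Match on (rule, file); a seeded finding is covered when the scanner
    reports the same rule at the same file."""
    actual = {(f["rule"], f["path"]) for f in report["findings"]}
    wanted = {(e["rule"], e["file"]): e["id"] for e in expected}
    found = sorted(eid for key, eid in wanted.items() if key in actual)
    missed = sorted(eid for key, eid in wanted.items() if key not in actual)
    unexpected = sorted(actual - wanted.keys())
    return Coverage(found, missed, unexpected)


def verify_json(expected: list[dict], report_json: str) -> Coverage:
    """Convenience wrapper for a raw JSON report string."""
    return verify(expected, json.loads(report_json))


if __name__ == "__main__":
    cov = verify_json(EXPECTED, REPORT_JSON)
    print(f"coverage {cov.ratio:.0%}: found={cov.found} "
          f"missed={cov.missed} unexpected={cov.unexpected}")
    # Non-zero exit on any miss, so the check can gate a CI job.
    raise SystemExit(1 if cov.missed else 0)
```

With the constructed data the path-traversal finding is missed and one weak-hash finding appears that the inventory does not list, giving 75% coverage and a failing exit status.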