Welcome to Verified or Not — the series where I put Debuggix to the test against real,
known repositories to prove it actually works.
For the first 6 episodes, I'm not scanning random code. I'm targeting repos that the
security community already knows inside and out. Deliberately vulnerable apps. Repos
with documented issues. Codebases with published threat models.
Why? Because anyone can claim their scanner works. I'm proving it.
━━━━━━━━━━━━━━━━━━━━━━
EPISODE 1: OWASP Juice Shop
The most famous vulnerable web app in the world. 38,000 GitHub stars. Built by the
Open Web Application Security Project to teach developers how NOT to write code.
Juice Shop has over 100 documented vulnerabilities spanning the entire OWASP Top Ten.
SQL injection. XSS. Path traversal. Broken authentication. It's all there, on purpose.
THE TEST
━━━━━━━━━━━━━━━━━━━━━━
If Debuggix is real, it should detect this is a deliberately vulnerable training app
and NOT flag it as a production emergency. A dumb scanner would dump 500 findings and
tell you to fix them. A smart scanner reads the documentation and understands context.
THE SCAN
━━━━━━━━━━━━━━━━━━━━━━
• 9 engines running in parallel
• Semgrep, Bandit, Gitleaks, TruffleHog, Trivy, ESLint, Hadolint, Checkov, OSV-Scanner
• 945 source files
• 134,000 lines of code
• Scan time: ~3 minutes
THE RESULTS
━━━━━━━━━━━━━━━━━━━━━━
• Needs Attention: 0
• Reviewed: 32
All 32 findings were automatically classified as intentional. Why? Because Debuggix
read the README and SECURITY.md. It detected the keywords "deliberately vulnerable"
and "OWASP." It knew this app was built to be hacked.
This is the difference between a scanner that just looks for patterns and a scanner
that understands what it's looking at.
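To make the documentation-aware step concrete, here is a small added illustration of the idea (my own sketch, not Debuggix's code or anything from the Juice Shop project): it reads the repo's README/SECURITY.md, looks for the intent markers the post names, and moves findings into "Reviewed" instead of "Needs Attention". The doc snippets and findings are constructed; treating "deliberately vulnerable" as the decisive marker and "OWASP" as supporting evidence only is my assumption.

```python
# Markers the post says the scanner looked for. "deliberately vulnerable" is
# treated as decisive; "owasp" alone is only recorded as supporting evidence,
# since plenty of production repos mention OWASP tooling (assumption).
DECISIVE_MARKERS = ("deliberately vulnerable",)
SUPPORTING_MARKERS = ("owasp",)

# Constructed stand-ins for the repository's documentation files.
DOCS = {
    "README.md": "# Juice Shop\nOWASP Juice Shop is an insecure web application for training.",
    "SECURITY.md": "This project is deliberately vulnerable. Intended flaws are not bugs.",
}

# Constructed findings in the shape a multi-engine scan might emit.
FINDINGS = [
    {"engine": "semgrep", "rule": "sqli-string-concat", "path": "routes/login.ts"},
    {"engine": "gitleaks", "rule": "generic-api-key", "path": "config/default.yml"},
]


def document_markers(docs):
    """Return (decisive, supporting) marker lists found in the docs, case-insensitively."""
    text = "\n".join(docs.values()).lower()
    decisive = [m for m in DECISIVE_MARKERS if m in text]
    supporting = [m for m in SUPPORTING_MARKERS if m in text]
    return decisive, supporting


def classify(findings, docs):
    """Bucket findings into 'needs_attention' and 'reviewed'.

    When the docs declare the repo intentionally vulnerable, every finding is
    kept (tagged 'intentional', with the evidence attached) but moved to
    'reviewed' rather than dropped, so a human can still see what was found.
    """
    decisive, supporting = document_markers(docs)
    buckets = {"needs_attention": [], "reviewed": []}
    for finding in findings:
        entry = dict(finding)
        if decisive:
            entry["classification"] = "intentional"
            entry["evidence"] = decisive + supporting
            buckets["reviewed"].append(entry)
        else:
            entry["classification"] = "needs_attention"
            buckets["needs_attention"].append(entry)
    return buckets
```

Because README and SECURITY.md are written by whoever controls the repo, the safe design keeps the findings listed under "Reviewed" rather than silently discarding them.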
WHAT THIS PROVES
━━━━━━━━━━━━━━━━━━━━━━
✓ Multi-engine scanning catches what single tools miss
✓ AI filtering eliminates noise (32 findings, 0 false alarms)
✓ Documentation-aware scanning understands intent
✓ Known vulnerable repos are correctly identified
NEXT EPISODE
━━━━━━━━━━━━━━━━━━━━━━
Episode 2: I scan another known-vulnerable repo. Will it hold up?
LINKS
• Scan your repo free: https://debuggix.space
• Juice Shop: https://github.com/juice-shop/juice-shop
• OWASP: https://owasp.org
NEW EPISODE EVERY WEEK
Episodes 1–6: Testing against known repos to prove Debuggix works.
Episode 7+: Scanning trending repos. Verified or Not?