Verified or Not? Ep. 1 — Testing 9 Engines Against OWASP Juice Shop


Welcome to Verified or Not — the series where I put Debuggix to the test against real,
known repositories to prove it actually works.

For the first 6 episodes, I'm not scanning random code. I'm targeting repos that the
security community already knows inside and out. Deliberately vulnerable apps. Repos
with documented issues. Codebases with published threat models.

Why? Because anyone can claim their scanner works. I'm proving it.

━━━━━━━━━━━━━━━━━━━━━━

EPISODE 1: OWASP Juice Shop

The most famous vulnerable web app in the world. 38,000 GitHub stars. Built by the
Open Web Application Security Project to teach developers how NOT to write code.

Juice Shop has over 100 documented vulnerabilities spanning the entire OWASP Top Ten.
SQL injection. XSS. Path traversal. Broken authentication. It's all there, on purpose.

THE TEST
━━━━━━━━━━━━━━━━━━━━━━
If Debuggix is real, it should detect this is a deliberately vulnerable training app
and NOT flag it as a production emergency. A dumb scanner would dump 500 findings and
tell you to fix them. A smart scanner reads the documentation and understands context.

THE SCAN
━━━━━━━━━━━━━━━━━━━━━━
• 9 engines running in parallel
• Semgrep, Bandit, Gitleaks, TruffleHog, Trivy, ESLint, Hadolint, Checkov, OSV-Scanner
• 945 source files
• 134,000 lines of code
• Scan time: ~3 minutes

THE RESULTS
━━━━━━━━━━━━━━━━━━━━━━
• Needs Attention: 0
• Reviewed: 32

All 32 findings were automatically classified as intentional. Why? Because Debuggix
read the README and SECURITY.md. It detected the keywords "deliberately vulnerable"
and "OWASP." It knew this app was built to be hacked.

This is the difference between a scanner that just looks for patterns and a scanner
that understands what it's looking at.
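As an added illustration (not Debuggix's own code, whose internals the post does not show), here is a minimal version of the documentation-aware triage described above, in Python. It goes slightly beyond the post: because README text is unauthenticated input, it requires two distinct intent markers rather than one before downgrading findings, and it keeps secret-scanner hits in Needs Attention regardless. The markers beyond "deliberately vulnerable" and "OWASP", the engine names used as keys, and all sample data are assumptions.

```python
import re
from dataclasses import dataclass

# Phrases marking an intentionally vulnerable training repo. The post names
# "deliberately vulnerable" and "OWASP"; the other two are assumed additions.
INTENT_MARKERS = [
    r"deliberately vulnerable",
    r"intentionally (insecure|vulnerable)",
    r"\bOWASP\b",
    r"(training|educational) (app|application|purposes)",
]
# Engines whose hits are never auto-suppressed: a live credential in a public
# repo is a real exposure whatever the README says (caveat added here, not in the post).
NEVER_SUPPRESS = {"gitleaks", "trufflehog"}

@dataclass(frozen=True)
class Finding:
    engine: str
    rule: str
    path: str

def intent_markers_found(doc_texts):
    """Return the intent markers matched anywhere in the README/SECURITY.md texts."""
    combined = "\n".join(doc_texts)
    return [m for m in INTENT_MARKERS if re.search(m, combined, re.IGNORECASE)]

def triage(findings, doc_texts, min_markers=2):
    """Split findings into (reviewed, needs_attention).
    README text is unauthenticated input, so one keyword is not enough: at least
    `min_markers` distinct markers must match before findings are downgraded,
    and secret-scanner hits always stay in needs_attention."""
    intentional = len(intent_markers_found(doc_texts)) >= min_markers
    reviewed, needs_attention = [], []
    for f in findings:
        if intentional and f.engine not in NEVER_SUPPRESS:
            reviewed.append(f)
        else:
            needs_attention.append(f)
    return reviewed, needs_attention

# Constructed sample input (not Juice Shop's real files or real scan output).
SAMPLE_DOCS = [
    "OWASP Juice Shop is an insecure web application for security training.",
    "This app is deliberately vulnerable; do not report its flaws as security issues.",
]
SAMPLE_FINDINGS = [
    Finding("semgrep", "sql-string-concatenation", "src/login.js"),
    Finding("eslint", "no-eval", "src/utils.js"),
    Finding("gitleaks", "generic-api-key", "config/sample.yml"),
]
```

Running `triage(SAMPLE_FINDINGS, SAMPLE_DOCS)` downgrades the Semgrep and ESLint hits to reviewed while the Gitleaks hit stays in Needs Attention; with a README that mentions only "OWASP", nothing is downgraded.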

WHAT THIS PROVES
━━━━━━━━━━━━━━━━━━━━━━
✓ Multi-engine scanning catches what single tools miss
✓ AI filtering eliminates noise (32 findings, 0 false alarms)
✓ Documentation-aware scanning understands intent
✓ Known vulnerable repos are correctly identified

NEXT EPISODE
━━━━━━━━━━━━━━━━━━━━━━
Episode 2: I scan another known-vulnerable repo. Will it hold up?

LINKS
• Scan your repo free: https://debuggix.space
• Juice Shop: https://github.com/juice-shop/juice-shop
• OWASP: https://owasp.org

NEW EPISODE EVERY WEEK
Episodes 1–6: Testing against known repos to prove Debuggix works.
Episode 7+: Scanning trending repos. Verified or Not?
