Intentionally vulnerable Go (golang) application to test the coverage of SAST tools.
All vulnerabilities are marked in the code with the comment `// vulnerability`.
- SQL Injection (SQLi)
- Command Injection (RCE)
- Hardcoded secret
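To show how the marker convention above looks in practice for the first two classes, here is an added example (constructed for this README, not code from the repository) that pairs a vulnerable function with its hardened counterpart; the function names and the `ping` wrapper are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// LookupUserQueryVulnerable builds the SQL text by string concatenation, so
// attacker-controlled input becomes part of the statement itself.
func LookupUserQueryVulnerable(username string) string {
	// vulnerability: SQL Injection (SQLi) via string concatenation
	return "SELECT id, name FROM users WHERE name = '" + username + "'"
}

// LookupUserQuerySafe keeps the statement fixed and passes the input as a
// bound parameter, so the driver never interprets it as SQL.
func LookupUserQuerySafe(username string) (query string, args []interface{}) {
	return "SELECT id, name FROM users WHERE name = $1", []interface{}{username}
}

// PingArgsVulnerable hands a shell a command line assembled from user input.
func PingArgsVulnerable(host string) []string {
	// vulnerability: Command Injection (RCE) via "sh -c" with concatenated input
	return []string{"sh", "-c", "ping -c 1 " + host}
}

// hostRe is a deliberately strict allow-list for hostnames (constructed).
var hostRe = regexp.MustCompile(`^[A-Za-z0-9.-]{1,253}$`)

// PingArgsSafe validates the host and passes it as a single argv element with
// no shell involved, so shell metacharacters are never interpreted.
func PingArgsSafe(host string) ([]string, error) {
	if !hostRe.MatchString(host) {
		return nil, fmt.Errorf("invalid host %q", host)
	}
	return []string{"ping", "-c", "1", host}, nil
}

func main() {
	in := "x' OR '1'='1" // constructed test input
	fmt.Println(LookupUserQueryVulnerable(in))
	q, a := LookupUserQuerySafe(in)
	fmt.Println(q, a)
	fmt.Println(PingArgsVulnerable("localhost; id"))
	_, err := PingArgsSafe("localhost; id")
	fmt.Println(err)
}
```

A SAST tool should flag the two functions carrying the `// vulnerability` comment and stay quiet on their hardened neighbours; the argv slices are only built, not executed, so the example runs without network access.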
Ensure Docker Compose is installed.
Run the application with
Thunder Client is used to document the HTTP requests for the test cases as well as for the vulnerabilities. The folder thunder-tests in the repo contains these test cases, which makes it convenient to exercise the various vulnerabilities.
In development mode, Gow is used to watch for file changes and rebuild the app.
To run in dev mode:
docker-compose -f docker-compose-dev.yml up --build
To stop the app and delete the DB volume so that the database is recreated on the next start:
docker-compose down --remove-orphans --volumes --rmi local