This repository contains INTENTIONALLY VULNERABLE dependencies for security testing purposes only.
DO NOT USE IN PRODUCTION. These scenarios are designed to test Microsoft Defender for Cloud's Code-to-Cloud security mapping capabilities.
Purpose: Test Code-to-Cloud security mapping and vulnerability correlation across the full DevSecOps pipeline.
What it demonstrates:
- Repository → GitHub Actions workflow → Docker image → Azure Container Registry → AKS deployment → vulnerability assessment
- End-to-end correlation from source code dependencies to running containers
- Vulnerability detection and traceability across the software supply chain
Use case: Validates that Microsoft Defender for Cloud can:
- Discover GitHub repositories via connector
- Map GitHub Actions workflows to container images
- Track images from ACR to AKS workloads
- Correlate vulnerabilities from source (package.json) to runtime (deployed containers)
```
┌────────────────────────────────────────────────────────────┐
│ GitHub Repository (thechmodmaster/code2cloud-scenarios)    │
│ └─ package.json: ajv@6.12.2 (CVE-2020-15366)               │
└────────────────────────────┬───────────────────────────────┘
                             │
                             ▼
┌────────────────────────────────────────────────────────────┐
│ GitHub Actions Workflow (c2c-vuln-container-build.yml)     │
│ └─ OIDC Authentication → Azure                             │
└────────────────────────────┬───────────────────────────────┘
                             │
                             ▼
┌────────────────────────────────────────────────────────────┐
│ Docker Build                                               │
│ └─ Base: node:16-alpine + npm install ajv@6.12.2           │
└────────────────────────────┬───────────────────────────────┘
                             │
                             ▼
┌────────────────────────────────────────────────────────────┐
│ Azure Container Registry (c2cscenarioacr.azurecr.io)       │
│ └─ Image: c2cscenario/vuln-app:latest + digest             │
└────────────────────────────┬───────────────────────────────┘
                             │
                             ▼
┌────────────────────────────────────────────────────────────┐
│ AKS Deployment (c2cscenario-aks)                           │
│ └─ Namespace: c2c-scenarios                                │
│ └─ Workload: vuln-app                                      │
└────────────────────────────┬───────────────────────────────┘
                             │
                             ▼
┌────────────────────────────────────────────────────────────┐
│ Microsoft Defender for Cloud - Vulnerability Assessment    │
│ └─ CVE-2020-15366 (ajv@6.12.2 Prototype Pollution)         │
│ └─ Traceable from repo → workflow → image → workload       │
└────────────────────────────────────────────────────────────┘
```
Before getting started, ensure you have:
- Azure CLI (`az`) installed and authenticated (`az login`)
- `kubectl` installed (Kubernetes CLI)
- GitHub CLI (`gh`) installed (optional, for managing secrets)
- Bash shell (WSL, Git Bash, or Linux/macOS terminal)
- An Azure subscription with Owner or Contributor + User Access Administrator permissions
- A GitHub repository (fork or clone of `thechmodmaster/code2cloud-scenarios`)
- Permissions to configure GitHub repository secrets
| Component | Configuration |
|---|---|
| GitHub Repo | thechmodmaster/code2cloud-scenarios |
| Azure Subscription | Code2Cloud (2484489b-da82-4300-9f01-406602c2efbc) |
| Tenant Domain | 7d45cbc7657f85d6a9.onmicrosoft.com |
| Region | East US |
| Resource Group | c2cscenario-rg |
| ACR | c2cscenarioacr (login: c2cscenarioacr.azurecr.io) |
| AKS Cluster | c2cscenario-aks |
| Managed Identity | c2cscenario-github-identity |
| Image | c2cscenarioacr.azurecr.io/c2cscenario/vuln-app |
| K8s Namespace | c2c-scenarios |
| Test Vulnerability | ajv@6.12.2 (CVE-2020-15366 - Prototype Pollution) |
The deployment script creates all required Azure infrastructure:

```bash
# Navigate to the repository root
cd code2cloud-scenarios

# Make the script executable
chmod +x infra/deploy-azure.sh

# Run the deployment
./infra/deploy-azure.sh
```

What gets created:
- ✅ Resource Group: `c2cscenario-rg`
- ✅ Azure Container Registry: `c2cscenarioacr` (Standard SKU)
- ✅ AKS Cluster: `c2cscenario-aks` (1 node, Standard_DS2_v2)
- ✅ Managed Identity: `c2cscenario-github-identity`
- ✅ Federated Credential: Configured for GitHub Actions OIDC (repo: `thechmodmaster/code2cloud-scenarios`)
- ✅ Role Assignments:
  - `AcrPush` on ACR (for image push)
  - `Azure Kubernetes Service Cluster User Role` on AKS (for deployment)
Important: Save the output from the script — you'll need the Client ID and Tenant ID for the next step.
After the deployment script completes, configure these secrets in your GitHub repository:

| Secret Name | Value | Where to Get It |
|---|---|---|
| AZURE_CLIENT_ID | Managed Identity Client ID | Output from deploy-azure.sh script |
| AZURE_TENANT_ID | Azure Tenant ID | Output from deploy-azure.sh script |
| AZURE_SUBSCRIPTION_ID | 2484489b-da82-4300-9f01-406602c2efbc | Fixed value (Code2Cloud subscription) |

Using the GitHub CLI:

```bash
# Set secrets using values from the deployment script output
gh secret set AZURE_CLIENT_ID --body "<client-id-from-script>"
gh secret set AZURE_TENANT_ID --body "<tenant-id-from-script>"
gh secret set AZURE_SUBSCRIPTION_ID --body "2484489b-da82-4300-9f01-406602c2efbc"
```

Or via the GitHub web UI:
- Go to your repository on GitHub
- Navigate to Settings → Secrets and variables → Actions
- Click New repository secret
- Add each secret with the values from the deployment script output
Trigger the vulnerable container build and deploy workflow, either with the GitHub CLI:

```bash
gh workflow run c2c-vuln-container-build.yml
```

or via the GitHub web UI:
- Go to your repository on GitHub
- Navigate to Actions
- Select C2C Vulnerable Container Build & Deploy
- Click Run workflow → Run workflow
What the workflow does:
- Authenticates to Azure using OIDC (Workload Identity Federation)
- Builds a Docker image containing ajv@6.12.2 (vulnerable)
- Pushes the image to ACR with a unique digest
- Updates the AKS deployment with the new image digest
- Outputs correlation metadata (commit SHA, image digest, timestamps)
After the workflow completes successfully:
- Open the Azure Portal
- Navigate to Microsoft Defender for Cloud
- Go to Environment settings → Add environment → GitHub
- Follow the connector setup wizard:
  - Authenticate to GitHub
  - Select the repository: `thechmodmaster/code2cloud-scenarios`
  - Grant required permissions (read repository metadata, workflows, packages)
- Wait for the connector to sync (typically 5-15 minutes)
The workflow generates correlation metadata that you'll need for verification:

Locations:
- GitHub Actions → Select the workflow run → Summary tab (see "Correlation Summary")
- Workflow logs → Expand the step "Print Correlation Summary"
- Azure CLI:

```bash
az acr repository show-tags --name c2cscenarioacr --repository c2cscenario/vuln-app --detail --output table
```

Example output:

```
Image URI: c2cscenarioacr.azurecr.io/c2cscenario/vuln-app@sha256:abc123...
Commit SHA: 1a2b3c4d
Build Time: 2024-01-15T10:30:00Z
```
```bash
# Show repository details
az acr repository show \
  --name c2cscenarioacr \
  --repository c2cscenario/vuln-app

# List all image manifests with details
az acr repository show-manifests \
  --name c2cscenarioacr \
  --repository c2cscenario/vuln-app \
  --detail \
  --output table
```

Expected output: You should see at least one manifest with tags (e.g., `latest`, `<commit-sha>`, `run-<run-id>`) and a digest starting with `sha256:`.

Note: newer Azure CLI releases mark `az acr repository show-manifests` as deprecated; the equivalent listing is `az acr manifest list-metadata --registry c2cscenarioacr --name c2cscenario/vuln-app`.
```bash
# Get AKS credentials
az aks get-credentials \
  --resource-group c2cscenario-rg \
  --name c2cscenario-aks

# Check pods in the c2c-scenarios namespace
kubectl get pods -n c2c-scenarios

# Describe the deployment to see the image
kubectl describe deployment vuln-app -n c2c-scenarios

# Check pod details (including image digest)
kubectl get pods -n c2c-scenarios -l app=vuln-app -o jsonpath='{.items[0].spec.containers[0].image}'
```

Expected output:
- Pods should be in `Running` state
- Image should match: `c2cscenarioacr.azurecr.io/c2cscenario/vuln-app@sha256:...` (with digest, not `latest`)
After creating the GitHub connector in Microsoft Defender for Cloud, verify these correlations:

Repository:
- Repository `thechmodmaster/code2cloud-scenarios` appears in Code-to-Cloud views
- Repository metadata is accurate (commit history, contributors)
- `package.json` with `ajv@6.12.2` is visible in source code view

Workflow:
- GitHub Actions workflow `c2c-vuln-container-build.yml` is discovered
- Workflow runs are visible with timestamps and commit SHAs
- Workflow → image mapping shows the correlation (workflow produced image X)

Container image:
- Container image `c2cscenarioacr.azurecr.io/c2cscenario/vuln-app` is visible
- Image digest matches the workflow output (verify exact `sha256:...` hash)
- Image tags include commit SHA and build run ID
- Image metadata shows creation timestamp and size

Registry:
- ACR `c2cscenarioacr` is discovered as a cloud resource
- Repository `c2cscenario/vuln-app` appears within the ACR
- Image → ACR association is clear

Vulnerability:
- CVE-2020-15366 (ajv Prototype Pollution) is detected
- Vulnerability severity is correctly reported (Medium/High)
- Affected package `ajv@6.12.2` is identified
- Remediation guidance suggests upgrading to `ajv@6.12.3` or later
- Vulnerability is traceable from:
  - Source: `package.json` in GitHub repo
  - Build: GitHub Actions workflow
  - Artifact: Container image in ACR
  - Runtime: AKS workload

AKS workload:
- AKS cluster `c2cscenario-aks` is discovered
- Namespace `c2c-scenarios` is visible
- Deployment `vuln-app` appears in workload views
- Workload → container image mapping is correct (shows same digest)
- Kubernetes workload references the vulnerable image
- Pod status is healthy (Running)

End-to-end:
- You can trace from repository → workflow → image → AKS workload
- Vulnerability appears in all relevant views (repo, image, workload)
- Timeline shows the progression (commit → build → push → deploy)
- Security posture reflects the intentional vulnerability
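The digest comparisons called for above (image digest equals the workflow output, the manifest carries the commit SHA tag, and the AKS workload references that same digest rather than a mutable tag) can be scripted. The following is an added example, not part of this repository: it runs offline against constructed sample data shaped like the workflow's Correlation Summary, the JSON form of the ACR manifest listing, and the `kubectl` jsonpath image query; the digest, commit SHA and `run-42` tag are made-up values.

```python
import json
import re

# Constructed sample data (not from a real run), shaped like the three artifacts
# this README tells you to compare: the workflow "Correlation Summary", the JSON
# output of the ACR manifest listing, and the kubectl jsonpath image query.
WORKFLOW_SUMMARY = """\
Image URI: c2cscenarioacr.azurecr.io/c2cscenario/vuln-app@sha256:aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666aaaa7777bbbb8888
Commit SHA: 1a2b3c4d
Build Time: 2024-01-15T10:30:00Z
"""
ACR_MANIFESTS = json.dumps([
    {"digest": "sha256:aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666aaaa7777bbbb8888",
     "tags": ["latest", "1a2b3c4d", "run-42"]},
])
POD_IMAGE = ("c2cscenarioacr.azurecr.io/c2cscenario/vuln-app"
             "@sha256:aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666aaaa7777bbbb8888")

DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")

def digest_of(image_ref):
    """Return the sha256 digest an image reference is pinned to, or None for a tag-only reference."""
    match = DIGEST_RE.search(image_ref)
    return match.group(1) if match else None

def verify_correlation(summary, manifests_json, pod_image):
    """Cross-check workflow output, ACR manifests and the running pod; return a list of problems."""
    findings = []
    fields = dict(line.split(": ", 1) for line in summary.strip().splitlines())
    build_digest = digest_of(fields["Image URI"])
    if build_digest is None:
        return ["workflow summary image URI is not digest-pinned"]
    # Artifact stage: the built digest must exist in ACR and carry the commit SHA tag
    manifests = {m["digest"]: m.get("tags") or [] for m in json.loads(manifests_json)}
    if build_digest not in manifests:
        findings.append("built digest not found in ACR manifest list")
    elif fields["Commit SHA"] not in manifests[build_digest]:
        findings.append("ACR manifest is missing the commit SHA tag")
    # Runtime stage: the workload must reference the same digest, never a mutable tag
    pod_digest = digest_of(pod_image)
    if pod_digest is None:
        findings.append("AKS workload references a tag, not a digest")
    elif pod_digest != build_digest:
        findings.append("AKS workload digest differs from the built image")
    return findings

if __name__ == "__main__":
    print(verify_correlation(WORKFLOW_SUMMARY, ACR_MANIFESTS, POD_IMAGE) or "correlation OK")
```

To run it against a live cluster, feed it the real Correlation Summary text, the output of the manifest listing with `--output json`, and the `kubectl ... -o jsonpath` image string instead of the constructed constants.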
| Package | Version | CVE | Type | Severity | CVSS |
|---|---|---|---|---|---|
| ajv | 6.12.2 | CVE-2020-15366 | Prototype Pollution | Medium/High | 5.6 |
| node | 16.x (EOL) | Multiple | Various | Various | N/A |
About CVE-2020-15366:
- Vulnerability: Prototype pollution via the `ajv.validate()` function
- Impact: An attacker can inject properties into `Object.prototype`, potentially leading to Denial of Service or other attacks
- Remediation: Upgrade to `ajv@6.12.3` or later
- Why included: This vulnerability is well-documented, has a clear CVE, and is easily detectable by security scanners — making it ideal for testing correlation flows

Additional vulnerabilities:
- Node.js 16.x is End-of-Life (EOL) and contains multiple vulnerabilities — this adds realism to the test scenario
Note: These vulnerabilities are intentionally included for testing purposes. Do not deploy this scenario to production environments.
To delete all Azure resources created by this scenario:

```bash
# Make cleanup script executable
chmod +x infra/cleanup-azure.sh

# Run cleanup (deletes resource group and all resources)
./infra/cleanup-azure.sh
```

What gets deleted:
- Resource Group `c2cscenario-rg` and everything in it:
  - ACR (and all images)
  - AKS cluster
  - Managed Identity
  - Virtual network, disks, and other resources created by AKS
Note: This does not delete the GitHub connector. To remove the connector, go to Microsoft Defender for Cloud → Environment settings → GitHub → Remove connector.
```
code2cloud-scenarios/
├── README.md                              # This file
├── .github/
│   └── workflows/
│       └── c2c-vuln-container-build.yml   # Build & deploy workflow
├── scenarios/
│   └── vulnerable-container/
│       ├── Dockerfile                     # Container image with ajv@6.12.2
│       ├── package.json                   # Node.js dependencies
│       ├── server.js                      # Simple Express server
│       └── k8s/
│           ├── namespace.yaml             # Kubernetes namespace
│           └── deployment.yaml            # Deployment + Service
└── infra/
    ├── deploy-azure.sh                    # Creates Azure resources
    └── cleanup-azure.sh                   # Deletes resource group
```
To create additional test scenarios:

- Create a new scenario directory:

  ```bash
  mkdir -p scenarios/new-scenario/k8s
  ```

- Define the vulnerability:
  - Choose a package with a known CVE
  - Update `package.json` (or equivalent dependency file)
  - Document the CVE and expected behavior
- Create Dockerfile:
  - Base image with the vulnerable dependency
  - Minimal application (just enough to run)
- Create K8s manifests:
  - Deployment with labels indicating the scenario
  - Service (if needed)
  - Add annotations for traceability
- Create or update workflow:
  - Build and push to ACR
  - Deploy to AKS
  - Tag with scenario name
- Document:
  - Update README with scenario details
  - Add to verification checklist
Scenario ideas:
- Log4Shell (Log4j): Java application with log4j 2.14.1
- Spring4Shell: Spring Framework 5.3.17
- Python Dependency: Flask with known vulnerability
- Multi-stage build: Testing image layer correlation
- Helm chart: Testing Helm-based deployments
Troubleshooting:

Workflow cannot authenticate to Azure:
- Verify GitHub secrets are set correctly
- Check that the Managed Identity federated credential matches the repository name
- Ensure the Azure subscription ID is correct

Image push to ACR fails:
- Verify the Managed Identity has the `AcrPush` role on the ACR
- Check ACR firewall settings (ensure GitHub Actions IP ranges are allowed)

Deployment to AKS fails:
- Verify the Managed Identity has the correct AKS role
- Check if the namespace `c2c-scenarios` exists
- Ensure the AKS cluster is running and healthy

Vulnerability does not appear in Defender for Cloud:
- Wait 15-30 minutes for Defender for Cloud to scan the image
- Verify the GitHub connector is active and syncing
- Check that the image digest in AKS matches the one in ACR
MIT License - See LICENSE file for details.
REMINDER: This repository contains intentionally vulnerable code for testing purposes only. Use at your own risk.