Demo repository representing a slice of a large enterprise application estate (~300 applications, primarily Java and .NET) with a mature vulnerability backlog. It is designed for running Devin Security Swarm scans and autonomous remediation workflows against real, production-grade codebases — not synthetic seeded vulnerabilities.
| Service | Stack | Source | Why it's here |
|---|---|---|---|
services/retirement-core-banking |
Java 17 / Spring Boot / Gradle | Apache Fineract 1.8.4 (Apache-2.0) | Real core-banking / retirement-services platform pinned to a 2023 release, carrying a genuine backlog of known CVEs in its dependency tree (Spring, Jackson, snakeyaml, etc.) |
services/policy-admin-portal |
.NET Framework 4.7.2 / ASP.NET MVC 5 / NuGet | eShopModernizing (MIT) | Legacy .NET line-of-business app with an aged packages.config (Newtonsoft.Json 12.0.1, log4net 2.0.10, jQuery 3.5.0, bootstrap 4.3.1, …) |
infrastructure/ |
Terraform + Packer + Docker | This repo | Infra/AMI vulnerability track: pinned outdated AMIs and end-of-life base images |
- Application backlog: 500+ open application vulnerabilities across the estate; ticket history restarts in January 2026 (new VIT module), but the underlying vulnerabilities are more than a year old — hence the pinned 2023 release tags.
- Infrastructure backlog: 8,000+ open Critical/High infrastructure
vulnerabilities, dominated by outdated AMIs and base images — see
infrastructure/. - Remediation loop: security scan → VIT ticket → L3 triage/fix →
security re-scan → confirm → close. The automated analog implemented here is
documented in
docs/REMEDIATION_WORKFLOW.md.
Two scanner paths are wired in .github/workflows/:
- Snyk (
snyk-scan.yml) — Open Source (Gradle + NuGet) and IaC scans, matching estates standardized on Snyk. Requires aSNYK_TOKENsecret. - Trivy (
vuln-auto-remediate.yml) — scanner-agnostic fallback path with the closed-loop Devin auto-remediation trigger (no external account needed).
Devin Security Swarm can also be pointed directly at this repository; the two service trees and the IaC tree give it Java, .NET, and infrastructure findings in a single scan.
services/
retirement-core-banking/ # Apache Fineract 1.8.4 (full source tree)
policy-admin-portal/ # ASP.NET MVC 5 solution (packages.config)
infrastructure/
terraform/ # EC2 fleet pinned to outdated AMIs
packer/ # AMI build template on an EOL base image
docker/ # EOL base-image Dockerfile
docs/
REMEDIATION_WORKFLOW.md # Closed-loop scan→fix→verify→escalate flow
services/retirement-core-bankingretains its Apache-2.0 license and notices.services/policy-admin-portaloriginates from eShopModernizing (MIT).