acme/payments-api

main · npm, go

How RedFlag works

Most teams assume their security scanners catch everything. They don't. RedFlag plants real CVEs in a safe test branch, runs your scanners against them, and scores exactly what got through. Then it tells you how to fix it.

  1. Step 1: Connect your repo

     Link any GitHub repository using a Personal Access Token. RedFlag never touches your production code.

  2. Step 2: We inject real CVEs

     RedFlag plants 12+ known vulnerabilities (Log4Shell, Text4Shell, vm2 escape and more) into a temporary test branch that gets deleted after the scan.

  3. Step 3: Get your score

     Your Dependabot and GitHub Actions scanners run against the injected vulnerabilities. RedFlag scores how many they catch, weighted by severity. See exactly what was missed.

Detection score: 84
Injected: 10
Detected: 8
Missed: 2
Avg detection: 00:05:11

Injection results

10 CVEs planted in test branch

| CVE            | Package                 | Severity | Ecosystem | Detected | Time to alert |
|----------------|-------------------------|----------|-----------|----------|---------------|
| CVE-2023-45857 | axios@1.5.0             | high     | npm       | Detected | 00:04:12      |
| CVE-2024-21626 | runc@1.1.11             | critical | go        | Detected | 00:02:48      |
| CVE-2023-26136 | tough-cookie@4.0.0      | medium   | npm       | Detected | 00:08:31      |
| CVE-2024-28849 | follow-redirects@1.15.4 | medium   | npm       | Missed   |               |
| CVE-2023-50447 | Pillow@10.1.0           | high     | pypi      | Detected | 00:06:09      |
| CVE-2024-22195 | Jinja2@3.1.2            | medium   | pypi      | Detected | 00:11:54      |
| CVE-2023-44487 | golang.org/x/net        | high     | go        | Missed   |               |
| CVE-2024-27983 | node@20.11.0            | high     | npm       | Detected | 00:03:22      |
| CVE-2023-38545 | curl@8.3.0              | critical | system    | Detected | 00:01:55      |
| CVE-2024-3094  | xz-utils@5.6.0          | critical | system    | Missed   |               |
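To make the scoring described in Step 3 concrete, here is an added Python example. It is not RedFlag's own code: the page says the score is "weighted by severity" but does not publish its weights, so the weights used below (critical 3, high 2, medium and low 1) are an assumption, and the rows are a constructed copy of the results table above. It computes the severity-weighted detection score, lists misses most severe first, derives mean time to alert from the detected rows, and breaks detection down per ecosystem.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed weights: the page does not state RedFlag's formula, so these
# are an illustration of "weighted by severity", not the product's values.
SEVERITY_WEIGHT = {"critical": 3, "high": 2, "medium": 1, "low": 1}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class PlantedCVE:
    cve: str
    package: str
    severity: str
    ecosystem: str
    detected: bool
    time_to_alert: Optional[str] = None  # "HH:MM:SS", present only when detected


def parse_hms(value: str) -> int:
    """Convert an 'HH:MM:SS' string into whole seconds."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def weighted_score(rows) -> int:
    """Percentage of total severity weight that the scanners caught, rounded."""
    total = sum(SEVERITY_WEIGHT[r.severity] for r in rows)
    caught = sum(SEVERITY_WEIGHT[r.severity] for r in rows if r.detected)
    return round(100 * caught / total) if total else 0


def missed(rows):
    """CVE ids that produced no alert, most severe first (stable within a severity)."""
    ordered = sorted(rows, key=lambda r: SEVERITY_ORDER[r.severity])
    return [r.cve for r in ordered if not r.detected]


def mean_time_to_alert(rows) -> Optional[int]:
    """Mean seconds from injection to alert over detected rows; None if nothing was detected."""
    times = [parse_hms(r.time_to_alert) for r in rows if r.detected and r.time_to_alert]
    return round(sum(times) / len(times)) if times else None


def coverage_by_ecosystem(rows):
    """(detected, planted) counts per ecosystem, to spot ecosystems the scanners never cover."""
    out = {}
    for r in rows:
        det, tot = out.get(r.ecosystem, (0, 0))
        out[r.ecosystem] = (det + int(r.detected), tot + 1)
    return out


# Constructed sample input mirroring the results table on the page.
SAMPLE = [
    PlantedCVE("CVE-2023-45857", "axios@1.5.0", "high", "npm", True, "00:04:12"),
    PlantedCVE("CVE-2024-21626", "runc@1.1.11", "critical", "go", True, "00:02:48"),
    PlantedCVE("CVE-2023-26136", "tough-cookie@4.0.0", "medium", "npm", True, "00:08:31"),
    PlantedCVE("CVE-2024-28849", "follow-redirects@1.15.4", "medium", "npm", False),
    PlantedCVE("CVE-2023-50447", "Pillow@10.1.0", "high", "pypi", True, "00:06:09"),
    PlantedCVE("CVE-2024-22195", "Jinja2@3.1.2", "medium", "pypi", True, "00:11:54"),
    PlantedCVE("CVE-2023-44487", "golang.org/x/net", "high", "go", False),
    PlantedCVE("CVE-2024-27983", "node@20.11.0", "high", "npm", True, "00:03:22"),
    PlantedCVE("CVE-2023-38545", "curl@8.3.0", "critical", "system", True, "00:01:55"),
    PlantedCVE("CVE-2024-3094", "xz-utils@5.6.0", "critical", "system", False),
]


if __name__ == "__main__":
    print(f"Weighted detection score: {weighted_score(SAMPLE)}/100")
    print(f"Missed (most severe first): {missed(SAMPLE)}")
    print(f"Mean time to alert: {mean_time_to_alert(SAMPLE)} s")
    for eco, (det, tot) in sorted(coverage_by_ecosystem(SAMPLE).items()):
        print(f"  {eco:<7} {det}/{tot} detected")
```

With the assumed weights the sample scores 70, which happens to equal the figure in the activity log's final line, but any weights in arithmetic progression give that result here, so the match says nothing about RedFlag's actual formula. The per-ecosystem breakdown is the check a practitioner wants next: misses concentrated in one ecosystem (here `go` and `system`) usually point at a scanner that is not configured to cover that ecosystem at all, rather than at a gap in its advisory data for one package.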

Activity

Recent events for this repository

  1. 12:04:22  Initialized scan session #4821
  2. 12:04:25  Created branch redflag/inject-2024
  3. 12:04:31  Injected 10 CVE payloads across 3 ecosystems
  4. 12:04:48  Triggered GitHub Actions workflow
  5. 12:06:12  Dependabot alert: CVE-2024-21626 detected
  6. 12:07:34  Dependabot alert: CVE-2023-38545 detected
  7. 12:11:02  Missed: CVE-2024-3094 (xz-utils backdoor)
  8. 12:14:48  Scan complete — score 70/100
RedFlag · 2026