Juice Shop Assessment | LOGOS Governance & SBOM Snapshot

LOGOS GOVERNANCE SYSTEMS INC.

Governance & SBOM Snapshot

OWASP Juice Shop Demo | Repository Dependency & Governance Assessment — ENG-F0DEA306

Report Type	Security & Governance Posture Assessment
Prepared By	LOGOS Governance Systems Inc.
Assessment Target	OWASP Juice Shop Demo
Scope	https://github.com/juice-shop/juice-shop.git
Classification	Sample Report — Demonstration
Date	2026-03-30

This report does not constitute a penetration test, security audit, or compliance certification.

1. Executive Summary

LOGOS Governance Systems conducted a read-only dependency and governance posture snapshot of the subject repository. This assessment covers software composition analysis (SBOM generation), verified vulnerability identification, and secrets exposure detection across full git history.

This report contains only verified findings — confirmed across multiple independent scanners using LOGOS quorum verification. Single-source findings are excluded from client deliverables.

Overall Posture Grade

13 secrets detected in repository history — test credentials exposed

0 CRITICAL 0 HIGH 0 MEDIUM 13 SECRETS

The repository assessment identified 14 total findings, of which 14 were verified through multi-source confirmation. 0 critical and 0 high severity CVE issues were identified. However, 13 secrets were detected in repository history, primarily test credentials in 2FA test files.

2. Scope and Method

Analysis was conducted against the subject repository using read-only access. No credentials, private data, or production systems were accessed.

SBOM Generation: syft enumerated all detected components, producing CycloneDX-format bill of materials.
Vulnerability Scanning: grype applied against generated SBOM. All CVE findings cross-verified against NVD.
Secrets Detection: gitleaks scanned full git history for exposed credentials, API keys, and tokens.
Quorum Verification: Only findings confirmed across 2+ independent sources are included in this report.

3. Verified Dependency Risks

No verified CVE findings in this assessment. Dependencies are well-maintained and patched.

4. Secrets & Exposure Findings

Location	Type	Severity	Action
`test/api/2fa.test.ts:42`	Test Secret	Critical	Move to secrets manager
`test/api/2fa.test.ts:66`	Test Secret	Critical	Move to secrets manager
`test/api/2fa.test.ts:85`	Test Secret	Critical	Move to secrets manager
`test/api/2fa.test.ts:144`	Test Secret	Critical	Move to secrets manager
`test/api/2fa.test.ts:176`	Test Secret	Critical	Move to secrets manager
`test/api-supertest/basket.test.ts:110`	Test Secret	Critical	Move to secrets manager
`test/api-supertest/data-export.test.ts:25`	Test Secret	Critical	Move to secrets manager
+ 6 additional secrets in test files

5. Prioritized Recommendations

Immediate — Before Next Release

Rotate all exposed credentials immediately. Treat as compromised.
Move test secrets to environment variables or test fixtures loaded at runtime.

Near-Term — 30 Days

Implement automated SBOM generation in CI/CD pipeline.
Pin all dependency versions to exact releases.
Add pre-commit hooks for secrets detection.

Governance Foundation — 60-90 Days

Establish dependency update policy with security review gate.
Implement secrets management solution (Vault, AWS Secrets Manager, etc.).
Document vulnerability response runbook with SLAs by severity.