⚠️ Demo report — this report uses fictional data for portfolio demonstration purposes. It shows the actual output format generated by the pipeline on every Jenkins build.

Security Scan Report — retail-banking-api

Executive summary  ·  Demo report with fictional data
Repository: dev-team/retail-banking-api
Branch: feature/payment-gateway
Commit: a3f8c92d1e04b7f9
Build: #47
Scan date: 2026-04-15 09:42:17 UTC

Jenkins Build #47: FAILED ❌
Semgrep found 2 blocking security issue(s). | Dependency-Check found 3 CRITICAL and 8 HIGH vulnerabilities.

Critical CVEs: 3
High CVEs: 8
Medium findings: 14
Blocking pipeline: 13

Tool results

Semgrep SAST

ERROR: 2 blocking
WARNING: 6 warnings
8 total  ·  658 rules

Dependency-Check SCA

CRITICAL: 3 critical
HIGH: 8 high
MEDIUM: 11 medium
22 total CVEs

SonarQube SAST

HIGH: 4 hotspots unreviewed
MEDIUM: 1 vulnerability
Quality Gate: FAILED

Semgrep SAST — key findings

Severity | File | Line | Rule | Description
ERROR | app/Http/Controllers/PaymentController.php | 142 | sql-injection | SQL query built by string concatenation with user-supplied input. Use parameterised queries.
ERROR | Dockerfile | 31 | no-user-directive | Container runs as root — specify a non-root USER before CMD.
WARNING | app/Services/AuthService.php | 87 | weak-hash-md5 | MD5 used for password hashing — use password_hash() with PASSWORD_BCRYPT.
WARNING | app/Http/Controllers/UserController.php | 214 | sensitive-data-in-logs | Variable named 'password' may be written to application logs.
WARNING | app/Http/Controllers/ReportController.php | 56 | missing-auth-check | Controller method has no explicit authorisation check.

Dependency-Check SCA — critical and high CVEs

Severity | CVE | Package | CVSS | Description
CRITICAL | CVE-2021-3129 | facade/ignition:2.5.1 | 9.8 | Remote code execution via unsafe deserialization in Laravel debug mode.
CRITICAL | CVE-2024-22723 | laravel/framework:9.52.0 | 9.1 | SQL injection vulnerability in Eloquent query builder under specific conditions.
CRITICAL | CVE-2023-29197 | guzzlehttp/psr7:2.4.3 | 7.5 | Improper header validation allows header injection attacks.
HIGH | CVE-2022-24894 | symfony/http-kernel:5.4.19 | 8.1 | Sensitive cookie values may be exposed via HttpCache.
HIGH | CVE-2022-23601 | symfony/form:5.4.19 | 8.8 | CSRF token not validated in certain form configurations.
...and 17 more CVEs — see dc-report-full.html for the complete list

SonarQube — security hotspots

Priority | File | Line | Description
HIGH | app/Http/Controllers/PaymentController.php | 89 | Disabling CSRF protection is security-sensitive — verify this is intentional.
HIGH | config/session.php | 12 | HTTP-only flag not set on session cookie — vulnerable to XSS session hijacking.
MEDIUM | app/Services/CryptoService.php | 34 | Cipher algorithm AES-128-ECB is not semantically secure — use AES-256-GCM.
MEDIUM | app/Http/Middleware/CorsMiddleware.php | 18 | CORS policy allows all origins (*) — restrict to known trusted origins.

Scan metadata

Item | Value
Project | retail-banking-api
Repository | dev-team/retail-banking-api
Commit SHA | a3f8c92d1e04b7f9b3d2e1f0a9c8
Branch | feature/payment-gateway
Scan date | 2026-04-15 09:42:17 UTC
Jenkins build | #47
Pipeline status | FAILED
Semgrep rulesets | p/php  ·  p/csharp  ·  p/owasp-top-ten  ·  p/security-audit
Dependency-Check | v12.1.0  ·  NVD database 2026-04-15
SonarQube | v10.5.1  ·  Quality Gate: Security Gate
Files scanned | 147 PHP  ·  4 JS  ·  1 Dockerfile  ·  1 XML