I run Debuggix, a free security scanner that runs 9 engines in parallel. For Episode 3 of our "Verified or Not" series, we scanned Kubernetes Goat — a deliberately vulnerable K8s cluster designed for security training.
Here's what happened.
The Scan
Kubernetes Goat is a massive repo. Multiple Dockerfiles, infrastructure configs, Python scripts, shell scripts — the kind of project that makes scanners light up like a Christmas tree.
I pasted the URL into Debuggix and let all 9 engines rip: Semgrep, Bandit, Gitleaks, TruffleHog, Trivy, ESLint, Hadolint, Checkov, OSV-Scanner.
The Raw Results
134 total findings
2 critical
32 high
33 medium
14 low
A traditional scanner would dump all 134 on you and call it a day.
What Debuggix Did Differently
The AI filter cross-referenced every finding against the project's README. It saw phrases like "deliberately vulnerable" and "security training" — and correctly classified all 134 findings as intentional.
Needs Attention: 0
Reviewed: 134
Every "critical" and "high" finding was part of the training environment. The filter understood the project's purpose and acted accordingly.
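As an added illustration of the README-driven triage described above (example code, not Debuggix's own filter), the Python below files constructed findings into the same two buckets the post reports; the normalised finding shape, the marker list and the `keep_critical` option are assumptions.

```python
from collections import Counter

# Constructed README excerpt (not the real Kubernetes Goat README)
SAMPLE_README = """Kubernetes Goat is a deliberately vulnerable cluster
environment built for Kubernetes security training."""

# Phrases taken as evidence the project is vulnerable on purpose; a
# hypothetical list that includes the two phrases the post mentions
INTENT_MARKERS = ("deliberately vulnerable", "intentionally vulnerable",
                  "vulnerable by design", "security training")

# Constructed findings, already normalised from each engine's native output
SAMPLE_FINDINGS = [
    {"engine": "Trivy", "severity": "critical", "path": "infra/Dockerfile"},
    {"engine": "Gitleaks", "severity": "critical", "path": "scripts/setup.sh"},
    {"engine": "Bandit", "severity": "high", "path": "app/main.py"},
    {"engine": "Checkov", "severity": "medium", "path": "infra/deploy.yaml"},
    {"engine": "Hadolint", "severity": "low", "path": "infra/Dockerfile"},
]

def intent_markers_found(readme):
    """Return the intent phrases present in the README (case-insensitive)."""
    text = readme.lower()
    return [m for m in INTENT_MARKERS if m in text]

def triage(findings, readme, keep_critical=False):
    """Split findings into (needs_attention, reviewed).

    If the README signals an intentionally vulnerable project, findings are
    filed as reviewed. keep_critical=True still surfaces criticals, a
    stricter option than the behaviour the post describes.
    """
    intentional = bool(intent_markers_found(readme))
    needs_attention, reviewed = [], []
    for finding in findings:
        surface = keep_critical and finding["severity"] == "critical"
        if intentional and not surface:
            reviewed.append(finding)
        else:
            needs_attention.append(finding)
    return needs_attention, reviewed

def summary(findings, readme, keep_critical=False):
    """Counts in the shape the post reports: total, per severity, two buckets."""
    needs_attention, reviewed = triage(findings, readme, keep_critical)
    return {"total": len(findings),
            "by_severity": dict(Counter(f["severity"] for f in findings)),
            "needs_attention": len(needs_attention),
            "reviewed": len(reviewed)}
```

Run `summary(SAMPLE_FINDINGS, SAMPLE_README)` to see every constructed finding land in "reviewed"; pass a README with no intent phrases and all of them move to "needs_attention".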
Why This Matters
Most security tools are dumb. They flag everything and leave you to sort through the noise. Debuggix reads your project documentation and understands context. A vulnerable training cluster shouldn't trigger the same alarms as a production API — and with the AI filter, it doesn't.
What's Next
Episode 4 drops next week — scanning a real production project. Subscribe to the series if you want to see how Debuggix handles actual codebases.
Scan your own repo free: debuggix.space