Demo Repo
The cerbi-log-risk-demo repo ships intentionally risky logging in five languages plus a working governance policy. It shows both halves of Cerbi: the scanner finding unsafe logs before production, and runtime governance blocking or redacting sensitive fields before logs reach downstream observability tools.
GitHub account required. Codespaces usage may count against your GitHub quota.
What the demo proves
Step 1 - First scan (report mode)
In the Codespace terminal (or locally after dotnet tool install -g Cerbi.Scanner), run the scan in report mode. --fail-on none is demo/report mode: it generates JSON, SARIF, and Markdown output without stopping the walkthrough.
mkdir -p scan-results
cerbi-scanner scan \
  --path . \
  --policy policies/cerbi-policy.yml \
  --fail-on none \
  --format json --output scan-results/findings.json \
  --sarif scan-results/findings.sarif \
  --summary scan-results/build-summary.md
Expected result
The scan finds unsafe logging. That is the point - the repo is intentionally risky. Open scan-results/build-summary.md for the human-readable summary, or inspect findings.json and findings.sarif.
Step 2 - CI/CD gate mode
Change one flag. --fail-on error is CI/CD gate mode: the command exits non-zero when high-risk logging is found, which fails the build. This is the entire CI integration - same command, one flag.
cerbi-scanner scan \
  --path . \
  --policy policies/cerbi-policy.yml \
  --fail-on error \
  --format json --output scan-results/findings.json \
  --sarif scan-results/findings.sarif \
  --summary scan-results/build-summary.md
Step 3 - Runtime governance in action
The scanner catches unsafe logging before it ships. The demo also shows the other half: Cerbi runtime governance enforcing the same policy inside the running application. Sensitive fields like ssn and creditCard are blocked or redacted in-process - before the log ever leaves the application for Splunk, Datadog, or any downstream tool. Follow the repo README for the runtime walkthrough.
Your application
  Your application: log.Info({ ssn, creditCard, ... })
    -> CerbiStream enforces in-process: ssn: blocked · creditCard: [REDACTED]
    -> Downstream tools: Splunk · Datadog · SIEM
Governance happens before the log leaves the application - downstream tools only ever receive the governed version.
The core moment
Sensitive data was governed before leaving the application. Existing structured logging calls keep working - governance is enforced at the source, not patched downstream.
What each output is for
findings.json
Machine-readable findings for automation, dashboards, and custom tooling.
findings.sarif
Standard SARIF for GitHub code scanning and security tab integration.
build-summary.md
Human-readable Markdown summary for build logs and pull request comments.
Zero setup in Codespaces. One SDK locally.
The Codespace comes preconfigured - open it and run the scan. Running locally requires only the .NET SDK to install the scanner CLI. No Azure subscription, Docker, paid observability service, or Cerbi account is required. The repo contains no real personal data, secrets, connection strings, or API keys.
Get started
Open the Codespace, run one scan, read the findings. Then run the scanner against your own repositories - or see how CerbiShield turns findings into continuous governance.