Demo Repo

The cerbi-log-risk-demo repo ships intentionally risky logging in five languages plus a working governance policy. It shows both halves of Cerbi: the scanner finding unsafe logs before production, and runtime governance blocking or redacting sensitive fields before logs reach downstream observability tools.

GitHub account required. Codespaces usage may count against your GitHub quota.

What the demo proves

Demonstrated behaviors

  • The scanner finds intentionally unsafe logging in C#, Go, Java, Node/TypeScript, and Python
  • Findings include PII, secrets, raw payloads, unsafe structured fields, and object dumps
  • One scan produces JSON, SARIF, and Markdown output you can inspect immediately
  • Flipping --fail-on none to --fail-on error turns the same scan into a CI/CD build gate
  • Cerbi runtime governance blocks or redacts sensitive fields in-process, before logs reach downstream observability tools
  • Everything runs read-only - the scanner never modifies your source or uploads your code

What this does not claim

  • It is not a production application
  • It is not an observability pipeline and does not replace Splunk, Datadog, or your SIEM
  • It does not contain real personal data, secrets, connection strings, or API keys
  • Scanner findings are static-analysis results, not proof of runtime data exposure
  • Runtime governance does not require rewriting every logging call - existing structured logging patterns continue to work

Step 1 - First scan (report mode)

In the Codespace terminal (or locally after dotnet tool install -g Cerbi.Scanner), run the scan in report mode. --fail-on none is demo/report mode: it generates JSON, SARIF, and Markdown output without stopping the walkthrough.

# report mode - generates findings without failing
mkdir -p scan-results

cerbi-scanner scan \
  --path . \
  --policy policies/cerbi-policy.yml \
  --fail-on none \
  --format json --output scan-results/findings.json \
  --sarif scan-results/findings.sarif \
  --summary scan-results/build-summary.md

Expected result

The scan finds unsafe logging. That is the point - the repo is intentionally risky. Open scan-results/build-summary.md for the human-readable summary, or inspect findings.json and findings.sarif.

Step 2 - CI/CD gate mode

Change one flag. --fail-on error is CI/CD gate mode: the command exits non-zero when high-risk logging is found, which fails the build. This is the entire CI integration - same command, one flag.

# gate mode - fails the build on high-risk findings
cerbi-scanner scan \
  --path . \
  --policy policies/cerbi-policy.yml \
  --fail-on error \
  --format json --output scan-results/findings.json \
  --sarif scan-results/findings.sarif \
  --summary scan-results/build-summary.md

Step 3 - Runtime governance in action

The scanner catches unsafe logging before it ships. The demo also shows the other half: Cerbi runtime governance enforcing the same policy inside the running application. Sensitive fields like ssn and creditCard are blocked or redacted in-process - before the log ever leaves the application for Splunk, Datadog, or any downstream tool. Follow the repo README for the runtime walkthrough.

The core moment

Sensitive data was governed before leaving the application. Existing structured logging calls keep working - governance is enforced at the source, not patched downstream.

What each output is for

findings.json

Machine-readable findings for automation, dashboards, and custom tooling.

findings.sarif

Standard SARIF for GitHub code scanning and security tab integration.

build-summary.md

Human-readable Markdown summary for build logs and pull request comments.
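As an added example (not code from the demo repo or from Cerbi), the Step 2 gate decision reproduced over the findings.sarif described above, for pipelines that want to make the pass/fail call from the artifact rather than from the scanner's exit status. The SARIF document, rule ids, file paths and messages inside it are constructed placeholders, not Cerbi's real rule set.

```python
# Added example, not code from the Cerbi demo repo: reproduce the Step 2
# gate decision from the findings.sarif emitted in Step 1. The SARIF below
# is constructed; rule ids and messages are placeholders, not Cerbi's rules.
import json

def _result(rule, level, uri, line, text):
    """Build one SARIF 2.1.0 result with a single physical location."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line}}}]}

# Constructed stand-in for scan-results/findings.sarif.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-log-scanner"}},
    "results": [
        _result("EXAMPLE-PII-001", "error", "src/billing.py", 42,
                "PII field 'ssn' written to log"),
        _result("EXAMPLE-DUMP-002", "warning", "src/Order.java", 17,
                "object dump passed to log call"),
    ]}]})

# SARIF result levels in increasing severity; used as the --fail-on threshold.
SEVERITY = {"none": 0, "note": 1, "warning": 2, "error": 3}

def findings(sarif_text):
    """Flatten runs/results into (level, ruleId, uri, startLine, message)."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append((r.get("level", "warning"),  # SARIF default level
                        r.get("ruleId", "?"),
                        loc.get("artifactLocation", {}).get("uri", "?"),
                        loc.get("region", {}).get("startLine"),
                        r.get("message", {}).get("text", "")))
    return out

def gate(sarif_text, fail_on="error"):
    """Mirror --fail-on: 'none' never fails; else fail at/above that level."""
    counts = {}
    for level, *_ in findings(sarif_text):
        counts[level] = counts.get(level, 0) + 1
    if fail_on == "none":
        return False, counts
    return any(SEVERITY.get(l, 0) >= SEVERITY[fail_on] for l in counts), counts

if __name__ == "__main__":
    print("report mode fails build:", gate(SAMPLE_SARIF, "none")[0])
    print("gate mode fails build:  ", gate(SAMPLE_SARIF, "error")[0])
```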

Zero setup in Codespaces. One SDK locally.

The Codespace comes preconfigured - open it and run the scan. Running locally requires only the .NET SDK to install the scanner CLI. No Azure subscription, Docker, paid observability service, or Cerbi account is required. The repo contains no real personal data, secrets, connection strings, or API keys.

Get started

Five minutes to real findings.

Open the Codespace, run one scan, read the findings. Then run the scanner against your own repositories - or see how CerbiShield turns findings into continuous governance.
