# Cerbi Scanner — Sample Findings Report

> Demo data only. Generated from the intentionally unsafe `Zeroshi/cerbi-log-risk-demo` repository. No real credentials, personal data, or production source code are included.

## Scan summary

- **Mode:** Report only
- **Policy:** `policies/cerbi-policy.yml`
- **Repository:** `cerbi-log-risk-demo`
- **Findings:** 6 total — 3 error, 2 warning, 1 informational
- **Blocking:** Disabled for this sample run

## Findings

### CERBI-SEC-001 — Forbidden secret field

- **Severity:** Error
- **Location:** `UnsafeApi/Controllers/AuthController.cs:47`
- **Field:** `password`
- **Evidence:** A structured logging property uses a field name classified as forbidden by policy.
- **Remediation:** Remove the value from the log event. Log authentication outcome, correlation ID, and service context instead.

### CERBI-SEC-004 — API token may be logged

- **Severity:** Error
- **Location:** `node-api/src/middleware/requestLogger.ts:32`
- **Field:** `apiKey`
- **Evidence:** A structured property matches the `token` rule through a configured alias.
- **Remediation:** Exclude the value or replace it with non-sensitive metadata such as token type and validation result.

### CERBI-PII-002 — Email address in structured field

- **Severity:** Warning
- **Location:** `python-api/app/orders.py:81`
- **Field:** `userEmail`
- **Evidence:** A structured property matches the `email` warning rule through a configured alias.
- **Remediation:** Prefer a non-sensitive user reference. If business context requires the field, document and govern it explicitly.

### CERBI-STRUCT-001 — Required correlation field missing

- **Severity:** Error
- **Location:** `go-api/internal/orders/handler.go:64`
- **Field:** `correlationId`
- **Evidence:** The log event is missing a field required by the active policy.
- **Remediation:** Include the request correlation ID in the structured event.

### CERBI-STRUCT-002 — Required environment field missing

- **Severity:** Warning
- **Location:** `java-api/src/main/java/com/cerbi/Orders.java:118`
- **Field:** `environment`
- **Evidence:** The log event is missing the deployment environment required by policy.
- **Remediation:** Enrich the event with the application environment through logger context.

### CERBI-QUALITY-003 — Raw object payload logged

- **Severity:** Informational
- **Location:** `UnsafeApi/Controllers/CheckoutController.cs:93`
- **Field:** `request`
- **Evidence:** A complete request object is passed into a logging call, increasing the chance of accidental sensitive-data exposure.
- **Remediation:** Log an allow-listed set of operational fields instead of the complete object.

## Suggested first action

Run Cerbi Scanner in report-only mode, review the findings with application owners, and tune policy before enabling any failure threshold. Policy gates are optional and remain controlled by your team.

## Product boundary

Cerbi Scanner performs assessment and can support optional CI policy gates. CerbiStream and CerbiShield are separate, optional runtime-governance products used only where continuous enforcement is justified.
