
Overview

The basics we capture about this app — who owns it, where its code and data live, and which frameworks apply. Fields are editable inline.

App identity

Running

Where it lives

What it does

credit-memo-demo · Running
CPU: 0.009 cores (limit 1.0 · 0.9% used)
Memory: 298 MiB (limit 8 GiB · 3.6% used)
Restarts (7d): 2 (last: OOMKilled · 2d ago)
Uptime (30d): 99.2% (2 incidents)

Resource usage — last 30 days

[Chart: CPU and memory usage, 30 days ago to today]

Logs

credit-memo-demo · stdout + stderr

Keys & environment variables

The keys this app needs, reconciled across what's declared (.env.example), referenced in code, and set in the deploy environment. Clarista records the inventory and registration state — the secret values live in your vault, never here.

8 keys
Key | Purpose | Declared | In code | In deploy | Status | Recommendation
Status is derived by reconciling the three sources. "Hardcoded" and "Missing in deploy" are the ones to act on before go-live.
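The reconciliation described above, as an added example rather than Clarista's own code: it reads the three sources (a dotenv-style declaration, the source tree, the names present in the deploy environment) and derives one status per key. The sample files, the environment set, the lookup and assignment regexes, and every status label other than "Hardcoded" and "Missing in deploy" are this example's assumptions; the credential literal is AWS's documented example key, not a real one.

```python
import re

# Constructed sample inputs standing in for the three sources the reconciliation
# reads: declared keys (.env.example), the source tree, and the deploy environment.
ENV_EXAMPLE = """\
# database
DATABASE_URL=
AWS_ACCESS_KEY_ID=
S3_BUCKET=
SENTRY_DSN=
"""

SOURCE_FILES = {
    "app/settings.py": (
        "import os\n"
        'DATABASE_URL = os.environ["DATABASE_URL"]\n'
        'S3_BUCKET = os.getenv("S3_BUCKET", "credit-memos")\n'
    ),
    # A shell script carrying a credential literal (AWS's documented example key).
    "scripts/deploy.sh": 'export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"\n',
}

DEPLOY_ENV = {"DATABASE_URL", "S3_BUCKET", "OPENAI_API_KEY"}

UPPER = r"([A-Z][A-Z0-9_]*)"
# Ways code can read a key from the environment (Python, Node, shell); assumed set.
ENV_LOOKUP_PATTERNS = [
    re.compile(r'os\.environ\[\s*["\']' + UPPER + r'["\']\s*\]'),
    re.compile(r'os\.(?:getenv|environ\.get)\(\s*["\']' + UPPER + r'["\']'),
    re.compile(r"process\.env\." + UPPER),
    re.compile(r"\$\{?" + UPPER + r"\}?"),
]
# An UPPER_CASE name assigned a non-empty quoted literal: the value lives in the code.
HARDCODED_PATTERN = re.compile(
    r'^\s*(?:export\s+)?' + UPPER + r'\s*=\s*["\'][^"\']+["\']\s*$', re.M)


def parse_env_example(text):
    """Key names declared in a dotenv-style file; comments and blank lines ignored."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            names.add(line.split("=", 1)[0].strip())
    return names


def scan_sources(files):
    """Map key name -> {'lookup': bool, 'hardcoded': ['file:line', ...]}."""
    refs = {}

    def entry(name):
        return refs.setdefault(name, {"lookup": False, "hardcoded": []})

    for path, text in files.items():
        for pat in ENV_LOOKUP_PATTERNS:
            for m in pat.finditer(text):
                entry(m.group(1))["lookup"] = True
        for m in HARDCODED_PATTERN.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            entry(m.group(1))["hardcoded"].append(f"{path}:{line_no}")
    return refs


def reconcile(declared, refs, deploy):
    """One row per key seen in any source, with a derived status and recommendation.
    'Hardcoded' and 'Missing in deploy' follow the dashboard; the other labels are
    this example's own choice. Order matters: a hardcoded value wins over any other state."""
    rows = []
    for name in sorted(declared | set(refs) | deploy):
        ref = refs.get(name, {"lookup": False, "hardcoded": []})
        in_code = ref["lookup"] or bool(ref["hardcoded"])
        in_deploy, is_declared = name in deploy, name in declared
        if ref["hardcoded"]:
            status = "Hardcoded"
            rec = ("remove the literal at " + ", ".join(ref["hardcoded"])
                   + ", store the value in the vault and read it from the environment")
        elif in_code and not in_deploy:
            status, rec = "Missing in deploy", "register the key in the deploy environment before go-live"
        elif is_declared and not in_code:
            status, rec = "Declared, unreferenced", "drop it from .env.example or confirm the code path that needs it"
        elif in_deploy and not is_declared and not in_code:
            status, rec = "Set in deploy only", "declare it in .env.example so the inventory stays complete"
        else:
            status, rec = "Registered", "no action"
        rows.append({"key": name, "declared": is_declared, "in_code": in_code,
                     "in_deploy": in_deploy, "status": status, "recommendation": rec})
    return rows


def statuses(rows):
    return {r["key"]: r["status"] for r in rows}


if __name__ == "__main__":
    table = reconcile(parse_env_example(ENV_EXAMPLE), scan_sources(SOURCE_FILES), DEPLOY_ENV)
    for r in table:
        print(f'{r["key"]:18} {r["status"]:24} {r["recommendation"]}')
```

The hardcoded check is deliberately evaluated first: a key that is also declared and set in deploy is still a finding if a literal value sits in the repository, because the value is what leaks, not the name.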

Source code

The repository connected to this app. Clarista runs this code as-is — there are no build versions to manage here. To run a different version, create a separate app.

github.com/acme/credit-memo-demo · main · connected
Last synced 2c4d6e8 · “wire up s3 backup” · John Roe · 14 Mar 2026
Dockerfile

Security & Scans

Findings from the latest scan, aggregated and de-duplicated across scanners and mapped to severity, stage and control.

Security posture: C (72/100) · ▲ 6 points vs last scan

Open findings

11 total · scanned 22 Jun, 11:45

Risk trend

last 6 scans · open findings down 19 → 11 over 5 weeks

Scanner coverage

7 scanners · last run 22 Jun, 11:45 · completed in 4m 12s
11 findings
Severity | Finding | Scan | Stage | Location | Status
Showing 1–11 of 11
Click any finding for full details and remediation. Severity is normalized across all scans; where a check carries no native severity, Clarista derives it from the rule — shown with a “derived” marker.

Code vulnerabilities — SAST

Static analysis of the application source · runs on every build
Stage 1 · init container
High · SQL injection — tainted SQL string
src/views/reports.py:42 · python.django.security.injection.tainted-sql-string

Detected SQL injection: user input flows into a raw SQL string without parameterization. Use Django’s parameterized queries: cursor.execute(sql, [params]).

line 42: cursor.execute(f"SELECT * FROM reports WHERE owner_id = {user_id}")
OWASP A03:2021 — Injection · CWE-89 · django · confidence: HIGH · impact: HIGH
Dataflow trace
Taint source — src/views/reports.py:38
user_id = request.GET['user_id'] → flows into raw SQL at line 42
Medium · Reflected XSS via res.send()
src/server.js:14 · javascript.express.security.audit.express-xss

User-controlled data flows into res.send() without escaping — potential reflected XSS.

line 14: res.send(`<p>Hello ${req.query.name}</p>`);
OWASP A07:2021 — XSS · CWE-79 · express · confidence: MEDIUM
Severities are normalized to High / Medium / Low across all scans.
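Both SAST findings above are the same defect at two sinks: request input becomes part of a string that an interpreter (SQL engine, browser) then parses. The following added example, written for this page and not code from the app or from Clarista, puts each flagged pattern beside its hardened form in Python, using an in-memory sqlite3 table with constructed rows. The function names and sample data are this example's own; sqlite3 uses `?` placeholders where Django's `cursor.execute(sql, [params])` uses `%s`.

```python
import html
import sqlite3


def make_db():
    """In-memory table with constructed rows: owner 1 has one report, owner 2 has two."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO reports (owner_id, title) VALUES (?, ?)",
                     [(1, "Q1 memo"), (2, "Q2 memo"), (2, "Q3 memo")])
    conn.commit()
    return conn


def reports_for_owner_vulnerable(conn, user_id):
    """The flagged pattern: request input formatted straight into the SQL text,
    so whatever the input contains is parsed as SQL."""
    cursor = conn.cursor()
    cursor.execute(f"SELECT id, title FROM reports WHERE owner_id = {user_id}")
    return cursor.fetchall()


def reports_for_owner(conn, user_id):
    """Hardened: the value travels as a bound parameter and is never parsed as SQL.
    A non-numeric string simply matches no row; coercing to int first (and
    rejecting on ValueError) is a reasonable extra input check on top of this."""
    cursor = conn.cursor()
    cursor.execute("SELECT id, title FROM reports WHERE owner_id = ?", [user_id])
    return cursor.fetchall()


def greeting_vulnerable(name):
    """The flagged pattern: request input interpolated into HTML unescaped."""
    return f"<p>Hello {name}</p>"


def greeting(name):
    """Hardened: escape before interpolating so markup in the input stays inert text."""
    return f"<p>Hello {html.escape(name)}</p>"


if __name__ == "__main__":
    db = make_db()
    tainted = "1 OR 1=1"            # an input value the query was never meant to accept
    print("vulnerable:", reports_for_owner_vulnerable(db, tainted))   # every owner's rows
    print("parameterized:", reports_for_owner(db, tainted))          # no rows
    print("parameterized, normal input:", reports_for_owner(db, "2"))
    print(greeting_vulnerable("<b>Bob</b>"))
    print(greeting("<b>Bob</b>"))
```

The parameterized query returns nothing for the malformed input rather than every owner's rows, which is the behaviour the scanner's remediation note asks for; escaping turns the markup in the name into literal text in the rendered page.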

Secrets in git history

Scans the full commit history for committed secrets
Stage 1 · init container
AWS access key · 1 finding · derived CRITICAL
Crit · AWS access key · severity derived from rule
line 42: AKIA****************
File scripts/deploy.sh:42 · Commit 9f8c1e3 · Author Jane Doe · Date 2025-12-01 · Entropy 4.45
Access token · 1 finding · derived HIGH
High · Personal access token · severity derived from rule
line 8: ghp_****************************
File .env.example:8 · Commit 2c4d6e8 · Author John Roe · Date 2026-03-14 · Entropy 4.81

IaC & Dockerfile misconfiguration

Scans Dockerfile, Kubernetes and infrastructure config for misconfiguration
Stage 1 · init container
dockerfile · 3 passed · 2 failed
Severity | Check | Location | Guideline
Med (derived) | Container has no non-root USER | /Dockerfile:1 | Fix ↗
Med (derived) | No HEALTHCHECK instruction | /Dockerfile | Fix ↗
kubernetes · 12 passed · 1 failed
Severity | Check | Resource | Guideline
High (derived) | Root filesystem not read-only | Deployment/credit-memo-demo | Fix ↗
Some configuration checks carry no native severity; Clarista assigns one by check type (Dockerfile → Medium; privileged / host / filesystem on Kubernetes → High). Each row links to remediation guidance.

Image vulnerabilities — CVEs

Scans the built image for known vulnerabilities (CVEs) · every build
Stage 2 · post-build
OS packages — alpine 3.19.1 · 1 vulnerability
High · CVE-2026-2511 · CVSS 7.5 · source: nvd

openssl: TLS server may crash on memory exhaustion in ASN.1 parser.

Package openssl 3.1.4-r1 · Fixed in 3.1.5-r0 ✓ · CWE CWE-401 · Published 2026-04-15
npm — package-lock.json · 1 vulnerability
High · CVE-2024-21539 · CVSS 5.3 · source: ghsa

@eslint/plugin-kit: Regular Expression Denial of Service (ReDoS) in ConfigCommentParser.

Package @eslint/plugin-kit 0.2.0 · Fixed in 0.2.3 ✓ · CWE CWE-1333 · Published 2024-10-21
Grouped by package source (OS packages vs language ecosystem). “Fixed in” shows the first safe version; CVE IDs link to the advisory.

Software Bill of Materials

CycloneDX 1.5 · generated on every image build
Stage 2 · post-build
Components: 312 (npm · apk)
Direct deps: 41 (from manifest)
Licenses: 14 (2 flagged copyleft)
Format: CycloneDX 1.5 + SPDX
credit-memo-demo · sha256:abc… · 1.2 MB SBOM
Component | Version | Type | License | PURL
react | 18.3.1 | library | MIT | pkg:npm/react@18.3.1
express | 4.19.2 | library | MIT | pkg:npm/express@4.19.2
@eslint/plugin-kit | 0.2.0 | library | Apache-2.0 | pkg:npm/%40eslint/plugin-kit@0.2.0
openssl | 3.1.4-r1 | apk | OpenSSL | pkg:apk/alpine/openssl@3.1.4-r1
Showing 4 of 312 — paginated. Full SBOM too large to render inline; use Download.
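To show how the SBOM and the image-vulnerability section above fit together, here is an added example (not Clarista's code) that reads a small constructed CycloneDX 1.5 document containing the four components from the table plus one copyleft-licensed library invented for the example, flags copyleft licenses, and joins each component's PURL and version against a constructed advisory list built from the two CVEs shown on the page (the third advisory and its `CVE-EXAMPLE-0001` id are placeholders). The copyleft prefix list and the simplistic version parser are assumptions of this example.

```python
import json
import re

# Constructed CycloneDX 1.5 document (the real SBOM has 312 components).
BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "react", "version": "18.3.1",
         "purl": "pkg:npm/react@18.3.1", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "express", "version": "4.19.2",
         "purl": "pkg:npm/express@4.19.2", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "@eslint/plugin-kit", "version": "0.2.0",
         "purl": "pkg:npm/%40eslint/plugin-kit@0.2.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "openssl", "version": "3.1.4-r1",
         "purl": "pkg:apk/alpine/openssl@3.1.4-r1",
         "licenses": [{"license": {"name": "OpenSSL"}}]},
        # Invented for this example to exercise the copyleft flag.
        {"type": "library", "name": "example-pdf-lib", "version": "2.0.0",
         "purl": "pkg:npm/example-pdf-lib@2.0.0",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
    ],
})

# Constructed advisory feed keyed by version-less PURL, in the shape the page's
# "Fixed in" column implies. The third entry is a placeholder, not a real CVE.
ADVISORIES = [
    {"purl": "pkg:apk/alpine/openssl", "cve": "CVE-2026-2511", "fixed_in": "3.1.5-r0"},
    {"purl": "pkg:npm/%40eslint/plugin-kit", "cve": "CVE-2024-21539", "fixed_in": "0.2.3"},
    {"purl": "pkg:npm/express", "cve": "CVE-EXAMPLE-0001", "fixed_in": "4.19.0"},
]

# Assumed list of SPDX id prefixes treated as copyleft (strong and weak).
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-", "MPL-", "EPL-")


def parse_version(v):
    """Numeric tuple for ordering, e.g. '3.1.4-r1' -> (3, 1, 4, 1). Adequate for the
    dotted npm and apk versions here; not a full semver or apk-version comparator."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def load_components(bom_text):
    """Flatten the CycloneDX component list to name/version/purl/license."""
    bom = json.loads(bom_text)
    out = []
    for c in bom.get("components", []):
        lic = (c.get("licenses") or [{}])[0].get("license", {})
        out.append({"name": c["name"], "version": c["version"], "purl": c.get("purl", ""),
                    "license": lic.get("id") or lic.get("name") or "unknown"})
    return out


def flag_copyleft(components):
    return sorted(c["name"] for c in components if c["license"].startswith(COPYLEFT_PREFIXES))


def match_advisories(components, advisories):
    """Components whose installed version is below an advisory's first fixed version."""
    hits = []
    for c in components:
        base = c["purl"].rsplit("@", 1)[0]   # strip the version; '%40' is the encoded '@'
        for a in advisories:
            if a["purl"] == base and parse_version(c["version"]) < parse_version(a["fixed_in"]):
                hits.append({"name": c["name"], "version": c["version"],
                             "cve": a["cve"], "fixed_in": a["fixed_in"]})
    return hits


def summarize(bom_text, advisories):
    comps = load_components(bom_text)
    return {
        "components": len(comps),
        "licenses": len({c["license"] for c in comps}),
        "copyleft": flag_copyleft(comps),
        "vulnerable": match_advisories(comps, advisories),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(BOM_JSON, ADVISORIES), indent=2))
```

Matching on the version-less PURL rather than the bare name is what keeps `openssl` from npm and `openssl` from apk apart, which is also why the dashboard groups findings by package source.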

Runtime web vulnerabilities — DAST

Dynamic scan of the running app · target credit-memo-demo.acme.clarista.app · runs automatically after deploy
Stage 4 · runtime
Medium · Content Security Policy (CSP) header not set · 2 URLs affected
plugin 10038 · confidence: High · CWE-693

CSP is an added layer of defence against XSS and data-injection attacks. The header is missing on responses.

Affected: GET / · GET /login
Solution & reference
Configure the server / load balancer to set Content-Security-Policy on all responses. Ref: developer.mozilla.org/docs/Web/HTTP/CSP
Medium · X-Frame-Options header not set · 1 URL affected
plugin 10020 · confidence: Medium · CWE-1021

X-Frame-Options is not set, leaving pages open to clickjacking via framing.

Affected: GET /
Solution & reference
Set X-Frame-Options to DENY or SAMEORIGIN on all returned pages. Ref: rfc7034
Risk levels are normalized. One issue can affect multiple URLs, so the badge shows the number of affected pages, not separate findings.
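The two header checks above, run over a set of constructed responses, as an added example that is not Clarista's scanner or the app's code. It groups each issue by the URLs it affects (the dashboard's "N URLs affected" count), skips non-HTML responses, treats a CSP `frame-ancestors` directive as already controlling framing, and adds one check of this example's own for an unrecognised X-Frame-Options value; a `harden()` helper then applies the two fixes the solution notes describe. The response set, the issue strings beyond the two on the page, and the default CSP value are assumptions.

```python
from collections import defaultdict

# Constructed responses standing in for what a DAST crawl of the running app
# would record (method, path, response headers). Not real captures.
CRAWLED_RESPONSES = [
    {"method": "GET", "path": "/",
     "headers": {"Content-Type": "text/html; charset=utf-8"}},
    {"method": "GET", "path": "/login",
     "headers": {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "SAMEORIGIN"}},
    {"method": "GET", "path": "/static/app.js",
     "headers": {"Content-Type": "application/javascript"}},
    {"method": "GET", "path": "/admin",
     "headers": {"Content-Type": "text/html",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "ALLOWALL"}},
]

CSP_MISSING = "Content Security Policy (CSP) header not set"
XFO_MISSING = "X-Frame-Options header not set"
XFO_INVALID = "X-Frame-Options has an unrecognised value"   # this example's own extra check


def get_header(headers, name):
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_html(headers):
    ctype = get_header(headers, "Content-Type") or ""
    return ctype.split(";")[0].strip().lower() == "text/html"


def check_response(headers):
    """Issue names that apply to one HTML response."""
    issues = []
    csp = get_header(headers, "Content-Security-Policy")
    xfo = get_header(headers, "X-Frame-Options")
    if csp is None:
        issues.append(CSP_MISSING)
    # A CSP frame-ancestors directive governs framing and takes precedence over
    # X-Frame-Options in browsers that support it, so a missing XFO is only
    # reported when nothing controls framing.
    csp_controls_framing = csp is not None and "frame-ancestors" in csp.lower()
    if xfo is None and not csp_controls_framing:
        issues.append(XFO_MISSING)
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        issues.append(XFO_INVALID)
    return issues


def scan(responses):
    """issue -> list of affected 'METHOD path' entries: one issue, many URLs."""
    affected = defaultdict(list)
    for r in responses:
        if not is_html(r["headers"]):
            continue  # header checks apply to rendered pages, not static assets
        for issue in check_response(r["headers"]):
            affected[issue].append(f"{r['method']} {r['path']}")
    return dict(affected)


def harden(headers):
    """Set both headers where missing or unrecognised. The CSP value is a
    restrictive assumed default that a real app must tune to its own sources."""
    out = dict(headers)
    if get_header(out, "Content-Security-Policy") is None:
        out["Content-Security-Policy"] = "default-src 'self'; frame-ancestors 'none'"
    xfo = get_header(out, "X-Frame-Options")
    if xfo is None or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        out = {k: v for k, v in out.items() if k.lower() != "x-frame-options"}
        out["X-Frame-Options"] = "DENY"
    return out


if __name__ == "__main__":
    for issue, urls in scan(CRAWLED_RESPONSES).items():
        print(f"{issue}: {len(urls)} URL(s) affected -> {', '.join(urls)}")
    hardened = [{**r, "headers": harden(r["headers"])} for r in CRAWLED_RESPONSES]
    print("after hardening:", scan(hardened))
```

On this input the CSP issue lists two URLs and the X-Frame-Options issue one, matching the shape of the findings above; after `harden()` the rescan is empty. Setting the headers at the server or load balancer, as the solution note says, is what makes them appear on every response rather than only on the pages a framework middleware happens to cover.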

Data — datasets & interfaces

App datasets are profiled in Clarista Fabric (data quality, fields, classification, PII). Inbound / outbound interfaces are registered by the app developer.
Stage 4 · runtime

Assessment results

Scope was set from the app owner's intake answers.

Frameworks in scope — derived from the assessment
In scope: 42 controls · 8 domains
Automated: 18 scanner-verified
Manual: 5 owner-attested
Pending: 19 need owner input
Each control is set Critical or Standard for your firm, based on your institution type. Red rows = a Critical control still Pending — attend to these first.

Settings

Firm-level regulatory scope, how scans behave, how the app is isolated, and which control packs apply.

Firm regulatory scope

Set once by the compliance team — applies to every app, so app owners never re-answer these.
Firm-wide
Operating institution
Primary jurisdiction
FINRA-registered broker-dealer
Brings FINRA supervision, books-and-records (17a-3/4) and communications rules into scope.
Bank holds over $30B in assets
Raises the model-risk and resilience bar (SR 26-2, FFIEC).
Operates in New York (NYDFS)
Adds 23 NYCRR Part 500 — CISO designation, 72-hour reporting, annual certification.
Subject to California privacy (CCPA / CPRA)
Adds CPPA risk assessments, ADMT and consumer-rights controls.
Engages in consumer lending
Adds fair-lending overlays (ECOA / Reg B, FCRA) for credit decisions.
Saved at the firm level. App owners describe only what their app does — the regulatory overlay is applied for them.

Enforcement & isolation

Blocking mode
If on, a critical finding or failed admission control stops the deploy. If off, the app deploys and issues show on the dashboard.
gVisor sandbox runtime
Run customer pods under the runsc sandboxed kernel. Enforced via admission policy on the untrusted node pool.
Kyverno admission gate
Guarantees every pod gets the sandbox runtimeClass, runs as non-root and unprivileged, carries resource limits, and mounts no service-account token.
LLM Guard inline guardrail
Route the app’s LLM traffic through input / output guardrails (injection, PII, secrets, toxicity).
Continuous runtime scanning
Continuously re-scans the running pod after deploy.

Applied control packs

Clarista Secure Baseline
Mandatory for all hosted apps.
On · locked
SOC 2 (technical)
Maps app controls to SOC 2 Trust Services Criteria.
HIPAA §164.312
Apply only if the app handles PHI.
OWASP LLM Top 10
AI-specific risk controls.

Roadmap — where Settings grows

Flexibility lives here as configuration, not new screens. Phase 1 ships the two cards above.
Scanners & engines
Add or configure a scanner, map it to controls, set severity thresholds — onboard a client's specific tool or artifact without code.
Phase 2
Indicators (Fabric-linked)
Define an indicator (KCI/KRI, what it measures), link it to a Clarista Fabric result, and bind it to a control. The Input / Output metrics are the first instances of this pattern.
Phase 2
Frameworks & control packs
Per-client framework selection and client-specific controls mapped to frameworks.
Phase 2
Attestation library
Reusable owner comment templates (e.g. the hosting-vendor SOC 2 / ISO 27001 note) applied across control groups at scale.
Phase 3
Integrations
Connect repo & data sources (customer cloud), env / vault provider, deploy target.
Phase 3