Validate with Canaries
How to plant known vulnerabilities to verify CodeWall's detection capabilities.
Canary vulnerabilities are intentional, controlled security flaws you plant in your application to validate that CodeWall detects them. They act as a baseline confidence check.
Why use canaries
- Verify coverage — confirm the agent is reaching and testing the right areas
- Benchmark detection — measure how well CodeWall performs against known issues
- Test your pipeline — validate that findings flow through to your integrations (Slack, Jira, webhooks)
Setting up a canary
1. Choose a vulnerability type
Pick a common, well-understood vulnerability:
- Reflected XSS — add a parameter that reflects unescaped input in the response
- SQL Injection — add an endpoint with unsanitized database input
- Open Redirect — add a redirect endpoint that accepts arbitrary URLs
- IDOR — add an endpoint that returns data based on a user-controlled ID without authorization checks
2. Deploy the canary
Add the vulnerable endpoint to your staging or test environment. Keep it simple and clearly exploitable — the goal is to verify detection, not test edge cases.
3. Run a test
Launch a test with the canary endpoint in scope. After the test completes, check whether the canary was detected in the findings.
4. Evaluate
- Detected — CodeWall is working as expected for this vulnerability class
- Not detected — check that the endpoint was in scope and reachable by the agent, and that the canary was actually exploitable as deployed. Contact support if the issue persists.
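As an added example (not CodeWall's own code, nor an endpoint the docs ship), the block below shows one way to carry steps 1 through 4 end to end in a single stand-alone Python file using only the standard library: a tiny WSGI app that serves a reflected-XSS canary and an open-redirect canary, refuses to serve them outside a staging or test environment, tags each response so a finding can be traced back to the registry, and a check that maps a list of findings to a detected / not detected verdict per canary. The APP_ENV variable, the X-Canary header, the canary ids and the findings schema (dicts with "type" and "path" keys) are assumptions made for illustration; CodeWall's real findings export may use different field names.

```python
"""Canary endpoints plus a detection check (added example, standard library only).

Assumptions (not from the CodeWall docs): APP_ENV names the deployment
environment and is present in the WSGI environ; findings are dicts with
"type" and "path" keys.
"""
from urllib.parse import parse_qs

# Canary registry: this is also the written record that tells the team
# these flaws are intentional (ids and paths are constructed for the example).
CANARIES = {
    "canary-xss-01": {"type": "reflected_xss", "path": "/canary/xss"},
    "canary-redirect-01": {"type": "open_redirect", "path": "/canary/redirect"},
}
CANARY_PATHS = {c["path"]: cid for cid, c in CANARIES.items()}


def canaries_enabled(environ) -> bool:
    """Serve canaries only in staging/test; a missing or 'production' value disables them."""
    return environ.get("APP_ENV", "production") in ("staging", "test")


def canary_app(environ, start_response):
    """Minimal WSGI app exposing the registered canaries.

    Each canary is deliberately vulnerable in the way the guide describes,
    carries an X-Canary header so a finding can be attributed to the registry,
    and is a plain 404 whenever canaries are disabled.
    """
    path = environ.get("PATH_INFO", "")
    params = parse_qs(environ.get("QUERY_STRING", ""))
    canary_id = CANARY_PATHS.get(path)
    if canary_id is None or not canaries_enabled(environ):
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if canary_id == "canary-xss-01":
        # Reflected XSS canary: "q" is placed into the HTML unescaped on purpose.
        q = params.get("q", [""])[0]
        body = f"<html><body>You searched for: {q}</body></html>".encode()
        start_response("200 OK", [("Content-Type", "text/html"), ("X-Canary", canary_id)])
        return [body]
    # Open redirect canary: "next" goes straight into Location on purpose.
    target = params.get("next", ["/"])[0]
    start_response("302 Found", [("Location", target), ("X-Canary", canary_id)])
    return [b""]


def call(app, path, query="", app_env="production"):
    """Invoke a WSGI app in-process; returns (status, headers dict, body text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"PATH_INFO": path, "QUERY_STRING": query, "APP_ENV": app_env}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode()


def evaluate_canaries(findings, canaries=CANARIES):
    """Step 4: mark each registered canary as detected or not detected.

    A finding counts when its vulnerability type and path match the canary;
    anything left "not detected" is what you investigate (scope, reachability).
    """
    result = {}
    for cid, canary in canaries.items():
        hit = any(f.get("type") == canary["type"] and f.get("path") == canary["path"]
                  for f in findings)
        result[cid] = "detected" if hit else "not detected"
    return result


if __name__ == "__main__":
    print(call(canary_app, "/canary/xss", "q=%3Cb%3Ehello%3C%2Fb%3E", app_env="staging"))
    print(call(canary_app, "/canary/xss", "q=%3Cb%3Ehello%3C%2Fb%3E"))  # production: 404
    # Constructed findings, as if exported after the test run: only the XSS canary was found.
    findings = [{"type": "reflected_xss", "path": "/canary/xss", "severity": "medium"}]
    for cid, verdict in evaluate_canaries(findings).items():
        print(cid, verdict)
```

Because the gate reads the environment from the request environ rather than a hard-coded flag, the same build can ship everywhere and the canaries simply never answer in production; deleting the entries from CANARIES after validation removes both the endpoints and the registry record in one place.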
Best practices
- Use canaries in staging environments, not production
- Remove canaries after validation — don't leave intentional vulnerabilities deployed
- Test one vulnerability type at a time for clear results
- Document your canaries so your team knows they're intentional