Demo 01 ~3 min

The Poisoned Pipeline

See what happens when corrupted sensor data hits an unprotected pipeline — then watch Makoto stop it cold.

Corrupted data accepted silently
Unsigned data rejected at intake

The Problem

Your IoT pipeline ingests CSV files from partner devices — temperature sensors, humidity monitors, industrial gauges. Every hour, new data arrives and flows straight into your analytics database. Nobody checks where the files came from or whether they've been tampered with. The pipeline trusts everything it receives.

One morning, a corrupted file slips through. It contains SQL injection payloads hidden in sensor IDs, physically impossible temperature readings, and NaN values where numbers should be. Your analytics silently absorbs all of it. Dashboards show garbage data, alerts fire for phantom anomalies, and your team spends two days tracking down the source — because there's no record of who sent the file, when it was created, or whether it was ever valid.

What You Will See

Without Makoto

━━━ PART 1: Pipeline WITHOUT DBOM ━━━
📥 Ingesting sensors_corrupted.csv (no provenance check)...
Data quality scan:
  ⚠️ Row [SENSOR-004 @ 2025-01-15T10:03:00Z]: temperature='nan' is not a valid number
  ⚠️ Row [SENSOR-005 @ 2025-01-15T10:04:00Z]: temperature='9999.99' is physically impossible
  ⚠️ Row [SENSOR-006 @ 2025-01-15T10:05:00Z]: temperature='-273.16' is physically impossible
  ⚠️ Row [SENSOR-007 @ 2025-01-15T10:06:00Z]: humidity=150.00% exceeds 100%
Pipeline result: processed 10 rows
❌ Corrupted data was accepted — no gate, no check, no trail.
SQL injection payload, NaN values, and impossible readings all passed through.

With Makoto

━━━ PART 2: Pipeline WITH DBOM Gate ━━━
📥 Attempting to ingest sensors_corrupted.csv...
❌ REJECTED: No DBOM file found for sensors_corrupted.csv
This file has no provenance. Unsigned data is not trusted.
📥 Attempting to ingest sensors_clean.csv...
✅ DBOM found: sensors_clean.dbom.json
🔍 Verifying DBOM...
  Source URI: s3://iot-ingest/sensors/2025-01-15/sensors_clean.csv
  Hash: a1b2c3d4... (sha256)
  Signer: github:data-eng-team
✅ Hash verified — file matches DBOM
✅ Signer trusted — data accepted
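The Part 2 gate as an added sketch, not Makoto's own code: it fails closed on a missing DBOM, an unknown signer, a bad signature or a hash mismatch. The DBOM field names, the helper names and the HMAC stand-in for the signature scheme are assumptions, and the sample files are constructed.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

# Assumption: signer id -> verification key. HMAC stands in for the real
# signature scheme, which the page does not specify.
TRUSTED_SIGNERS = {"github:data-eng-team": b"constructed-demo-key"}

def _mac(key: bytes, dbom: dict) -> str:
    body = {k: v for k, v in dbom.items() if k != "signature"}
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def write_dbom(data_file: Path, signer: str, key: bytes) -> None:
    """Producer side: record the file hash and sign the DBOM (hypothetical layout)."""
    dbom = {"source": data_file.name, "signer": signer,
            "sha256": hashlib.sha256(data_file.read_bytes()).hexdigest()}
    dbom["signature"] = _mac(key, dbom)
    data_file.with_suffix(".dbom.json").write_text(json.dumps(dbom))

def gate(data_file: Path) -> tuple[bool, str]:
    """Intake side: reject unless DBOM, signer, signature and hash all check out."""
    dbom_path = data_file.with_suffix(".dbom.json")
    if not dbom_path.is_file():
        return False, "no DBOM"
    try:
        dbom = json.loads(dbom_path.read_text())
        key = TRUSTED_SIGNERS.get(dbom["signer"])
        claimed_sig, claimed_hash = str(dbom["signature"]), str(dbom["sha256"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed DBOM"
    if key is None:
        return False, "untrusted signer"
    if not hmac.compare_digest(_mac(key, dbom).encode(), claimed_sig.encode()):
        return False, "bad signature"
    if hashlib.sha256(data_file.read_bytes()).hexdigest() != claimed_hash:
        return False, "hash mismatch"
    return True, "accepted"

def demo() -> dict:
    """Run the gate over constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        clean, bad = Path(d, "sensors_clean.csv"), Path(d, "sensors_corrupted.csv")
        clean.write_text("sensor_id,temperature\nSENSOR-001,21.5\n")
        bad.write_text("sensor_id,temperature\nSENSOR-004,nan\n")
        write_dbom(clean, "github:data-eng-team", b"constructed-demo-key")
        results = {"unsigned": gate(bad), "clean": gate(clean)}
        clean.write_text("sensor_id,temperature\nSENSOR-005,9999.99\n")  # tamper after signing
        results["tampered"] = gate(clean)
        return results
```

The signer allow-list only means something because the signature over the DBOM is checked before the signer field is trusted; a gate that reads the signer name without verifying a signature can be satisfied by anyone who writes that name into the JSON.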

Run It

$ git clone https://github.com/makoto-project/makoto
$ cd makoto/demos/01-poisoned-pipeline
$ ./run.sh

Key Insight: Without provenance, your pipeline has no immune system — it accepts everything, including poison.

What Else This Handles