diff --git a/app.py b/app.py
new file mode 100644
index 0000000..0d0c24d
--- /dev/null
+++ b/app.py
@@ -0,0 +1,31 @@
+# A simple app with some issues for Heimdall to find
+
+import os
+import subprocess
+
+def get_user_input():
+ query = input("Enter search: ")
+ # SQL injection vulnerability
+ result = db.execute(f"SELECT * FROM users WHERE name = '{query}'")
+ return result
+
+def run_command(cmd):
+ # Command injection vulnerability
+ subprocess.call(cmd, shell=True)
+
+# Hardcoded secret
+API_KEY = "sk-1234567890abcdef"
+
+def fetch_data():
+ # No error handling
+ response = requests.get(f"https://api.example.com?key={API_KEY}")
+ return response.json()
+# More code
+# Even more
+# debug2
+# foreground test
+# actual test
+# retry
+# fixed clone
+# deepen test
+# full clone
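Review bot: `db` in get_user_input and `requests` in fetch_data are never imported or defined in this file, so both functions raise NameError on the first call, while the imported `os` is unused; if the module is meant to run at all, add `import requests` next to the other imports and either import or inject `db`, and if it is only a scanner fixture, say so in the header comment, e.g. `# Fixture: intentionally vulnerable, not meant to be executed`. The injection, hardcoded-secret and error-handling findings are already labelled by inline comments, but the `requests.get` call also lacks a `timeout=` argument, so a stalled endpoint blocks the caller indefinitely — `requests.get(..., timeout=10)` is the usual fix. The trailing run of comments from `# More code` to `# full clone` reads as leftover commit-test scaffolding rather than documentation and could be dropped.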