58 of your 110 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.72s · analysis 9.44s · 2.8 MB · GitHub API rate-limit (preflight)

bdfinst/agentic-dev-team

https://github.com/bdfinst/agentic-dev-team · scanned 2026-06-05 13:07 UTC (5 days, 7 hours ago) · 10 languages

346 raw signals (104 security + 242 graph) 11th percentile · Typescript · small (2-20K LoC)


Complete repo analysis

Last scanned 5 days, 7 hours ago · v2 · 189 actionable findings from 2 signal sources. 36 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component             Sub-score  Weight  Contribution
structure_score            40.0    0.15          6.00
security_score             23.3    0.25          5.83
testing_score              46.0    0.20          9.20
documentation_score        89.0    0.15         13.35
practices_score            65.0    0.15          9.75
code_quality               63.4    0.10          6.34
Overall                            1.00         50.5
Active filters: excluding tests
Scan summary: Quality grade C- (50/100). Dimensions: security 23, maintainability 40. 104 findings (28 security). 10,518 lines analyzed.

Showing 151 of 189 actionable findings. 225 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
Review and fix per the pattern semantics. See CWE-502 for context.
evals/semgrep-rulesets/ml-patterns/positive/bad_pickle.py:9
critical Security checks quality Quality conf 1.00 [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
evals/semgrep-rulesets/ml-patterns/positive/bad_pickle.py:9
critical Security checks quality Quality conf 0.80 ✓ Repobility Admin endpoint without auth: POST /admin/reload-model
Handler `admin_reload_model` serves an /admin path (/admin/reload-model) and the function has no Depends/Security parameter and no auth marker in its body. Admin without auth = full takeover.
evals/comparative/fixture-repo/services/fraud-scoring/src/server.py:19
critical Security checks security secrets conf 0.95 3 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
2 files, 3 locations
evals/comparative/fixture-repo/services/fraud-scoring/tests/test_scorer.py:6, 7 (2 hits)
evals/custom-tools/entropy-check/fixture/.env.staging:3
critical Security checks security secrets conf 0.95 Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
Gitleaks detected a committed secret or credential pattern.
evals/fixtures/sec-hardcoded-secrets.ts:9
high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `warnings` used but not imported
The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
scripts/lib/apply_accepted_risks.py:211
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in evals/semgrep-rulesets/llm-safety/positive/bad_llm_usage.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
lines 7, 12
evals/semgrep-rulesets/llm-safety/positive/bad_llm_usage.py:7, 12 (2 hits)
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.
evals/upgrade-migration/migrate.py:129
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks.
Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group.
plugins/dev-team/hooks/destructive-guard.sh:56
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
plugins/dev-team/skills/static-analysis-integration/adapters/security-review-adapter.py:175
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
plugins/security-assessment/scripts/verify-report.sh:155
high Security checks quality Quality conf 1.00 ✓ Repobility 8 occurrences `self._check_budget` used but never assigned in __init__
Method `_request` of class `HTTPClient` reads `self._check_budget`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
lines 101, 102, 105, 111, 117, 126, 129, 133
plugins/security-assessment/harness/redteam/lib/http_client.py:101, 102, 105, 111, 117, 126, 129, 133 (8 hits)
high Security checks cicd CI/CD security conf 0.92 Dockerfile copies the entire context without .dockerignore
COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.
evals/comparative/fixture-repo/services/fraud-scoring/Dockerfile:12 · CI/CD security, containers
high Security checks cicd CI/CD security conf 0.92 Dockerfile copies the entire context without .dockerignore
COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.
evals/comparative/fixture-repo/services/auth-gateway/Dockerfile:9 · CI/CD security, containers
high Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences Dockerfile FROM `node:20` not pinned by digest
`FROM node:20` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
2 files, 4 locations
evals/comparative/fixture-repo/services/auth-gateway/Dockerfile:1, 5 (2 hits)
evals/comparative/fixture-repo/services/fraud-scoring/Dockerfile:2, 9 (2 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility Express DELETE /api/users/:id has no auth
Express route DELETE /api/users/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
evals/fixtures/sec-sql-injection.ts:43
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /api/login has no auth
Express route POST /api/login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
evals/fixtures/sec-sql-injection.ts:25
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /events has no auth
Express route POST /events declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
evals/codebase-recon/fixtures/ts-monorepo/packages/api/src/server.ts:9
high Security checks quality Quality conf 0.80 ✓ Repobility Express POST /score has no auth
Express route POST /score declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
evals/comparative/fixture-repo/services/auth-gateway/src/server.ts:28
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /ingest has no auth
Handler `ingest` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
evals/codebase-recon/fixtures/polyglot/backend/app.py:30
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /predict has no auth
Handler `predict` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
evals/comparative/fixture-repo/services/fraud-scoring/src/server.py:35
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 6 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 6 locations
evals/comparative/fixture-repo/.github/workflows/ci.yml:11, 12, 31 (3 hits)
evals/codebase-recon/fixtures/ts-monorepo/.github/workflows/ci.yml:11, 12 (2 hits)
.github/workflows/plugin-tests.yml:12
CI/CD security, Supply chain, GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility GitHub Action is tag-pinned rather than SHA-pinned
Action `googleapis/release-please-action` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
.github/workflows/release-please.yml:16 · CI/CD security, Supply chain, GitHub Actions
high Security checks software dependencies conf 0.88 scikit-learn: PYSEC-2024-110
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words…
plugins/security-assessment/harness/redteam/requirements.txt
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/users/${user.id}/notifications (evals/fixtures/cx-callback-hell.ts:67)
`evals/fixtures/cx-callback-hell.ts:67` calls `GET /api/users/${user.id}/notifications` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/users/<p>/notifications` If this points at an external API, prefix it with `http…
Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/users/${user.id}/prefs (evals/fixtures/cx-callback-hell.ts:64)
`evals/fixtures/cx-callback-hell.ts:64` calls `GET /api/users/${user.id}/prefs` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/users/<p>/prefs` If this points at an external API, prefix it with `https://` so the mat…
Dangling fetch, Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://loyalty-api.internal/v2/customers/${customerId}/tier (evals/fixtures/dm-leaky-abstraction.ts:37)
`evals/fixtures/dm-leaky-abstraction.ts:37` calls `GET https://loyalty-api.internal/v2/customers/${customerId}/tier` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios Normalized path used for matching: `/https:/loyalty-api.internal/v2/customers/<p>/tier` …
Dangling fetch, Axios
high System graph api Wiring conf 1.00 Dangling fetch: POST https://api.stripe.com/v1/charges (evals/fixtures/sec-hardcoded-secrets.ts:38)
`evals/fixtures/sec-hardcoded-secrets.ts:38` calls `POST https://api.stripe.com/v1/charges` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios Normalized path used for matching: `/https:/api.stripe.com/v1/charges` If this points at an external API, prefix …
Dangling fetch, Axios
high System graph api Wiring conf 1.00 Dangling fetch: POST https://payments.stripe.com/v1/charges (evals/fixtures/dm-leaky-abstraction.ts:70)
`evals/fixtures/dm-leaky-abstraction.ts:70` calls `POST https://payments.stripe.com/v1/charges` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios Normalized path used for matching: `/https:/payments.stripe.com/v1/charges` If this points at an external API…
Dangling fetch, Axios
high System graph security auth conf 1.00 FastAPI POST `admin_reload_model` without auth dependency — evals/comparative/fixture-repo/services/fraud-scoring/src/server.py:18
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
evals/comparative/fixture-repo/services/fraud-scoring/src/server.py:18 · security, Auth, fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `predict` without auth dependency — evals/comparative/fixture-repo/services/fraud-scoring/src/server.py:34
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
evals/comparative/fixture-repo/services/fraud-scoring/src/server.py:34 · security, Auth, fastapi unauth mutation
high System graph security security conf 1.00 Insecure pattern 'tls_verify_false' in evals/comparative/fixture-repo/services/fraud-scoring/src/crypto_utils.py:16
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
evals/comparative/fixture-repo/services/fraud-scoring/src/crypto_utils.py:16 · Tls verify false
high System graph security security conf 1.00 Insecure pattern 'tls_verify_false' in evals/comparative/ground-truth.yaml:305
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
evals/comparative/ground-truth.yaml:305 · Tls verify false
high System graph security security conf 1.00 Insecure pattern 'tls_verify_false' in evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py:9
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py:9 · Tls verify false
high System graph security security conf 1.00 Insecure pattern 'tls_verify_false' in plugins/security-assessment/knowledge/semgrep-rules/crypto-anti-patterns.yaml:44
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
plugins/security-assessment/knowledge/semgrep-rules/crypto-anti-patterns.yaml:44 · Tls verify false
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
evals/semgrep-rulesets/ml-patterns/positive/bad_pickle.py:9
medium Security checks security Crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py:9
medium Security checks security Crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
evals/comparative/fixture-repo/services/fraud-scoring/src/crypto_utils.py:16
medium Security checks quality Quality conf 1.00 [SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pulling from env. These get committed verbatim — production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand
Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder.
plugins/security-assessment/harness/tools/shared-cred-hash-match.py:65
medium Security checks quality Quality conf 1.00 [SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pulling from env. These get committed verbatim — production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand
Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder.
plugins/dev-team/tools/entropy-check.py:96
low Security checks quality Error handling conf 0.55 ✓ Repobility 6 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
6 files, 6 locations
evals/semgrep-rulesets/fraud-domain/negative/good_scoring.py:8
evals/semgrep-rulesets/fraud-domain/positive/bad_scoring.py:9
evals/static-analysis-tools/validate.py:248
plugins/security-assessment/harness/redteam/orchestrator.py:91
plugins/security-assessment/harness/redteam/probes/05_evasion_attack.py:88
scripts/lib/normalize_findings.py:75
Error handling, quality
medium Security checks cicd CI/CD security conf 0.86 Database dump or local database file is included in Docker build context
Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions.
.dockerignore · CI/CD security, containers
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore · CI/CD security, containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
evals/comparative/fixture-repo/services/fraud-scoring/Dockerfile:9 · CI/CD security, containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
evals/comparative/fixture-repo/services/auth-gateway/Dockerfile:6 · CI/CD security, containers
medium Security checks software dependencies conf 0.90 npm package `@types/express` is 1 major version(s) behind (^4.17.0 -> 5.0.6)
`@types/express` is pinned/resolved at ^4.17.0 but the latest stable release on the npm registry is 5.0.6 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
evals/comparative/fixture-repo/services/auth-gateway/package.json
medium Security checks software dependencies conf 0.90 npm package `dotenv` is 1 major version(s) behind (^16.3.0 -> 17.4.2)
`dotenv` is pinned/resolved at ^16.3.0 but the latest stable release on the npm registry is 17.4.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
evals/comparative/fixture-repo/services/auth-gateway/package.json
medium Security checks software dependencies conf 0.90 npm package `express` is 1 major version(s) behind (^4.18.2 -> 5.2.1)
`express` is pinned/resolved at ^4.18.2 but the latest stable release on the npm registry is 5.2.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
evals/fixtures/cs-broken-paths/package.json
medium Security checks software dependencies conf 0.90 2 occurrences npm package `express` is 1 major version(s) behind (^4.19.0 -> 5.2.1)
`express` is pinned/resolved at ^4.19.0 but the latest stable release on the npm registry is 5.2.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
evals/codebase-recon/fixtures/ts-monorepo/packages/api/package.json
evals/comparative/fixture-repo/services/auth-gateway/package.json
medium Security checks software dependencies conf 0.90 ✓ Repobility 5 occurrences requirements.txt: `fastapi` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
lines 2, 3, 4, 5, 6
evals/comparative/fixture-repo/services/fraud-scoring/requirements.txt:2, 3, 4, 5, 6 (5 hits)
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — evals/comparative/fixture-repo/services/auth-gateway/src/server.ts:20
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety, Robustness
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
evals/comparative/fixture-repo/.github/workflows/ci.yml · CI/CD security, Supply chain, Github actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-please.yml · CI/CD security, Supply chain, Github actions
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in evals/comparative/ground-truth.yaml:293
Found a known-risky pattern (weak_hash). Review and replace if possible.
evals/comparative/ground-truth.yaml:293 · Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in plugins/security-assessment/knowledge/semgrep-rules/crypto-anti-patterns.yaml:34
Found a known-risky pattern (weak_hash). Review and replace if possible.
plugins/security-assessment/knowledge/semgrep-rules/crypto-anti-patterns.yaml:34 · Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in plugins/security-assessment/knowledge/severity-floors.json:14
Found a known-risky pattern (weak_hash). Review and replace if possible.
plugins/security-assessment/knowledge/severity-floors.json:14 · Weak hash
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — evals/custom-tools/validate.py:33
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — evals/semgrep-rulesets/crypto-anti-patterns/negative/good_crypto.py:9
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py:9
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — evals/upgrade-migration/migrate.py:122
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety, Robustness
medium System graph network Security conf 1.00 Privileged port 13 in use
Port 13 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
scripts/phase-timer.sh · Ports
medium System graph network Security conf 1.00 Privileged port 2 in use
Port 2 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
scripts/phase-timer.sh · Ports
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
11 test file(s) for 111 source file(s) (ratio 0.10). Consider adding integration or unit tests for critical paths.
Coverage
high Security checks cicd CI/CD security conf 0.72 Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts.
evals/comparative/fixture-repo/services/fraud-scoring/Dockerfile:6 · CI/CD security, containers
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
plugins/dev-team/tools/model-hash-verify.py:126 · duplication, quality
low Security checks software dependencies conf 0.90 Python package `fastapi` is minor version(s) behind (0.111.0 -> 0.136.3)
`fastapi==0.111.0` is minor version(s) behind the latest stable release on PyPI (0.136.3). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
evals/codebase-recon/fixtures/polyglot/backend/requirements.txt:1
low Security checks software dependencies conf 0.90 Python package `uvicorn` is minor version(s) behind (0.30.0 -> 0.49.0)
`uvicorn==0.30.0` is minor version(s) behind the latest stable release on PyPI (0.49.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
evals/codebase-recon/fixtures/polyglot/backend/requirements.txt:3
low System graph quality Integrity conf 1.00 17 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `API_UPSTREAM`, `EMULATION_MODE`, `KNOWLEDGE_INDEX_CORPUS_ROOTS`, `KNOWLEDGE_INDEX_OUTPUT`, `MAX_RETRIES`, `MODEL_ENDPOINT`, `MODEL_PATH`, `NODE_TLS_REJECT_UNAUTHORIZED` + 9 more. Add them (with a placeholder/comment) to .env.example so onboarding …
config drift
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
evals/comparative/fixture-repo/services/auth-gateway/Dockerfile:1 · containers, Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
evals/comparative/fixture-repo/services/auth-gateway/Dockerfile:5 · containers, Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.10
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
evals/comparative/fixture-repo/services/fraud-scoring/Dockerfile:2 · containers, Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.10-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
evals/comparative/fixture-repo/services/fraud-scoring/Dockerfile:9 · containers, Pinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/codebase-recon/fixtures/non-git-basic/src/main.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/codebase-recon/fixtures/polyglot/frontend/src/main.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/codebase-recon/fixtures/ts-monorepo/packages/api/src/routes/auth.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/codebase-recon/fixtures/ts-monorepo/packages/api/src/server.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/comparative/fixture-repo/services/auth-gateway/src/routes/admin.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/sec-env-gitignored/src/app.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/sec-safe-headers.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/sec-sql-injection.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/sec-xss-vulnerable.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/sv-effect-pitfalls.svelte.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/sv-store-subscription-leak.svelte.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/test-assertion-roulette.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/test-missing-edge-cases.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/test-mystery-guest.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/test-no-assertions.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/test-overspecified-mocks.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/test-shared-state.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/test-thorough-edge-cases.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/test-weak-assertions.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: evals/fixtures/test-well-structured.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 4 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/lib/apply_accepted_risks.py:load_findings_jsonl, scripts/lib/skeleton_report.py:load_findings This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they'…
repo-level (4 hits) · duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `processInvoiceLegacy` in evals/fixtures/te-long-functions.ts:44
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `searchUsersLegacy` in evals/fixtures/te-duplicate-code.ts:23
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: build_features
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/fraud-domain/negative/good_scoring.py:14
low System graph software Dead code conf 1.00 Possibly dead Python function: build_features
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/fraud-domain/positive/bad_scoring.py:19
low System graph software Dead code conf 1.00 Possibly dead Python function: chat_with_claude
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/llm-safety/negative/good_llm_usage.py:6
low System graph software Dead code conf 1.00 Possibly dead Python function: chat_with_claude
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/llm-safety/positive/bad_llm_usage.py:10
low System graph software Dead code conf 1.00 Possibly dead Python function: encrypt_bad_cbc
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py:17
low System graph software Dead code conf 1.00 Possibly dead Python function: encrypt_bad_des
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py:23
low System graph software Dead code conf 1.00 Possibly dead Python function: encrypt_good_gcm
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/crypto-anti-patterns/negative/good_crypto.py:17
low System graph software Dead code conf 1.00 Possibly dead Python function: encrypt_payload
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/comparative/fixture-repo/services/fraud-scoring/src/crypto_utils.py:20
low System graph software Dead code conf 1.00 Possibly dead Python function: fetch_remote_signature
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/comparative/fixture-repo/services/fraud-scoring/src/crypto_utils.py:14
low System graph software Dead code conf 1.00 Possibly dead Python function: fetch_trusted
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/crypto-anti-patterns/negative/good_crypto.py:7
low System graph software Dead code conf 1.00 Possibly dead Python function: fetch_untrusted
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py:7
low System graph software Dead code conf 1.00 Possibly dead Python function: hash_artifact
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
plugins/security-assessment/harness/redteam/lib/scope_check.py:92
low System graph software Dead code conf 1.00 Possibly dead Python function: hash_for_integrity
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/crypto-anti-patterns/negative/good_crypto.py:12
low System graph software Dead code conf 1.00 Possibly dead Python function: hash_for_integrity
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/crypto-anti-patterns/positive/bad_crypto.py:12
low System graph software Dead code conf 1.00 Possibly dead Python function: integrity_hash
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/comparative/fixture-repo/services/fraud-scoring/src/crypto_utils.py:9
low System graph software Dead code conf 1.00 Possibly dead Python function: is_self_owned
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
plugins/security-assessment/harness/redteam/lib/scope_check.py:41
low System graph software Dead code conf 1.00 Possibly dead Python function: load_bad_joblib
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/ml-patterns/positive/bad_pickle.py:12
low System graph software Dead code conf 1.00 Possibly dead Python function: load_bad_pickle
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/ml-patterns/positive/bad_pickle.py:7
low System graph software Dead code conf 1.00 Possibly dead Python function: load_bad_torch
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/ml-patterns/positive/bad_pickle.py:17
low System graph software Dead code conf 1.00 Possibly dead Python function: load_safe_safetensors
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/ml-patterns/negative/good_loading.py:11
low System graph software Dead code conf 1.00 Possibly dead Python function: load_safe_torch
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/ml-patterns/negative/good_loading.py:6
low System graph software Dead code conf 1.00 Possibly dead Python function: load_verified_onnx
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/semgrep-rulesets/ml-patterns/negative/good_loading.py:16
low System graph software Dead code conf 1.00 Possibly dead Python function: log_transaction_debug
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/comparative/fixture-repo/services/fraud-scoring/src/logging_config.py:13
low System graph software Dead code conf 1.00 Possibly dead Python function: objective
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
plugins/security-assessment/harness/redteam/probes/05_evasion_attack.py:71
low System graph software Dead code conf 1.00 Possibly dead Python function: precision_estimate
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
evals/comparative/score.py:543
low System graph software Dead code conf 1.00 Possibly dead Python function: refusal_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
plugins/security-assessment/harness/redteam/lib/scope_check.py:104
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — evals/codebase-recon/fixtures/ts-monorepo/packages/api/src/server.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — evals/comparative/fixture-repo/services/auth-gateway/src/server.ts:33
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — evals/fixtures/sds-prefilter-trivial/trivial-functions.ts:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — evals/fixtures/sec-env-gitignored/src/app.ts:15
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — evals/fixtures/sec-hardcoded-secrets.ts:36
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — evals/fixtures/sv-effect-pitfalls.svelte.ts:24
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — evals/fixtures/sv-proper-reactive.svelte.ts:25
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — evals/fixtures/sv-store-subscription-leak.svelte.ts:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — evals/fixtures/test-no-assertions.test.ts:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: GET /actuator/heap
`evals/comparative/fixture-repo/services/fraud-scoring/src/server.py` declares `GET /actuator/heap` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documen…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/comments/render
`evals/fixtures/sec-xss-vulnerable.ts` declares `GET /api/comments/render` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/health
`evals/fixtures/sec-safe-headers.ts` declares `GET /api/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/users
`evals/fixtures/sec-sql-injection.ts` declares `GET /api/users` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/users/search
`evals/fixtures/sec-sql-injection.ts` declares `GET /api/users/search` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /profile/:username
`evals/fixtures/sec-xss-vulnerable.ts` declares `GET /profile/:username` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /search
`evals/fixtures/sec-xss-vulnerable.ts` declares `GET /search` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /admin/reload-model
`evals/comparative/fixture-repo/services/fraud-scoring/src/server.py` declares `POST /admin/reload-model` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or d…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/login
`evals/fixtures/sec-sql-injection.ts` declares `POST /api/login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /events
`evals/codebase-recon/fixtures/ts-monorepo/packages/api/src/server.ts` declares `POST /events` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /flush-cache
`evals/comparative/fixture-repo/services/auth-gateway/src/routes/admin.ts` declares `POST /flush-cache` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or doc…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /ingest
`evals/codebase-recon/fixtures/polyglot/backend/app.py` declares `POST /ingest` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /issue-token
`evals/comparative/fixture-repo/services/auth-gateway/src/routes/admin.ts` declares `POST /issue-token` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or doc…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /login
`evals/codebase-recon/fixtures/ts-monorepo/packages/api/src/routes/auth.ts` declares `POST /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or document…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /predict
`evals/comparative/fixture-repo/services/fraud-scoring/src/server.py` declares `POST /predict` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /score
`evals/comparative/fixture-repo/services/auth-gateway/src/server.ts` declares `POST /score` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /verify
`evals/codebase-recon/fixtures/ts-monorepo/packages/api/src/routes/auth.ts` declares `POST /verify` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documen…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /admin
`evals/comparative/fixture-repo/services/auth-gateway/src/server.ts` declares `USE /admin` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /api/
`evals/fixtures/sec-safe-headers.ts` declares `USE /api/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /auth
`evals/codebase-recon/fixtures/ts-monorepo/packages/api/src/server.ts` declares `USE /auth` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who…
Unused endpoint
This page is publicly accessible at: https://repobility.com/scan/0b85a2c0-d147-40cd-a902-26cae92c4136/
