Public scan — anyone with this URL can view this analysis.
54 of your 72 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 506.79s for a 507.7 MB repo (slow).
  • Repobility's analysis ran in 3.61s after the clone landed.

microsoft/ai-agents-for-beginners

https://github.com/microsoft/ai-agents-for-beginners · scanned 2026-06-05 08:54 UTC (5 days, 19 hours ago) · 10 languages

70 findings · 11/13 scanners ran


Complete repo analysis

23 actionable findings from 1 signal source. 47 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component            Sub-score  Weight  Contribution
structure_score           40.0    0.15          6.00
security_score           100.0    0.25         25.00
testing_score             18.0    0.20          3.60
documentation_score       82.0    0.15         12.30
practices_score           67.0    0.15         10.05
code_quality              74.0    0.10          7.40
Overall                            1.00         64.3
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filter: excluding tests.

Showing 13 of 23 actionable findings. 70 raw detector signals were grouped into reader-sized issues.

low · Security checks / quality (Quality) · conf 1.00 · ✓ Repobility · [MINED006] Overcatch BaseException
`except BaseException: ...` prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
11-agentic-protocols/code_samples/mcp-agents/client/resumable_client.py:221
high · Security checks / quality (Quality) · conf 1.00 · ✓ Repobility · [MINED020] Logging Credential Via F-string
`logger.error(f"failed for {api_key}")` writes the secret into log aggregators / Sentry.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
11-agentic-protocols/code_samples/mcp-agents/client/resumable_client.py:58
high · Security checks / quality (Quality) · conf 1.00 · ✓ Repobility · 3 occurrences · [MINED108] `self._store_event_sync` used but never assigned in __init__
Method `store_event` of class `PersistentEventStore` reads `self._store_event_sync`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._store_event_sync = <default>` in __init__, or add a class-level default.
11-agentic-protocols/code_samples/mcp-agents/server/event_store.py:133, 156, 242 (3 hits)
high · Security checks / software dependencies · conf 0.90 · ✓ Repobility · [MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/python:3.12` not pinned by digest
`FROM mcr.microsoft.com/devcontainers/python:3.12` resolves the tag at build time. The registry can re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity.
Replace with `FROM mcr.microsoft.com/devcontainers/python:3.12@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
.devcontainer/Dockerfile:1
medium · Security checks / cicd (CI/CD security) · conf 0.90 · ✓ Repobility · 2 occurrences · GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `pozil/auto-assign-issue` pinned to mutable ref `@v2`: `uses: pozil/auto-assign-issue@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char c…
2 files, 2 locations:
.github/workflows/welcome-issue.yml:31
.github/workflows/welcome-pr.yml:31
Tags: CI/CD security, Supply chain, GitHub Actions
low · Security checks / cicd (CI/CD security) · conf 0.90 · ✓ Repobility · 2 occurrences · GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commi…
2 files, 2 locations:
.github/workflows/welcome-issue.yml:14
.github/workflows/welcome-pr.yml:14
Tags: CI/CD security, Supply chain, GitHub Actions
medium · Security checks / software dependencies · conf 0.90 · ✓ Repobility · 18 occurrences · [MINED124] requirements.txt: `azure-ai-inference` has no version pin
An unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `azure-ai-inference` with `azure-ai-inference==<version>` and manage upgrades through PRs / Dependabot.
requirements.txt:2, 3, 4, 5, 8, 9, 12, 15, +10 more (18 hits)
low · Security checks / quality (Error handling) · conf 0.55 · ✓ Repobility · 22 occurrences · Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
5 files, 22 locations:
11-agentic-protocols/code_samples/github-mcp/app.py:62, 94, 114, 123, 261, 367, 392 (7 hits)
11-agentic-protocols/code_samples/mcp-agents/client/client.py:166, 203, 256, 377, 401, 419, 455 (7 hits)
11-agentic-protocols/code_samples/mcp-agents/client/resumable_client.py:191, 195, 223 (3 hits)
11-agentic-protocols/code_samples/mcp-agents/client/utils.py:80, 105, 117 (3 hits)
14-microsoft-agent-framework/code-samples/hotel_booking_workflow_sample.py:124, 146 (2 hits)
Tags: Error handling, quality
medium · Security checks / cicd (CI/CD security) · conf 0.90 · Docker build context has no .dockerignore
Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases.
.dockerignore
Tags: CI/CD security, containers
medium · Security checks / cicd (CI/CD security) · conf 0.84 · Docker build context is very large
Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers.
.dockerignore
Tags: CI/CD security, containers
high · Security checks / cicd (CI/CD security) · conf 0.82 · Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
.devcontainer/Dockerfile:1
Tags: CI/CD security, containers
high · Security checks / cicd (CI/CD security) · conf 0.72 · 2 occurrences · Dockerfile keeps pip download cache
Use `pip install --no-cache-dir ...` in container builds.
.devcontainer/Dockerfile:4, 8 (2 hits)
Tags: CI/CD security, containers
low · Security checks / quality (Quality) · conf 0.60 · 5 occurrences · Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
5 files, 5 locations:
02-explore-agentic-frameworks/code_samples/02-dotnet-agent-framework.cs:1
03-agentic-design-patterns/code_samples/03-dotnet-agent-framework.cs:7
04-tool-use/code_samples/04-dotnet-agent-framework.cs:8
08-multi-agent/code_samples/workflows-agent-framework/dotNET/02.dotnet-agent-framework-workflow-ghmodel-sequential.cs:60
08-multi-agent/code_samples/workflows-agent-framework/dotNET/04.dotnet-agent-framework-workflow-aifoundry-condition.cs:98
Tags: duplication, quality
API access

This page is publicly accessible at: https://repobility.com/scan/0b896f18-8e7e-4293-ac65-699f3c3b237c/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/0b896f18-8e7e-4293-ac65-699f3c3b237c/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.