90 of your 216 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 7.09s · analysis 18.07s · 14.7 MB · GitHub API rate-limit (preflight)

sansan0/TrendRadar

https://github.com/sansan0/TrendRadar · scanned 2026-06-05 09:52 UTC (5 days, 16 hours ago) · 10 languages

388 raw signals (206 security + 182 graph) · 34th percentile · Python · medium (20-100K LoC) · System graph score 60 (lower by 17)


Complete repo analysis

Last scanned 5 days, 16 hours ago · v2 · 169 actionable findings from 2 signal sources. 127 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component            Sub-score  Weight  Contribution
structure_score           75.0    0.15         11.25
security_score            35.2    0.25          8.80
testing_score              0.0    0.20          0.00
documentation_score       88.7    0.15         13.30
practices_score           59.0    0.15          8.85
code_quality              13.6    0.10          1.36
Overall                            1.00          43.6
Scan summary Quality grade D (44/100). Dimensions: security 35, maintainability 75. 206 findings (78 security). 36,128 lines analyzed.

Showing 146 of 169 actionable findings. 296 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 authlib: GHSA-wvwj-cvrp-7pv5
Authlib JWS JWK Header Injection: Signature Verification Bypass
uv.lock
critical Security checks security secrets conf 0.95 Discovered a Slack Webhook, which could lead to unauthorized message posting and data leakage in Slack channels.
Gitleaks detected a committed secret or credential pattern.
README-EN.md:1753
critical Security checks security secrets conf 0.95 Discovered a Slack Webhook, which could lead to unauthorized message posting and data leakage in Slack channels.
Gitleaks detected a committed secret or credential pattern.
README.md:1807
critical Security checks software dependencies conf 0.88 2 occurrences fastmcp: GHSA-vv7q-7jx5-f767
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
2 files, 2 locations
requirements.txt
uv.lock
critical Security checks software dependencies conf 0.88 2 occurrences litellm: GHSA-jjhc-v7c2-5hh6
LiteLLM: Authentication bypass via OIDC userinfo cache key collision
2 files, 2 locations
requirements.txt
uv.lock
critical Security checks software dependencies conf 0.88 2 occurrences litellm: GHSA-r75f-5x8p-qvmc
LiteLLM has SQL Injection in Proxy API key verification
2 files, 2 locations
requirements.txt
uv.lock
high Security checks quality Quality conf 1.00 ✓ Repobility 13 occurrences Missing import: `html` used but not imported
The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.
8 files, 13 locations
trendradar/__main__.py:885, 1081 (2 hits)
trendradar/ai/analyzer.py:271, 475 (2 hits)
trendradar/notification/dispatcher.py:117, 144 (2 hits)
trendradar/notification/splitter.py:1264, 1572 (2 hits)
trendradar/report/html.py:1822, 1975 (2 hits)
mcp_server/tools/notification.py:684
trendradar/core/loader.py:429
trendradar/report/generator.py:43
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.
setup-mac.sh:27
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.platforms` used but never assigned in __init__
Method `platform_ids` of class `AppContext` reads `self.platforms`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
lines 104, 114, 119, 155, 161, 165, 169, 173, +17 more
trendradar/context.py:104, 114, 119, 155, 161, 165, 169, 173, +17 more (25 hits)
high Security checks software dependencies conf 0.88 authlib: GHSA-7432-952r-cw78
Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle
uv.lock
high Security checks software dependencies conf 0.88 authlib: GHSA-7wc2-qxgw-g8gg
Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification
uv.lock
high Security checks software dependencies conf 0.88 authlib: GHSA-m344-f55w-2m6j
Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding
uv.lock
high Security checks software dependencies conf 0.88 authlib: PYSEC-2026-188
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attac…
uv.lock
high Security checks software dependencies conf 0.88 authlib: PYSEC-2026-25
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.
uv.lock
high Security checks software dependencies conf 0.88 cryptography: GHSA-r6ph-v2qm-q3c2
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
uv.lock
high Security checks software dependencies conf 0.88 cryptography: PYSEC-2026-35
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography woul…
uv.lock
high Security checks software dependencies conf 0.88 cryptography: PYSEC-2026-36
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in…
uv.lock
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest
`FROM python:3.12-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
docker/Dockerfile:1
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest
`FROM python:3.12-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
docker/Dockerfile.mcp:1
high Security checks software dependencies conf 0.88 2 occurrences fastmcp: GHSA-5h2m-4q8j-pqpj
FastMCP OAuth Proxy token reuse across MCP servers
2 files, 2 locations
requirements.txt
uv.lock
high Security checks software dependencies conf 0.88 2 occurrences fastmcp: GHSA-c2jp-c369-7pvx
FastMCP Auth Integration Allows for Confused Deputy Account Takeover
2 files, 2 locations
requirements.txt
uv.lock
high Security checks software dependencies conf 0.88 2 occurrences fastmcp: GHSA-rcfx-77hg-w2wv
FastMCP updated to MCP 1.23+ due to CVE-2025-66416
2 files, 2 locations
requirements.txt
uv.lock
high Security checks software dependencies conf 0.88 2 occurrences fastmcp: GHSA-rww4-4w9c-7733
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
2 files, 2 locations
requirements.txt
uv.lock
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 11 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 11 locations
.github/workflows/crawler.yml:57, 116 (4 hits)
.github/workflows/docker.yml:33, 83 (4 hits)
.github/workflows/issue-guard.yml:22, 39 (3 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 15 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `Mattraks/delete-workflow-runs` pinned to mutable ref `@v2` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
4 files, 15 locations
.github/workflows/docker.yml:36, 39, 45, 52, 61, 86, 89, 95, +2 more (10 hits)
.github/workflows/clean-crawler.yml:21 (2 hits)
.github/workflows/crawler.yml:122 (2 hits)
.github/workflows/issue-guard.yml:25
Tags: CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 2 occurrences litellm: GHSA-53mr-6c8q-9789
LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint
2 files, 2 locations
requirements.txt
uv.lock
high Security checks software dependencies conf 0.88 2 occurrences litellm: GHSA-69x8-hrgq-fjj8
LiteLLM: Password hash exposure and pass-the-hash authentication bypass
2 files, 2 locations
requirements.txt
uv.lock
high Security checks software dependencies conf 0.88 2 occurrences litellm: GHSA-v4p8-mg3p-g94g
LiteLLM: Authenticated command execution via MCP stdio test endpoints
2 files, 2 locations
requirements.txt
uv.lock
high Security checks software dependencies conf 0.88 2 occurrences litellm: GHSA-wxxx-gvqv-xp7p
LiteLLM has a sandbox escape in custom-code guardrail
2 files, 2 locations
requirements.txt
uv.lock
high Security checks software dependencies conf 0.88 2 occurrences litellm: GHSA-xqmj-j6mv-4862
LiteLLM: Server-Side Template Injection in /prompts/test endpoint
2 files, 2 locations
requirements.txt
uv.lock
high Security checks software dependencies conf 0.88 mcp: GHSA-9h52-p55h-vw2f
Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default
uv.lock
high Security checks software dependencies conf 0.88 python-multipart: GHSA-pp6c-gr5w-3c5g
python-multipart has Denial of Service via unbounded multipart part headers
uv.lock
high Security checks software dependencies conf 0.88 python-multipart: GHSA-wp53-j4wj-2cfg
Python-Multipart has Arbitrary File Write via Non-Default Configuration
uv.lock
high Security checks software dependencies conf 0.88 starlette: GHSA-7f5h-v6xp-fcq8
Starlette vulnerable to O(n^2) DoS via Range header merging in `starlette.responses.FileResponse`
uv.lock
high Security checks software dependencies conf 0.88 starlette: PYSEC-2026-161
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
uv.lock
high Security checks software dependencies conf 0.88 urllib3: GHSA-2xpw-w6gg-jr37
urllib3 streaming API improperly handles highly compressed data
uv.lock
high Security checks software dependencies conf 0.88 urllib3: GHSA-38jv-5279-wg99
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
uv.lock
high Security checks software dependencies conf 0.88 urllib3: GHSA-gm62-xv2j-4w53
urllib3 allows an unbounded number of links in the decompression chain
uv.lock
high Security checks software dependencies conf 0.88 urllib3: PYSEC-2026-141
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
uv.lock
high System graph security Secrets conf 1.00 .env file present in repo: docker/.env
A raw .env file is in the working tree. Verify it isn't committed and that secrets are in a vault.
Config
medium Security checks quality Practices conf 1.00 [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
Add a .gitignore appropriate for your language/framework.
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
trendradar/utils/time.py:269
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
start-http.sh:21
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
mcp_server/server.py:120
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-c427-h43c-vf67
AIOHTTP accepts duplicate Host headers
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-hg6j-4rv6-33pg
AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-jg22-mg44-37j8
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-m5qp-6w8w-w647
AIOHTTP has a Multipart Header Size Bypass
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-p998-jp59-783m
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
uv.lock
medium Security checks software dependencies conf 0.88 aiohttp: GHSA-w2fm-2cpv-w7v5
aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
uv.lock
medium Security checks software dependencies conf 0.88 authlib: GHSA-fg6f-75jq-6523
Authlib has 1-click Account Takeover vulnerability
uv.lock
medium Security checks quality Quality Average file size is 602 lines (recommend <300)
Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle — each module should have one clear purpose.
low Security checks quality Error handling conf 0.55 ✓ Repobility 25 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
3 files, 25 locations
trendradar/__main__.py:75, 164, 266, 298, 445, 568, 617, 1211, +11 more (19 hits)
docker/manage.py:31, 46, 127, 149, 236 (5 hits)
mcp_server/server.py:177
Tags: Error handling · quality
medium Security checks cicd CI/CD security conf 0.94 2 occurrences Compose service `trendradar` image uses the latest tag
The latest tag is mutable and can change without a code review, producing different images from the same source.
lines 1, 57
docker/docker-compose.yml:1, 57 (2 hits)
Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
docker/Dockerfile.mcp:1
Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
docker/Dockerfile:1
Tags: CI/CD security · containers
medium Security checks software dependencies conf 0.88 2 occurrences fastmcp: GHSA-m8x7-r2rg-vh5g
FastMCP has a Command Injection vulnerability - Gemini CLI
2 files, 2 locations
requirements.txt
uv.lock
medium Security checks software dependencies conf 0.88 2 occurrences fastmcp: GHSA-mxxr-jv3v-6pgc
FastMCP vulnerable to reflected XSS in client's callback page
2 files, 2 locations
requirements.txt
uv.lock
medium Security checks software dependencies conf 0.88 2 occurrences fastmcp: GHSA-rj5c-58rq-j5g5
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name
2 files, 2 locations
requirements.txt
uv.lock
medium Security checks software dependencies conf 0.88 idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
uv.lock
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
trendradar/report/html.py:2229
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.90 Python package `fastmcp` is 1 major version(s) behind (2.12.5 -> 3.4.0)
`fastmcp==2.12.5` is 1 major version(s) behind the latest stable release on PyPI (3.4.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:4
medium Security checks software dependencies conf 0.90 Python package `tenacity` is 1 major version(s) behind (8.5.0 -> 9.1.4)
`tenacity==8.5.0` is 1 major version(s) behind the latest stable release on PyPI (9.1.4). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:10
medium Security checks software dependencies conf 0.90 Python package `websockets` is 3 major version(s) behind (13.1 -> 16.0)
`websockets==13.1` is 3 major version(s) behind the latest stable release on PyPI (16.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:5
medium Security checks software dependencies conf 0.88 python-dotenv: GHSA-mf9w-mj56-hr94
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
uv.lock
medium Security checks software dependencies conf 0.88 python-multipart: GHSA-mj87-hwqh-73pj
python-multipart affected by Denial of Service via large multipart preamble or epilogue data
uv.lock
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
setup-mac.sh:27
medium Security checks software dependencies conf 0.88 werkzeug: GHSA-29vq-49wr-vm6x
Werkzeug safe_join() allows Windows special device names
uv.lock
medium Security checks software dependencies conf 0.88 werkzeug: GHSA-87hc-h4r5-73f7
Werkzeug safe_join() allows Windows special device names with compound extensions
uv.lock
medium Security checks software dependencies conf 0.88 werkzeug: GHSA-hgf8-39gv-g3f2
Werkzeug safe_join() allows Windows special device names
uv.lock
medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in docker/manage.py:24
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
docker/manage.py:24
Tags: Subprocess shell true
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — docker/manage.py:418
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
Tags: runtime safety · Robustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph network Security conf 1.00 Privileged port 11 in use
Port 11 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
config/timeline.yaml
Tags: Ports
medium System graph network Security conf 1.00 Privileged port 12 in use
Port 12 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
config/timeline.yaml
Tags: Ports
medium System graph network Security conf 1.00 Privileged port 13 in use
Port 13 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
config/timeline.yaml
Tags: Ports
medium System graph network Security conf 1.00 Privileged port 14 in use
Port 14 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
config/timeline.yaml
Tags: Ports
medium System graph network Security conf 1.00 Privileged port 15 in use
Port 15 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
config/timeline.yaml
Tags: Ports
medium System graph network Security conf 1.00 Privileged port 17 in use
Port 17 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
config/timeline.yaml
Tags: Ports
medium System graph network Security conf 1.00 Privileged port 19 in use
Port 19 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
config/timeline.yaml
Tags: Ports
medium System graph network Security conf 1.00 Privileged port 20 in use
Port 20 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
config/timeline.yaml
Tags: Ports
medium System graph network Security conf 1.00 Privileged port 21 in use
Port 21 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
config/timeline.yaml
Tags: Ports
medium System graph network Security conf 1.00 Privileged port 23 in use
Port 23 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
config/timeline.yaml
Tags: Ports
medium System graph network Security conf 1.00 Privileged port 587 in use
Port 587 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
mcp_server/tools/notification.py
Tags: Ports
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 66 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore
Tags: CI/CD security · containers
low Security checks software dependencies conf 0.88 aiohttp: GHSA-2vrm-gr82-f7m5
AIOHTTP has CRLF injection through multipart part content type header construction
uv.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-3wq7-rqq7-wx6j
AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
uv.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-63hf-3vf5-4wqf
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass
uv.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-966j-vmvw-g2g9
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
uv.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-hcc4-c3v8-rx92
AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
uv.lock
low Security checks software dependencies conf 0.88 aiohttp: GHSA-mwh4-6h8g-pg8w
AIOHTTP has HTTP response splitting via \r in reason phrase
uv.lock
high Security checks cicd CI/CD security conf 0.56 2 occurrences Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
lines 1, 57
docker/docker-compose.yml:1, 57 (2 hits)
Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 2 occurrences Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
lines 1, 57
docker/docker-compose.yml:1, 57 (2 hits)
Tags: CI/CD security · containers
low Security checks quality Quality conf 0.60 4 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
4 files, 4 locations
mcp_server/tools/search_tools.py:191
mcp_server/tools/storage_sync.py:254
mcp_server/tools/system.py:43
trendradar/storage/remote.py:103
Tags: duplication · quality
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.74 Public web app has no robots.txt
Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.
robots.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
low Security checks software dependencies conf 0.88 pygments: GHSA-5239-wwwm-4pmq
Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching
uv.lock
low Security checks software dependencies conf 0.90 Python package `json-repair` is minor version(s) behind (0.58.6 -> 0.60.1)
`json-repair==0.58.6` is minor version(s) behind the latest stable release on PyPI (0.60.1). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:9
low Security checks software dependencies conf 0.90 Python package `litellm` is minor version(s) behind (1.82.6 -> 1.87.1)
`litellm==1.82.6` is minor version(s) behind the latest stable release on PyPI (1.87.1). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:8
low Security checks software dependencies conf 0.90 Python package `pytz` is minor version(s) behind (2026.1 -> 2026.2)
`pytz==2026.1` is minor version(s) behind the latest stable release on PyPI (2026.2). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:2
low Security checks software dependencies conf 0.90 Python package `requests` is minor version(s) behind (2.33.0 -> 2.34.2)
`requests==2.33.0` is minor version(s) behind the latest stable release on PyPI (2.34.2). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
requirements.txt:1
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.12-slim-bookworm
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/Dockerfile:1
Tags: containers · Pinned dependencies
low System graph frontend Frontend quality conf 1.00 Icon-only button without accessible name — docs/assets/script.js:1790
A `<button>` whose only child is a single glyph or symbol needs `title=` or `aria-label=` so screen readers (and tooltips on hover) work. Why: P3 in CHECKLIST.md — icon-only buttons skipped a title. Rule id: fq.button.no-label
Tags: Fq button no label
low System graph quality Integrity conf 1.00 13 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: trendradar/context.py:render_feishu, trendradar/context.py:render_dingtalk This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
13 occurrences
repo-level (13 hits)
Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 3 occurrences Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: trendradar/notification/senders.py:send_to_feishu, trendradar/notification/senders.py:send_to_dingtalk, trendradar/notification/senders.py:send_to_wework, trendradar/notification/senders.py:send_to_slack This is *the* AI-coder failure mode (4× more d…
3 occurrences
repo-level (3 hits)
Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `calculate_days_old` in trendradar/__main__.py:28
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `calculate_days_old` in trendradar/utils/time.py:242
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `list_objects_v2` in trendradar/storage/remote.py:698
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `title_data_copy` in trendradar/notification/renderer.py:91
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `title_data_copy` in trendradar/notification/splitter.py:690
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `validate_date_not_too_old` in mcp_server/utils/date_parser.py:312
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `validate_date_not_too_old` in mcp_server/utils/validators.py:667
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: is_first_crawl
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
trendradar/context.py:230
low System graph software Dead code conf 1.00 Possibly dead Python function: make_cache_key
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
mcp_server/services/cache_service.py:14
low System graph software Dead code conf 1.00 Possibly dead Python function: manual_run
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docker/manage.py:35
low System graph software Dead code conf 1.00 Possibly dead Python function: merge_with
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
trendradar/storage/base.py:230
low System graph software Dead code conf 1.00 Possibly dead Python function: parse_url
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
trendradar/crawler/rss/parser.py:196
low System graph software Dead code conf 1.00 Possibly dead Python function: pull_from_remote
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
trendradar/storage/manager.py:176
low System graph software Dead code conf 1.00 Possibly dead Python function: render_ai_analysis_telegram
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
trendradar/ai/formatter.py:233
low System graph software Dead code conf 1.00 Possibly dead Python function: render_dingtalk
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
trendradar/context.py:386
low System graph software Dead code conf 1.00 Possibly dead Python function: render_feishu
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
trendradar/context.py:369
low System graph software Dead code conf 1.00 Possibly dead Python function: restart_supercronic
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docker/manage.py:430
low System graph software Dead code conf 1.00 Possibly dead Python function: run_command
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docker/manage.py:24
low System graph software Dead code conf 1.00 Possibly dead Python function: show_config
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docker/manage.py:277
low System graph software Dead code conf 1.00 Possibly dead Python function: show_files
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docker/manage.py:336
low System graph software Dead code conf 1.00 Possibly dead Python function: show_logs
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docker/manage.py:404
low System graph software Dead code conf 1.00 Possibly dead Python function: show_status
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docker/manage.py:131
low System graph software Dead code conf 1.00 Possibly dead Python function: split_content
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
trendradar/context.py:402
low System graph software Dead code conf 1.00 Possibly dead Python function: translate
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
trendradar/ai/translator.py:65
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/assets/script.js:161
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Integrity conf 1.00 Stub function `get_latest_prompt_hash` (body is just `pass`/`return`) — trendradar/storage/base.py:481
Likely an AI scaffold that was never filled in. Remove or implement. One check before deleting: in a module named `base.py` a `pass` body can be a deliberate no-op default that concrete storage backends override, so look for an overriding implementation in the subclasses first. If none exists, every caller silently receives `None`, which is the behaviour to fix.
Empty handler · Dead code
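The three heuristics behind the old-name findings, the "Possibly dead Python function" findings and the stub finding above can all be reproduced with one AST pass. The following is an added example, not Repobility's engine and not TrendRadar code: it collects every name read anywhere in the supplied modules, treats a function that is never read and not exported through `__all__` as a dead candidate (and marks decorated ones as probable framework handlers, the caveat the findings themselves raise), reports bodies that are only `pass`, `...`, a bare or constant `return`, or a `raise`, and applies the suffix heuristic with an allowlist so that `list_objects_v2`, the boto3 name for S3 ListObjectsV2, is not reported. The sample module and the `cli` framework it imports are constructed for the example.

```python
import ast
import re
from typing import Dict, List, Set

# Suffixes the heuristic treats as "replaced but not removed" markers.
OLD_NAME_RE = re.compile(r"(_old|_v\d+|_deprecated|_legacy|_copy|_backup|_orig)$")
# Suffixes inherited from an external API are not local revisions: boto3
# exposes the S3 ListObjectsV2 operation as list_objects_v2.
OLD_NAME_ALLOWLIST: Set[str] = {"list_objects_v2"}


def _is_stub(fn: ast.AST) -> bool:
    """Body is only a docstring, `pass`, `...`, a bare/constant `return` or a `raise`."""
    body = fn.body
    if body and isinstance(body[0], ast.Expr) and isinstance(body[0].value, ast.Constant) \
            and isinstance(body[0].value.value, str):
        body = body[1:]  # a docstring alone does not make a body
    if len(body) != 1:
        return not body
    s = body[0]
    return (isinstance(s, (ast.Pass, ast.Raise))
            or (isinstance(s, ast.Return) and (s.value is None or isinstance(s.value, ast.Constant)))
            or (isinstance(s, ast.Expr) and isinstance(s.value, ast.Constant) and s.value.value is Ellipsis))


def _referenced_names(tree: ast.AST) -> Set[str]:
    """Every bare name or attribute read in the module. Matching is by name only,
    so an unrelated `obj.translate()` keeps a module-level `translate` alive:
    coarse, but it errs toward fewer false "delete this" reports."""
    names: Set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            names.add(node.id)
        elif isinstance(node, ast.Attribute) and isinstance(node.ctx, ast.Load):
            names.add(node.attr)
    return names


def _exported_names(tree: ast.AST) -> Set[str]:
    """String entries of `__all__`; exported names may have callers outside the repo."""
    out: Set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, (ast.List, ast.Tuple)) \
                and any(isinstance(t, ast.Name) and t.id == "__all__" for t in node.targets):
            out.update(e.value for e in node.value.elts
                       if isinstance(e, ast.Constant) and isinstance(e.value, str))
    return out


def scan(files: Dict[str, str]) -> List[Dict[str, str]]:
    """Findings of kind 'dead', 'stub' or 'old_name' across the given modules."""
    trees = {path: ast.parse(src, filename=path) for path, src in files.items()}
    referenced, exported = set(), set()
    for tree in trees.values():
        referenced |= _referenced_names(tree)
        exported |= _exported_names(tree)
    findings: List[Dict[str, str]] = []
    for path, tree in trees.items():
        for node in ast.walk(tree):
            if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
                continue
            name, where = node.name, f"{path}:{node.lineno}"
            if name.startswith("__") and name.endswith("__"):
                continue  # dunders are invoked by the runtime, never by name
            if name not in referenced and name not in exported:
                note = "decorated; likely a framework handler" if node.decorator_list else "no callers found"
                findings.append({"kind": "dead", "name": name, "where": where, "note": note})
            if _is_stub(node):
                findings.append({"kind": "stub", "name": name, "where": where, "note": "empty body"})
            if OLD_NAME_RE.search(name) and name not in OLD_NAME_ALLOWLIST:
                findings.append({"kind": "old_name", "name": name, "where": where,
                                 "note": "suffix heuristic; check the suffix is not part of the meaning"})
    return findings


# Constructed sample module (parsed, never executed); `cli` is a hypothetical CLI framework.
SAMPLE_FILES = {"app.py": '''
from cli import app

def run_command(cmd):
    return cmd

@app.command()
def show_logs():
    return run_command("docker logs")

def manual_run():
    return run_command("python -m trendradar")

class Store:
    def get_latest_prompt_hash(self):
        pass
    def list_objects_v2(self, bucket):
        return self.client.list_objects_v2(Bucket=bucket)
    def calculate_days_old(self, ts):
        return (self.now() - ts).days
    def render_v1(self, item):
        return str(item)

def summary(store, item):
    return f"{item.title} ({store.calculate_days_old(item.ts)}d)"

__all__ = ["Store", "summary"]
'''}
```

On the sample, `show_logs` is reported dead but annotated as decorated (a CLI framework will call it by registration, not by name), `manual_run` has genuinely no callers, `get_latest_prompt_hash` is both dead and a stub, `render_v1` is both dead and old-named, and `calculate_days_old` is old-named but alive. `list_objects_v2` never appears. The allowlist is the honest part of the design: a suffix regex cannot tell a local revision from a name inherited from an API, so the list of known API names has to be maintained by hand.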
low System graph quality Complexity conf 1.00 Very large file: docs/assets/script.js (5831 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: mcp_server/tools/analytics.py (2639 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: mcp_server/tools/notification.py (1408 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: trendradar/__main__.py (2327 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: trendradar/notification/senders.py (1327 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: trendradar/notification/splitter.py (1871 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: trendradar/report/html.py (3221 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: trendradar/storage/sqlite_mixin.py (1765 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/1178e500-7bf6-4ce8-86a4-9303c4049b1d/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/1178e500-7bf6-4ce8-86a4-9303c4049b1d/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.