Public scan — anyone with this URL can view this analysis.
164 of your 327 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 20.6s · analysis 30.21s · 77.2 MB · GitHub API rate-limit (preflight)

microsoft/aspire

https://github.com/microsoft/aspire · scanned 2026-06-06 00:52 UTC (4 days ago) · 10 languages

805 raw signals (305 security + 500 graph) · 11/13 scanners ran · 83rd percentile · Csharp · huge (>500K LoC) · System graph score 59 (higher by 27)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days ago · v2 · 307 actionable findings from 2 signal sources. 239 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 65.0 | 0.15 | 9.75 |
| security_score | 100.0 | 0.25 | 25.00 |
| testing_score | 100.0 | 0.20 | 20.00 |
| documentation_score | 67.0 | 0.15 | 10.05 |
| practices_score | 88.0 | 0.15 | 13.20 |
| code_quality | 79.0 | 0.10 | 7.90 |
| Overall | | 1.00 | 85.9 |

security_score may be inflated — optional security scanners were skipped on this fast scan
Scan summary Quality grade A- (86/100). Dimensions: security 100, maintainability 65. 305 findings (92 security). 742,802 lines analyzed.

Showing 256 of 307 actionable findings. 546 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
playground/Stress/Stress.ApiService/ConsoleStresser.cs:54
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 25 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
lines 160, 417, 418, 429, 430, 485, 487, 503, +17 more
.github/workflows/pr-docs-check.lock.yml:160, 417, 418, 429, 430, 485, 487, 503, +17 more (25 hits)
CI/CD security · workflow secrets · GitHub Actions
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.
extension/src/commands/walkthroughCommands.ts:22
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.
.github/workflows/polyglot-validation/install-dotnet.sh:12
high Security checks quality Quality conf 1.00 ✓ Repobility 16 occurrences [MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `Handler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.path = <default>` in __init__, or add a class-level default.
lines 45, 46, 47, 48, 56, 59, 61, 66, +8 more
playground/TypeScriptApps/RpsArena/python-player/app.py:45, 46, 47, 48, 56, 59, 61, 66, +8 more (16 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express DELETE /run_session/:id has no auth: Express route DELETE /run_session/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.delete('/run_session/:id', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/AspireDcpServer.ts:459
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /api/move has no auth: Express route POST /api/move declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/api/move', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
playground/TypeScriptApps/RpsArena/node-player/src/server.ts:63
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/asset has no auth: Express route POST /telemetry/asset declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/asset', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:297
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/commandLineFlags has no auth: Express route POST /telemetry/commandLineFlags declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/commandLineFlags', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:315
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/endOperation has no auth: Express route POST /telemetry/endOperation declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/endOperation', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:256
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/endUserTask has no auth: Express route POST /telemetry/endUserTask declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/endUserTask', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:264
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/fault has no auth: Express route POST /telemetry/fault declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/fault', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:276
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/operation has no auth: Express route POST /telemetry/operation declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/operation', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:268
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/property has no auth: Express route POST /telemetry/property declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/property', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:312
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/recurringProperty has no auth: Express route POST /telemetry/recurringProperty declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/recurringProperty', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:313
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/start has no auth: Express route POST /telemetry/start declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/start', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:248
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/startOperation has no auth: Express route POST /telemetry/startOperation declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/startOperation', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:252
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/startUserTask has no auth: Express route POST /telemetry/startUserTask declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/startUserTask', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:260
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /telemetry/userTask has no auth: Express route POST /telemetry/userTask declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/telemetry/userTask', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/DashboardTelemetryPassthrough.ts:272
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express PUT /run_session has no auth: Express route PUT /run_session declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.put('/run_session', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
extension/src/dcp/AspireDcpServer.ts:271
high Security checks software dependencies conf 0.90 ✓ Repobility 25 occurrences [MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/dotnet:10.0-noble` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/dotnet:10.0-noble` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM mcr.microsoft.com/devcontainers/dotnet:10.0-noble@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
12 files, 21 locations
playground/AspireWithNode/AspireWithNode.AppHost/frontend.Dockerfile:1, 8, 14 (3 hits)
playground/AspireWithJavaScript/AspireJavaScript.Angular/Dockerfile:2, 14 (2 hits)
playground/AspireWithJavaScript/AspireJavaScript.AppHost/node.Dockerfile:2, 8 (2 hits)
playground/AspireWithJavaScript/AspireJavaScript.React/Dockerfile:2, 14 (2 hits)
playground/AspireWithJavaScript/AspireJavaScript.Vue/Dockerfile:2, 14 (2 hits)
playground/withdockerfile/WithDockerfile.AppHost/dynamic-async.Dockerfile:1, 5 (2 hits)
playground/withdockerfile/WithDockerfile.AppHost/dynamic-sync.Dockerfile:1, 6 (2 hits)
playground/withdockerfile/WithDockerfile.AppHost/qots/Dockerfile:3, 9 (2 hits)
high Security checks software dependencies conf 0.90 ✓ Repobility 7 occurrences [MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/qs` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` — host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry.
Verify the host is intentional. If your org uses a private registry, add it to your scanner's allowlist (CANONICAL_NPM_HOSTS). Otherwise, regenerate the lockfile against the canonical registry.
7 files, 7 locations
playground/AspireWithJavaScript/AspireJavaScript.NodeApp/package-lock.json:1
playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json:1
playground/AspireWithNode/NodeFrontend/package-lock.json:1
playground/PostgresEndToEnd/PostgresEndToEnd.NodeService/package-lock.json:1
playground/TypeScriptAppHost/express-api/package-lock.json:1
playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json:1
playground/TypeScriptApps/RpsArena/node-player/package-lock.json:1
high Security checks security secrets conf 1.00 [SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.
Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed.
eng/scripts/aspire-pr-container/run-aspire-pr-container.sh:123
high Security checks cicd CI/CD security conf 1.00 [SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level rule: skip if file contains `^\s*USER\s+\S+` other than `root`.
Add `RUN adduser -D app` followed by a separate `USER app` instruction before the CMD/ENTRYPOINT.
playground/withdockerfile/WithDockerfile.AppHost/qots/qots.go:1
CI/CD security · containers
high Security checks cicd CI/CD security conf 1.00 [SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level rule: skip if file contains `^\s*USER\s+\S+` other than `root`.
Add `RUN adduser -D app` followed by a separate `USER app` instruction before the CMD/ENTRYPOINT.
playground/deployers/Deployers.Dockerfile/app.py:1
CI/CD security · containers
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
eng/restore-toolset.sh:84
high Security checks cicd CI/CD security conf 0.90 Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
playground/publishers/aspire-output/docker-compose.yaml:9
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.90 Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
playground/publishers/Publishers.AppHost/docker-compose.yaml:1
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.84 2 occurrences Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
lines 1, 45
playground/publishers/Publishers.AppHost/docker-compose.yaml:1, 45 (2 hits)
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.92 4 occurrences Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
3 files, 4 locations
tests/Shared/Docker/Dockerfile.e2e:72, 86 (2 hits)
.github/workflows/polyglot-validation/Dockerfile.python:26
tests/Shared/Docker/Dockerfile.e2e-polyglot-base:74
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.90 ✓ Repobility GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `dotnet/arcade/.github/workflows/scheduled-action-cleanup-base.yml` pinned to mutable ref `@main`: `uses: dotnet/arcade/.github/workflows/scheduled-action-cleanup-base.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
.github/workflows/backport.yml:26
CI/CD security · Supply chain · GitHub Actions
high System graph api Wiring conf 1.00 Dangling fetch: DELETE /api/rounds (playground/TypeScriptApps/RpsArena/arena-frontend/src/App.tsx:91)
`playground/TypeScriptApps/RpsArena/arena-frontend/src/App.tsx:91` calls `DELETE /api/rounds` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rounds` If this points at an external API, prefix it with `https://` so th…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/leaderboard (playground/TypeScriptApps/RpsArena/arena-frontend/src/App.tsx:45)
`playground/TypeScriptApps/RpsArena/arena-frontend/src/App.tsx:45` calls `GET /api/leaderboard` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/leaderboard` If this points at an external API, prefix it with `https://…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/players (playground/TypeScriptApps/RpsArena/arena-frontend/src/App.tsx:52)
`playground/TypeScriptApps/RpsArena/arena-frontend/src/App.tsx:52` calls `GET /api/players` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/players` If this points at an external API, prefix it with `https://` so the…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET /api/rounds?limit=10 (playground/TypeScriptApps/RpsArena/arena-frontend/src/App.tsx:44)
`playground/TypeScriptApps/RpsArena/arena-frontend/src/App.tsx:44` calls `GET /api/rounds?limit=10` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rounds` If this points at an external API, prefix it with `https://`…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: GET https://127.0.0.1:1/browser-network-failure?ts=${Date.now()} (playground/BrowserTelemetry/BrowserTelemetry.Web/Scripts/index.js:85)
`playground/BrowserTelemetry/BrowserTelemetry.Web/Scripts/index.js:85` calls `GET https://127.0.0.1:1/browser-network-failure?ts=${Date.now()}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/127.0.0.1:1/brows…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/rounds/play (playground/TypeScriptApps/RpsArena/arena-frontend/src/App.tsx:78)
`playground/TypeScriptApps/RpsArena/arena-frontend/src/App.tsx:78` calls `POST /api/rounds/play` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rounds/play` If this points at an external API, prefix it with `https:/…
Dangling fetch · Fetch
high System graph api Wiring conf 1.00 Dangling fetch: POST /api/validatetoken (src/Aspire.Dashboard/Components/Pages/Login.razor.js:3)
`src/Aspire.Dashboard/Components/Pages/Login.razor.js:3` calls `POST /api/validatetoken` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/validatetoken` If this points at an external API, prefix it with `https://` so …
Dangling fetch · Fetch
high System graph cicd CI/CD security conf 1.00 GitHub Action tracks a moving branch
dotnet/arcade/.github/workflows/scheduled-action-cleanup-base.yml@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/backport.yml:26
CI/CD security · Supply chain · Github actions
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
playground/aspireify-eval/polyglot/frontend/src/App.tsx:15
medium Security checks software dependencies conf 0.90 ✓ Repobility [MINED124] requirements.txt: `opentelemetry-distro[otlp]` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `opentelemetry-distro[otlp]` with `opentelemetry-distro[otlp]==<version>` and manage upgrades through PRs / Dependabot.
playground/python/instrumented_script/requirements.txt:1
medium Security checks cicd CI/CD security conf 1.00 [SEC068] Dockerfile: base image uses :latest or no tag: FROM uses :latest or no tag — builds are not reproducible and may pull a compromised parent image. Ported from trivy DS001 (Apache-2.0).
Pin to a specific version tag (e.g. python:3.12.4-slim) or digest (image@sha256:...).
playground/deployers/Deployers.Dockerfile/app.py:1
CI/CD security · containers
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
playground/python/flask_app/app.py:40
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/Aspire.Cli/Projects/AppHostRpcClient.cs:161
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/Aspire.Cli/Commands/AppHostFollowDisconnectHelpers.cs:41
low Security checks quality Error handling conf 0.55 ✓ Repobility 4 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
4 files, 4 locations
eng/common/cross/install-debs.py:92
playground/FoundryAgentBasic/app/main.py:49
playground/FoundryAgents/app/main.py:45
playground/deployers/Deployers.Dockerfile/app.py:81
Error handling · quality
medium Security checks cicd CI/CD security conf 0.94 Compose service `env-dashboard` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
playground/publishers/aspire-output/docker-compose.yaml:1
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.86 Database dump or local database file is included in Docker build context
Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow.
.dockerignore
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.88 4 occurrences Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
2 files, 4 locations
playground/publishers/Publishers.AppHost/docker-compose.yaml:1, 45 (2 hits)
playground/publishers/aspire-output/docker-compose.yaml:9, 57 (2 hits)
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 21 occurrences Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
12 files, 12 locations
.devcontainer/Dockerfile:1
.github/workflows/polyglot-validation/Dockerfile.golang:13
.github/workflows/polyglot-validation/Dockerfile.java:13
.github/workflows/polyglot-validation/Dockerfile.python:13
.github/workflows/polyglot-validation/Dockerfile.rust:13
.github/workflows/polyglot-validation/Dockerfile.typescript:14
eng/scripts/aspire-pr-container/Dockerfile:1
playground/AspireWithJavaScript/AspireJavaScript.Angular/Dockerfile:15
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.76 10 occurrences Dockerfile copies broad context with incomplete .dockerignore
Tighten .dockerignore or replace COPY . with explicit COPY statements.
10 files, 10 locations
playground/AspireWithJavaScript/AspireJavaScript.Angular/Dockerfile:11
playground/AspireWithJavaScript/AspireJavaScript.React/Dockerfile:11
playground/AspireWithJavaScript/AspireJavaScript.Vue/Dockerfile:11
playground/AzureContainerApps/AzureContainerApps.AppHost/AppWithDocker/Dockerfile:8
playground/AzureFunctionsEndToEnd/AzureFunctionsEndToEnd.Functions/Dockerfile:3
playground/deployers/Deployers.Dockerfile/Dockerfile:36
playground/publishers/Publishers.AppHost/qots/Dockerfile:5
playground/withdockerfile/WithDockerfile.AppHost/qots/Dockerfile:5
CI/CD security · containers
high Security checks software dependencies conf 0.70 3 occurrences Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
3 files, 3 locations
.github/workflows/dogfood-comment.yml:45
README.md:78
docs/using-latest-daily.md:22
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — extension/src/test/dashboardTelemetryRoutes.test.ts:89
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/AspireWithBun/BunFrontend/server.ts:11
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/AspireWithJavaScript/AspireJavaScript.React/src/components/App.js:8
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/AspireWithJavaScript/AspireJavaScript.Vite/src/App.tsx:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/AspireWithNode/NodeFrontend/app.js:60
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/BlazorStandalone/BlazorStandalone.ClientServiceDefaults/wwwroot/BlazorStandalone.ClientServiceDefaults.lib.module.js:7
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/BrowserTelemetry/BrowserTelemetry.Web/Scripts/index.js:70
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/BrowserTelemetry/BrowserTelemetry.Web/wwwroot/scripts/bundle.js:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/TypeScriptApps/RpsArena/arena-frontend/src/App.tsx:44
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/Aspire.Dashboard/wwwroot/framework/10/blazor.web.js:1
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/Aspire.Dashboard/wwwroot/framework/11/blazor.web.js:1
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/Aspire.Dashboard/wwwroot/js/d3.v7.min.js:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph hardware Security conf 1.00 Dockerfile runs as root: .devcontainer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: eng/scripts/aspire-pr-container/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: playground/AspireWithJavaScript/AspireJavaScript.Angular/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: playground/AspireWithJavaScript/AspireJavaScript.React/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: playground/AspireWithJavaScript/AspireJavaScript.Vue/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: playground/AzureContainerApps/AzureContainerApps.AppHost/AppWithDocker/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: playground/AzureFunctionsEndToEnd/AzureFunctionsEndToEnd.Functions/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: playground/deployers/Deployers.Dockerfile/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: playground/PostgresEndToEnd/PostgresEndToEnd.JavaService/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: playground/publishers/Publishers.AppHost/qots/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: playground/withdockerfile/WithDockerfile.AppHost/qots/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 22 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
12 files, 12 locations
.github/workflows/agentics-maintenance-microsoft-aspire.dev.yml
.github/workflows/apply-test-attributes.yml
.github/workflows/backmerge-release.yml
.github/workflows/backport.yml
.github/workflows/deployment-cleanup.yml
.github/workflows/deployment-tests.yml
.github/workflows/extension-changelog.lock.yml
.github/workflows/extension-release.yml
CI/CD security · Supply chain · Github actions
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in eng/common/cross/install-debs.py:236
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
eng/common/cross/install-debs.py:236 Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in src/Components/Aspire.Azure.Storage.Blobs/ConfigurationSchema.json:164
Found a known-risky pattern (weak_hash). Review and replace if possible.
src/Components/Aspire.Azure.Storage.Blobs/ConfigurationSchema.json:164 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in src/Components/Aspire.Azure.Storage.Files.DataLake/ConfigurationSchema.json:140
Found a known-risky pattern (weak_hash). Review and replace if possible.
src/Components/Aspire.Azure.Storage.Files.DataLake/ConfigurationSchema.json:140 Weak hash
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — eng/common/cross/install-debs.py:236
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore CI/CD security · containers
high Security checks cicd CI/CD security conf 1.00 [CFG003] Docker COPY Everything: Copying entire directory may include secrets and build artifacts.
Use .dockerignore and COPY specific files/directories.
playground/withdockerfile/WithDockerfile.AppHost/AppHost.cs:27 CI/CD security · containers
low Security checks quality Error handling conf 1.00 3 occurrences [ERR003] Ignored Error (Go): Ignoring error return values.
Handle the error or use errcheck linter.
3 files, 3 locations
playground/GoDebugging/api/main.go:56
src/Aspire.Cli/Templating/Templates/go-starter/api/main.go:46
src/Aspire.Cli/Templating/Templates/go-starter/api/telemetry.go:100
low Security checks cicd CI/CD security conf 1.00 [SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive — orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\s*HEALTHCHECK\b`.
Add `HEALTHCHECK CMD curl -f http://localhost:PORT/health || exit 1`.
playground/withdockerfile/WithDockerfile.AppHost/qots/qots.go:1 CI/CD security · containers
low Security checks cicd CI/CD security conf 1.00 [SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive — orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\s*HEALTHCHECK\b`.
Add `HEALTHCHECK CMD curl -f http://localhost:PORT/health || exit 1`.
playground/deployers/Deployers.Dockerfile/app.py:1 CI/CD security · containers
low Security checks cicd CI/CD security conf 0.68 4 occurrences App service does not wait for database health
Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`.
2 files, 4 locations
playground/publishers/Publishers.AppHost/docker-compose.yaml:12, 27 (2 hits)
playground/publishers/aspire-output/docker-compose.yaml:20, 37 (2 hits)
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.56 5 occurrences Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
2 files, 5 locations
playground/publishers/Publishers.AppHost/docker-compose.yaml:12, 27, 45, 59 (4 hits)
playground/publishers/aspire-output/docker-compose.yaml:37
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 9 occurrences Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
2 files, 9 locations
playground/publishers/aspire-output/docker-compose.yaml:1, 20, 37, 57, 71 (5 hits)
playground/publishers/Publishers.AppHost/docker-compose.yaml:12, 27, 45, 59 (4 hits)
CI/CD security · containers
low Security checks cicd CI/CD security conf 0.58 Database password is wired through an environment variable placeholder
Prefer Compose secrets or your platform secret manager with *_FILE variables where the image supports them. Rotate only if a real value was committed.
playground/publishers/aspire-output/docker-compose.yaml:9 CI/CD security · containers
low Security checks cicd CI/CD security conf 0.58 Database password is wired through an environment variable placeholder
Prefer Compose secrets or your platform secret manager with *_FILE variables where the image supports them. Rotate only if a real value was committed.
playground/publishers/Publishers.AppHost/docker-compose.yaml:1 CI/CD security · containers
low Security checks cicd CI/CD security conf 0.72 6 occurrences Dockerfile installs recommended OS packages
Add `--no-install-recommends` and explicitly list only packages the image needs.
6 files, 6 locations
.github/workflows/polyglot-validation/Dockerfile.golang:16
.github/workflows/polyglot-validation/Dockerfile.java:19
.github/workflows/polyglot-validation/Dockerfile.python:19
.github/workflows/polyglot-validation/Dockerfile.rust:19
.github/workflows/polyglot-validation/Dockerfile.typescript:22
playground/PostgresEndToEnd/PostgresEndToEnd.JavaService/Dockerfile:5
CI/CD security · containers
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 19 locations
playground/BlazorStandalone/BlazorStandalone.WeatherApi/Program.cs:1, 10, 11 (3 hits)
playground/AspireWithMaui/AspireWithMaui.ServiceDefaults/Extensions.cs:24, 27 (2 hits)
playground/BlazorHosted/BlazorHosted.WeatherApi/Program.cs:1, 11 (2 hits)
playground/FileBasedApps/FileBasedApps.WebFrontEnd/Program.cs:2, 4 (2 hits)
playground/Playground.ServiceDefaults/Extensions.cs:12, 22 (2 hits)
playground/PythonAppHost/app/main.py:57, 59 (2 hits)
playground/AspireWithJavaScript/AspireJavaScript.Vite/src/App.tsx:6
playground/AspireWithNode/AspireWithNode.ServiceDefaults/Extensions.cs:5
duplication · quality
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: mcr.microsoft.com/azure-functions/dotnet-isolated:4-dotnet-isolated8.0
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
playground/AzureFunctionsEndToEnd/AzureFunctionsEndToEnd.Functions/Dockerfile:10 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: mcr.microsoft.com/cbl-mariner/base/core:2.0.20260311
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
playground/withdockerfile/WithDockerfile.AppHost/qots/Dockerfile:9 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: mcr.microsoft.com/cbl-mariner/base/core:2.0.20260311
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
playground/publishers/Publishers.AppHost/qots/Dockerfile:9 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: mcr.microsoft.com/devcontainers/dotnet:10.0-noble
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
.devcontainer/Dockerfile:1 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: mcr.microsoft.com/dotnet/sdk:8.0
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
playground/AzureFunctionsEndToEnd/AzureFunctionsEndToEnd.Functions/Dockerfile:1 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: mcr.microsoft.com/mirror/docker/library/ubuntu:24.04
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
eng/scripts/aspire-pr-container/Dockerfile:1 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 2 occurrences Docker base image is tag-pinned but not digest-pinned: mcr.microsoft.com/openjdk/jdk:17-ubuntu
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
playground/PostgresEndToEnd/PostgresEndToEnd.JavaService/Dockerfile:2, 23 (2 hits)
containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: mcr.microsoft.com/oss/go/microsoft/golang:${GO_VERSION}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
playground/withdockerfile/WithDockerfile.AppHost/qots/Dockerfile:3 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: mcr.microsoft.com/oss/go/microsoft/golang:${GO_VERSION}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
playground/publishers/Publishers.AppHost/qots/Dockerfile:3 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: netaspireci.azurecr.io/library/python:3.8-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
playground/AzureContainerApps/AzureContainerApps.AppHost/AppWithDocker/Dockerfile:2 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: netaspireci.azurecr.io/library/python:3.8-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
playground/deployers/Deployers.Dockerfile/Dockerfile:2 containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 3 occurrences Docker base image is tag-pinned but not digest-pinned: nginx:alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
3 files, 3 locations
playground/AspireWithJavaScript/AspireJavaScript.Angular/Dockerfile:14
playground/AspireWithJavaScript/AspireJavaScript.React/Dockerfile:14
playground/AspireWithJavaScript/AspireJavaScript.Vue/Dockerfile:14
containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 3 occurrences Docker base image is tag-pinned but not digest-pinned: node:20
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
3 files, 3 locations
playground/AspireWithJavaScript/AspireJavaScript.Angular/Dockerfile:2
playground/AspireWithJavaScript/AspireJavaScript.React/Dockerfile:2
playground/AspireWithJavaScript/AspireJavaScript.Vue/Dockerfile:2
containers · Pinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/aspireify-eval/dotnet-traditional/frontend/src/main.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/aspireify-eval/dotnet-traditional/frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/aspireify-eval/polyglot/frontend/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/aspireify-eval/polyglot/frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithBun/BunFrontend/server.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Angular/proxy.conf.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Angular/src/app/app.component.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Angular/src/app/app.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Angular/src/app/app.routes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Angular/src/main.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Angular/src/types/weatherForecast.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.NodeApp/app.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.React/webpack.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Vite/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Vite/src/models/Forecast.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Vite/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Vite/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Vue/src/main.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithJavaScript/AspireJavaScript.Vue/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AspireWithNode/NodeFrontend/instrumentation.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/AzureContainerApps/AzureContainerApps.AppHost/AppWithDocker/app.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/BrowserTelemetry/BrowserTelemetry.Web/webpack.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/FoundryAgentEnterprise/frontend/eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/FoundryAgentEnterprise/frontend/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/FoundryAgentEnterprise/frontend/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/FoundryAgentEnterprise/frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/JavaAppHost/frontend/eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/JavaAppHost/frontend/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/JavaAppHost/frontend/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/JavaAppHost/frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/python/instrumented_script/main.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/python/script_only/main.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/PythonAppHost/apphost.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/PythonAppHost/frontend/eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/PythonAppHost/frontend/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/PythonAppHost/frontend/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/PythonAppHost/frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/Stress/Stress.AppHost/process-command-scripts/backup-restore.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/Stress/Stress.AppHost/process-command-scripts/container-exec.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/Stress/Stress.AppHost/process-command-scripts/environment.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/Stress/Stress.AppHost/process-command-scripts/output-limit.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/Stress/Stress.AppHost/process-command-scripts/stderr-failure.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/Stress/Stress.AppHost/process-command-scripts/stdin.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/Stress/Stress.AppHost/process-command-scripts/working-directory.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/TypeScriptAppHost/express-api/src/server.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/TypeScriptAppHost/process-command-scripts/node-process-check.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/TypeScriptAppHost/vite-frontend/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/TypeScriptAppHost/vite-frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/TypeScriptApps/RpsArena/arena-frontend/src/main.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/TypeScriptApps/RpsArena/arena-frontend/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph security security conf 1.00 Insecure pattern 'debug_true' in playground/python/flask_app/app.py:40
Found a known-risky pattern (debug_true). Review and replace if possible.
playground/python/flask_app/app.py:40 Debug true
low System graph quality Integrity conf 1.00 7 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: playground/FoundryAgentEnterprise/app/main.py:weather_forecast, playground/python/uvicorn_app/app.py:weather_forecast This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or do…
repo-level (7 hits)
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: playground/FoundryAgentEnterprise/app/main.py:lifespan, playground/PythonAppHost/app/main.py:lifespan, src/Aspire.Cli/Templating/Templates/py-starter/app/main.py:lifespan This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — …
duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: playground/FoundryAgentEnterprise/app/telemetry.py:configure_opentelemetry, playground/PythonAppHost/app/telemetry.py:configure_opentelemetry, playground/python/uvicorn_app/telemetry.py:configure_opentelemetry, src/Aspire.Cli/Templating/Templates/py-s…
duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `inferLegacy` in extension/src/debugger/languages/javascriptRuntime.ts:23
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `inferLegacy` in extension/src/test/javascriptRuntime.test.ts:15
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `nOld` in src/Aspire.Dashboard/wwwroot/framework/10/blazor.web.js:1
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `nOld` in src/Aspire.Dashboard/wwwroot/framework/11/blazor.web.js:1
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker · Dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: agent_run
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
playground/FoundryAgentBasic/app/main.py:315
low System graph software Dead code conf 1.00 Possibly dead Python function: do_GET
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
playground/TypeScriptApps/RpsArena/python-player/app.py:44
low System graph software Dead code conf 1.00 Possibly dead Python function: do_POST
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
playground/TypeScriptApps/RpsArena/python-player/app.py:58
low System graph software Dead code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
playground/TypeScriptApps/RpsArena/python-player/app.py:83
low System graph software Dead code conf 1.00 Possibly dead Python function: weather_forecast
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
playground/python/uvicorn_app/app.py:30
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — extension/gulpfile.js:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — extension/scripts/generate-schema.js:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — extension/scripts/generate-version.js:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — extension/scripts/run-e2e.js:223
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — extension/src/test-e2e/helpers/fixtures.ts:347
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — extension/src/test/parsers.test.ts:1538
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/AspireWithBun/BunFrontend/server.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/AspireWithJavaScript/AspireJavaScript.NodeApp/app.js:81
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/AspireWithJavaScript/AspireJavaScript.React/src/components/App.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/AspireWithJavaScript/AspireJavaScript.Vite/src/App.tsx:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/AspireWithNode/NodeFrontend/app.js:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/AspireWithNode/NodeFrontend/instrumentation.js:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/BrowserTelemetry/BrowserTelemetry.Web/Scripts/index.js:43
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/JavaAppHost/api/src/index.ts:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/PostgresEndToEnd/PostgresEndToEnd.NodeService/app.ts:92
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/Stress/Stress.AppHost/process-command-scripts/backup-restore.js:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/Stress/Stress.AppHost/process-command-scripts/container-exec.js:3
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/Stress/Stress.AppHost/process-command-scripts/environment.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/Stress/Stress.AppHost/process-command-scripts/output-limit.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/Stress/Stress.AppHost/process-command-scripts/stderr-failure.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/Stress/Stress.AppHost/process-command-scripts/stdin.js:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/Stress/Stress.AppHost/process-command-scripts/working-directory.js:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/TypeScriptAppHost/express-api/src/server.ts:47
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/TypeScriptAppHost/process-command-scripts/node-process-check.js:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/src/app.ts:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — playground/TypeScriptApps/RpsArena/node-player/src/server.ts:73
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/Aspire.Cli/Templating/Templates/java-starter/api/src/index.ts:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/Aspire.Cli/Templating/Templates/ts-starter/api/src/index.ts:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/Aspire.Dashboard/Components/Controls/AssistantChat.razor.js:7
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/Aspire.Dashboard/wwwroot/framework/10/blazor.web.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/Aspire.Dashboard/wwwroot/framework/11/blazor.web.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/Aspire.Dashboard/wwwroot/js/app-metrics.js:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/Aspire.Dashboard/wwwroot/js/app.js:65
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — src/Aspire.Dashboard/wwwroot/js/highlight-11.11.1.min.js:107
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/Aspire.Cli.EndToEnd.Tests/Fixtures/JsPublish/api/server.js:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/Aspire.Cli.EndToEnd.Tests/Fixtures/JsPublish/nodeserver/server.js:7
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/Aspire.Cli.EndToEnd.Tests/Fixtures/JsPublish/npmscript/server.js:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests/tests/eslint-config.test.ts:211
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — tests/PolyglotAppHosts/Aspire.Hosting/TypeScript/process-command-scripts/stdin.js:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: ANY /
`playground/python/flask_app/app.py` declares `ANY /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: ANY /api/build-info
`playground/deployers/Deployers.Dockerfile/app.py` declares `ANY /api/build-info` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: ANY /api/data
`playground/python/flask_app/app.py` declares `ANY /api/data` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: ANY /api/health
`playground/deployers/Deployers.Dockerfile/app.py` declares `ANY /api/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: ANY /api/status
`playground/deployers/Deployers.Dockerfile/app.py` declares `ANY /api/status` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: DELETE /run_session/:id
`extension/src/dcp/AspireDcpServer.ts` declares `DELETE /run_session/:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/health
`playground/AspireWithJavaScript/AspireJavaScript.NodeApp/app.js` declares `GET /api/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting wh…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/info
`playground/TypeScriptApps/RpsArena/node-player/src/server.ts` declares `GET /api/info` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who con…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/weather
`playground/AspireWithJavaScript/AspireJavaScript.NodeApp/app.js` declares `GET /api/weather` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting w…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /api/welcome
`playground/AspireWithJavaScript/AspireJavaScript.NodeApp/app.js` declares `GET /api/welcome` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting w…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /cities
`playground/aspireify-eval/polyglot/api-weather/main.py` declares `GET /cities` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /hello/{name}
`playground/python/module_only/api.py` declares `GET /hello/{name}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /publish/asq
`playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/src/app.ts` declares `GET /publish/asq` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing o…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /publish/blob
`playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/src/app.ts` declares `GET /publish/blob` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /publish/eventhubs
`playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/src/app.ts` declares `GET /publish/eventhubs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider remo…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /telemetry/enabled
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `GET /telemetry/enabled` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /weather/{city}
`playground/aspireify-eval/polyglot/api-weather/main.py` declares `GET /weather/{city}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who con…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /api/move
`playground/TypeScriptApps/RpsArena/node-player/src/server.ts` declares `POST /api/move` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/asset
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/asset` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consu…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/commandLineFlags
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/commandLineFlags` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documentin…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/endOperation
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/endOperation` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting wh…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/endUserTask
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/endUserTask` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/fault
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/fault` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consu…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/operation
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/operation` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who c…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/property
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/property` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/recurringProperty
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/recurringProperty` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenti…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/start
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/start` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consu…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/startOperation
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/startOperation` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/startUserTask
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/startUserTask` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting w…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /telemetry/userTask
`extension/src/dcp/DashboardTelemetryPassthrough.ts` declares `POST /telemetry/userTask` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: PUT /run_session
`extension/src/dcp/AspireDcpServer.ts` declares `PUT /run_session` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: eng/scripts/get-aspire-cli-pr.sh (1941 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: extension/scripts/run-e2e.js (1475 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: extension/src/dcp/DashboardTelemetryPassthrough.ts (1099 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: extension/src/extension.ts (1235 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: extension/src/test/appHostDataRepository.test.ts (2601 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: extension/src/test/appHostTreeView.test.ts (2392 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: extension/src/test/parsers.test.ts (2033 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: extension/src/views/AppHostDataRepository.ts (1683 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: extension/src/views/AspireAppHostTreeProvider.ts (1533 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/Aspire.Dashboard/wwwroot/js/highlight-11.11.1.min.js (1417 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/Aspire.Hosting.CodeGeneration.Go.Tests/Snapshots/AtsGeneratedAspire.verified.go (2360 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/Aspire.Hosting.CodeGeneration.Java.Tests/Snapshots/AtsGeneratedAspire.verified.java (3509 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/Aspire.Hosting.CodeGeneration.Python.Tests/Snapshots/AtsGeneratedAspire.verified.py (2938 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/Aspire.Hosting.CodeGeneration.Python.Tests/Snapshots/TwoPassScanningGeneratedAspire.verified.py (11669 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/Aspire.Hosting.CodeGeneration.Rust.Tests/Snapshots/AtsGeneratedAspire.verified.rs (1770 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/Aspire.Hosting.CodeGeneration.TypeScript.Tests/Snapshots/AtsGeneratedAspire.verified.ts (4064 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents + API integrations
API access

This page is publicly accessible at: https://repobility.com/scan/132ab074-fdbd-4836-8109-f7610ea43aba/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/132ab074-fdbd-4836-8109-f7610ea43aba/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.