Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
164 of your 327 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 20.6s · analysis 30.21s · 77.2 MB · GitHub API rate-limit (preflight)

microsoft/aspire

https://github.com/microsoft/aspire · scanned 2026-06-06 00:52 UTC (1 week, 2 days ago) · 10 languages

805 raw signals (305 security + 500 graph) 11/13 scanners ran 83rd percentile · Csharp · huge (>500K LoC) System graph score 59 (higher by 27)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 2 days ago · v2 · 307 actionable findings from 2 signal sources. 239 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
71.3
/100
Security checks
84
89 findings
System graph
59
100.0% cov · 218 findings
Critical
1
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 65.0 0.15 9.75
security_score 100.0 0.25 25.00
testing_score 100.0 0.20 20.00
documentation_score 67.0 0.15 10.05
practices_score 88.0 0.15 13.20
code_quality 79.0 0.10 7.90
Overall 1.00 85.9
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: severity: info × excluding tests × Reset all
Severity: Critical 1 High 40 Medium 37 Low 179 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 89 System graph 218 Crowd 0 Layer: Software 61 Quality 107 Security 9 Cicd 27 Frontend 40 Hardware 25 Api 38
Scan summary Quality grade A- (86/100). Dimensions: security 100, maintainability 65. 305 findings (92 security). 742,802 lines analyzed.

Showing 48 of 307 actionable findings. 546 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

info Security checks quality Quality conf 1.00 ✓ Repobility [MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context.
src/Aspire.Cli/Templating/CallbackTemplate.cs:8
info Security checks quality Quality conf 1.00 [SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
Use static imports or a static mapping `const modules = { foo: require('./foo') }`.
extension/.mocharc.e2e.js:7
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
Review and fix per the pattern semantics. See CWE-755 / for context.
src/Aspire.Hosting.CodeGeneration.Rust/Resources/base.rs:102
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
extension/scripts/prepareCorepackYarn.mjs:106
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match.
Review and fix per the pattern semantics. See CWE-476 / for context.
playground/TypeScriptApps/RpsArena/apphost.mts:59
info Security checks software dependencies conf 0.45 ✓ Repobility 25 occurrences [MINED128] go.mod replaces `apphost/modules/aspire` — points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines.
Local module replacement is common in samples and monorepos. Keep this visible as a packaging portability check, not a high-severity supply-chain issue.
12 files, 12 locations
playground/GoAppHost/go.mod:6
tests/PolyglotAppHosts/Aspire.Hosting.Azure.ApplicationInsights/Go/go.mod:6
tests/PolyglotAppHosts/Aspire.Hosting.Azure.CognitiveServices/Go/go.mod:6
tests/PolyglotAppHosts/Aspire.Hosting.Azure.ContainerRegistry/Go/go.mod:6
tests/PolyglotAppHosts/Aspire.Hosting.Azure.KeyVault/Go/go.mod:6
tests/PolyglotAppHosts/Aspire.Hosting.Azure.Kusto/Go/go.mod:6
tests/PolyglotAppHosts/Aspire.Hosting.Azure.OperationalInsights/Go/go.mod:6
tests/PolyglotAppHosts/Aspire.Hosting.Azure.PostgreSQL/Go/go.mod:6
dependenciessamples
info Security checks security secrets conf 0.85 3 occurrences [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting.
Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs.
3 files, 3 locations
src/Aspire.Dashboard/Model/ValidateTokenMiddleware.cs:33
src/Aspire.Hosting.Azure/AcrLoginService.cs:76
src/Aspire.Hosting.RemoteHost/RemoteAppHostService.cs:100
info Security checks software Ssrf conf 1.00 3 occurrences [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
3 files, 3 locations
.github/workflows/create-failing-test-issue.js:104
extension/src/types/extensionApi.ts:79
extension/src/utils/urlSchemes.ts:26
info Security checks quality Quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
extension/src/utils/workspaceFileSearch.ts:171
info Security checks quality Quality conf 1.00 3 occurrences [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
3 files, 3 locations
.github/workflows/create-failing-test-issue.js:2
extension/scripts/prepareCorepackYarn.mjs:38
extension/src/editor/parsers/csharpAppHostParser.ts:140
info Security checks quality Quality conf 1.00 3 occurrences [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes — DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production.
Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint.
3 files, 3 locations
benchmarks/Aspire.Cli.Benchmarks/CorpusLoader.cs:71
extension/src/AspireExtensionContext.ts:83
extension/src/debugger/languages/azureFunctions.ts:49
info Security checks quality Quality conf 1.00 [SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected — attackers can call it directly.
Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip the…
playground/TypeScriptApps/RpsArena/node-player/src/server.ts:63
info Security checks security Injection conf 1.00 3 occurrences [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection).
For literal data structures: use ast.literal_eval(text) — only parses literals, raises on code. For formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists). For Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec'). If you genuinely need to execute admin-st…
3 files, 3 locations
.github/workflows/create-failing-test-issue.js:2
extension/scripts/prepareCorepackYarn.mjs:38
extension/src/editor/parsers/csharpAppHostParser.ts:140
info Security checks quality Quality conf 1.00 3 occurrences [SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`.
3 files, 3 locations
playground/GoDebugging/api/main.go:37
playground/aspireify-eval/polyglot/api-geo/main.go:46
src/Aspire.Cli/Templating/Templates/go-starter/api/main.go:65
info Security checks quality Quality conf 0.95 [COMP001] High cognitive complexity: Function `create` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, else=1, except=1, for=2, if=5, nested_bonus=1.
Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 — yours is 11.
src/Aspire.Hosting.CodeGeneration.Python/Resources/microvenv.py:42
info Security checks quality Quality conf 0.95 [COMP001] High cognitive complexity: Function `weather_forecast` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=2, for=1, if=3, nested_bonus=3.
Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 — yours is 9.
playground/PythonAppHost/app/main.py:57
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
3 files, 3 locations
eng/common/cross/tizen-fetch.sh:56
playground/AspireWithBun/BunFrontend/server.ts:18
playground/AzureFunctionsEndToEnd/AzureFunctionsEndToEnd.ApiService/Program.cs:85
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
Review and fix per the pattern semantics. See CWE-532 / for context.
3 files, 3 locations
extension/.mocharc.e2e.js:35
extension/gulpfile.js:42
extension/scripts/generate-schema.js:21
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
extension/src/server/progressNotifier.ts:77
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
extension/src/editor/AspireGutterDecorationProvider.ts:215
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
Review and fix per the pattern semantics. See CWE-1188 / for context.
src/Aspire.Hosting.CodeGeneration.Python/Resources/microvenv.py:99
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED051] Csharp Null Forgive: x! tells compiler "definitely not null" — bypasses nullable check. NRE risk if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
3 files, 3 locations
playground/kafka/Consumer/ConsumerWorker.cs:36
src/Aspire.Cli/Backchannel/AppHostConnectionHelper.cs:75
src/Aspire.Cli/Commands/DoctorCommand.cs:191
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
Review and fix per the pattern semantics. See CWE-704 / for context.
3 files, 3 locations
extension/src/commands/configureLaunchJson.ts:29
extension/src/dcp/types.ts:28
extension/src/server/progressNotifier.ts:98
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
extension/src/server/AspireRpcServer.ts:66
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context.
extension/build.sh:98
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
Review and fix per the pattern semantics. See CWE-682 / for context.
3 files, 3 locations
playground/FoundryAgentEnterprise/frontend/src/App.tsx:133
playground/JavaAppHost/frontend/src/App.tsx:133
playground/PythonAppHost/frontend/src/App.tsx:133
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
Review and fix per the pattern semantics. See CWE-401 / for context.
src/Aspire.Cli/Templating/Templates/go-starter/api/main.go:35
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
Review and fix per the pattern semantics. See CWE-401 / for context.
playground/GoDebugging/api/main.go:50
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.
Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context.
playground/python/flask_app/app.py:40
info System graph quality Integrity conf 1.00 Commented-code block (13 lines) in extension/src/utils/telemetryRegistry.ts:12
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in .github/workflows/pr-docs-check/compute_signals.py:101
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in eng/clipack/npm/aspire.js:47
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in extension/src/debugger/AspireDebugSession.ts:124
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in extension/src/debugger/languages/dotnet.ts:213
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in extension/src/extension.ts:111
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in extension/src/services/AppHostLaunchService.ts:111
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in extension/src/test/aspireTerminalProvider.test.ts:574
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in extension/src/test/dashboardTelemetryPassthrough.test.ts:127
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (5 lines) in extension/src/views/AppHostDataRepository.ts:142
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in extension/src/utils/appHostDiscovery.ts:684
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (6 lines) in tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests/tests/eslint-config.test.ts:3
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in extension/src/debugger/languages/bun.ts:47
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (7 lines) in extension/src/utils/telemetry.ts:19
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (8 lines) in extension/src/dcp/AspireDcpServer.ts:140
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (8 lines) in extension/src/dcp/DashboardTelemetryPassthrough.ts:10
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (8 lines) in extension/src/test/dashboardTelemetryRoutes.test.ts:13
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph quality Integrity conf 1.00 Commented-code block (9 lines) in extension/src/editor/AspireCodeLensProvider.ts:100
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
commented codeDead code
info System graph frontend Frontend quality conf 1.00 TODO/FIXME marker in shipping code — extension/src/debugger/launchProfiles.ts:160
Track in /reviews or /issues, not as a code comment that rots. Why: Drift control — shouldn't be the same as Quality TODO scanner. Rule id: fq.todo-marker
Fq todo marker
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/132ab074-fdbd-4836-8109-f7610ea43aba/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/132ab074-fdbd-4836-8109-f7610ea43aba/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.