136 of your 414 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 62.94s for a 216.5 MB repo (slow).
  • Repobility's analysis ran in 366.7s after the clone landed.

rust-lang/rust

https://github.com/rust-lang/rust · scanned 2026-06-05 05:29 UTC (3 hours, 23 minutes ago) · 10 languages

1398 findings (384 legacy + 1014 scanner) · 11/13 scanners ran · 80th percentile · Rust · huge (>500K LoC) · Scanner says 64 (higher by 22)


Complete repo analysis

Last scanned 3 hours, 23 minutes ago · v2 · 891 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score            85.0     0.15          12.75
security_score            100.0     0.25          25.00
testing_score              85.0     0.20          17.00
documentation_score        87.0     0.15          13.05
practices_score            86.0     0.15          12.90
code_quality               50.0     0.10           5.00
Overall                              1.00          85.7
security_score may be inflated — optional security scanners were skipped on this fast scan
Scan summary: Repository scanned at 63.6/100 with 88.9% coverage. It contains 36544 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 507 findings — concentrated in quality (308), software (74), hardware (66). Risk profile is high: 0 critical, 16 high, 62 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 803 of 891 findings.

high Legacy quality quality conf 1.00 ✓ Repobility [MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes.
Add `import array` at the top of the file.
compiler/rustc_codegen_gcc/tools/generate_intrinsics.py:36 quality · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.APP_PRIVATE_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
src/tools/miri/.github/workflows/ci.yml:227 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.ARTIFACTS_AWS_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ARTIFACTS_AWS_ACCESS_KEY_ID }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:268 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.ARTIFACTS_AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ARTIFACTS_AWS_SECRET_ACCESS_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:269 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CACHES_AWS_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CACHES_AWS_ACCESS_KEY_ID }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:243 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CACHES_AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CACHES_AWS_SECRET_ACCESS_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:244 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.DATADOG_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DATADOG_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:305 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.TOOLSTATE_REPO_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.TOOLSTATE_REPO_ACCESS_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:42 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.ZULIP_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ZULIP_API_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
src/tools/miri/.github/workflows/ci.yml:276 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.ZULIP_BOT_EMAIL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ZULIP_BOT_EMAIL }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
src/tools/miri/.github/workflows/ci.yml:275 dependency · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
compiler/rustc_codegen_cranelift/src/debuginfo/line_info.rs:49 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path.
Review and fix per the pattern semantics. See CWE-1188 for context.
library/std/src/sys/net/connection/uefi/mod.rs:150 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.
Review and fix per the pattern semantics. See CWE-1188 for context.
compiler/rustc_codegen_cranelift/src/unwind_module.rs:105 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.
Review and fix per the pattern semantics. See CWE-1188 for context.
compiler/rustc_codegen_cranelift/src/main_shim.rs:135 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.
Review and fix per the pattern semantics. See CWE-1188 for context.
compiler/rustc_codegen_cranelift/example/issue-59326.rs:22 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._ignore_file` used but never assigned in __init__: Method `changed_routines` of class `Context` reads `self._ignore_file`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._ignore_file = <default>` in __init__, or add a class-level default.
library/compiler-builtins/ci/ci-util.py:254 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.capacity` used but never assigned in __init__: Method `update` of class `StdStringSyntheticProvider` reads `self.capacity`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.capacity = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:488 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.capacity` used but never assigned in __init__: Method `update` of class `StdStringSyntheticProvider` reads `self.capacity`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.capacity = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:491 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.capacity` used but never assigned in __init__: Method `update` of class `StdStringSyntheticProvider` reads `self.capacity`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.capacity = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:478 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.changed_routines` used but never assigned in __init__: Method `emit_workflow_output` of class `Context` reads `self.changed_routines`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.changed_routines = <default>` in __init__, or add a class-level default.
library/compiler-builtins/ci/ci-util.py:306 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.data_ptr` used but never assigned in __init__: Method `get_child_at_index` of class `StdStringSyntheticProvider` reads `self.data_ptr`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.data_ptr = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:516 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.data_ptr` used but never assigned in __init__: Method `get_child_at_index` of class `StdStringSyntheticProvider` reads `self.data_ptr`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.data_ptr = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:514 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.data_ptr` used but never assigned in __init__: Method `update` of class `StdStringSyntheticProvider` reads `self.data_ptr`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.data_ptr = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:496 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.data_ptr` used but never assigned in __init__: Method `update` of class `StdStringSyntheticProvider` reads `self.data_ptr`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.data_ptr = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:489 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.data_ptr` used but never assigned in __init__: Method `update` of class `StdStringSyntheticProvider` reads `self.data_ptr`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.data_ptr = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:470 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.element_type` used but never assigned in __init__: Method `get_child_at_index` of class `StdStringSyntheticProvider` reads `self.element_type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.element_type = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:517 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.element_type` used but never assigned in __init__: Method `update` of class `StdStringSyntheticProvider` reads `self.element_type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.element_type = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:496 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.get_absolute_path` used but never assigned in __init__: Method `get_dir` of class `CachedFiles` reads `self.get_absolute_path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.get_absolute_path = <default>` in __init__, or add a class-level default.
src/etc/htmldocck.py:288 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.get_absolute_path` used but never assigned in __init__: Method `get_file` of class `CachedFiles` reads `self.get_absolute_path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.get_absolute_path = <default>` in __init__, or add a class-level default.
src/etc/htmldocck.py:258 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.get_absolute_path` used but never assigned in __init__: Method `get_tree` of class `CachedFiles` reads `self.get_absolute_path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.get_absolute_path = <default>` in __init__, or add a class-level default.
src/etc/htmldocck.py:272 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.is_pr` used but never assigned in __init__: Method `_init_change_list` of class `Context` reads `self.is_pr`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.is_pr = <default>` in __init__, or add a class-level default.
library/compiler-builtins/ci/ci-util.py:211 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.is_pr` used but never assigned in __init__: Method `may_skip_libm_ci` of class `Context` reads `self.is_pr`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.is_pr = <default>` in __init__, or add a class-level default.
library/compiler-builtins/ci/ci-util.py:274 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.length` used but never assigned in __init__: Method `get_child_at_index` of class `StdStringSyntheticProvider` reads `self.length`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.length = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:512 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.length` used but never assigned in __init__: Method `num_children` of class `StdStringSyntheticProvider` reads `self.length`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.length = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:502 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.length` used but never assigned in __init__: Method `update` of class `StdStringSyntheticProvider` reads `self.length`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.length = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:494 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.length` used but never assigned in __init__: Method `update` of class `StdStringSyntheticProvider` reads `self.length`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.length = <default>` in __init__, or add a class-level default.
src/etc/lldb_providers.py:492 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.may_skip_libm_ci` used but never assigned in __init__: Method `emit_workflow_output` of class `Context` reads `self.may_skip_libm_ci`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.may_skip_libm_ci = <default>` in __init__, or add a class-level default.
library/compiler-builtins/ci/ci-util.py:328 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.resolve_path` used but never assigned in __init__: Method `get_dir` of class `CachedFiles` reads `self.resolve_path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.resolve_path = <default>` in __init__, or add a class-level default.
src/etc/htmldocck.py:287 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.resolve_path` used but never assigned in __init__: Method `get_file` of class `CachedFiles` reads `self.resolve_path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.resolve_path = <default>` in __init__, or add a class-level default.
src/etc/htmldocck.py:254 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.resolve_path` used but never assigned in __init__: Method `get_tree` of class `CachedFiles` reads `self.resolve_path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.resolve_path = <default>` in __init__, or add a class-level default.
src/etc/htmldocck.py:268 quality · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_cranelift/.github/workflows/main.yml:98 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_cranelift/.github/workflows/abi-cafe.yml:59 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/stdarch.yml:29 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/gcc12.yml:38 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/release.yml:31 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/ci.yml:140 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/ci.yml:133 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/ci.yml:127 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/ci.yml:42 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/failures.yml:37 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/m68k.yml:38 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_cranelift/.github/workflows/main.yml:162 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_cranelift/.github/workflows/main.yml:140 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_cranelift/.github/workflows/main.yml:91 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_cranelift/.github/workflows/main.yml:37 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_cranelift/.github/workflows/main.yml:27 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_cranelift/.github/workflows/abi-cafe.yml:46 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `crate-ci/typos` pinned to mutable ref `@v1.32.0`: `uses: crate-ci/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: crate-ci/typos@<40-char-sha> # v1.32.0` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/ci.yml:134 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `streetsidesoftware/cspell-action` pinned to mutable ref `@v7`: `uses: streetsidesoftware/cspell-action@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: streetsidesoftware/cspell-action@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/ci.yml:135 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/stdarch.yml:36 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/gcc12.yml:45 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/release.yml:38 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/ci.yml:49 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/failures.yml:44 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
compiler/rustc_codegen_gcc/.github/workflows/m68k.yml:45 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:slim` not pinned by digest: `FROM node:slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
src/tools/rust-analyzer/.github/actions/github-release/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:22.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
src/ci/docker/host-x86_64/dist-x86_64-freebsd/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:22.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
src/ci/docker/host-x86_64/x86_64-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:24.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/armv7-unknown-linux-gnueabihf/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.04` not pinned by digest: `FROM ubuntu:25.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/mips64el-unknown-linux-gnuabi64/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.04` not pinned by digest: `FROM ubuntu:25.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/mips64-unknown-linux-gnuabi64/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/wasm32-wasip1/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/arm-unknown-linux-gnueabihf/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/aarch64-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/i686-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/aarch64_be-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/amdgcn-amd-amdhsa/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/x86_64-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/riscv64gc-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/loongarch64-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/mipsel-unknown-linux-musl/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/powerpc-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/s390x-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/riscv32gc-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/i586-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/hexagon-unknown-linux-musl/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/powerpc64le-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/nvptx64-nvidia-cuda/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/powerpc64-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:25.10` not pinned by digest: `FROM ubuntu:25.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:25.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
library/stdarch/ci/docker/mips-unknown-linux-gnu/Dockerfile:1 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `quay.io/pypa/manylinux_2_28_aarch64` unpinned: `container/services image: quay.io/pypa/manylinux_2_28_aarch64` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `quay.io/pypa/manylinux_2_28_aarch64@sha256:<digest>`. Re-pin via Dependabot Docker scope.
src/tools/rust-analyzer/.github/workflows/release.yaml:48 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `quay.io/pypa/manylinux_2_28_x86_64` unpinned: `container/services image: quay.io/pypa/manylinux_2_28_x86_64` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `quay.io/pypa/manylinux_2_28_x86_64@sha256:<digest>`. Re-pin via Dependabot Docker scope.
src/tools/rust-analyzer/.github/workflows/release.yaml:43 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `rust:alpine` unpinned: `container/services image: rust:alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `rust:alpine@sha256:<digest>`. Re-pin via Dependabot Docker scope.
src/tools/rust-analyzer/.github/workflows/release.yaml:160 dependency · legacy
high Legacy software resource_exhaustion conf 1.00 [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants.
Cap user-controlled sizes BEFORE allocation: size = min(int(request.args.get('n', 100)), MAX_SIZE) Set framework-level limits: Flask: app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 FastAPI: use middleware to enforce request size Django: DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py …
library/std/src/os/xous/services.rs:69 resource_exhaustion · legacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
compiler/rustc_codegen_gcc/build_system/src/rust_tools.rs:97 quality · legacy
high Legacy cicd docker conf 0.92 Docker build context is very large
Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers.
.dockerignore docker · legacy
high Legacy cicd docker conf 0.92 Dockerfile copies the entire context without .dockerignore
Create .dockerignore before using broad context copies, or copy only the required files and directories.
src/tools/rust-analyzer/.github/actions/github-release/Dockerfile:3 docker · legacy
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
rust-lang/josh-sync/.github/workflows/rustc-pull.yml@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
library/stdarch/.github/workflows/rustc-pull.yml:13 supply-chain · github-actions · pinned-dependencies
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
rust-lang/josh-sync/.github/workflows/rustc-pull.yml@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
src/doc/rustc-dev-guide/.github/workflows/rustc-pull.yml:12 supply-chain · github-actions · pinned-dependencies
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_borrowck/src/diagnostics/conflict_errors.rs:160
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_borrowck/src/diagnostics/conflict_errors.rs:160 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_codegen_cranelift/src/constant.rs:84
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_codegen_cranelift/src/constant.rs:84 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_codegen_ssa/src/mir/constant.rs:27
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_codegen_ssa/src/mir/constant.rs:27 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_codegen_ssa/src/mir/naked_asm.rs:72
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_codegen_ssa/src/mir/naked_asm.rs:72 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_const_eval/src/interpret/eval_context.rs:599
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_const_eval/src/interpret/eval_context.rs:599 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_const_eval/src/interpret/stack.rs:403
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_const_eval/src/interpret/stack.rs:403 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_data_structures/src/graph/dominators/mod.rs:159
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_data_structures/src/graph/dominators/mod.rs:159 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_expand/src/mbe/diagnostics.rs:81
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_expand/src/mbe/diagnostics.rs:81 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_mir_transform/src/instsimplify.rs:92
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_mir_transform/src/instsimplify.rs:92 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_monomorphize/src/collector.rs:711
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_monomorphize/src/collector.rs:711 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_public_bridge/src/builder.rs:61
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_public_bridge/src/builder.rs:61 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_resolve/src/imports.rs:998
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_resolve/src/imports.rs:998 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_trait_selection/src/error_reporting/traits/fulfillment_errors.rs:924
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_trait_selection/src/error_reporting/traits/fulfillment_errors.rs:924 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in compiler/rustc_trait_selection/src/error_reporting/traits/on_unimplemented.rs:46
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/rustc_trait_selection/src/error_reporting/traits/on_unimplemented.rs:46 owasp · eval_used
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/tools/rust-analyzer/lib/smol_str/src/gdb_smolstr_printer.py:97 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/tools/rust-analyzer/lib/smol_str/src/gdb_smolstr_printer.py:78 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/tools/rust-analyzer/lib/smol_str/src/gdb_smolstr_printer.py:71 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/tools/rust-analyzer/lib/smol_str/src/gdb_smolstr_printer.py:54 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/tools/rust-analyzer/lib/smol_str/src/gdb_smolstr_printer.py:32 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/etc/lldb_batchmode/runner.py:140 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/bootstrap/bootstrap.py:1406 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/bootstrap/bootstrap.py:301 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/etc/gdb_load_rust_pretty_printers.py:15 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/etc/lldb_providers.py:301 quality · legacy
medium Legacy security injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
compiler/rustc_codegen_gcc/build_system/src/rust_tools.rs:97 injection · legacy
medium Legacy cicd docker conf 0.90 Docker build context has no .dockerignore
Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases.
.dockerignore docker · legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/tools/rust-analyzer/.github/actions/github-release/Dockerfile:1 docker · legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-rust-for-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-gnu-tools/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-gnu-nopt/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-gnu-miri/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-gnu-llvm-22/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-gnu-llvm-21/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-gnu-gcc/Dockerfile:4 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-gnu-distcheck/Dockerfile:13 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-gnu-debug/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-gnu-aux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/x86_64-fuchsia/Dockerfile:5 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/tidy/Dockerfile:3 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/pr-check-2/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/pr-check-1/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/optional-x86_64-gnu-parallel-frontend/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/i686-gnu-nopt/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/i686-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-x86_64-solaris/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-x86_64-netbsd/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-x86_64-musl/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-x86_64-linux/Dockerfile:5 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-x86_64-illumos/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-x86_64-freebsd/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-various-2/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-various-1/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-sparcv9-solaris/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-s390x-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-riscv64-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-powerpc64le-linux-musl/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-powerpc64le-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-powerpc64-linux-musl/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-powerpc64-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-powerpc-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-ohos-x86_64/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-ohos-armv7/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-ohos-aarch64/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-mipsel-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-mips64el-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-mips64-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-mips-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-loongarch64-musl/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-loongarch64-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-i686-linux/Dockerfile:5 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-i586-gnu-i586-i686-musl/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-armv7-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-armhf-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-arm-linux-musl/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-arm-linux-gnueabi/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/dist-android/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/disabled/riscv64gc-gnu/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/disabled/dist-x86_64-redox/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/disabled/dist-x86_64-haiku/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/disabled/dist-x86_64-dragonfly/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/disabled/dist-x86_64-android/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/disabled/dist-sparc64-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/disabled/dist-powerpcspe-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/disabled/dist-m68k-linux/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/disabled/dist-i686-android/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/disabled/dist-armv7-android/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/disabled/dist-aarch64-android/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/armhf-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-x86_64/arm-android/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-aarch64/dist-aarch64-linux/Dockerfile:5 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-aarch64/dist-aarch64-freebsd/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-aarch64/aarch64-gnu-llvm-21/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-aarch64/aarch64-gnu-debug/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/ci/docker/host-aarch64/aarch64-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/x86_64-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/wasm32-wasip1/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/s390x-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/riscv64gc-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/riscv32gc-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/powerpc64le-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/powerpc64-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/powerpc-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/nvptx64-nvidia-cuda/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/mipsel-unknown-linux-musl/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/mips64el-unknown-linux-gnuabi64/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/mips64-unknown-linux-gnuabi64/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/mips-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/loongarch64-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/i686-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/i586-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/hexagon-unknown-linux-musl/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/armv7-unknown-linux-gnueabihf/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/arm-unknown-linux-gnueabihf/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/amdgcn-amd-amdhsa/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/aarch64_be-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/stdarch/ci/docker/aarch64-unknown-linux-gnu/Dockerfile:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/x86_64-unknown-linux-gnu/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/wasm32-unknown-unknown/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/thumbv7m-none-eabi/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/thumbv7em-none-eabihf/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/thumbv7em-none-eabi/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/thumbv6m-none-eabi/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/riscv64gc-unknown-linux-gnu/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/powerpc64le-unknown-linux-gnu/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/powerpc64-unknown-linux-gnu/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/powerpc-unknown-linux-gnu/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/mipsel-unknown-linux-gnu/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/mips64el-unknown-linux-gnuabi64/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/mips64-unknown-linux-gnuabi64/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/mips-unknown-linux-gnu/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/loongarch64-unknown-linux-gnu/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/i686-unknown-linux-gnu/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/i586-unknown-linux-gnu/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/armv7-unknown-linux-gnueabihf/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/arm-unknown-linux-gnueabihf/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/arm-unknown-linux-gnueabi/Dockerfile:2 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
library/compiler-builtins/ci/docker/aarch64-unknown-linux-gnu/Dockerfile:2 dockerlegacy
medium · source Legacy · layer cicd · category docker · conf 0.90 · tags: docker, legacy
Dockerfile installs dependencies after copying the full source tree
Recommendation: Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree.
Location: src/tools/rust-analyzer/.github/actions/github-release/Dockerfile:6
high · source Legacy · layer software · category dependency · conf 0.70 · tags: dependency, legacy
Remote install command pipes network code directly to a shell
Recommendation: Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
Location: library/portable-simd/.github/workflows/ci.yml:167
medium · source Legacy · layer quality · category quality · conf 0.78 · tags: quality, legacy
Suspicious implementation file appears unreferenced
Recommendation: Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
Locations (6):
  • src/tools/rustfmt/src/emitter/files_with_backup.rs:1
  • src/tools/clippy/clippy_lints/src/needless_update.rs:1
  • src/tools/clippy/clippy_lints/src/methods/cloned_instead_of_copied.rs:1
  • src/tools/clippy/clippy_lints/src/methods/clone_on_copy.rs:1
  • src/tools/clippy/clippy_lints/src/manual_string_new.rs:1
  • src/tools/clippy/clippy_lints/src/derive/expl_impl_clone_on_copy.rs:1
medium · source 9-layer · layer hardware · category security · conf 1.00 · tags: security, container
Dockerfile runs as root
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Note: these are the same compiler-builtins CI images the legacy pipeline flags above as "Docker final stage has no non-root USER"; the legacy pipeline rates them high, this engine medium.
Locations (18), all under library/compiler-builtins/ci/docker/:
  • aarch64-unknown-linux-gnu/Dockerfile
  • arm-unknown-linux-gnueabi/Dockerfile
  • arm-unknown-linux-gnueabihf/Dockerfile
  • armv7-unknown-linux-gnueabihf/Dockerfile
  • i586-unknown-linux-gnu/Dockerfile
  • i686-unknown-linux-gnu/Dockerfile
  • loongarch64-unknown-linux-gnu/Dockerfile
  • mips-unknown-linux-gnu/Dockerfile
  • mips64-unknown-linux-gnuabi64/Dockerfile
  • mips64el-unknown-linux-gnuabi64/Dockerfile
  • mipsel-unknown-linux-gnu/Dockerfile
  • powerpc-unknown-linux-gnu/Dockerfile
  • powerpc64-unknown-linux-gnu/Dockerfile
  • powerpc64le-unknown-linux-gnu/Dockerfile
  • riscv64gc-unknown-linux-gnu/Dockerfile
  • thumbv6m-none-eabi/Dockerfile
  • thumbv7em-none-eabi/Dockerfile
  • thumbv7em-none-eabihf/Dockerfile
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/compiler-builtins/ci/docker/thumbv7m-none-eabi/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/compiler-builtins/ci/docker/wasm32-unknown-unknown/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/compiler-builtins/ci/docker/x86_64-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/aarch64-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/aarch64_be-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/amdgcn-amd-amdhsa/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/arm-unknown-linux-gnueabihf/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/armv7-unknown-linux-gnueabihf/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/hexagon-unknown-linux-musl/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/i586-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/i686-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/loongarch64-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/mips-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/mips64-unknown-linux-gnuabi64/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/mips64el-unknown-linux-gnuabi64/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/mipsel-unknown-linux-musl/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/nvptx64-nvidia-cuda/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/powerpc-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/powerpc64-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/powerpc64le-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/riscv32gc-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/riscv64gc-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/s390x-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/wasm32-wasip1/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: library/stdarch/ci/docker/x86_64-unknown-linux-gnu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
compiler/rustc_codegen_gcc/.github/workflows/m68k.yml:45 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
compiler/rustc_codegen_gcc/.github/workflows/failures.yml:44 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
compiler/rustc_codegen_gcc/.github/workflows/ci.yml:49 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
compiler/rustc_codegen_gcc/.github/workflows/release.yml:38 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
compiler/rustc_codegen_gcc/.github/workflows/gcc12.yml:45 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
compiler/rustc_codegen_gcc/.github/workflows/stdarch.yml:36 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peaceiris/actions-gh-pages@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
library/portable-simd/.github/workflows/doc.yml:26 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@nextest can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
library/portable-simd/.github/workflows/ci.yml:253 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
compiler/rustc_codegen_cranelift/.github/workflows/main.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
library/compiler-builtins/.github/workflows/publish.yaml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
library/compiler-builtins/.github/workflows/rustc-pull.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/dependencies.yml supply-chaingithub-actionsleast-privilege

Showing first 300 of 803. Refine filters or use the legacy findings page for deep search.


This page is publicly accessible at: https://repobility.com/scan/135b8f26-1def-44c0-a0c4-d9dcbf6d2e5e/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/135b8f26-1def-44c0-a0c4-d9dcbf6d2e5e/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.