Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

Pixelle-Video

https://github.com/AIDC-AI/Pixelle-Video.git · scanned 2026-05-17 02:45 UTC (13 hours, 36 minutes ago) · 10 languages

216 findings (49 legacy + 167 scanner) 56th percentile · Python · medium (20-100K LoC) Scanner says 72 (lower by 18)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 13 hours, 36 minutes ago · v1 · 216 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
67.1
/100
Repobility
62
49 legacy
9-layer
72
100.0% cov · 167 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Severity distribution — click a segment to filter
Active filters: severity: low × excluding tests × Reset all
Severity: Critical 0 High 21 Medium 26 Low 76 Source: Legacy 49 9-layer 167 Crowd 0 Layer: Software 30 Security 24 Quality 125 Cicd 14 Hardware 3 Frontend 1 Api 19
Scan summary Repository scanned at 72.4/100 with 100.0% coverage. It contains 776 nodes across 21 cross-layer flows, written primarily in mixed languages. Engine surfaced 167 findings — concentrated in quality (107), software (21), api (19). Risk profile is high: 0 critical, 10 high, 8 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 76 of 216 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore dockerlegacy
low Legacy security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
authlegacy
low Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
docker-compose.yml:76 dockerlegacy
low Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
docker-compose.yml:35 dockerlegacy
low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
Dockerfile:24 dockerlegacy
low Legacy cicd docker conf 0.72 Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts.
Dockerfile:48 dockerlegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
pixelle_video/services/persistence.py:453 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
web/pipelines/i2v.py:147 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
web/pipelines/digital_human.py:501 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
web/pipelines/digital_human.py:82 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
web/pipelines/asset_based.py:245 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
web/pipelines/asset_based.py:158 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
web/components/style_config.py:11 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
pixelle_video/services/video_analysis.py:75 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
pixelle_video/services/media.py:153 qualitylegacy
low Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
pixelle_video/pipelines/standard.py:359 qualitylegacy
low Legacy quality quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt qualitylegacy
low Legacy quality quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt qualitylegacy
low Legacy quality quality conf 0.74 Public web app has no robots.txt
Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.
robots.txt qualitylegacy
low Legacy quality quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml qualitylegacy
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coveragedeployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.11-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:3 supply-chaindockerpinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs.yml:21 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs.yml:26 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs.yml:31 supply-chaingithub-actionspinned-dependencies
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: api/routers/video.py:generate_video_sync, api/routers/video.py:generate_video_async This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: web/pipelines/action_transfer.py:list_action_transfer_workflows, web/pipelines/i2v.py:list_i2v_workflows This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why th…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: web/pipelines/action_transfer.py:generate_audio_visual_video, web/pipelines/i2v.py:generate_audio_visual_video This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document …
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: web/components/style_config.py:render_style_config, web/components/digital_tts_config.py:render_style_config This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document wh…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pixelle_video/llm_presets.py:get_preset_names, pixelle_video/llm_presets.py:get_preset This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pixelle_video/pipelines/standard.py:frame_progress_callback, pixelle_video/pipelines/standard.py:frame_progress_callback This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pixelle_video/utils/content_generators.py:generate_image_prompts, pixelle_video/utils/content_generators.py:generate_video_prompts This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Cons…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pixelle_video/services/history_manager.py:get_task_list, pixelle_video/services/persistence.py:list_tasks_paginated This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or docu…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pixelle_video/services/history_manager.py:get_statistics, pixelle_video/services/persistence.py:get_statistics This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document …
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pixelle_video/services/history_manager.py:delete_task, pixelle_video/services/persistence.py:delete_task This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why th…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: pixelle_video/prompts/image_generation.py:build_image_prompt_prompt, pixelle_video/prompts/video_generation.py:build_video_prompt_prompt This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene)…
integrityduplicatedry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: duplicate_task
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/history_manager.py:135 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: ensure_dir
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/utils/os_util.py:186 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: execute_video_generation
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/routers/video.py:211 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: export_task
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/history_manager.py:206 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: frame_progress_callback
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/pipelines/standard.py:376 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: generate_narrations_from_content
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/utils/content_generators.py:153 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: generate_video_prompts
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/utils/content_generators.py:372 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: generate_video_wrapper
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/service.py:255 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: image_prompt_progress
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/pipelines/standard.py:189 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: make_task_progress_callback
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
web/components/output_preview.py:304 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: regenerate_frame
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/history_manager.py:178 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: reload
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/config/manager.py:71 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: replacer
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/frame_html.py:290 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: report_progress
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packaging/windows/build.py:128 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: save_bytes_to_file
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/utils/os_util.py:160 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: task_exists
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/persistence.py:297 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: update_overall_progress
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
web/components/output_preview.py:296 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: update_progress
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
api/tasks/manager.py:181 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: update_progress
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
web/pipelines/asset_based.py:333 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: update_progress
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
web/components/output_preview.py:94 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: update_task_status
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
pixelle_video/services/persistence.py:163 dead-code
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /{task_id}
`api/routers/tasks.py` declares `DELETE /{task_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /
`api/app.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /bgm
`api/routers/resources.py` declares `GET /bgm` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /template/params
`api/routers/frame.py` declares `GET /template/params` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /templates
`api/routers/resources.py` declares `GET /templates` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /workflows/image
`api/routers/resources.py` declares `GET /workflows/image` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /workflows/media
`api/routers/resources.py` declares `GET /workflows/media` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /workflows/tts
`api/routers/resources.py` declares `GET /workflows/tts` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /{file_path:path}
`api/routers/files.py` declares `GET /{file_path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /{task_id}
`api/routers/tasks.py` declares `GET /{task_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /chat
`api/routers/llm.py` declares `POST /chat` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /generate
`api/routers/image.py` declares `POST /generate` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /generate/async
`api/routers/video.py` declares `POST /generate/async` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /generate/sync
`api/routers/video.py` declares `POST /generate/sync` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /image-prompt
`api/routers/content.py` declares `POST /image-prompt` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /narration
`api/routers/content.py` declares `POST /narration` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /render
`api/routers/frame.py` declares `POST /render` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /synthesize
`api/routers/tts.py` declares `POST /synthesize` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /title
`api/routers/content.py` declares `POST /title` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
{# ── 2026-05-17 Round 14: AI-agent bridge footer ────────────────────── Discoverability: the /agents/voting/ guide + MCP manifest exist but aren't linked from anywhere users actually land. Small, opt-in footer. #}
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/165367cf-223f-4f21-bba3-528fca54e0e5/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/165367cf-223f-4f21-bba3-528fca54e0e5/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.