File as GitHub Issue repo: trycua/cua

Push this scan report to trycua/cua

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.


Issue title

Action `actions/checkout` pinned to mutable ref `@v4`: `uses

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/u… .github/workflows/cd-swift-cua-driver.y…:239
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/cd-swift-cua-driver.y…:58
HIGH MINED115 [MINED115] Action `pdm-project/setup-pdm` pinned to mutable ref `@v3`: `uses: pdm-project… .github/workflows/py-reusable-publish.y…:61
HIGH MINED115 [MINED115] Action `actions/setup-python` pinned to mutable ref `@v4`: `uses: actions/setu… .github/workflows/py-reusable-publish.y…:51
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/py-reusable-publish.y…:38
HIGH MINED115 [MINED115] Action `actions/setup-python` pinned to mutable ref `@v4`: `uses: actions/setu… .github/workflows/cd-py-mcp-server.yml:63
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/cd-py-mcp-server.yml:36
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/cd-ts-core.yml:33
HIGH MINED115 [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions… .github/workflows/docker-reusable-publi…:200
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/u… .github/workflows/docker-reusable-publi…:158
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/docker-reusable-publi…:57
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/cd-py-core.yml:30
HIGH MINED115 [MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-b… .github/workflows/ts-reusable-build.yml:38
HIGH MINED115 [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-set… .github/workflows/ts-reusable-build.yml:32
HIGH MINED115 [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-… .github/workflows/ts-reusable-build.yml:26
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/ts-reusable-build.yml:23
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/cd-ts-cuabot.yml:33
HIGH MINED115 [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/git… .github/workflows/claude-auto-fix.yml:361
HIGH MINED115 [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-set… .github/workflows/claude-auto-fix.yml:196
HIGH MINED115 [MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setu… .github/workflows/claude-auto-fix.yml:172
HIGH MINED115 [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-… .github/workflows/claude-auto-fix.yml:166
HIGH MINED115 [MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v4`: `u… .github/workflows/claude-auto-fix.yml:159
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/claude-auto-fix.yml:139
HIGH MINED115 [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/git… .github/workflows/claude-auto-fix.yml:111
HIGH MINED115 [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/git… .github/workflows/claude-auto-fix.yml:26
HIGH MINED118 [MINED118] Dockerfile FROM `budtmo/docker-android:emulator_11.0` not pinned by digest: `F… libs/qemu-docker/android/dev.Dockerfile:38
HIGH MINED118 [MINED118] Dockerfile FROM `eclipse-temurin:17-jdk` not pinned by digest: `FROM eclipse-t… libs/qemu-docker/android/dev.Dockerfile:9
HIGH MINED118 [MINED118] Dockerfile FROM `budtmo/docker-android:emulator_11.0` not pinned by digest: `F… libs/qemu-docker/android/Dockerfile:33
HIGH MINED118 [MINED118] Dockerfile FROM `eclipse-temurin:17-jdk` not pinned by digest: `FROM eclipse-t… libs/qemu-docker/android/Dockerfile:4
HIGH MINED118 [MINED118] Dockerfile FROM `trycua/windows-local:latest` not pinned by digest: `FROM tryc… libs/qemu-docker/windows/Dockerfile:13
HIGH MINED118 [MINED118] Dockerfile FROM `trycua/qemu-local:latest` not pinned by digest: `FROM trycua/… libs/qemu-docker/linux/Dockerfile:1
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-sli… libs/cua-bench/cua_bench/templates/agen…:2
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-sli… libs/cua-bench/cua_bench/cli/templates/…:1
HIGH MINED118 [MINED118] Dockerfile FROM `kasmweb/core-ubuntu-jammy:1.17.0` not pinned by digest: `FROM… libs/kasm/Dockerfile:1
HIGH MINED118 [MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resol… libs/xfce/Dockerfile.dev:3
HIGH MINED118 [MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resol… libs/xfce/Dockerfile:3
HIGH MINED118 [MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resol… libs/cuabot/Dockerfile:2
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-sli… libs/cua-bench/Dockerfile:2
HIGH MINED118 [MINED118] Dockerfile FROM `debian:bullseye-slim` not pinned by digest: `FROM debian:bull… libs/lumier/Dockerfile:2
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-sli… docs/scripts/docs-mcp-server/Dockerfile:25
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-sli… docs/scripts/docs-mcp-server/Dockerfile:2
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/charliermarsh/ruff-pre-commit` pinned to m… .pre-commit-config.yaml:35
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/psf/black` pinned to mutable rev `25.9.0`:… .pre-commit-config.yaml:28
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/PyCQA/isort` pinned to mutable rev `7.0.0`… .pre-commit-config.yaml:20
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-prettier` pinned to mut… .pre-commit-config.yaml:2
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-sli… Dockerfile:1
HIGH MINED112 [MINED112] FastAPI POST /playwright_exec has no auth: Handler `playwright_exec_endpoint` … libs/python/computer-server/computer_se…:1279
HIGH MINED112 [MINED112] FastAPI POST /responses has no auth: Handler `agent_response_endpoint` is regi… libs/python/computer-server/computer_se…:969
HIGH MINED112 [MINED112] FastAPI POST /pty/{pid}/resize has no auth: Handler `pty_resize` is registered… libs/python/computer-server/computer_se…:833
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/docs-generators/extract_python_…:48
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/docs-mcp-server/main.py:213
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/docs-mcp-server/main.py:202
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/docs-mcp-server/main.py:190
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/docs-mcp-server/main.py:179
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/docs-mcp-server/main.py:100
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/crawl_docs.py:160
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/modal_app.py:303
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/modal_app.py:1722
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/modal_app.py:1711
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/modal_app.py:1699
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/modal_app.py:1688
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/modal_app.py:1293
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/modal_app.py:1588
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… docs/scripts/modal_app.py:1091
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… tests/agent_loop_testing/agent_test_uit…:182
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… demo/1_fleet_throughput.py:106
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… demo/1_fleet_throughput.py:50
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… tests/android_rps_benchmark.py:424
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… tests/android_rps_benchmark.py:191
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… tests/cold_start_benchmark.py:34
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… tests/android_rps_benchmark_local.py:184
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … scripts/docs-generators/extract_python_…:202
MED SEC041 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blan… docs/src/components/doc-actions-menu.tsx:70
MED COMP001 [COMP001] High cognitive complexity: Function `crawl_all` has cognitive complexity 18 (So… docs/scripts/crawl_docs.py:176
MED DKR003 Dockerfile base image uses the latest tag libs/qemu-docker/windows/Dockerfile:14
MED DKR003 Dockerfile base image uses the latest tag libs/qemu-docker/linux/Dockerfile:1
MED AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks…
MED MINED124 [MINED124] requirements.txt: `send2trash` has no version pin: Unpinned pip requirement me… libs/cua-bench/tasks/winarena_adapter/i…:12
MED MINED124 [MINED124] requirements.txt: `pygetwindow` has no version pin: Unpinned pip requirement m… libs/cua-bench/tasks/winarena_adapter/i…:11
MED MINED124 [MINED124] requirements.txt: `screeninfo` has no version pin: Unpinned pip requirement me… libs/cua-bench/tasks/winarena_adapter/i…:10
MED MINED124 [MINED124] requirements.txt: `pygame` has no version pin: Unpinned pip requirement means … libs/cua-bench/tasks/winarena_adapter/i…:9
MED MINED124 [MINED124] requirements.txt: `lxml` has no version pin: Unpinned pip requirement means ev… libs/cua-bench/tasks/winarena_adapter/i…:8
MED MINED124 [MINED124] requirements.txt: `numpy` has no version pin: Unpinned pip requirement means e… libs/cua-bench/tasks/winarena_adapter/i…:7
MED MINED124 [MINED124] requirements.txt: `flask` has no version pin: Unpinned pip requirement means e… libs/cua-bench/tasks/winarena_adapter/i…:6
MED MINED124 [MINED124] requirements.txt: `requests` has no version pin: Unpinned pip requirement mean… libs/cua-bench/tasks/winarena_adapter/i…:5
MED DKR018 Database dump or local database file is included in Docker build context .dockerignore
MED DKR001 Docker final stage has no non-root USER libs/qemu-docker/windows/Dockerfile:14
MED DKR001 Docker final stage has no non-root USER libs/qemu-docker/linux/Dockerfile:1
MED DKR001 Docker final stage has no non-root USER libs/lumier/Dockerfile:2
MED DKR001 Docker final stage has no non-root USER libs/cua-bench/cua_bench/templates/agen…:2
MED DKR001 Docker final stage has no non-root USER libs/cua-bench/cua_bench/cli/templates/…:1
MED DKR001 Docker final stage has no non-root USER Dockerfile:1
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore libs/cua-bench/cua_bench/cli/templates/…:15
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore Dockerfile:33
MED JRN003 Frontend API reference is not matched by discovered backend routes libs/cua-bench/cua_bench/www/environmen…:429
MED JRN003 Frontend API reference is not matched by discovered backend routes libs/cua-bench/cua_bench/www/environmen…:394
MED JRN003 Frontend API reference is not matched by discovered backend routes libs/cua-bench/cua_bench/www/environmen…:244
MED JRN003 Frontend API reference is not matched by discovered backend routes libs/cua-bench/cua_bench/www/environmen…:751
MED JRN003 Frontend API reference is not matched by discovered backend routes libs/cua-bench/cua_bench/www/environmen…:715
MED JRN003 Frontend API reference is not matched by discovered backend routes libs/cua-bench/cua_bench/www/environmen…:548
MED JRN003 Frontend API reference is not matched by discovered backend routes libs/cua-bench/cua_bench/www/environmen…:500
MED JRN003 Frontend API reference is not matched by discovered backend routes libs/cua-bench/cua_bench/www/environmen…:457
MED JRN003 Frontend API reference is not matched by discovered backend routes libs/cua-bench/cua_bench/www/environmen…:420
MED JRN003 Frontend API reference is not matched by discovered backend routes libs/cua-bench/cua_bench/www/environmen…:391
MED JRN003 Frontend API reference is not matched by discovered backend routes docs/src/lib/copilotkit-fetch-patch.ts:61
MED JRN003 Frontend API reference is not matched by discovered backend routes docs/src/app/api/copilotkit/route.ts:519
MED JRN003 Frontend API reference is not matched by discovered backend routes docs/src/app/api/copilotkit/route.ts:509
MED JRN003 Frontend API reference is not matched by discovered backend routes docs/src/app/(docs)/[...slug]/page.tsx:231
MED JRN003 Frontend API reference is not matched by discovered backend routes docs/src/app/(docs)/[...slug]/page.tsx:230
MED AUC002 [AUC002] Low visible authorization coverage in route inventory: Only 33.3% of discovered …
MED AGT012 Agent control bridge may listen on a network interface without visible auth docs/scripts/docs-mcp-server/main.py:15
MED AGT015 Remote install command pipes network code directly to a shell docs/content/docs/lume/reference/v0.2/h…:25
MED AGT015 Remote install command pipes network code directly to a shell docs/content/docs/lume/reference/http-a…:22
MED AGT015 Remote install command pipes network code directly to a shell docs/content/docs/lume/examples/claude-…:70
MED AGT015 Remote install command pipes network code directly to a shell docs/content/docs/cua-driver/reference/…:21
MED AGT015 Remote install command pipes network code directly to a shell docs/content/docs/cua/reference/mcp-ser…:22
MED AGT015 Remote install command pipes network code directly to a shell docs/content/docs/cua/guide/sandbox/ima…:134
MED AGT015 Remote install command pipes network code directly to a shell docs/content/docs/cua/guide/get-started…:38
MED AGT015 Remote install command pipes network code directly to a shell blog/introducing-cua-cli.md:49
MED AGT015 Remote install command pipes network code directly to a shell .github/workflows/cd-ts-cli.yml:135
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … docs/src/app/llms.mdx/[[...slug]]/route…:8
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … docs/src/app/api/cron/prompt-digest/rou…:6
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … docs/src/app/llms.txt/route.ts:7
LOW COMP001 [COMP001] High cognitive complexity: Function `crawl_page` has cognitive complexity 12 (S… docs/scripts/crawl_docs.py:117
LOW COMP001 [COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSou… .github/scripts/get_pyproject_version.py:22
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:40
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:23
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:19
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:18
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:31
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:30
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:19
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:51
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:18
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:19
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:18
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/datasets/cua-bench-basic…:24
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/workers/worker…:19
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/workers/worker…:18
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/processors/gui…:150
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/desktop.py:127
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/computers/webt…:276
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/computers/webt…:275
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/computers/webt…:159
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/computers/remo…:244
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/apps/reminders…:209
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/apps/notes.py:172
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/agents/qwen3vl…:130
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/agents/qwen3vl…:45
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/agents/qwen3vl…:5
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/agents/qwen35_…:45
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/agents/qwen35_…:5
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/agents/opencua…:5
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/agents/gemini.…:222
LOW AIC003 Duplicated implementation block across source files libs/cua-bench/cua_bench/actions.py:4
LOW DKR010 Dockerfile leaves apt package indexes in the image layer libs/qemu-docker/android/Dockerfile:6
LOW DKR010 Dockerfile leaves apt package indexes in the image layer libs/cuabot/Dockerfile:36
LOW DKR010 Dockerfile leaves apt package indexes in the image layer libs/cuabot/Dockerfile:26
LOW DKR010 Dockerfile leaves apt package indexes in the image layer libs/cuabot/Dockerfile:11
LOW DKR012 Dockerfile keeps pip download cache libs/xfce/Dockerfile.dev:147
LOW DKR012 Dockerfile keeps pip download cache libs/xfce/Dockerfile.dev:143
LOW DKR011 Dockerfile installs recommended OS packages libs/xfce/Dockerfile.dev:131
LOW DKR012 Dockerfile keeps pip download cache libs/xfce/Dockerfile.dev:127
LOW DKR011 Dockerfile installs recommended OS packages libs/xfce/Dockerfile.dev:106
LOW DKR012 Dockerfile keeps pip download cache libs/xfce/Dockerfile.dev:79
LOW DKR011 Dockerfile installs recommended OS packages libs/xfce/Dockerfile.dev:79
LOW DKR011 Dockerfile installs recommended OS packages libs/xfce/Dockerfile.dev:19
LOW DKR012 Dockerfile keeps pip download cache libs/xfce/Dockerfile:147
LOW DKR012 Dockerfile keeps pip download cache libs/xfce/Dockerfile:143
LOW DKR011 Dockerfile installs recommended OS packages libs/xfce/Dockerfile:131
LOW DKR012 Dockerfile keeps pip download cache libs/xfce/Dockerfile:128
LOW DKR011 Dockerfile installs recommended OS packages libs/xfce/Dockerfile:108
LOW DKR012 Dockerfile keeps pip download cache libs/xfce/Dockerfile:79
LOW DKR011 Dockerfile installs recommended OS packages libs/xfce/Dockerfile:79
LOW DKR011 Dockerfile installs recommended OS packages libs/xfce/Dockerfile:19
LOW DKR011 Dockerfile installs recommended OS packages libs/qemu-docker/android/Dockerfile:43
LOW DKR011 Dockerfile installs recommended OS packages libs/qemu-docker/android/Dockerfile:6
LOW DKR011 Dockerfile installs recommended OS packages libs/lumier/Dockerfile:18
LOW DKR012 Dockerfile keeps pip download cache libs/kasm/Dockerfile:68
LOW DKR012 Dockerfile keeps pip download cache libs/kasm/Dockerfile:58
LOW DKR012 Dockerfile keeps pip download cache libs/kasm/Dockerfile:55
LOW DKR012 Dockerfile keeps pip download cache libs/kasm/Dockerfile:52
LOW DKR011 Dockerfile installs recommended OS packages libs/kasm/Dockerfile:12
LOW DKR011 Dockerfile installs recommended OS packages libs/cuabot/Dockerfile:122
LOW DKR011 Dockerfile installs recommended OS packages libs/cuabot/Dockerfile:106
LOW DKR011 Dockerfile installs recommended OS packages libs/cuabot/Dockerfile:42
LOW DKR011 Dockerfile installs recommended OS packages libs/cuabot/Dockerfile:36
LOW DKR011 Dockerfile installs recommended OS packages libs/cuabot/Dockerfile:26
LOW DKR011 Dockerfile installs recommended OS packages libs/cuabot/Dockerfile:11
LOW DKR012 Dockerfile keeps pip download cache docs/scripts/docs-mcp-server/Dockerfile:19
LOW DKR008 .dockerignore misses sensitive defaults .dockerignore
INFO MINED055 [MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versi… scripts/playground.sh:209
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. scripts/playground.sh:268
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. docs/src/components/iou.tsx:64
INFO MINED058 [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escapi… docs/src/components/mermaid.tsx:43
INFO MINED058 [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escapi… docs/src/app/layout.tsx:39
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… docs/scripts/generate_sqlite.py:63
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … docs/src/components/doc-actions-menu.tsx:40
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … docs/src/app/api/cron/prompt-digest/rou…:37
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … docs/scripts/check-links.ts:96
200 findings available (after auto-suppression of test files + won't-fix)
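The three HIGH rule families at the top of the table (MINED115 on `uses:` refs, MINED118/DKR003 on `FROM` lines, MINED131 on pre-commit `rev:`) all flag the same thing: a reference that the upstream owner, or whoever compromises them, can move after you reviewed it. The checker below is an added example of my own, not Repobility's scanner and not code from trycua/cua. It reuses the report's rule IDs, but the regexes, the file-routing heuristics and the sample inputs (placeholder SHAs, constructed snippets shaped like the flagged files) are my assumptions about what those rules check.

```python
# Added example: my own line-based checker for the three HIGH "mutable reference"
# rules in the table (MINED115, MINED118 + DKR003, MINED131). It is not
# Repobility's scanner and not trycua/cua code; rule IDs are reused from the
# report, the regexes and heuristics are my assumptions about what they check.
import re
from typing import List, Tuple

Finding = Tuple[str, str, int, str]          # (rule, path, line, message)
SHA40 = re.compile(r"^[0-9a-f]{40}$")        # only a full commit SHA is immutable
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#@]+)@([^\s#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)")
REV_RE = re.compile(r"^\s*rev:\s*['\"]?([^\s'\"#]+)")

def check_workflow(path: str, text: str) -> List[Finding]:
    """MINED115: a tag or branch ref (v4, main) moves when the action's owner,
    or whoever compromises them, moves it; a 40-hex commit SHA does not."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not m[1].startswith(("./", "docker://")) and not SHA40.match(m[2]):
            out.append(("MINED115", path, n, f"Action `{m[1]}` pinned to mutable ref `@{m[2]}`"))
    return out

def check_dockerfile(path: str, text: str) -> List[Finding]:
    """MINED118: FROM without an @sha256 digest re-resolves at every build;
    DKR003: a `latest` tag (explicit, or implied when no tag is given) floats most."""
    out, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m[1], (m[2] or "").lower()
        if alias:
            stages.add(alias)
        if image.lower() in stages or image.lower() == "scratch" or "@sha256:" in image:
            continue                              # earlier stage, scratch, or already digest-pinned
        out.append(("MINED118", path, n, f"Dockerfile FROM `{image}` not pinned by digest"))
        last = image.rsplit("/", 1)[-1]           # drop registry/namespace before looking for a tag
        if (last.split(":", 1)[1] if ":" in last else "latest") == "latest":
            out.append(("DKR003", path, n, "Dockerfile base image uses the latest tag"))
    return out

def check_precommit(path: str, text: str) -> List[Finding]:
    """MINED131: `rev:` should be a commit SHA; a release tag like 25.9.0 can be re-pointed."""
    out, repo = [], ""
    for n, line in enumerate(text.splitlines(), 1):
        r = REPO_RE.match(line)
        if r:
            repo = r[1]
            continue
        m = REV_RE.match(line)
        if m and repo not in ("", "local", "meta") and not SHA40.match(m[1]):
            out.append(("MINED131", path, n, f"pre-commit hook `{repo}` pinned to mutable rev `{m[1]}`"))
    return out

def scan(path: str, text: str) -> List[Finding]:
    """Route a file to a checker by path; unrecognised files yield nothing."""
    if ".github/workflows/" in path:
        return check_workflow(path, text)
    if "Dockerfile" in path:
        return check_dockerfile(path, text)
    if path.endswith(".pre-commit-config.yaml"):
        return check_precommit(path, text)
    return []

# Constructed sample inputs shaped like the files the report flags; SHAs are placeholders.
SAMPLES = {
    ".github/workflows/ci.yml": (
        "jobs:\n  build:\n    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - uses: actions/setup-python@" + "a" * 40 + "  # v5\n"
        "      - uses: ./.github/actions/local\n"
    ),
    "libs/example/Dockerfile": (
        "FROM python:3.12-slim AS builder\n"
        "FROM trycua/qemu-local:latest\n"
        "FROM builder AS final\n"
        "FROM ubuntu@sha256:" + "b" * 64 + "\n"
    ),
    ".pre-commit-config.yaml": (
        "repos:\n"
        "  - repo: https://github.com/psf/black\n    rev: 25.9.0\n"
        "  - repo: https://github.com/pre-commit/pre-commit-hooks\n    rev: " + "c" * 40 + "\n"
    ),
}

def run(samples=SAMPLES) -> List[Finding]:
    """Scan every sample and return findings ordered by file and line."""
    return sorted((f for p, t in samples.items() for f in scan(p, t)), key=lambda f: (f[1], f[2]))

if __name__ == "__main__":
    for rule, path, line, msg in run():
        print(f"{rule:9} {path}:{line}  {msg}")
```

Two practical caveats when acting on these findings: a SHA pin only stays useful if something bumps it, so keep the human-readable tag in a trailing comment (`@<sha> # v5`) and let Dependabot or Renovate update the SHA; and a digest-pinned `FROM` freezes the base image's CVE state too, so the rebuild cadence has to move to whatever refreshes the digest.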
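The MINED112 rows (`/playwright_exec`, `/responses`, `/pty/{pid}/resize` registered with no auth) and the AUC002/AUC009 rows describe the same failure: authorization is opt-in per handler, so a forgotten dependency silently exposes a route. The sketch below is an added example of my own, not code from computer-server or any web framework's API: a framework-neutral router in which every handler is authenticated unless it is explicitly registered as public, with a constant-time bearer-token comparison. The header map, the `Router` class and the demo token are constructed for the example.

```python
# Added example (my own code, not computer-server's or any framework's API):
# a router where every handler is authenticated unless explicitly registered
# as public, so a route cannot be exposed by forgetting the auth dependency
# (the MINED112 / AUC009 pattern in the table above).
import hmac
from typing import Callable, Dict, Tuple

Headers = Dict[str, str]                      # constructed stand-in for a request; keys lowercased (as ASGI does)
Response = Tuple[int, str]                    # (status, body)
Handler = Callable[[Headers], Response]

class Router:
    def __init__(self, token: str):
        self._token = token.encode()
        self._routes: Dict[Tuple[str, str], Tuple[Handler, bool]] = {}

    def route(self, method: str, path: str, public: bool = False):
        """Decorator: register a handler. Authenticated is the default; public is opt-in."""
        def register(fn: Handler) -> Handler:
            self._routes[(method.upper(), path)] = (fn, public)
            return fn
        return register

    def _authorized(self, headers: Headers) -> bool:
        scheme, _, presented = headers.get("authorization", "").partition(" ")
        # compare_digest keeps the comparison time independent of where the first
        # mismatching byte is, so the token cannot be recovered by timing. Bytes
        # are used because the str form rejects non-ASCII input with TypeError.
        return scheme.lower() == "bearer" and hmac.compare_digest(presented.encode(), self._token)

    def dispatch(self, method: str, path: str, headers: Headers) -> Response:
        entry = self._routes.get((method.upper(), path))
        if entry is None:
            return 404, "not found"
        handler, public = entry
        if not public and not self._authorized(headers):
            return 401, "unauthorized"        # decided before the handler body runs
        return handler(headers)

# Constructed demo token; a real service loads it from its environment or a secret store.
DEMO_TOKEN = "a7c2f0e4-demo-token"
app = Router(DEMO_TOKEN)

@app.route("GET", "/health", public=True)     # the only way to expose a route without auth
def health(_: Headers) -> Response:
    return 200, "ok"

@app.route("POST", "/pty/resize")             # sensitive handler: no `public`, so auth is enforced
def pty_resize(_: Headers) -> Response:
    return 200, "resized"

if __name__ == "__main__":
    print(app.dispatch("POST", "/pty/resize", {}))
    print(app.dispatch("POST", "/pty/resize", {"authorization": "Bearer " + DEMO_TOKEN}))
```

In FastAPI terms the equivalent is a router-level `dependencies=[Depends(verify_token)]` applied to every `APIRouter` a handler can be registered on, rather than a `Depends` on each endpoint; the inventory-style AUC002 check (what fraction of discovered routes show visible authorization) is then satisfied structurally instead of per route.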

Issue body (markdown)

## Code-quality scan: `trycua/cua`

**Score: 64/100 (A-)**  ·  319 findings  ·  scanned 2026-05-24 01:23 UTC  ·  306,963 LOC

| Severity | Count |
|---|---|
| CRITICAL | 16 |
| HIGH | 113 |
| MEDIUM | 74 |
| LOW | 68 |

📊 [Full filterable report](https://www.repobility.com/scan/1ca50965-4f85-4a66-89b3-c1d72003efb2/)  ·  ![scorecard](https://www.repobility.com/scan/1ca50965-4f85-4a66-89b3-c1d72003efb2/report.png?v=1779585808-s2)

### Top findings

1. **HIGH** `MINED115` — Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses
   `.github/workflows/cd-swift-cua-driver.yml:239` · ✓ Repobility
2. **HIGH** `MINED115` — Action `actions/checkout` pinned to mutable ref `@v4`: `uses
   `.github/workflows/cd-swift-cua-driver.yml:58` · ✓ Repobility
3. **HIGH** `MINED115` — Action `pdm-project/setup-pdm` pinned to mutable ref `@v3`: `uses
   `.github/workflows/py-reusable-publish.yml:61` · ✓ Repobility
4. **HIGH** `MINED115` — Action `actions/setup-python` pinned to mutable ref `@v4`: `uses
   `.github/workflows/py-reusable-publish.yml:51` · ✓ Repobility
5. **HIGH** `MINED115` — Action `actions/checkout` pinned to mutable ref `@v4`: `uses
   `.github/workflows/py-reusable-publish.yml:38` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://www.repobility.com/scan/1ca50965-4f85-4a66-89b3-c1d72003efb2/_
Already filed
Repobility already filed issue #1510 on this repo on 2026-05-17. Filing again would be duplicate spam.
Megaproject: high spam risk
Could not determine 'trycua/cua' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
146/329 findings (44%) on this scan are already flagged as test-file, won't-fix, or suppressed. The scan is too noisy to file as a single issue. Curate down to specific actionable findings, or address the FP source first.

The button opens GitHub's new-issue page in a new tab. You will see the title and body pre-filled; review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.