bytedance/deer-flow

186 of your 286 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 28.8s · analysis 12.39s · 28.5 MB · GitHub API rate-limit (preflight)

https://github.com/bytedance/deer-flow · scanned 2026-06-05 08:31 UTC (5 days, 20 hours ago) · 10 languages

964 raw signals (266 security + 698 graph) · 11/13 scanners ran · 68th percentile · Python · large (100-500K LoC) · System graph score 51 (higher by 30)

Complete repo analysis

Last scanned 5 days, 20 hours ago · v2 · 421 actionable findings from 2 signal sources. 193 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

100.0% cov · 302 findings

Score breakdown · 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	40.0	0.15	6.00
`security_score`	100.0	0.25	25.00
`testing_score`	100.0	0.20	20.00
`documentation_score`	100.0	0.15	15.00
`practices_score`	65.0	0.15	9.75
`code_quality`	57.0	0.10	5.70
Overall		1.00	81.5
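
The overall figure is the weighted sum of the sub-scores in the table. A minimal Python check of that arithmetic follows. The half-up rounding to one decimal place is an assumption, since the page does not state its rounding rule.

```python
from decimal import Decimal, ROUND_HALF_UP

# (sub-score, weight) pairs copied from the score breakdown table.
COMPONENTS = {
    "structure_score": ("40.0", "0.15"),
    "security_score": ("100.0", "0.25"),
    "testing_score": ("100.0", "0.20"),
    "documentation_score": ("100.0", "0.15"),
    "practices_score": ("65.0", "0.15"),
    "code_quality": ("57.0", "0.10"),
}


def overall_score(components):
    """Return the weighted sum of all sub-scores as an exact Decimal."""
    return sum(Decimal(score) * Decimal(weight) for score, weight in components.values())


def weight_total(components):
    """Return the sum of the weights; it should equal 1 for a proper weighted average."""
    return sum(Decimal(weight) for _, weight in components.values())


total = overall_score(COMPONENTS)
# Assumed rounding rule: half-up to one decimal place.
rounded = total.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)
print(total, rounded, weight_total(COMPONENTS))
```

The exact sum is 81.45, which matches the reported 81.5 only under half-up rounding. Binary floating point with round-half-even could display 81.4 instead, which is why the sketch uses `Decimal`.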

security_score may be inflated — optional security scanners were skipped on this fast scan

Severity distribution

Active filters: excluding tests

Severity: Critical 4 · High 89 · Medium 32 · Low 178
9-Layer: Software · Security · Quality · Integrity · Frontend · Hardware · Data · Network · Cicd
Source: Security checks 119 · System graph 302 · Crowd 0
Layer: Quality 197 · Security 63 · Cicd 9 · Software 76 · Frontend 13 · Hardware 6 · Api 57

Bug-class explainers. Each card groups findings of the same shape — these are the patterns most likely to ship to prod and reappear in future scans unless you systematically fix the cause, not just the instance.

Duplicates & near-duplicates 4 findings

What it is: Same function copy-pasted into multiple modules with minor variations.

Why it matters: Each copy drifts independently — bug fixes apply to one, miss the others.

How AI causes it: AI completes the same pattern in each file rather than refactoring to a shared helper.

Fix approach: Extract the duplicated logic into the most general module both call sites already import. Add tests at the helper level.
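
As a rough illustration of that fix approach, the sketch below moves one piece of repeated logic into a single helper and has two call sites delegate to it. All names here (`normalize_name`, `agent_key`, `skill_key`) are hypothetical and do not come from the scanned repository.

```python
# Shared helper: in a real codebase this would live in a module that
# both call sites already import (hypothetical example).
def normalize_name(raw: str) -> str:
    """Trim, collapse internal whitespace, and lowercase a display name."""
    return " ".join(raw.split()).lower()


# Call site A (hypothetical): previously carried its own copy of the logic.
def agent_key(display_name: str) -> str:
    return "agent:" + normalize_name(display_name)


# Call site B (hypothetical): previously carried a slightly different copy.
def skill_key(display_name: str) -> str:
    return "skill:" + normalize_name(display_name)
```

With the logic in one place, a test written against `normalize_name` covers both call sites, and a bug fix cannot land in one copy while missing the other.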

4 matching findings on this repo

low Near-duplicate function bodies in 2 places repo-level
low Near-duplicate function bodies in 3 places repo-level
low Near-duplicate function bodies in 4 places
low Near-duplicate function bodies in 5 places

Legacy markers 3 findings

What it is: TODO, FIXME, XXX, HACK comments. Often indicate a known-broken path the author meant to fix.

Why it matters: Each marker is an unfinished thought. Production code shouldn't ship with debt that's documented but not tracked.

How AI causes it: AI mirrors the style of the codebase, so existing TODOs propagate into new code.

Fix approach: Convert each into a ticket. Delete the comment when the ticket lands. Use a pre-commit hook to block new TODOs without an issue link.
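
A hook of that kind could look roughly like the sketch below. It assumes a team convention in which an issue link is either `#<number>` or an http(s) URL on the same line as the marker. That convention and the function names are illustrative assumptions, not something the report specifies.

```python
import re

# Markers named in the card above.
MARKER = re.compile(r"\b(TODO|FIXME|XXX|HACK)\b")
# Assumed convention for an issue link: "#123" or an http(s) URL on the same line.
ISSUE_REF = re.compile(r"#\d+|https?://\S+")


def untracked_markers(text: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for each marker lacking an issue link."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if MARKER.search(line) and not ISSUE_REF.search(line):
            hits.append((lineno, line.strip()))
    return hits


def main(paths: list[str]) -> int:
    """Check each file; return 1 if any untracked marker is found, else 0."""
    failed = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in untracked_markers(fh.read()):
                print(f"{path}:{lineno}: marker without issue link: {line}")
                failed = True
    return 1 if failed else 0
```

A hook runner that passes the staged file names as arguments could call `sys.exit(main(sys.argv[1:]))` from a small wrapper script, so that a non-zero exit code blocks the commit.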

3 matching findings on this repo

high [MINED106] Phantom test coverage: test_no_legacy_memory_is_noop: Test function … backend/tests/test_migration_user_isolation.py:124
low Old/deprecated-named symbol `test_thread_dir_no_user_id_falls_back_to_legacy` i…
low Old/deprecated-named symbol `legacy_backup` in backend/scripts/migrate_user_iso…

Commented-out code 46 findings

What it is: Lines of source that were intentionally disabled but never deleted.

Why it matters: Git already remembers history — commented code rots, becomes wrong, and adds noise to diffs.

How AI causes it: AI sometimes comments out broken code instead of fixing it. Reviewers approve out of inertia.

Fix approach: Delete. Trust `git log`. If you really need to remember, save it in a notes file under `docs/`.

12 matching findings on this repo

info Commented-code block (6 lines) in frontend/tests/unit/core/agents/api.test.ts:1…
info Commented-code block (6 lines) in frontend/src/components/workspace/chats/chat-…
info Commented-code block (5 lines) in frontend/src/components/workspace/chats/use-t…
info Commented-code block (5 lines) in frontend/src/app/workspace/chats/[thread_id]/…
info Commented-code block (9 lines) in frontend/src/app/workspace/agents/new/page.ts…
info Commented-code block (5 lines) in frontend/src/core/threads/hooks.ts:81
info Commented-code block (5 lines) in frontend/src/core/threads/export.ts:156
info Commented-code block (5 lines) in frontend/src/core/messages/utils.ts:285
info Commented-code block (5 lines) in skills/public/skill-creator/scripts/improve_d…
info Commented-code block (6 lines) in backend/tests/test_todo_middleware.py:301
info Commented-code block (5 lines) in backend/tests/test_safety_termination_detecto…
info Commented-code block (8 lines) in backend/tests/conftest.py:21

Config drift 25 findings

What it is: Settings duplicated across env files, Docker compose, K8s, and code defaults, all with slightly different values.

Why it matters: Production behaviour depends on whichever copy your loader reads first. The result is subtle bugs in staging that don't reproduce in dev.

How AI causes it: AI writes new config from memory rather than reading the existing source.

Fix approach: Pick one source of truth (env vars + a settings module). Have every other place import from there. Lint for duplicates in CI.
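
One way to picture the single source of truth is a small settings module that reads environment variables once and is imported everywhere else. The sketch below is a minimal version under assumed names: `Settings`, `load_settings`, and the `APP_*` variables are hypothetical and do not reflect deer-flow's actual configuration.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Settings:
    """Immutable settings object; every other module imports values from here."""
    log_level: str
    request_timeout_s: float


def load_settings(env=None) -> Settings:
    """Build Settings from a mapping of environment variables.

    Defaults live only in this function, so no other copy can drift.
    """
    env = os.environ if env is None else env
    return Settings(
        log_level=env.get("APP_LOG_LEVEL", "INFO"),  # hypothetical variable name
        request_timeout_s=float(env.get("APP_REQUEST_TIMEOUT_S", "30")),  # hypothetical
    )
```

Passing the environment in as a parameter keeps the loader easy to test, and freezing the dataclass prevents call sites from mutating shared settings at runtime.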

12 matching findings on this repo

high [MINED112] FastAPI PUT /mcp/config has no auth: Handler `update_mcp_configurati… backend/app/gateway/routers/mcp.py:198
high [MINED112] FastAPI PUT /api/mcp/config has no auth: Handler `mcp_put` is regist… backend/tests/test_auth_middleware.py:113
high [MINED106] Phantom test coverage: test_auth_config_token_expiry_zero_raises: Te… backend/tests/test_auth_type_system.py:357
high [MINED106] Phantom test coverage: test_auth_config_missing_jwt_secret_raises: T… backend/tests/test_auth_type_system.py:351
high [MINED106] Phantom test coverage: test_wait_for_kubeconfig_accepts_file: Test f… backend/tests/test_provisioner_kubeconfig.py:20
high [MINED106] Phantom test coverage: test_build_run_config_rejects_non_mapping_con… backend/tests/test_gateway_services.py:507
high [MINED106] Phantom test coverage: test_acp_agent_config_missing_description_rai… backend/tests/test_acp_config.py:113
high [MINED106] Phantom test coverage: test_acp_agent_config_missing_command_raises:… backend/tests/test_acp_config.py:108
low Possibly dead Python function: set_memory_config backend/packages/harness/deerflow/config/memory_c…
low Possibly dead Python function: peek_current_app_config backend/packages/harness/deerflow/config/app_conf…
low Possibly dead Python function: set_summarization_config backend/packages/harness/deerflow/config/summariz…
low Possibly dead Python function: set_stream_bridge_config backend/packages/harness/deerflow/config/stream_b…

For AI agents + API integrations

API access

This page is publicly accessible at: https://repobility.com/scan/1fdceb83-a5ff-4bdd-8861-e896a260c55c/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/1fdceb83-a5ff-4bdd-8861-e896a260c55c/
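
The same status check can be sketched in Python using only the standard library. The page does not document the response format, so treating the body as JSON is an assumption here, and the function names are illustrative.

```python
import json
import urllib.request

# Endpoint prefix taken from the curl command above.
BASE_URL = "https://repobility.com/api/v1/public/scan/"


def scan_status_url(scan_token: str) -> str:
    """Build the public status URL for a scan token (trailing slash included)."""
    return f"{BASE_URL}{scan_token}/"


def fetch_scan_status(scan_token: str, timeout: float = 10.0):
    """Fetch the scan status without authentication.

    Assumption: the endpoint returns a JSON document. If it does not,
    json.loads raises a ValueError that the caller should handle.
    """
    with urllib.request.urlopen(scan_status_url(scan_token), timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))
```

Calling `fetch_scan_status("1fdceb83-a5ff-4bdd-8861-e896a260c55c")` would issue the same GET request as the curl command. Polling should be infrequent, since this endpoint only reports on an existing scan and does not trigger a new one.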

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.