← Back to scan
File as GitHub Issue repo: bytedance/deer-flow

Push this scan report to bytedance/deer-flow

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

`self.path` used but never assigned in __init__

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
HIGH MINED108 [MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of cla… skills/public/skill-creator/eval-viewer…:347
HIGH MINED108 [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of cla… skills/public/skill-creator/eval-viewer…:346
HIGH MINED108 [MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of cla… skills/public/skill-creator/eval-viewer…:345
HIGH MINED108 [MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of c… skills/public/skill-creator/eval-viewer…:344
HIGH MINED108 [MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `Rev… skills/public/skill-creator/eval-viewer…:333
HIGH MINED108 [MINED108] `self.get_contributors` used but never assigned in __init__: Method `summarize… skills/public/github-deep-research/scri…:268
HIGH MINED108 [MINED108] `self.get_releases` used but never assigned in __init__: Method `summarize_rep… skills/public/github-deep-research/scri…:275
HIGH MINED108 [MINED108] `self.get_contributors` used but never assigned in __init__: Method `summarize… skills/public/github-deep-research/scri…:265
HIGH MINED108 [MINED108] `self.get_languages` used but never assigned in __init__: Method `summarize_re… skills/public/github-deep-research/scri…:259
HIGH MINED108 [MINED108] `self.get_repo_info` used but never assigned in __init__: Method `summarize_re… skills/public/github-deep-research/scri…:237
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_code_frequency` o… skills/public/github-deep-research/scri…:203
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_commit_activity` … skills/public/github-deep-research/scri…:199
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `search_issues` of cla… skills/public/github-deep-research/scri…:195
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_tags` of class `G… skills/public/github-deep-research/scri…:188
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_releases` of clas… skills/public/github-deep-research/scri…:182
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_pull_requests` of… skills/public/github-deep-research/scri…:175
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_issues` of class … skills/public/github-deep-research/scri…:169
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_recent_commits` o… skills/public/github-deep-research/scri…:149
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_contributors` of … skills/public/github-deep-research/scri…:130
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_languages` of cla… skills/public/github-deep-research/scri…:126
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_file_content` of … skills/public/github-deep-research/scri…:117
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_tree` of class `G… skills/public/github-deep-research/scri…:111
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_tree` of class `G… skills/public/github-deep-research/scri…:107
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_readme` of class … skills/public/github-deep-research/scri…:95
HIGH MINED108 [MINED108] `self._get` used but never assigned in __init__: Method `get_repo_info` of cla… skills/public/github-deep-research/scri…:90
HIGH MINED110 [MINED110] Blocking call `time.sleep` inside async function `create_sandbox`: `time.sleep… docker/provisioner/app.py:491
HIGH MINED110 [MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (… backend/debug.py:125
HIGH MINED012 [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code. scripts/check.sh:47
HIGH SEC085 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… frontend/src/core/artifacts/preview.ts:172
HIGH SEC085 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… frontend/src/components/workspace/messa…:47
HIGH SEC085 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived in… frontend/src/components/workspace/citat…:14
HIGH SEC103 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… backend/packages/harness/deerflow/model…:81
HIGH SEC078 [SEC078] Python: requests without timeout: requests.get/post without a timeout will hang … skills/public/video-generation/scripts/…:36
HIGH SEC078 [SEC078] Python: requests without timeout: requests.get/post without a timeout will hang … skills/public/podcast-generation/script…:81
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/frontend-unit-tests.y…:24
HIGH MINED115 [MINED115] Action `actions/labeler` pinned to mutable ref `@v5`: `uses: actions/labeler@v… .github/workflows/pr-labeler.yml:25
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/u… .github/workflows/e2e-tests.yml:58
HIGH MINED115 [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-… .github/workflows/e2e-tests.yml:33
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/e2e-tests.yml:30
HIGH MINED115 [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-… .github/workflows/lint-check.yml:41
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/lint-check.yml:38
HIGH MINED115 [MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setu… .github/workflows/lint-check.yml:24
HIGH MINED115 [MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setu… .github/workflows/lint-check.yml:19
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/lint-check.yml:16
HIGH MINED115 [MINED115] Action `actions/attest-build-provenance` pinned to mutable ref `@v2`: `uses: a… .github/workflows/container.yaml:97
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/container.yaml:69
HIGH MINED115 [MINED115] Action `actions/attest-build-provenance` pinned to mutable ref `@v2`: `uses: a… .github/workflows/container.yaml:50
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/container.yaml:22
HIGH MINED115 [MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setu… .github/workflows/backend-unit-tests.yml:32
HIGH MINED115 [MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setu… .github/workflows/backend-unit-tests.yml:27
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/backend-unit-tests.yml:24
HIGH MINED115 [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/git… .github/workflows/pr-triage.yml:133
HIGH MINED115 [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/git… .github/workflows/pr-triage.yml:108
HIGH MINED115 [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/git… .github/workflows/pr-triage.yml:32
HIGH MINED115 [MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v3`: `uses: astral-sh/setu… .github/workflows/backend-blocking-io-t…:38
HIGH MINED115 [MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setu… .github/workflows/backend-blocking-io-t…:33
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout… .github/workflows/backend-blocking-io-t…:30
HIGH MINED115 [MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setu… .github/workflows/label-sync.yml:32
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/label-sync.yml:29
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest: `FROM python… docker/provisioner/Dockerfile:1
HIGH MINED118 [MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` r… frontend/Dockerfile:38
HIGH MINED118 [MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` r… frontend/Dockerfile:10
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest: `FROM python… backend/Dockerfile:73
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest: `FROM python… backend/Dockerfile:11
HIGH JRN009 Secret-like setting is echoed into a password input value frontend/src/app/(auth)/login/page.tsx:168
HIGH MINED112 [MINED112] FastAPI POST /memory/facts has no auth: Handler `create_memory_fact_endpoint` … backend/app/gateway/routers/memory.py:199
HIGH MINED112 [MINED112] FastAPI DELETE /memory has no auth: Handler `clear_memory` is registered with … backend/app/gateway/routers/memory.py:182
HIGH MINED112 [MINED112] FastAPI POST /memory/reload has no auth: Handler `reload_memory` is registered… backend/app/gateway/routers/memory.py:162
HIGH MINED112 [MINED112] FastAPI POST /initialize has no auth: Handler `initialize_admin` is registered… backend/app/gateway/routers/auth.py:464
HIGH MINED112 [MINED112] FastAPI POST /change-password has no auth: Handler `change_password` is regist… backend/app/gateway/routers/auth.py:334
HIGH MINED112 [MINED112] FastAPI POST /logout has no auth: Handler `logout` is registered with router/a… backend/app/gateway/routers/auth.py:327
HIGH MINED112 [MINED112] FastAPI POST /register has no auth: Handler `register` is registered with rout… backend/app/gateway/routers/auth.py:306
HIGH MINED112 [MINED112] FastAPI PUT /mcp/config has no auth: Handler `update_mcp_configuration` is reg… backend/app/gateway/routers/mcp.py:198
HIGH MINED112 [MINED112] FastAPI DELETE /{thread_id}/runs/{run_id}/feedback/{feedback_id} has no auth: … backend/app/gateway/routers/feedback.py:171
HIGH MINED112 [MINED112] FastAPI POST /{thread_id}/runs/{run_id}/feedback has no auth: Handler `create_… backend/app/gateway/routers/feedback.py:114
HIGH MINED112 [MINED112] FastAPI DELETE /{thread_id}/runs/{run_id}/feedback has no auth: Handler `delet… backend/app/gateway/routers/feedback.py:94
HIGH MINED112 [MINED112] FastAPI PUT /{thread_id}/runs/{run_id}/feedback has no auth: Handler `upsert_f… backend/app/gateway/routers/feedback.py:63
HIGH MINED112 [MINED112] FastAPI POST /wait has no auth: Handler `stateless_wait` is registered with ro… backend/app/gateway/routers/runs.py:61
HIGH MINED112 [MINED112] FastAPI POST /stream has no auth: Handler `stateless_stream` is registered wit… backend/app/gateway/routers/runs.py:36
HIGH MINED112 [MINED112] FastAPI DELETE /api/sandboxes/{sandbox_id} has no auth: Handler `destroy_sandb… docker/provisioner/app.py:506
HIGH MINED112 [MINED112] FastAPI POST /api/sandboxes has no auth: Handler `create_sandbox` is registere… docker/provisioner/app.py:434
HIGH AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like p… frontend/src/app/mock/api/threads/[thre…:6
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/public/skill-creator/scripts/run…:223
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/public/skill-creator/scripts/pac…:106
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/public/skill-creator/scripts/ini…:259
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/public/skill-creator/scripts/ini…:232
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/public/skill-creator/scripts/ini…:217
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/public/github-deep-research/scri…:282
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/public/github-deep-research/scri…:270
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/public/github-deep-research/scri…:260
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/public/github-deep-research/scri…:121
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/public/github-deep-research/scri…:98
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… skills/public/github-deep-research/scri…:325
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/wizard/writer.py:264
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/doctor.py:518
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/doctor.py:613
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/doctor.py:527
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/doctor.py:437
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/doctor.py:375
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/doctor.py:334
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/doctor.py:280
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/doctor.py:269
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/doctor.py:242
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/doctor.py:229
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… scripts/doctor.py:68
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… backend/debug.py:160
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… backend/debug.py:89
MED SEC046 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning win… frontend/src/core/api/fetcher.ts:84
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … frontend/src/core/artifacts/preview.ts:172
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … frontend/src/components/workspace/messa…:47
MED SEC045 [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … frontend/src/components/workspace/citat…:14
MED SEC031 [SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like … backend/packages/harness/deerflow/skill…:15
MED SEC127 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as T… backend/packages/harness/deerflow/persi…:190
MED SEC136 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… backend/packages/harness/deerflow/tools…:27
MED SEC136 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… backend/app/gateway/routers/suggestions…:50
MED SEC015 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … backend/app/gateway/csrf_middleware.py:27
MED SEC015 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … backend/app/gateway/auth/jwt.py:21
MED ERR001 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… backend/packages/harness/deerflow/tools…:197
MED ERR001 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… backend/packages/harness/deerflow/runti…:30
MED ERR001 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… backend/app/channels/slack.py:145
MED COMP001 [COMP001] High cognitive complexity: Function `start` has cognitive complexity 15 (SonarS… backend/app/channels/service.py:96
MED AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks…
MED DKR001 Docker final stage has no non-root USER frontend/Dockerfile:38
MED DKR001 Docker final stage has no non-root USER docker/provisioner/Dockerfile:1
MED DKR001 Docker final stage has no non-root USER backend/Dockerfile:73
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/src/core/auth/AuthProvider.tsx:64
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/src/components/workspace/setti…:41
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/src/app/workspace/layout.tsx:46
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/src/app/api/memory/route.ts:34
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/src/app/api/memory/route.ts:30
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/src/app/(auth)/setup/page.tsx:116
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/src/app/(auth)/setup/page.tsx:75
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/src/app/(auth)/setup/page.tsx:39
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/src/app/(auth)/login/page.tsx:98
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/src/app/(auth)/login/page.tsx:97
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/src/app/(auth)/login/page.tsx:74
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/scripts/save-demo.js:11
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/next.config.js:56
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/next.config.js:48
MED JRN003 Frontend API reference is not matched by discovered backend routes frontend/next.config.js:37
MED AUC002 [AUC002] Low visible authorization coverage in route inventory: Only 11.1% of discovered …
MED AGT014 Codex auth.json is read or copied without visible secret-file hardening backend/packages/harness/deerflow/model…:9
MED AGT012 Agent control bridge may listen on a network interface without visible auth docker/docker-compose.yaml:7
MED AGT015 Remote install command pipes network code directly to a shell backend/packages/harness/deerflow/agent…:32
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … frontend/src/app/mock/api/threads/[thre…:6
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … frontend/src/app/mock/api/threads/searc…:16
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … frontend/src/app/api/memory/[...path]/r…:50
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … frontend/src/app/api/memory/[...path]/r…:43
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … frontend/src/app/api/memory/[...path]/r…:36
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … frontend/src/app/api/memory/[...path]/r…:29
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … frontend/src/app/api/memory/route.ts:33
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … frontend/src/app/api/memory/route.ts:29
LOW COMP001 [COMP001] High cognitive complexity: Function `send` has cognitive complexity 14 (SonarSo… backend/app/channels/slack.py:98
LOW COMP001 [COMP001] High cognitive complexity: Function `_on_outbound` has cognitive complexity 11 … backend/app/channels/base.py:91
LOW AIC003 Duplicated implementation block across source files frontend/src/content/zh/_meta.ts:20
LOW AIC003 Duplicated implementation block across source files frontend/src/components/workspace/messa…:39
LOW AIC003 Duplicated implementation block across source files frontend/src/components/ai-elements/mes…:78
LOW AIC003 Duplicated implementation block across source files frontend/src/app/workspace/chats/[threa…:76
LOW AIC003 Duplicated implementation block across source files frontend/src/app/blog/tags/[tag]/page.t…:29
LOW AIC003 Duplicated implementation block across source files frontend/src/app/api/memory/route.ts:1
LOW AIC003 Duplicated implementation block across source files backend/packages/harness/deerflow/runti…:67
LOW AIC003 Duplicated implementation block across source files backend/packages/harness/deerflow/runti…:77
LOW AIC003 Duplicated implementation block across source files backend/packages/harness/deerflow/commu…:32
LOW AIC003 Duplicated implementation block across source files backend/packages/harness/deerflow/agent…:253
LOW AIC003 Duplicated implementation block across source files backend/app/gateway/routers/thread_runs…:115
LOW DKR008 .dockerignore misses sensitive defaults .dockerignore
LOW DKR011 Dockerfile installs recommended OS packages backend/Dockerfile:27
LOW DKC010 Compose service lacks no-new-privileges hardening docker/docker-compose.yaml:118
LOW DKC010 Compose service lacks no-new-privileges hardening docker/docker-compose.yaml:64
LOW DKC010 Compose service lacks no-new-privileges hardening docker/docker-compose.yaml:45
LOW DKC006 Compose service does not declare a runtime user docker/docker-compose.yaml:118
LOW DKC006 Compose service does not declare a runtime user docker/docker-compose.yaml:64
LOW DKC006 Compose service does not declare a runtime user docker/docker-compose.yaml:45
INFO MINED056 [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… frontend/src/components/ui/terminal.tsx:223
INFO MINED058 [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escapi… frontend/src/components/ai-elements/cod…:115
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … frontend/src/components/ai-elements/cod…:113
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … frontend/src/app/api/memory/route.ts:16
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … frontend/src/app/api/memory/[...path]/r…:16
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … frontend/src/components/ui/galaxy.jsx:209
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … frontend/src/components/landing/header.…:106
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … frontend/scripts/save-demo.js:26
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… skills/public/github-deep-research/scri…:81
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… backend/packages/harness/deerflow/commu…:106
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… backend/packages/harness/deerflow/commu…:31
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… backend/packages/harness/deerflow/commu…:19
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… backend/packages/harness/deerflow/commu…:42
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… backend/packages/harness/deerflow/commu…:22
INFO MINED064 [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services. scripts/wizard/ui.py:94
INFO MINED064 [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services. backend/packages/harness/deerflow/uploa…:59
INFO MINED064 [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services. backend/debug.py:125
INFO MINED065 [MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser o… backend/app/gateway/csrf_middleware.py:96
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. scripts/export_claude_code_oauth.py:139
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. backend/app/gateway/auth/reset_admin.py:73
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. backend/app/gateway/auth/config.py:76
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… backend/app/gateway/auth/providers.py:15
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… backend/app/channels/store.py:28
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… backend/app/channels/slack.py:146
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. backend/packages/harness/deerflow/agent…:15
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. backend/packages/harness/deerflow/agent…:14
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. backend/app/channels/message_bus.py:32
Reset to top 5 200 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `bytedance/deer-flow`

**Score: 62/100 (A-)**  ·  266 findings  ·  scanned 2026-06-05 08:31 UTC  ·  167,631 LOC

| Severity | Count |
|---|---|
| CRITICAL | 10 |
| HIGH | 99 |
| MEDIUM | 70 |
| LOW | 21 |

📊 [Full filterable report](https://repobility.com/scan/1fdceb83-a5ff-4bdd-8861-e896a260c55c/)  ·  ![scorecard](https://repobility.com/scan/1fdceb83-a5ff-4bdd-8861-e896a260c55c/report.png?v=1780648289-s2)

### Top findings

1. **HIGH** `MINED108` — `self.end_headers` used but never assigned in __init__
   `skills/public/skill-creator/eval-viewer/generate_review.py:347` · ✓ Repobility
2. **HIGH** `MINED108` — `self.send_header` used but never assigned in __init__
   `skills/public/skill-creator/eval-viewer/generate_review.py:346` · ✓ Repobility
3. **HIGH** `MINED108` — `self.send_header` used but never assigned in __init__
   `skills/public/skill-creator/eval-viewer/generate_review.py:345` · ✓ Repobility
4. **HIGH** `MINED108` — `self.send_response` used but never assigned in __init__
   `skills/public/skill-creator/eval-viewer/generate_review.py:344` · ✓ Repobility
5. **HIGH** `MINED108` — `self.path` used but never assigned in __init__
   `skills/public/skill-creator/eval-viewer/generate_review.py:333` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/1fdceb83-a5ff-4bdd-8861-e896a260c55c/_
Already filed
This repo publishes a SECURITY.md policy and the scan contains 20 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.
Megaproject â high spam risk
Could not determine 'bytedance/deer-flow' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
Open in GitHub to file this issue Filing guard overridden Cancel

The button opens GitHubâs new-issue page in a new tab. You will see the title + body pre-filled â review, edit if you want, then click GitHubâs "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.