67 of your 84 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

langflow-ai/langflow

https://github.com/langflow-ai/langflow · scanned 2026-06-05 04:43 UTC (4 hours, 19 minutes ago) · 10 languages

2202 findings (78 legacy + 2124 scanner) · 11/13 scanners ran · 80th percentile · Javascript · small (2-20K LoC) · Scanner says 61 (higher by 21)


Complete repo analysis

Last scanned 4 hours, 19 minutes ago · v2 · 1140 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score            85.0     0.15          12.75
security_score            100.0     0.25          25.00
testing_score              70.0     0.20          14.00
documentation_score        60.0     0.15           9.00
practices_score            87.0     0.15          13.05
code_quality               80.0     0.10           8.00
Overall                             1.00          81.8
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests
Scan summary Repository scanned at 61.2/100 with 100.0% coverage. It contains 33357 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 1062 findings — concentrated in quality (291), cicd (274), frontend (258). Risk profile is high: 5 critical, 106 high, 178 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 863 of 1140 findings.

critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ANTHROPIC_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:325 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ANTHROPIC_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:269 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ANTHROPIC_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:72 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:450 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:302 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:270 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:377 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_USERNAME }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:376 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.DOCS_AWS_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCS_AWS_ACCESS_KEY_ID }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/deploy-docs-draft.yml:178 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.DOCS_AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCS_AWS_SECRET_ACCESS_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/deploy-docs-draft.yml:179 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.OPENAI_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:323 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.OPENAI_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:268 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.OPENAI_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:71 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.STORE_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.STORE_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:324 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.STORE_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.STORE_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:73 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.TAVILY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.TAVILY_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:326 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.TAVILY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.TAVILY_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yml:74 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.WS_APIKEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.WS_APIKEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/mend.yml:50 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.WS_PRODUCTNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.WS_PRODUCTNAME }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/mend.yml:53 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.WS_PROJECTNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.WS_PROJECTNAME }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/mend.yml:54 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.WS_USERKEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.WS_USERKEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/mend.yml:52 dependency · legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.WS_WSS_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.WS_WSS_URL }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/mend.yml:51 dependency · legacy
critical 9-layer security owasp conf 1.00 Insecure pattern 'private_key_in_repo' in src/lfx/src/lfx/components/mongodb/mongodb_atlas.py:31
Found a known-risky pattern (private_key_in_repo). Review and replace if possible.
src/lfx/src/lfx/components/mongodb/mongodb_atlas.py:31 owasp · private_key_in_repo
critical 9-layer security secrets conf 1.00 Possible secret in docs/docusaurus.config.js
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
docs/docusaurus.config.js:537 secrets
critical 9-layer security secrets conf 1.00 Possible secret in src/frontend/src/components/core/parameterRenderComponent/components/queryComponent/index.tsx
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
src/frontend/src/components/core/parameterRenderComponent/components/queryComponent/index.tsx:18 secrets
critical 9-layer security secrets conf 1.00 Possible secret in src/frontend/src/components/core/parameterRenderComponent/components/textAreaComponent/index.tsx
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
src/frontend/src/components/core/parameterRenderComponent/components/textAreaComponent/index.tsx:21 secrets
critical 9-layer security secrets conf 1.00 Possible secret in src/lfx/src/lfx/schema/table.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
src/lfx/src/lfx/schema/table.py:114 secrets
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/lint-js.yml:38 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-v2.yml:453 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-v2.yml:382 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-v2.yml:307 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-v2.yml:236 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-v2.yml:165 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-v2.yml:112 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-v2.yml:66 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/lint-js.yml:25 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/style-check-py.yml:19 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/codeql.yml:33 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/download-artifact@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/create-release.yml:23 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/lint-js.yml:32 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v6`: `uses: astral-sh/setup-uv@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: astral-sh/setup-uv@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-v2.yml:117 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v6`: `uses: astral-sh/setup-uv@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: astral-sh/setup-uv@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-v2.yml:71 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v6`: `uses: astral-sh/setup-uv@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: astral-sh/setup-uv@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/style-check-py.yml:21 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v3`: `uses: github/codeql-action/analyze@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: github/codeql-action/analyze@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/codeql.yml:64 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v3`: `uses: github/codeql-action/autobuild@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: github/codeql-action/autobuild@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/codeql.yml:51 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v3`: `uses: github/codeql-action/init@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: github/codeql-action/init@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/codeql.yml:37 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `ncipollo/release-action` pinned to mutable ref `@v1`: `uses: ncipollo/release-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: ncipollo/release-action@<40-char-sha> # v1` and let Dependabot bump it on a scheduled cadence.
.github/workflows/create-release.yml:28 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `tibdex/auto-update` pinned to mutable ref `@v2`: `uses: tibdex/auto-update@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: tibdex/auto-update@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
.github/workflows/auto-update.yml:13 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `langflowai/langflow:latest` unpinned: `container/services image: langflowai/langflow:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `langflowai/langflow:latest@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/db-migration-validation.yml:309 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `postgres:16` unpinned: `container/services image: postgres:16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `postgres:16@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/migration-validation.yml:19 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `postgres:16` unpinned: `container/services image: postgres:16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `postgres:16@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/db-migration-validation.yml:324 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `postgres:16` unpinned: `container/services image: postgres:16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `postgres:16@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/db-migration-validation.yml:33 dependency · legacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
docs/src/components/CopyPageButton.tsx:88 xss · legacy
high 9-layer quality integrity conf 1.00 Blocking sync call inside `async def` (4 findings, identical rule text and tags)
Sync I/O inside an async function blocks the event loop. While the sync call is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_thre…
`httpx.post(...)` inside `async def like_component` (src/backend/base/langflow/services/store/service.py:480)
`httpx.post(...)` inside `async def upload` (src/backend/base/langflow/services/store/service.py:378)
`time.sleep(...)` inside `async def _save_to_google_apps` (src/lfx/src/lfx/components/files_and_knowledge/save_file.py:755)
`time.sleep(...)` inside `async def _save_to_google_apps` (src/lfx/src/lfx/components/files_and_knowledge/save_file.py:804)
integrity · sync-io-in-async · performance
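To make the rule text measurable, an added example (not langflow code and not the scanner's) using only the standard library: `time.sleep` stands in for the blocking `httpx.post(...)` and `time.sleep(...)` calls named above, and a heartbeat task counts how often the event loop gets control while the call runs. The blocking version produces a count of zero, because the loop never runs between the start and the end of the call; the two remedies the finding recommends, `asyncio.to_thread` around the unchanged sync call and the native async equivalent, let the heartbeat keep ticking.

```python
"""Show why a synchronous call inside `async def` stalls every other coroutine.

Added example, not code from langflow or from the scanner. `time.sleep`
stands in for any blocking call (httpx.post, file I/O, a sync DB driver).
A heartbeat task ticks every 10 ms while the worker runs, so the tick count
is a direct measure of how much other work the loop could do meanwhile.
"""
import asyncio
import time

WORK_SECONDS = 0.2   # how long the simulated I/O takes
TICK_SECONDS = 0.01  # heartbeat interval


async def blocking_worker() -> None:
    """The anti-pattern: a sync call that never yields to the loop."""
    time.sleep(WORK_SECONDS)  # e.g. httpx.post(...) inside an async def


async def offloaded_worker() -> None:
    """Remedy 1: run the unchanged sync call in a worker thread."""
    await asyncio.to_thread(time.sleep, WORK_SECONDS)


async def native_async_worker() -> None:
    """Remedy 2: the native async equivalent (asyncio.sleep here;
    httpx.AsyncClient for HTTP, aiofiles for files)."""
    await asyncio.sleep(WORK_SECONDS)


async def _observe(worker) -> tuple[int, float]:
    """Run `worker` beside a heartbeat; return (heartbeat ticks, elapsed s)."""
    ticks = 0
    stop = asyncio.Event()

    async def heartbeat() -> None:
        nonlocal ticks
        while True:
            await asyncio.sleep(TICK_SECONDS)
            if stop.is_set():   # checked first, so a wake-up that lands after
                return          # the worker finished is not counted as a tick
            ticks += 1

    hb = asyncio.create_task(heartbeat())  # scheduled, not yet started
    started = time.perf_counter()
    await worker()
    elapsed = time.perf_counter() - started
    stop.set()
    await hb
    return ticks, elapsed


def measure(worker) -> tuple[int, float]:
    """Synchronous entry point: (ticks observed during the worker, elapsed)."""
    return asyncio.run(_observe(worker))


if __name__ == "__main__":
    for w in (blocking_worker, offloaded_worker, native_async_worker):
        ticks, elapsed = measure(w)
        # blocking: ticks=0; the two remedies: close to WORK/TICK = 20 ticks
        print(f"{w.__name__:20s} ticks={ticks:3d} elapsed={elapsed:.2f}s")
```

The zero for the blocking case is deterministic, not a timing accident: `create_task` only schedules the heartbeat, and a coroutine that never awaits anything runs to completion before the loop can start it. For the two `httpx.post` sites the drop-in fix is an `httpx.AsyncClient` kept for the service's lifetime; for the two `time.sleep` sites, which look like retry back-off, `await asyncio.sleep(...)` is the one-line change.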
high 9-layer api wiring conf 1.00 Dangling fetch: POST /api/v1/flows/${fid}/events (2 findings, identical rule text and tags: src/frontend/tests/core/features/flow-agent-events.spec.ts:27 and :44)
The spec file calls `POST /api/v1/flows/${fid}/events` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/flows/<p>/events` If this points at an external API, prefix …
Triage note: the caller is an end-to-end test spec, so a genuine mismatch surfaces as a failing test rather than a production 404. Before acting on it, look at the POST handler `create_flow_event` in src/backend/base/langflow/api/v1/flow_events.py:62, which this same scan reports as a mutating route: if it serves the flow-events path under a prefix or registration the route matcher did not normalise, both entries are false positives.
wiring · dangling-fetch · fetch
high 9-layer security auth conf 1.00 FastAPI DELETE `clear_default_model` without auth dependency — src/backend/base/langflow/api/v1/models.py:825
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/models.py:825 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_all_files` without auth dependency — src/backend/base/langflow/api/v2/files.py:781
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/files.py:781 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_all_files` without auth dependency — src/backend/base/langflow/api/v2/files.py:782
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/files.py:782 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_api_key_route` without auth dependency — src/backend/base/langflow/api/v1/api_key.py:43
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/api_key.py:43 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_deployment` without auth dependency — src/backend/base/langflow/api/v1/deployments.py:1431
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/deployments.py:1431 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_file` without auth dependency — src/backend/base/langflow/api/v1/files.py:286
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/files.py:286 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_file` without auth dependency — src/backend/base/langflow/api/v2/files.py:712
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/files.py:712 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_files_batch` without auth dependency — src/backend/base/langflow/api/v2/files.py:435
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/files.py:435 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_flow` without auth dependency — src/backend/base/langflow/api/v1/flows.py:344
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flows.py:344 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_folder_redirect` without auth dependency — src/backend/base/langflow/api/v1/folders.py:72
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/folders.py:72 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_knowledge_base` without auth dependency — src/backend/base/langflow/api/v1/knowledge_bases.py:644
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/knowledge_bases.py:644 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_knowledge_bases_bulk` without auth dependency — src/backend/base/langflow/api/v1/knowledge_bases.py:665
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/knowledge_bases.py:665 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_knowledge_bases_bulk` without auth dependency — src/backend/base/langflow/api/v1/knowledge_bases.py:666
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/knowledge_bases.py:666 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_multiple_flows` without auth dependency — src/backend/base/langflow/api/v1/flows.py:464
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flows.py:464 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_project` without auth dependency — src/backend/base/langflow/api/v1/projects.py:439
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/projects.py:439 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_provider_account` without auth dependency — src/backend/base/langflow/api/v1/deployments.py:388
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/deployments.py:388 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_server` without auth dependency — src/backend/base/langflow/api/v2/mcp.py:365
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/mcp.py:365 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_variable` without auth dependency — src/backend/base/langflow/api/v1/variable.py:241
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/variable.py:241 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_version_entry` without auth dependency — src/backend/base/langflow/api/v1/flow_version.py:295
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flow_version.py:295 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `patch_user` without auth dependency — src/backend/base/langflow/api/v1/users.py:84
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/users.py:84 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `reset_password` without auth dependency — src/backend/base/langflow/api/v1/users.py:115
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/users.py:115 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `update_deployment` without auth dependency — src/backend/base/langflow/api/v1/deployments.py:1316
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/deployments.py:1316 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `update_flow` without auth dependency — src/backend/base/langflow/api/v1/flows.py:211
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flows.py:211 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `update_folder_redirect` without auth dependency — src/backend/base/langflow/api/v1/folders.py:63
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/folders.py:63 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `update_project_mcp_settings` without auth dependency — src/backend/base/langflow/api/v1/mcp_projects.py:482
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/mcp_projects.py:482 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `update_project` without auth dependency — src/backend/base/langflow/api/v1/projects.py:283
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/projects.py:283 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `update_provider_account` without auth dependency — src/backend/base/langflow/api/v1/deployments.py:423
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/deployments.py:423 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `update_server_endpoint` without auth dependency — src/backend/base/langflow/api/v2/mcp.py:345
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/mcp.py:345 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `update_snapshot` without auth dependency — src/backend/base/langflow/api/v1/deployments.py:1021
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/deployments.py:1021 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `update_variable` without auth dependency — src/backend/base/langflow/api/v1/variable.py:192
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/variable.py:192 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `activate_version` without auth dependency — src/backend/base/langflow/api/v1/flow_version.py:227
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flow_version.py:227 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `add_server` without auth dependency — src/backend/base/langflow/api/v2/mcp.py:324
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/mcp.py:324 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `add_user` without auth dependency — src/backend/base/langflow/api/v1/users.py:21
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/users.py:21 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `assist_stream` without auth dependency — src/backend/base/langflow/agentic/api/router.py:276
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/agentic/api/router.py:276 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `assist` without auth dependency — src/backend/base/langflow/agentic/api/router.py:252
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/agentic/api/router.py:252 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `build_flow` without auth dependency — src/backend/base/langflow/api/v1/chat.py:163
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/chat.py:163 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `build_public_tmp` without auth dependency — src/backend/base/langflow/api/v1/chat.py:640
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/chat.py:640 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `build_vertex` without auth dependency — src/backend/base/langflow/api/v1/chat.py:321
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/chat.py:321 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `cancel_build_public` without auth dependency — src/backend/base/langflow/api/v1/chat.py:777
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/chat.py:777 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `cancel_build` without auth dependency — src/backend/base/langflow/api/v1/chat.py:279
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/chat.py:279 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `cancel_ingestion` without auth dependency — src/backend/base/langflow/api/v1/knowledge_bases.py:711
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/knowledge_bases.py:711 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_api_key_route` without auth dependency — src/backend/base/langflow/api/v1/api_key.py:30
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/api_key.py:30 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_deployment_run` without auth dependency — src/backend/base/langflow/api/v1/deployments.py:808
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/deployments.py:808 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_deployment` without auth dependency — src/backend/base/langflow/api/v1/deployments.py:481
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/deployments.py:481 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_flow_event` without auth dependency — src/backend/base/langflow/api/v1/flow_events.py:62
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flow_events.py:62 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_flow` without auth dependency — src/backend/base/langflow/api/v1/flows.py:89
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flows.py:89 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_flows` without auth dependency — src/backend/base/langflow/api/v1/flows.py:368
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flows.py:368 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_folder_redirect` without auth dependency — src/backend/base/langflow/api/v1/folders.py:22
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/folders.py:22 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_knowledge_base` without auth dependency — src/backend/base/langflow/api/v1/knowledge_bases.py:81
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/knowledge_bases.py:81 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_knowledge_base` without auth dependency — src/backend/base/langflow/api/v1/knowledge_bases.py:82
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/knowledge_bases.py:82 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_project` without auth dependency — src/backend/base/langflow/api/v1/projects.py:61
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/projects.py:61 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_provider_account` without auth dependency — src/backend/base/langflow/api/v1/deployments.py:313
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/deployments.py:313 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_response` without auth dependency — src/backend/base/langflow/api/v1/openai_responses.py:590
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/openai_responses.py:590 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_snapshot` without auth dependency — src/backend/base/langflow/api/v1/flow_version.py:196
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flow_version.py:196 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_upload_file` without auth dependency — src/backend/base/langflow/api/v1/endpoints.py:1010
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/endpoints.py:1010 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_variable` without auth dependency — src/backend/base/langflow/api/v1/variable.py:102
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/variable.py:102 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `custom_component_update` without auth dependency — src/backend/base/langflow/api/v1/endpoints.py:1101
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/endpoints.py:1101 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `custom_component` without auth dependency — src/backend/base/langflow/api/v1/endpoints.py:1060
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/endpoints.py:1060 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `detect_env_vars` without auth dependency — src/backend/base/langflow/api/v1/variable.py:306
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/variable.py:306 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `download_files_batch` without auth dependency — src/backend/base/langflow/api/v2/files.py:532
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/files.py:532 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `download_multiple_file` without auth dependency — src/backend/base/langflow/api/v1/flows.py:503
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flows.py:503 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `execute_named_flow` without auth dependency — src/backend/base/langflow/agentic/api/router.py:133
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/agentic/api/router.py:133 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `execute_workflow` without auth dependency — src/backend/base/langflow/api/v2/workflow.py:101
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/workflow.py:101 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `handle_messages` without auth dependency — src/backend/base/langflow/api/v1/mcp.py:146
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/mcp.py:146 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `handle_project_messages` without auth dependency — src/backend/base/langflow/api/v1/mcp_projects.py:404
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/mcp_projects.py:404 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `ingest_files_to_knowledge_base` without auth dependency — src/backend/base/langflow/api/v1/knowledge_bases.py:282
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/knowledge_bases.py:282 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `install_mcp_config` without auth dependency — src/backend/base/langflow/api/v1/mcp_projects.py:693
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/mcp_projects.py:693 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `preview_chunks` without auth dependency — src/backend/base/langflow/api/v1/knowledge_bases.py:173
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/knowledge_bases.py:173 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `process` without auth dependency — src/backend/base/langflow/api/v1/endpoints.py:976
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/endpoints.py:976 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `process` without auth dependency — src/backend/base/langflow/api/v1/endpoints.py:981
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/endpoints.py:981 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `refresh_token` without auth dependency — src/backend/base/langflow/api/v1/login.py:145
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/login.py:145 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `run_flow` without auth dependency — src/lfx/src/lfx/cli/serve_app.py:415
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/lfx/src/lfx/cli/serve_app.py:415 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `save_store_api_key` without auth dependency — src/backend/base/langflow/api/v1/api_key.py:56
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/api_key.py:56 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `set_default_model` without auth dependency — src/backend/base/langflow/api/v1/models.py:750
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/models.py:750 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `stop_workflow` without auth dependency — src/backend/base/langflow/api/v2/workflow.py:645
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/workflow.py:645 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `stream_flow` without auth dependency — src/lfx/src/lfx/cli/serve_app.py:484
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/lfx/src/lfx/cli/serve_app.py:484 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `update_enabled_models` without auth dependency — src/backend/base/langflow/api/v1/models.py:605
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/models.py:605 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `upload_file_redirect` without auth dependency — src/backend/base/langflow/api/v1/folders.py:92
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/folders.py:92 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `upload_file` without auth dependency — src/backend/base/langflow/api/v1/files.py:76
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/files.py:76 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `upload_file` without auth dependency — src/backend/base/langflow/api/v1/flows.py:406
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flows.py:406 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `upload_file` without auth dependency — src/backend/base/langflow/api/v1/projects.py:508
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/projects.py:508 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `upload_user_file` without auth dependency — src/backend/base/langflow/api/v2/files.py:130
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/files.py:130 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `upload_user_file` without auth dependency — src/backend/base/langflow/api/v2/files.py:131
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/files.py:131 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `validate_provider` without auth dependency — src/backend/base/langflow/api/v1/models.py:321
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/models.py:321 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `edit_file_name` without auth dependency — src/backend/base/langflow/api/v2/files.py:691
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v2/files.py:691 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `upsert_flow` without auth dependency — src/backend/base/langflow/api/v1/flows.py:263
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
src/backend/base/langflow/api/v1/flows.py:263 auth · owasp · auth.fastapi.unauth_mutation
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
Wandalen/wretry.action@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:257 supply-chain · github-actions · pinned-dependencies
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
Wandalen/wretry.action@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:277 supply-chain · github-actions · pinned-dependencies
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
Wandalen/wretry.action@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:364 supply-chain · github-actions · pinned-dependencies
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in src/backend/base/langflow/agentic/flows/LangflowAssistant.json:890
Found a known-risky pattern (eval_used). Review and replace if possible.
src/backend/base/langflow/agentic/flows/LangflowAssistant.json:890 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in src/backend/base/langflow/agentic/helpers/code_security.py:13
Found a known-risky pattern (eval_used). Review and replace if possible.
src/backend/base/langflow/agentic/helpers/code_security.py:13 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in src/lfx/src/lfx/components/llm_operations/lambda_filter.py:242
Found a known-risky pattern (eval_used). Review and replace if possible.
src/lfx/src/lfx/components/llm_operations/lambda_filter.py:242 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in src/lfx/src/lfx/custom/code_parser/code_parser.py:164
Found a known-risky pattern (eval_used). Review and replace if possible.
src/lfx/src/lfx/custom/code_parser/code_parser.py:164 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in src/lfx/src/lfx/io/schema.py:272
Found a known-risky pattern (eval_used). Review and replace if possible.
src/lfx/src/lfx/io/schema.py:272 owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in src/backend/base/langflow/agentic/flows/LangflowAssistant.json:890
Found a known-risky pattern (exec_used). Review and replace if possible.
src/backend/base/langflow/agentic/flows/LangflowAssistant.json:890 owasp · exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in src/backend/base/langflow/agentic/helpers/code_security.py:12
Found a known-risky pattern (exec_used). Review and replace if possible.
src/backend/base/langflow/agentic/helpers/code_security.py:12 owasp · exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in src/lfx/src/lfx/components/tools/python_code_structured_tool.py:152
Found a known-risky pattern (exec_used). Review and replace if possible.
src/lfx/src/lfx/components/tools/python_code_structured_tool.py:152 owasp · exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in src/lfx/src/lfx/custom/code_parser/code_parser.py:144
Found a known-risky pattern (exec_used). Review and replace if possible.
src/lfx/src/lfx/custom/code_parser/code_parser.py:144 owasp · exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in src/lfx/src/lfx/custom/validate.py:67
Found a known-risky pattern (exec_used). Review and replace if possible.
src/lfx/src/lfx/custom/validate.py:67 owasp · exec_used
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
auth · legacy
medium Legacy quality practices conf 1.00 [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
Add a .gitignore appropriate for your language/framework.
practices · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
docs/docs/API-Reference/python-examples/api-openai-responses/additional-configuration-for-openai-client-libraries.py:26 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
docs/docs/API-Reference/python-examples/api-openai-responses/additional-configuration-for-openai-client-libraries.py:20 quality · legacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt quality · legacy
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/frontend/src/components/common/sanitizedHTMLWrapper/index.tsx:16
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality · fq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/frontend/src/components/core/parameterRenderComponent/components/mustachePromptComponent/__tests__/mustachePromptComponent.test.tsx:48
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality · fq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/frontend/src/modals/mustachePromptModal/__tests__/mustachePromptModal.test.tsx:66
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality · fq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/frontend/src/utils/stringManipulation.ts:223
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-quality · fq.dangerous-html
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — docs/src/theme/DownloadableJsonFile.js:4
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/frontend/src/controllers/API/queries/file-management/use-duplicate-file.ts:22
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/frontend/src/controllers/API/queries/file-management/use-get-download-file.ts:21
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/frontend/src/controllers/API/queries/file-management/use-get-download-files.ts:21
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/frontend/src/controllers/API/queries/files/use-download-files.ts:19
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/frontend/src/controllers/API/queries/flows/use-get-download-flows.ts:34
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — src/frontend/src/modals/apiModal/utils/__tests__/get-js-api-code.test.ts:60
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity · fragile-runtime · robustness
medium 9-layer frontend frontend-quality conf 1.00 Custom React Flow node registered without explicit width/height — src/frontend/src/pages/FlowPage/components/UpdateAllComponents/__tests__/index.test.tsx:214
When you register a custom node type via `nodeTypes`, the RFNode object you build must include `width` and `height` props. Without them, MiniMap renders ZERO mini-nodes for that type and `fitView` underestimates the bounds (cuts off lane labels, etc.). Add `width: …, height: …` to the node object. …
frontend-quality · fq.rfnode.no-dims
medium 9-layer frontend frontend-quality conf 1.00 Custom React Flow node registered without explicit width/height — src/frontend/src/utils/__tests__/cleanEdges.test.ts:301
When you register a custom node type via `nodeTypes`, the RFNode object you build must include `width` and `height` props. Without them, MiniMap renders ZERO mini-nodes for that type and `fitView` underestimates the bounds (cuts off lane labels, etc.). Add `width: …, height: …` to the node object. …
frontend-quality · fq.rfnode.no-dims
medium 9-layer hardware supply-chain conf 1.00 Docker base image uses a mutable or implicit tag: langflowai/langflow:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker_example/Dockerfile:1 supply-chain · docker · pinned-dependencies
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: docker_example/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security · container
medium 9-layer quality integrity conf 1.00 Frontend route `/dashboard` has no Link/navigate to it — src/frontend/src/hooks/__tests__/use-sanitize-redirect-url.test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `/playground/:id/` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `account` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `admin` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `all/` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `api-keys` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `components/` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `delete` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `flow/:id/` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `flows/` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `folder/:folderId/` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `folder/:folderId` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `general/:scrollId?` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `global-variables` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `knowledge-bases/:sourceId/chunks` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `knowledge-bases` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `login/admin` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `login` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `mcp-client` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `mcp-servers` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `mcp/` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `messages` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `model-providers` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `settings` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `shortcuts` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `signup` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `store/:id/` has no Link/navigate to it — src/frontend/src/customization/utils/custom-routes-store-pages.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `store` has no Link/navigate to it — src/frontend/src/customization/utils/custom-routes-store-pages.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer quality integrity conf 1.00 Frontend route `view` has no Link/navigate to it — src/frontend/src/routes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
integrity · orphan-page · wiring
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
ncipollo/release-action@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/create-release.yml:28 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/init@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql.yml:37 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/autobuild@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql.yml:51 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/analyze@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql.yml:64 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/style-check-py.yml:21 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:71 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:117 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:182 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:185 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:191 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:198 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:210 supply-chain · github-actions · pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:253 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:256 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:262 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:269 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:281 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:324 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:327 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build-v2.yml:333 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/nightly_build.yml:98 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release_bundles.yml:41 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release_bundles.yml:121 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release_bundles.yml:191 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release_nightly.yml:70 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release_nightly.yml:163 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release_nightly.yml:263 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release_nightly.yml:410 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release_nightly.yml:438 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peaceiris/actions-gh-pages@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deploy_gh-pages.yml:36 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
dorny/paths-filter@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:228 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:358 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
codecov/codecov-action@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:451 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/db-migration-validation.yml:53 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
Namchee/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/conventional-labels.yml:16 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/create-pull-request@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/gp-download.yml:79 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:194 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:247 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:296 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:346 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:416 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:485 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:595 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:64 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:100 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:103 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:109 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:116 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:129 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:160 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:195 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:198 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:204 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:211 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:224 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:255 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:290 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:293 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:299 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-nightly-build.yml:306 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/lint-py.yml:34 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/py_autofix.yml:21 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/py_autofix.yml:39 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/py_autofix.yml:90 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-lfx.yml:51 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-lfx.yml:101 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-lfx.yml:132 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-qemu-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-lfx.yml:215 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-lfx.yml:232 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-lfx.yml:235 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-lfx.yml:241 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/metadata-action@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-lfx.yml:249 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-lfx.yml:264 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
softprops/action-gh-release@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-lfx.yml:337 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:213 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:242 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:251 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:270 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:337 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:347 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:354 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:392 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/create-or-update-comment@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deploy-docs-draft.yml:150 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/create-or-update-comment@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deploy-docs-draft.yml:158 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/find-comment@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deploy-docs-draft.yml:169 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/create-or-update-comment@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deploy-docs-draft.yml:258 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/migration-validation.yml:39 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/lint-js.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/nightly_build.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/deploy-storybook.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/gp-download.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-lfx.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/docker-build.yml supply-chaingithub-actionsleast-privilege

Showing first 300 of 863. Refine filters or use the legacy findings page for deep search.


This page is publicly accessible at: https://repobility.com/scan/21f5a3bf-888a-438b-82df-af3a9dc3f48f/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/21f5a3bf-888a-438b-82df-af3a9dc3f48f/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.