269 of your 4448 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 18.97s · analysis 20.52s · 49.8 MB · GitHub API rate-limit (preflight)

google/oss-fuzz

https://github.com/google/oss-fuzz · scanned 2026-06-05 14:28 UTC (5 days, 4 hours ago) · 10 languages

10219 raw signals (4417 security + 5802 graph) · 11/13 scanners ran · 41st percentile · Python · large (100-500K LoC) · System graph score 54 (higher by 19)


Complete repo analysis

Last scanned 5 days, 4 hours ago · v2 · 1638 actionable findings from 2 signal sources. 5654 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 40.0 0.15 6.00
security_score 100.0 0.25 25.00
testing_score 46.0 0.20 9.20
documentation_score 100.0 0.15 15.00
practices_score 79.0 0.15 11.85
code_quality 61.0 0.10 6.10
Overall 1.00 73.1
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests
Scan summary: Quality grade B (73/100). Dimensions: security 100, maintainability 40. 4417 findings (97 security). 145,983 lines analyzed.

Showing 1553 of 1638 actionable findings. 7292 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED007] Sql String Concat: cursor.execute(f"... {user_input} ...") — SQL injection.
Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context.
infra/bisector.py:146
critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
Review and fix per the pattern semantics. See CWE-502 for context.
projects/multidict/fuzz_md.py:101
high Security checks quality Quality conf 1.00 ✓ Repobility 15 occurrences [MINED107] Missing import: `string` used but not imported: The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
Add `import string` at the top of the file.
12 files, 13 locations
projects/msal/fuzz_tokencache.py:24, 26 (2 hits)
infra/utils.py:202
projects/flask/cors_fuzz_flask.py:115
projects/gitdb/fuzz_gitdb.py:55
projects/jinja2/fuzz_jinja_compile_templates.py:27
projects/olefile/fuzz_reader.py:36
projects/opencensus-python/fuzz_trace.py:52
projects/oscrypto/fuzz_asymmetric_load.py:26
critical Security checks quality Quality conf 1.00 [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
projects/multidict/fuzz_md.py:101
critical Security checks security Deserialization conf 1.00 [SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) leading to RCE.
Avoid native Java serialization entirely. Use JSON (Jackson with default-typing OFF) or a length-limited Protobuf. If you must, set up a SerialKiller / lookahead-deserializer with a class allowlist.
projects/apache-commons-lang/SerializationUtilsFuzzer.java:38
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 2 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
lines 32, 46
.github/workflows/cflite_pr.yml:32, 46 (2 hits)
CI/CD security · workflow secrets · GitHub Actions
critical System graph security Secrets conf 1.00 Possible secret in projects/spring-security/InMemoryUserDetailsManagerChangePasswordFuzzer.java
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
projects/spring-security/InMemoryUserDetailsManagerChangePasswordFuzzer.java:34
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
projects/digest/fuzz_digest.py:29
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.
infra/base-images/base-builder/install_rust.sh:18
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic.
Review and fix per the pattern semantics. See CWE-78 for context.
infra/experimental/SystemSan/target.cpp:26
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED036] Python Os System Call: os.system() invokes shell with no escaping.
Review and fix per the pattern semantics. See CWE-78 for context.
projects/github_scarecrow/shell_injection_poc_fuzzer.py:32
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_add_secret_version: Test function `test_add_secret_version` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/g-api-secret-manager/fuzz_client.py:30
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_checksum: Test function `test_checksum` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/g-api-resumable-media-python/fuzz_uploader.py:58
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_create_tag_value: Test function `test_create_tag_value` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/g-api-resource-manager/fuzz_tag_values_client.py:54
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_decoding: Test function `test_decoding` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/pyjwt/fuzz_jwt.py:25
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_delete_tag_value: Test function `test_delete_tag_value` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/g-api-resource-manager/fuzz_tag_values_client.py:75
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_flatten: Test function `test_flatten` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/glom/fuzz_reduction.py:23
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_get_iam_policy: Test function `test_get_iam_policy` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/g-api-resource-manager/fuzz_tag_values_client.py:85
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_get_tag_value: Test function `test_get_tag_value` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/g-api-resource-manager/fuzz_tag_values_client.py:35
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_merge: Test function `test_merge` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/glom/fuzz_reduction.py:33
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_multipart: Test function `test_multipart` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/g-api-resumable-media-python/fuzz_uploader.py:27
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_one: Test function `test_one` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/httpretty/fuzz_httpretty_e2e.py:22
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_one_input: Test function `test_one_input` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/tomlkit/fuzz_dumps.py:21
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_set_iam_policy: Test function `test_set_iam_policy` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/g-api-resource-manager/fuzz_tag_values_client.py:98
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_simple: Test function `test_simple` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/g-api-resumable-media-python/fuzz_uploader.py:23
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_update_tag_value: Test function `test_update_tag_value` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
projects/g-api-resource-manager/fuzz_tag_values_client.py:64
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED110] Blocking call `time.sleep` inside async function `run_agent_loop`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.
Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`.
infra/experimental/mcp/client.py:204
high Security checks software dependencies conf 0.90 ✓ Repobility 25 occurrences [MINED118] Dockerfile FROM `gcr.io/oss-fuzz-base/base-builder-python:v1` not pinned by digest: `FROM gcr.io/oss-fuzz-base/base-builder-python:v1` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM gcr.io/oss-fuzz-base/base-builder-python:v1@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
12 files, 12 locations
.clusterfuzzlite/Dockerfile:14
infra/build_fuzzers.Dockerfile:18
infra/build_fuzzers.ubuntu-24-04.Dockerfile:18
infra/run_fuzzers.Dockerfile:18
infra/run_fuzzers.ubuntu-24-04.Dockerfile:18
projects/angular/Dockerfile:16
projects/cubefs/Dockerfile:16
projects/dropbear/Dockerfile:16
high Security checks software dependencies conf 0.90 ✓ Repobility 25 occurrences [MINED119] Dockerfile `ADD https://raw.githubusercontent.com/google/fuzzing/master/dictionaries/png.dict`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between layers — or if the URL serves a different file later — malicious content gets baked into the image.
Download the file in CI with a known checksum, vendor it into the repo, and COPY it during the build. Or use `RUN curl -sSL URL | sha256sum -c <(echo '<expected> -')` to verify.
12 files, 22 locations
projects/suricata/Dockerfile:21, 22, 23, 25, 29 (5 hits)
projects/libraw/Dockerfile:21, 23, 24 (3 hits)
projects/ntopng/Dockerfile:36, 39, 41 (3 hits)
projects/cairo/Dockerfile:26, 28 (2 hits)
projects/dlplibs/Dockerfile:22, 30 (2 hits)
projects/ecc-diff-fuzzer/Dockerfile:43
projects/fuzzing-puzzles/Dockerfile:19
projects/gonids/Dockerfile:19
high Security checks security path traversal conf 0.80 3 occurrences [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
3 files, 3 locations
infra/base-images/base-runner/profraw_update.py:168
projects/giflib/dgif_fuzz_common.cc:28
projects/nfstream/pcap_fuzzer.py:26
high Security checks software Xxe conf 1.00 3 occurrences [SEC024] XML External Entity (XXE) — Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack.
Disable DTDs and external entities before parsing: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities"…
3 files, 3 locations
projects/apache-commons-jxpath/JXPathFuzzer.java:39
projects/dom4j/DOMReaderFuzzer.java:36
projects/hamcrest/HamcrestFuzzer.java:273
high Security checks security Deserialization conf 1.00 3 occurrences [SEC102] Jackson default typing / polymorphic deserialization enabled: Jackson with default typing enabled allows attacker-supplied JSON to instantiate arbitrary classes. Pattern behind many SpringBoot RCEs.
Disable default typing. If polymorphism is needed, use JsonTypeInfo.Id.NAME with explicit @JsonSubTypes annotations or PolymorphicTypeValidator. Never use Id.CLASS or Id.MINIMAL_CLASS.
3 files, 3 locations
projects/jackson-datatype-joda/JodaDeserializerFuzzer.java:117
projects/jackson-datatypes-collections/EclipseCollectionsSerializerFuzzer.java:173
projects/jackson-datatypes-collections/GuavaDeserializerFuzzer.java:121
high Security checks cicd CI/CD security conf 0.92 8 occurrences Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
8 files, 8 locations
projects/cloud-custodian/Dockerfile:20
projects/connectedhomeip/Dockerfile:27
projects/cryptography/Dockerfile:22
projects/jsch/Dockerfile:50
projects/libcst/Dockerfile:20
projects/nbclassic/Dockerfile:18
projects/orjson/Dockerfile:25
projects/unblob/Dockerfile:20
CI/CD security · containers
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 32 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
9 files, 32 locations
.github/workflows/pr_helper.yml:19, 21, 34, 49, 62 (9 hits)
.github/workflows/infra_tests.yml:21, 28, 34 (5 hits)
.github/workflows/check_base_os.yml:29, 45 (4 hits)
.github/workflows/index_build_tests.yml:21, 28 (3 hits)
.github/workflows/presubmit.yml:20, 28 (3 hits)
.github/workflows/project_tests.yml:56, 74 (3 hits)
.github/workflows/codeql-analysis.yml:26 (2 hits)
.github/workflows/ubuntu_version_sync.yml:32 (2 hits)
CI/CD security · Supply chain · GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 11 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `google/clusterfuzzlite/actions/build_fuzzers` pinned to mutable ref `@v1`: `uses: google/clusterfuzzlite/actions/build_fuzzers@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) insta…
3 files, 11 locations
.github/workflows/codeql-analysis.yml:30, 41, 55 (6 hits)
.github/workflows/cflite_pr.yml:24, 37 (4 hits)
.github/workflows/infra_tests.yml:45
CI/CD security · Supply chain · GitHub Actions
high System graph quality Integrity conf 1.00 Blocking `time.sleep(...)` inside `async def run_agent_loop` — infra/experimental/mcp/client.py:204
Sync I/O inside an async function blocks the event loop. While `time.sleep(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_thre…
infra/experimental/mcp/client.py:204
Sync io in async · Performance
high System graph hardware Supply chain conf 1.00 8 occurrences Dockerfile pipes a remote installer into a shell
Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.
8 files, 8 locations
projects/cloud-custodian/Dockerfile:20
projects/connectedhomeip/Dockerfile:27
projects/cryptography/Dockerfile:22
projects/jsch/Dockerfile:50
projects/libcst/Dockerfile:20
projects/nbclassic/Dockerfile:18
projects/orjson/Dockerfile:25
projects/unblob/Dockerfile:20
containers · Remote installer
high System graph security auth conf 1.00 Flask mutation route `post_json` without `@login_required` — projects/flask/fuzz_json.py:35
Flask route declares POST/PUT/DELETE/PATCH methods without an auth decorator. Add `@login_required` (Flask-Login) or equivalent.
projects/flask/fuzz_json.py:35
security · Auth flask unauth route
high System graph security security conf 1.00 Insecure pattern 'eval_used' in projects/asteval/fuzz_eval.py:31
Found a known-risky pattern (eval_used). Review and replace if possible.
projects/asteval/fuzz_eval.py:31
Eval used
low Security checks quality Error handling conf 1.00 3 occurrences [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
3 files, 3 locations
infra/base-images/base-builder/sanitizers/pysecsan/pysecsan/yaml_deserialization.py:23
infra/chronos/integrity_validator_check_replay.py:47
projects/cloud-custodian/fuzz_query_parser.py:35
medium Security checks quality Error handling conf 1.00 3 occurrences [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
3 files, 3 locations
projects/angular/compiler/fuzz_tests/fuzz_parse_template.js:27
projects/angular/compiler/fuzz_tests/fuzz_parser.js:59
projects/node-xml2js/fuzz_parseString.js:50
medium Security checks software dependencies conf 0.90 ✓ Repobility [MINED124] requirements.txt: `logfire` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `logfire` with `logfire==<version>` and manage upgrades through PRs / Dependabot.
infra/experimental/mcp/requirements.txt:3
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
projects/multidict/fuzz_md.py:101
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
projects/js-yaml/fuzz.js:28
medium Security checks security path traversal conf 1.00 3 occurrences [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
3 files, 3 locations
infra/base-images/base-builder/python_coverage_helper.py:64
infra/cifuzz/filestore/github_actions/__init__.py:133
infra/cifuzz/http_utils.py:59
medium Security checks quality Quality conf 1.00 [SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces — exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0).
Bind to `127.0.0.1:PORT` and front with a reverse proxy.
projects/grpc-go/fuzz_hello.go:27
medium Security checks quality Quality conf 1.00 [SEC094] Go: world-writable file permissions: File or directory created with world-writable mode (e.g. 0666, 0777). Ported from gosec G301 / G302 / G306 (Apache-2.0).
Use 0600 for files, 0700 for dirs that should be private.
projects/fabric/persistence_fuzzer.go:36
medium Security checks security Security conf 1.00 [SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.
Use 0600 (owner rw only) for secrets, 0644 for general files, 0700 for directories with secrets. Java: `setReadable(true, true)` (owner-only).
infra/base-images/base-builder/make_build_replayable.py:59
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
projects/hsqldb/build.sh:19
low Security checks quality Error handling conf 0.55 ✓ Repobility 25 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
12 files, 14 locations
infra/retry.py:81, 98 (2 hits)
projects/flask-restx/fuzz_reqparse.py:30, 42 (2 hits)
infra/pr_helper.py:54
projects/aiohttp/fuzz_web_request.py:34
projects/asttokens/fuzz_asttokens.py:26
projects/decorator/fuzz_funcmarker.py:35
projects/flask/cors_fuzz_flask.py:78
projects/g-api-python-bigquery-storage/fuzz_avroparser.py:32
Error handling · quality
high Security checks cicd CI/CD security conf 0.82 1337 occurrences Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
12 files, 12 locations
.clusterfuzzlite/Dockerfile:15
infra/base-images/base-builder-fuzzbench/Dockerfile:17
infra/base-images/base-builder-go/Dockerfile:17
infra/base-images/base-builder-javascript/Dockerfile:17
infra/base-images/base-builder-jvm/Dockerfile:59
infra/base-images/base-builder-python/Dockerfile:17
infra/base-images/base-builder-ruby/Dockerfile:17
infra/base-images/base-builder-rust/Dockerfile:17
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.84 52 occurrences Dockerfile ADD downloads remote content
Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files.
12 files, 34 locations
projects/suricata/Dockerfile:21, 22, 23, 25, 30 (5 hits)
infra/base-images/base-builder/Dockerfile:193, 194, 195, 196 (4 hits)
projects/ntopng/Dockerfile:37, 39, 41, 43 (4 hits)
projects/gdk-pixbuf/Dockerfile:39, 40, 41 (3 hits)
projects/libraw/Dockerfile:22, 23, 24 (3 hits)
projects/zydis/Dockerfile:19, 21, 23 (3 hits)
projects/cairo/Dockerfile:27, 28 (2 hits)
projects/dlplibs/Dockerfile:22, 30 (2 hits)
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.94 Dockerfile base image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
projects/joda-convert/Dockerfile:17
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.76 8 occurrences Dockerfile copies broad context with incomplete .dockerignore
Tighten .dockerignore or replace COPY . with explicit COPY statements.
8 files, 8 locations
.clusterfuzzlite/Dockerfile:16
infra/build/functions/trial_build/Dockerfile:20
infra/cifuzz/test_data/external-project/.clusterfuzzlite/Dockerfile:20
infra/experimental/SystemSan/PoEs/node-shell-quote-v1.7.3/Dockerfile:32
infra/experimental/SystemSan/PoEs/pytorch-lightning-1.5.10/Dockerfile:29
infra/indexer/Dockerfile:5
projects/spring-boot/Dockerfile:32
projects/spring-framework/Dockerfile:36
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.90 Dockerfile installs dependencies after copying the full source tree
Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree.
infra/cifuzz/cifuzz-base/Dockerfile:39
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.90 Dockerfile installs dependencies after copying the full source tree
Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree.
infra/build/functions/trial_build/Dockerfile:21
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.86 24 occurrences Dockerfile separates apt update from install
Combine update and install in the same RUN instruction and clean package indexes in that layer.
12 files, 12 locations
infra/uploader/Dockerfile:3
projects/bincode/Dockerfile:17
projects/cloud-hypervisor/Dockerfile:19
projects/envoy/Dockerfile:23
projects/esp-v2/Dockerfile:21
projects/inih/Dockerfile:17
projects/iroha/Dockerfile:19
projects/jetty/Dockerfile:43
CI/CD security · containers
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
projects/bignum-fuzzer/build.sh:19
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
infra/base-images/base-builder/install_rust.sh:18
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: gcr.io/cloud-builders/gcloud
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/experimental/chronos/Dockerfile:16
containers · Pinned dependencies
medium System graph hardware Supply chain conf 1.00 449 occurrences Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-builder
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
12 files, 12 locations
infra/base-images/base-builder-fuzzbench/Dockerfile:16
infra/base-images/base-builder-go/Dockerfile:16
infra/base-images/base-builder-javascript/Dockerfile:16
infra/base-images/base-builder-jvm/Dockerfile:16
infra/base-images/base-builder-python/Dockerfile:16
infra/base-images/base-builder-ruby/Dockerfile:16
infra/base-images/base-builder-rust/Dockerfile:16
infra/base-images/base-builder-swift/Dockerfile:16
containers · Pinned dependencies
medium System graph hardware Supply chain conf 1.00 129 occurrences Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-builder-go
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
12 files, 12 locations
projects/atomic/Dockerfile:16
projects/blackfriday/Dockerfile:16
projects/boringssl/Dockerfile:16
projects/burntsushi-toml/Dockerfile:16
projects/caddy/Dockerfile:16
projects/cascadia/Dockerfile:16
projects/cel-go/Dockerfile:16
projects/cert-manager/Dockerfile:16
containers · Pinned dependencies
medium System graph hardware Supply chain conf 1.00 27 occurrences Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-builder-javascript
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
12 files, 12 locations
projects/angular/Dockerfile:16
projects/canvg/Dockerfile:16
projects/closure-library/Dockerfile:16
projects/d3/Dockerfile:16
projects/fast-xml-parser/Dockerfile:16
projects/fastify/Dockerfile:16
projects/javascript-example/Dockerfile:16
projects/jimp/Dockerfile:16
containers · Pinned dependencies
medium System graph hardware Supply chain conf 1.00 190 occurrences Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-builder-jvm
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
12 files, 12 locations
projects/angus-mail/Dockerfile:16
projects/antlr3-java/Dockerfile:16
projects/antlr4-java/Dockerfile:16
projects/apache-axis2/Dockerfile:16
projects/apache-commons-bcel/Dockerfile:16
projects/apache-commons-beanutils/Dockerfile:16
projects/apache-commons-cli/Dockerfile:16
projects/apache-commons-codec/Dockerfile:16
containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-builder-jvm:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
projects/joda-convert/Dockerfile:16 containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 237 occurrences Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-builder-python
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
12 files, 12 locations
infra/experimental/SystemSan/PoEs/pytorch-lightning-1.5.10/Dockerfile:16
projects/abseil-py/Dockerfile:15
projects/adal/Dockerfile:16
projects/aiohttp/Dockerfile:16
projects/airflow/Dockerfile:16
projects/aniso8601/Dockerfile:15
projects/argcomplete/Dockerfile:15
projects/arrow-py/Dockerfile:16
containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-builder-ruby
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
projects/ox-ruby/Dockerfile:16 containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-builder-ruby
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/base-images/base-runner/Dockerfile:26 containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 83 occurrences Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-builder-rust
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
12 files, 12 locations
projects/anise/Dockerfile:16
projects/askama/Dockerfile:16
projects/bincode/Dockerfile:16
projects/bls-signatures/Dockerfile:16
projects/bson-rust/Dockerfile:16
projects/chrono/Dockerfile:16
projects/clamav/Dockerfile:16
projects/cloud-hypervisor/Dockerfile:16
containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-clang
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/base-images/base-builder/Dockerfile:16 containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-clang
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/base-images/base-runner/Dockerfile:25 containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-clang-full
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/indexer/Dockerfile:1 containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 3 occurrences Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-image
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
2 files, 3 locations
infra/base-images/base-runner/Dockerfile:19, 34 (2 hits)
infra/base-images/base-clang/Dockerfile:18
containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-runner
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/base-images/base-runner-debug/Dockerfile:16 containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: gcr.io/oss-fuzz-base/base-runner
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
infra/cifuzz/cifuzz-base/Dockerfile:16 containers Pinned dependencies
medium System graph hardware Supply chain conf 1.00 52 occurrences Dockerfile ADD downloads remote content without checksum
Remote build inputs can change or be replaced upstream. Use Dockerfile ADD --checksum or download with an explicit digest/signature verification step.
12 files, 34 locations
projects/suricata/Dockerfile:21, 22, 23, 25, 29 (5 hits)
infra/base-images/base-builder/Dockerfile:193, 194, 195, 196 (4 hits)
projects/ntopng/Dockerfile:36, 39, 41, 43 (4 hits)
projects/gdk-pixbuf/Dockerfile:38, 40, 41 (3 hits)
projects/libraw/Dockerfile:21, 23, 24 (3 hits)
projects/zydis/Dockerfile:18, 21, 23 (3 hits)
projects/cairo/Dockerfile:26, 28 (2 hits)
projects/dlplibs/Dockerfile:22, 30 (2 hits)
containers Checksum
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-builder-fuzzbench/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-builder-go/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-builder-javascript/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-builder-python/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-builder-ruby/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-builder-rust/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-builder-swift/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-builder/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-clang/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-image/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-runner-debug/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/base-images/base-runner/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/cifuzz/cifuzz-base/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/experimental/chronos/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/experimental/SystemSan/PoEs/node-shell-quote-v1.7.3/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/experimental/SystemSan/PoEs/pytorch-lightning-1.5.10/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/indexer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: infra/uploader/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/abseil-cpp/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/abseil-py/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/ada-url/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/adal/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/aiohttp/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/airflow/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/alembic/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/ampproject/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/angle/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/angular/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/angus-mail/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/anise/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/aniso8601/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/ansible/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/antlr3-java/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/antlr4-java/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-axis2/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-bcel/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-beanutils/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-cli/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-codec/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-collections/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-compress/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-configuration/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-csv/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-fileupload/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-geometry/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-imaging/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-io/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-jxpath/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-lang/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-logging/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-math/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-net/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-text/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-commons-validator/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-cxf/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-felix-dev/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-httpd/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-logging-log4cxx/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-poi/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/apache-tika/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/aptos-core/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/archaius-core/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/arduinojson/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/argcomplete/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/argo/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/args/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/args4j/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/arrow-java/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/arrow-py/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/arrow/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/askama/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/asn1crypto/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/aspectj/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/aspell/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/assimp/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/astc-encoder/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/asteval/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/astro-compiler/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/astroid/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/asttokens/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/async-http-client/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/atomic/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/attrs/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/augeas/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/autoflake/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/autopep8/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/avahi/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/avro/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/azure-sdk-for-python/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/babel/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bad_example/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bazel-rules-fuzzing-test-java/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bazel-rules-fuzzing-test/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bc-gh/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bc-java/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bearssl/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/behaviortreecpp/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bignum-fuzzer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bincode/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bind9/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/binutils/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bios-bmc-smm-error-logger/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bitcoin-core/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/black/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/blackfriday/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bleach/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bloaty/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bls-signatures/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bluez/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bmcweb/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/boost-beast/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/boost-json/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/boost/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/boringssl/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/botan/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/botocore/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bottleneck/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/brotli-java/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/brotli/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/brpc/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/brunsli/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bs4/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bson-rust/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/burntsushi-toml/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bz2file/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/bzip2/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/c-ares/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/c-blosc/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/c-blosc2/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cachetools/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/caddy/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/caffeine/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cairo/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/calcite-avatica/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/calcite/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/canvg/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/capnproto/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/capstone/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cascadia/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/casync/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cbor-java/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cbor2/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cctz/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cel-cpp/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cel-go/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cert-manager/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cfengine/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cffi/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cgif/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cglib/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/chardet/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/charset_normalizer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/checker-framework/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/checkstyle/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/chrono/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cifuzz-example/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cilium/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/circl/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/civetweb/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cjson/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/clamav/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/clib/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/click/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/clickhouse/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/clock/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/closure-compiler/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/closure-library/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cloud-custodian/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cloud-hypervisor/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cmake/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cmark/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cockroachdb/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/compress/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/config-validator/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/configparser/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/connectedhomeip/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/connexion/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/containerd/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cosign/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cosmos-sdk/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/coturn/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/coveragepy/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cpp-httplib/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cppcheck/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cppitertools/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cpuinfo/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cpython3/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cras/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cri-o/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/croaring/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cron-utils/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/croniter/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/crossplane/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/crosvm/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/crow/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cryptofuzz/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cryptography/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cryptsetup/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cssselect/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cubefs/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cups-filters/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cups/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/curl/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/curvesapi/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cxxopts/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/cyclonedds/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/d3/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/dapr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/dart/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/dask/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/data-encoding/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/dateparser/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/dav1d/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/dbus-broker/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/dcmtk/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/decorator/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/defusedxml/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/demangle/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/deno/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/dgraph/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/digest/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/dill/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: projects/distlib/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container

Showing first 300 of 1553. Refine filters or use the findings page for deep search.

API access

This page is publicly accessible at: https://repobility.com/scan/22b9aba9-65f4-441a-acc2-731e6f06fa5a/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/22b9aba9-65f4-441a-acc2-731e6f06fa5a/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.