Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
92 of your 110 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.58s · analysis 1.41s · 5.3 MB · GitHub API rate-limit (preflight)

Thysrael/Horizon

https://github.com/Thysrael/Horizon · scanned 2026-05-24 01:19 UTC (1 week, 5 days ago) · 10 languages

246 findings (106 legacy + 140 scanner) 98th percentile · Python · small (2-20K LoC) Scanner says 85 (higher by 7)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 5 days ago · v5 · 137 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
91.1
/100
Repobility
97
106 legacy
9-layer
85
100.0% cov · 31 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 100.0 0.15 15.00
security_score 98.8 0.25 24.70
testing_score 100.0 0.20 20.00
documentation_score 99.0 0.15 14.85
practices_score 77.0 0.15 11.55
code_quality 57.6 0.10 5.76
Overall 1.00 91.9
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 87 Medium 11 Low 27 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 106 9-layer 31 Crowd 0 Layer: Quality 102 Software 17 Cicd 12 Api 1 Hardware 3 Frontend 1 Security 1
Scan summary Repository scanned at 85.3/100 with 100.0% coverage. It contains 731 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 31 findings — concentrated in quality (9), software (8), cicd (8). Risk profile is low: 0 critical, 0 high, 7 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 95 of 137 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `platform` used but not imported
The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.
src/services/webhook.py:191 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `warnings` used but not imported
The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
src/mcp/service.py:184 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
src/ai/utils.py:18 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
src/services/webhook_cli.py:206 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
src/main.py:74 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED020] Logging Credential Via Fstring: logger.error(f"failed for {api_key}") — secrets end up in log aggregators / sentry.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
src/services/email.py:46 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._analyze_content` used but never assigned in __init__
Method `run` of class `HorizonOrchestrator` reads `self._analyze_content`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:90 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._determine_time_window` used but never assigned in __init__
Method `run` of class `HorizonOrchestrator` reads `self._determine_time_window`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:70 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._enrich_important_items` used but never assigned in __init__
Method `run` of class `HorizonOrchestrator` reads `self._enrich_important_items`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:127 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._expand_twitter_discussion` used but never assigned in __init__
Method `run` of class `HorizonOrchestrator` reads `self._expand_twitter_discussion`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:115 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._fetch_with_progress` used but never assigned in __init__
Method `fetch_all_sources` of class `HorizonOrchestrator` reads `self._fetch_with_progress`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:280 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._fetch_with_progress` used but never assigned in __init__
Method `fetch_all_sources` of class `HorizonOrchestrator` reads `self._fetch_with_progress`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:275 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._fetch_with_progress` used but never assigned in __init__
Method `fetch_all_sources` of class `HorizonOrchestrator` reads `self._fetch_with_progress`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:270 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._fetch_with_progress` used but never assigned in __init__
Method `fetch_all_sources` of class `HorizonOrchestrator` reads `self._fetch_with_progress`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:265 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._fetch_with_progress` used but never assigned in __init__
Method `fetch_all_sources` of class `HorizonOrchestrator` reads `self._fetch_with_progress`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:260 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._fetch_with_progress` used but never assigned in __init__
Method `fetch_all_sources` of class `HorizonOrchestrator` reads `self._fetch_with_progress`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:255 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._fetch_with_progress` used but never assigned in __init__
Method `fetch_all_sources` of class `HorizonOrchestrator` reads `self._fetch_with_progress`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:250 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._fetch_with_progress` used but never assigned in __init__
Method `fetch_all_sources` of class `HorizonOrchestrator` reads `self._fetch_with_progress`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:245 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._sub_source_label` used but never assigned in __init__
Method `_fetch_with_progress` of class `HorizonOrchestrator` reads `self._sub_source_label`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:313 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._sub_source_label` used but never assigned in __init__
Method `run` of class `HorizonOrchestrator` reads `self._sub_source_label`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:120 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.fetch_all_sources` used but never assigned in __init__
Method `run` of class `HorizonOrchestrator` reads `self.fetch_all_sources`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:74 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.merge_cross_source_duplicates` used but never assigned in __init__
Method `run` of class `HorizonOrchestrator` reads `self.merge_cross_source_duplicates`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:82 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.merge_topic_duplicates` used but never assigned in __init__
Method `run` of class `HorizonOrchestrator` reads `self.merge_topic_duplicates`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/orchestrator.py:106 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/deploy-docs.yml:18 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/daily-summary.yml:16 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-python` pinned to mutable ref `@v5`
`uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/daily-summary.yml:19 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `astral-sh/setup-uv` pinned to mutable ref `@v3`
`uses: astral-sh/setup-uv@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/daily-summary.yml:24 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`
`uses: peaceiris/actions-gh-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/deploy-docs.yml:21 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v4`
`uses: peaceiris/actions-gh-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/daily-summary.yml:43 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Dockerfile FROM `python:3.11-slim` not pinned by digest
`FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Dockerfile:2 dependencylegacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
src/services/webhook_cli.py:29 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/setup/ai_recommend.py:44 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/search.py:19 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
src/ai/enricher.py:75 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/ai/analyzer.py:53 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/ai/enricher.py:52 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/ai/enricher.py:128 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/ai/enricher.py:85 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/ai/client.py:319 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/ai/client.py:186 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/scrapers/rss.py:142 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/mcp/service.py:585 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/mcp/server.py:389 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/mcp/server.py:367 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/mcp/server.py:345 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/mcp/server.py:323 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/mcp/server.py:301 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/mcp/server.py:117 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/mcp/server.py:101 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/services/webhook_cli.py:209 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/setup/ai_recommend.py:49 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/main.py:66 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/main.py:77 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/search.py:48 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/search.py:23 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/orchestrator.py:502 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/orchestrator.py:171 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/orchestrator.py:432 qualitylegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
Dockerfile:2 dockerlegacy
high Legacy quality quality conf 0.80 localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
docs/assets/js/horizon.js:109 qualitylegacy
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/daily-summary.yml:24 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peaceiris/actions-gh-pages@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/daily-summary.yml:43 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peaceiris/actions-gh-pages@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deploy-docs.yml:21 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/daily-summary.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/deploy-docs.yml supply-chaingithub-actionsleast-privilege
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverageauth
low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore dockerlegacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
docker-compose.yml:1 dockerlegacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml:1 dockerlegacy
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coveragedeployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.11-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:2 supply-chaindockerpinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/ai/prompts.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/setup/prompts.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/conftest.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/daily-summary.yml:16 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/daily-summary.yml:19 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deploy-docs.yml:18 supply-chaingithub-actionspinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `model_copy` in src/mcp/horizon_adapter.py:197
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `model_copy` in src/services/webhook_cli.py:98
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `model_copy` in src/setup/wizard.py:304
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/ai/summarizer.py:generate_summary, src/ai/summarizer.py:generate_webhook_overview This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/services/webhook.py:print, src/services/email.py:print This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/services/webhook.py:build_daily_summary_messages, src/services/webhook.py:send_daily_summary This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're se…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 5 places
Functions with the same first-5-line body hash: src/ai/client.py:complete, src/ai/client.py:complete, src/ai/client.py:complete, src/ai/client.py:complete This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why …
integrityduplicatedry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: collect_sources_from_domains
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/setup/presets.py:181 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: match_domains
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/setup/presets.py:137 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: reset_usage
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/ai/tokens.py:64 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: resolve_tag_alias
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/setup/tag_aliases.py:116 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: search_related
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/search.py:66 dead-code
low 9-layer quality complexity conf 1.00 Very large file: tests/test_webhook.py (1622 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
src/services/email.py:49 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
src/mcp/run_store.py:24 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
src/mcp/horizon_adapter.py:31 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
src/mcp/errors.py:9 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/232cd5aa-f1f3-48cd-a1c5-3b1fd6cfbaab/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/232cd5aa-f1f3-48cd-a1c5-3b1fd6cfbaab/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.