Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

Top 5 patterns to fix first

Sorted by anomaly — patterns where this repo ranks worst against the corpus, weighted by severity. Fixing these brings the biggest improvement to your corpus percentile.

high 90th percentile (worse) self.attribute used but never assigned in __init__
25 instances in this repo · corpus median for python repos: 4 · seen in src/flask/config.py:124, src/flask/wrappers.py:206, src/flask/wrappers.py:205, …
high 75th percentile (worse) Phantom test coverage (assertion-free test)
25 instances in this repo · corpus median for python repos: 8 · seen in tests/test_cli.py:217, tests/test_config.py:132, tests/test_config.py:110, …
medium below median Bare except continues silently
4 instances in this repo · corpus median for python repos: 2 · seen in src/flask/cli.py:650, src/flask/cli.py:956, src/flask/app.py:1598, …
high top 10% FastAPI POST/PUT/DELETE/PATCH endpoint without auth
6 instances in this repo · corpus median for python repos: 63 · seen in examples/celery/src/task_app/views.py:30, examples/celery/src/task_app/views.py:36, examples/celery/src/task_app/views.py:22, …
high top 10% Weak Crypto
1 instance in this repo · corpus median for python repos: 4 · seen in src/flask/sessions.py:277
70 of your 88 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.89s · analysis 2.23s · 1.8 MB · GitHub preflight 425ms

pallets/flask

https://github.com/pallets/flask.git · scanned 2026-05-19 19:33 UTC (2 weeks, 2 days ago) · 10 languages

640 findings (88 legacy + 552 scanner) 92nd percentile · Python · small (2-20K LoC) Scanner says 68 (higher by 20)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 weeks, 2 days ago · v8 · 157 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
80.1
/100
Repobility
93
88 legacy
9-layer
68
88.9% cov · 69 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 100.0 0.15 15.00
security_score 90.4 0.25 22.60
testing_score 100.0 0.20 20.00
documentation_score 73.0 0.15 10.95
practices_score 82.0 0.15 12.30
code_quality 64.0 0.10 6.40
Overall 1.00 87.2
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 64 Medium 9 Low 63 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 88 9-layer 69 Crowd 0 Layer: Quality 108 Security 10 Software 23 Frontend 1 Cicd 1 Api 14
Scan summary Repository scanned at 67.7/100 with 88.9% coverage. It contains 1513 nodes across 14 cross-layer flows, written primarily in mixed languages. Engine surfaced 69 findings — concentrated in quality (25), software (23), api (14). Risk profile is high: 0 critical, 3 high, 3 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 89 of 157 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy quality quality conf 1.00 ✓ Repobility 90th percentile (worse) `self.blueprint` used but never assigned in __init__
Method `blueprints` of class `Request` reads `self.blueprint`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/flask/wrappers.py:190 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility 90th percentile (worse) `self.endpoint` used but never assigned in __init__
Method `blueprint` of class `Request` reads `self.endpoint`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/flask/wrappers.py:173 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility 90th percentile (worse) `self.files` used but never assigned in __init__
Method `_load_form_data` of class `Request` reads `self.files`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/flask/wrappers.py:206 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility 90th percentile (worse) `self.from_pyfile` used but never assigned in __init__
Method `from_envvar` of class `Config` reads `self.from_pyfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/flask/config.py:124 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility 90th percentile (worse) `self.mimetype` used but never assigned in __init__
Method `_load_form_data` of class `Request` reads `self.mimetype`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
src/flask/wrappers.py:205 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility 90th percentile (worse) `self.run` used but never assigned in __init__
Method `__call__` of class `FlaskTask` reads `self.run`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
examples/celery/src/task_app/__init__.py:33 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
src/flask/config.py:209 qualitylegacy
high 9-layer security auth conf 1.00 Flask mutation route `<anonymous>` without `@login_required` — src/flask/sansio/app.py:626
Flask route declares POST/PUT/DELETE/PATCH methods without an auth decorator. Add `@login_required` (Flask-Login) or equivalent.
src/flask/sansio/app.py:626 authowaspauth.flask.unauth_route
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in src/flask/cli.py:1023
Found a known-risky pattern (eval_used). Review and replace if possible.
src/flask/cli.py:1023 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in src/flask/config.py:209
Found a known-risky pattern (exec_used). Review and replace if possible.
src/flask/config.py:209 owaspexec_used
high Legacy quality quality conf 1.00 ✓ Repobility below median Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/flask/cli.py:650 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility below median Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/flask/cli.py:956 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility below median Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/flask/app.py:1598 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility below median Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
src/flask/app.py:1017 qualitylegacy
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
authlegacy
high Legacy security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 20.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 20.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
authlegacy
medium Legacy quality quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
src/flask/config.py:65 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
src/flask/app.py:663 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident.
Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly.
src/flask/sansio/scaffold.py:220 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident.
Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly.
src/flask/sansio/app.py:476 qualitylegacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt qualitylegacy
medium 9-layer security auth conf 1.00 Django CBV `MethodView` lacks `LoginRequiredMixin` — src/flask/views.py:138
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
src/flask/views.py:138 authauth.django.unauth_view
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/publish.yaml supply-chaingithub-actionsleast-privilege
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverageauth
low Legacy quality quality conf 1.00 ✓ Repobility top 10% [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
src/flask/cli.py:1036 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility top 10% [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
src/flask/sessions.py:277 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility top 10% FastAPI POST /add has no auth
Handler `add` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
examples/celery/src/task_app/views.py:22 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility top 10% FastAPI POST /block has no auth
Handler `block` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
examples/celery/src/task_app/views.py:30 qualitylegacy
high Legacy quality quality conf 0.80 ✓ Repobility top 10% FastAPI POST /process has no auth
Handler `process` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
examples/celery/src/task_app/views.py:36 qualitylegacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: examples/celery/make_celery.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/flask/__main__.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/flask/signals.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/flask/typing.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_apps/cliapp/app.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_apps/cliapp/importerrorapp.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_apps/cliapp/inner1/inner2/flask.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_apps/cliapp/multiapp.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_apps/helloworld/wsgi.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: examples/tutorial/flaskr/auth.py:login_required, examples/tutorial/flaskr/auth.py:login This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/wrappers.py:max_content_length, src/flask/wrappers.py:max_content_length This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/wrappers.py:max_form_memory_size, src/flask/wrappers.py:max_form_memory_size This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/wrappers.py:max_form_parts, src/flask/wrappers.py:max_form_parts This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/views.py:dispatch_request, src/flask/views.py:dispatch_request This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/views.py:view, src/flask/views.py:view This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/ctx.py:pop, src/flask/ctx.py:pop This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/ctx.py:copy_current_request_context, src/flask/ctx.py:copy This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/ctx.py:has_request_context, src/flask/ctx.py:has_request This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/app.py:wrapper, src/flask/app.py:wrapper This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/app.py:get_send_file_max_age, src/flask/blueprints.py:get_send_file_max_age This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/app.py:send_static_file, src/flask/blueprints.py:send_static_file This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/cli.py:decorator, src/flask/cli.py:decorator This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/cli.py:convert, src/flask/cli.py:convert This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/sessions.py:permanent, src/flask/sessions.py:permanent This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/sessions.py:open_session, src/flask/sessions.py:open_session This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/sessions.py:save_session, src/flask/sessions.py:save_session This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/flask/json/__init__.py:dumps, src/flask/json/__init__.py:dump This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/flask/cli.py:locate_app, src/flask/cli.py:locate_app, src/flask/cli.py:locate_app This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/flask/helpers.py:stream_with_context, src/flask/helpers.py:stream_with_context, src/flask/helpers.py:stream_with_context This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidat…
integrityduplicatedry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: close_db
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/tutorial/flaskr/db.py:23 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: from_blueprint
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/flask/sansio/blueprints.py:664 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: github_link
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docs/conf.py:72 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: has_app_context
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/flask/ctx.py:235 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: open_instance_resource
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/flask/app.py:447 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: register_template_filter
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/flask/sansio/blueprints.py:492 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: register_template_global
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/flask/sansio/blueprints.py:608 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: register_template_test
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/flask/sansio/blueprints.py:550 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: select_jinja_autoescape
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/flask/sansio/app.py:533 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: setup
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docs/conf.py:100 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: wrapper
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/flask/ctx.py:201 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: wrapper
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/flask/app.py:98 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: wrapper
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/flask/sansio/blueprints.py:240 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: wrapper_func
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
src/flask/sansio/scaffold.py:45 dead-code
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /
`examples/celery/src/task_app/__init__.py` declares `ANY /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /<any(xhr, jquery, fetch):js>
`examples/javascript/js_example/views.py` declares `ANY /<any(xhr, jquery, fetch):js>` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /<int:id>/delete
`examples/tutorial/flaskr/blog.py` declares `ANY /<int:id>/delete` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /<int:id>/update
`examples/tutorial/flaskr/blog.py` declares `ANY /<int:id>/update` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /add
`examples/javascript/js_example/views.py` declares `ANY /add` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /create
`examples/tutorial/flaskr/blog.py` declares `ANY /create` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /hello
`examples/tutorial/flaskr/__init__.py` declares `ANY /hello` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /login
`examples/tutorial/flaskr/auth.py` declares `ANY /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /logout
`examples/tutorial/flaskr/auth.py` declares `ANY /logout` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: ANY /register
`examples/tutorial/flaskr/auth.py` declares `ANY /register` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /result/<id>
`examples/celery/src/task_app/views.py` declares `GET /result/<id>` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /add
`examples/celery/src/task_app/views.py` declares `POST /add` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /block
`examples/celery/src/task_app/views.py` declares `POST /block` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /process
`examples/celery/src/task_app/views.py` declares `POST /process` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer quality complexity conf 1.00 Very large file: src/flask/app.py (1625 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: tests/test_basic.py (1970 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility top 10% [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
src/flask/config.py:331 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/236d5297-cc82-4271-839f-d82abeafbe5c/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/236d5297-cc82-4271-839f-d82abeafbe5c/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.