pallets/flask

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

Top 5 patterns to fix first

Sorted by anomaly — patterns where this repo ranks worst against the corpus, weighted by severity. Fixing these brings the biggest improvement to your corpus percentile.

high 90th percentile (worse) self.attribute used but never assigned in __init__

25 instances in this repo · corpus median for python repos: 4 · seen in src/flask/config.py:124, src/flask/wrappers.py:206, src/flask/wrappers.py:205, …

high 75th percentile (worse) Phantom test coverage (assertion-free test)

25 instances in this repo · corpus median for python repos: 8 · seen in tests/test_cli.py:217, tests/test_config.py:132, tests/test_config.py:110, …

medium below median Bare except continues silently

4 instances in this repo · corpus median for python repos: 2 · seen in src/flask/cli.py:650, src/flask/cli.py:956, src/flask/app.py:1598, …

high top 10% FastAPI POST/PUT/DELETE/PATCH endpoint without auth

6 instances in this repo · corpus median for python repos: 63 · seen in examples/celery/src/task_app/views.py:30, examples/celery/src/task_app/views.py:36, examples/celery/src/task_app/views.py:22, …

high top 10% Weak Crypto

1 instance in this repo · corpus median for python repos: 4 · seen in src/flask/sessions.py:277

70 of your 88 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.89s · analysis 2.23s · 1.8 MB · GitHub preflight 425ms

https://github.com/pallets/flask.git · scanned 2026-05-19 19:33 UTC (2 weeks, 2 days ago) · 10 languages

640 findings (88 legacy + 552 scanner) 94th percentile · Python · small (2-20K LoC) Scanner says 68 (higher by 20)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 weeks, 2 days ago · v8 · 157 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	100.0	0.15	15.00
`security_score`	90.4	0.25	22.60
`testing_score`	100.0	0.20	20.00
`documentation_score`	73.0	0.15	10.95
`practices_score`	82.0	0.15	12.30
`code_quality`	64.0	0.10	6.40
Overall		1.00	87.2

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 0 High 64 Medium 9 Low 63 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 88 9-layer 69 Crowd 0 Layer: Quality 108 Security 10 Software 23 Frontend 1 Cicd 1 Api 14

Exclude dismissed / FP Exclude test files

Top 10 actions, ranked by impact × ease. Severity drives impact; tag-based fix-clarity drives ease.

Flask mutation route `<anonymous>` without `@login_required` — src/flask/sansio/app.py:626

GapSeverity.HIGH Layer.SECURITY score 0.525

Why: high severity · OWASP-class risk

Fix: Add `@login_required` decorator above the route function in src/flask/sansio/app.py:626.

src/flask/sansio/app.py:626

Insecure pattern 'exec_used' in src/flask/config.py:209

GapSeverity.HIGH Layer.SECURITY score 0.413

Why: high severity · OWASP-class risk

src/flask/config.py:209

Insecure pattern 'eval_used' in src/flask/cli.py:1023

GapSeverity.HIGH Layer.SECURITY score 0.413

Why: high severity · OWASP-class risk

src/flask/cli.py:1023

Django CBV `MethodView` lacks `LoginRequiredMixin` — src/flask/views.py:138

GapSeverity.MEDIUM Layer.SECURITY score 0.349

Why: medium severity

Fix: Add `@login_required` (function view) or `LoginRequiredMixin` (CBV) in src/flask/views.py:138.

src/flask/views.py:138

No auth library detected

GapSeverity.MEDIUM Layer.SECURITY score 0.338

Why: medium severity

GitHub Actions workflow grants broad write permissions

GapSeverity.MEDIUM Layer.CICD score 0.225

Why: medium severity

.github/workflows/publish.yaml

Possibly dead Python function: github_link

GapSeverity.LOW Layer.SOFTWARE score 0.140

Why: low severity · clean removal is a safe PR

Fix: If genuinely unused, remove the function in docs/conf.py:72; if framework-registered, add a docstring.

docs/conf.py:72

Possibly dead Python function: setup

GapSeverity.LOW Layer.SOFTWARE score 0.140

Why: low severity · clean removal is a safe PR

Fix: If genuinely unused, remove the function in docs/conf.py:100; if framework-registered, add a docstring.

docs/conf.py:100

Possibly dead Python function: close_db

GapSeverity.LOW Layer.SOFTWARE score 0.140

Why: low severity · clean removal is a safe PR

Fix: If genuinely unused, remove the function in examples/tutorial/flaskr/db.py:23; if framework-registered, add a docstring.

examples/tutorial/flaskr/db.py:23

#10

Possibly dead Python function: wrapper

GapSeverity.LOW Layer.SOFTWARE score 0.140

Why: low severity · clean removal is a safe PR

Fix: If genuinely unused, remove the function in src/flask/ctx.py:201; if framework-registered, add a docstring.

src/flask/ctx.py:201

Click "Find this gap" on any action above to jump to it on the Findings tab. Adjust the chip bar to filter by impact (severity), layer, or source.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/236d5297-cc82-4271-839f-d82abeafbe5c/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/236d5297-cc82-4271-839f-d82abeafbe5c/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.