
Scan timing: clone 2.11s · analysis 23.64s · 14.6 MB · GitHub API rate-limit (preflight)

ansible-collections/community.general

https://github.com/ansible-collections/community.general · scanned 2026-05-31 01:24 UTC (5 days, 6 hours ago) · 10 languages

1015 findings (291 legacy + 724 scanner) 24th percentile · Python · large (100-500K LoC) Scanner says 75 (lower by 11)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 6 hours ago · v2 · last Δ -0.1 (diff) · 655 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown (2026-05-18-v5)

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 40.0 | 0.15 | 6.00 |
| security_score | 21.2 | 0.25 | 5.30 |
| testing_score | 100.0 | 0.20 | 20.00 |
| documentation_score | 100.0 | 0.15 | 15.00 |
| practices_score | 89.0 | 0.15 | 13.35 |
| code_quality | 41.9 | 0.10 | 4.19 |
| Overall | | 1.00 | 63.8 |
Active filters: excluding tests
Scan summary

Repository scanned at 74.8/100 with 100.0% coverage. It contains 14062 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 364 findings — concentrated in quality (176), security (101), software (62). Risk profile is high: 89 critical, 9 high, 31 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 370 of 655 findings.

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED007] Sql String Concat: cursor.execute(f"... {user_input} ...") — SQL injection.
Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context.
plugins/modules/vertica_role.py:130 qualitylegacy
critical Legacy quality quality conf 1.00 ✓ Repobility [MINED007] Sql String Concat: cursor.execute(f"... {user_input} ...") — SQL injection.
Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context.
plugins/modules/vertica_configuration.py:128 qualitylegacy
critical Legacy quality quality conf 1.00 ✓ Repobility [MINED007] Sql String Concat: cursor.execute(f"... {user_input} ...") — SQL injection.
Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context.
plugins/modules/mssql_db.py:120 qualitylegacy
critical Legacy quality quality conf 1.00 ✓ Repobility [MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.
Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context.
docs/docsite/reformat-yaml.py:17 qualitylegacy
critical Legacy quality quality conf 1.00 ✓ Repobility [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
Review and fix per the pattern semantics. See CWE-502 / for context.
plugins/cache/pickle.py:60 qualitylegacy
critical Legacy quality quality conf 1.00 [SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3).
Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`.
docs/docsite/reformat-yaml.py:17 qualitylegacy
critical Legacy quality quality conf 1.00 [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
plugins/cache/pickle.py:60 qualitylegacy
critical Legacy security deserialization conf 1.00 [SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes — direct RCE on untrusted input. `unsafe_load` is even more dangerous.
Use `YAML.safe_load(input, permitted_classes: [Date])` — explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead.
docs/docsite/reformat-yaml.py:17 deserializationlegacy
critical Legacy software dependency conf 0.90 ✓ Repobility Hardcoded Microsoft Teams webhook URL in source
File contains a hardcoded `Microsoft Teams` webhook URL: `https://outlook.office.com/webhook/GUID/IncomingWebhook/GUID...`. Webhook URLs are unauthenticated POST endpoints — anyone with the URL can send messages. They are also a common data-exfiltration channel for compromised packages (malicious p…
plugins/modules/office_365_connector_card.py:68 dependencylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `array` used but not imported
The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes.
plugins/modules/vexata_eg.py:89 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `array` used but not imported
The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes.
plugins/modules/vexata_volume.py:87 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `copy` used but not imported
The file uses `copy.something(...)` but never imports `copy`. This raises NameError at runtime the first time the line executes.
plugins/modules/imc_rest.py:323 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `email` used but not imported
The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes.
plugins/modules/jira.py:709 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `string` used but not imported
The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
plugins/lookup/dnstxt.py:96 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `string` used but not imported
The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
plugins/modules/logstash_plugin.py:95 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `string` used but not imported
The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
plugins/modules/iptables_state.py:329 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `string` used but not imported
The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
plugins/modules/kibana_plugin.py:125 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `string` used but not imported
The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
plugins/modules/archive.py:233 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `string` used but not imported
The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
plugins/modules/elasticsearch_plugin.py:123 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `xml` used but not imported
The file uses `xml.something(...)` but never imports `xml`. This raises NameError at runtime the first time the line executes.
plugins/modules/maven_artifact.py:402 qualitylegacy
critical 9-layer security secrets conf 1.00 Possible secret in plugins/become/doas.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/become/doas.py:132 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/become/dzdo.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/become/dzdo.py:92 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/become/machinectl.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/become/machinectl.py:104 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/become/pbrun.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/become/pbrun.py:91 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/become/pmrun.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/become/pmrun.py:68 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/become/run0.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/become/run0.py:91 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/become/sesu.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/become/sesu.py:80 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/become/sudosu.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/become/sudosu.py:99 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/lookup/keyring.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/lookup/keyring.py:35 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/lookup/onepassword_raw.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/lookup/onepassword_raw.py:43 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/lookup/passwordstore.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/lookup/passwordstore.py:184 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/lookup/passwordstore.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/lookup/passwordstore.py:190 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/lookup/tss.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/lookup/tss.py:139 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/lookup/tss.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/lookup/tss.py:161 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/lookup/tss.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/lookup/tss.py:249 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/lookup/tss.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/lookup/tss.py:272 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/datadog_downtime.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/datadog_downtime.py:109 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/datadog_monitor.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/datadog_monitor.py:207 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/datadog_monitor.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/datadog_monitor.py:214 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/datadog_monitor.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/datadog_monitor.py:222 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/datadog_monitor.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/datadog_monitor.py:229 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/datadog_monitor.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/datadog_monitor.py:237 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/etcd3.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/etcd3.py:100 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/github_deploy_key.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/github_deploy_key.py:101 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/github_deploy_key.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/github_deploy_key.py:111 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/github_deploy_key.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/github_deploy_key.py:130 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/github_deploy_key.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/github_deploy_key.py:139 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/github_deploy_key.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/github_deploy_key.py:151 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/gitlab_group.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/gitlab_group.py:191 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/gitlab_group.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/gitlab_group.py:202 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/gitlab_group.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/gitlab_group.py:214 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/gitlab_project.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/gitlab_project.py:357 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/gitlab_project.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/gitlab_project.py:371 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/gitlab_user.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/gitlab_user.py:164 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/hponcfg.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/hponcfg.py:54 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/htpasswd.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/htpasswd.py:81 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/icinga2_host.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/icinga2_host.py:116 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/imc_rest.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/imc_rest.py:381 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/jenkins_credential.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/jenkins_credential.py:193 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/keycloak_authentication_required_actions.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/keycloak_authentication_required_actions.py:90 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/keycloak_authentication_required_actions.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/keycloak_authentication_required_actions.py:105 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/keycloak_authentication_required_actions.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/keycloak_authentication_required_actions.py:118 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/ldap_entry.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/ldap_entry.py:99 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/linode.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/linode.py:184 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/linode.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/linode.py:201 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/linode.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/linode.py:236 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/linode.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/linode.py:252 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/linode.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/linode.py:260 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/linode.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
plugins/modules/linode.py:268 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/linode.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/linode.py:189 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/linode.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/linode.py:207 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/linode.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/linode.py:241 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_alert_profiles.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_alert_profiles.py:67 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_alert_profiles.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_alert_profiles.py:77 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_alerts.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_alerts.py:84 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_alerts.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_alerts.py:111 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_alerts.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_alerts.py:121 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_group.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_group.py:97 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_group.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_group.py:108 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_group.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_group.py:134 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_group.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_group.py:144 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_policies.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_policies.py:83 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_policies.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_policies.py:96 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_policies_info.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_policies_info.py:64 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_provider.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_provider.py:318 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_provider.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_provider.py:350 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_provider.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_provider.py:362 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_provider.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_provider.py:389 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_provider.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_provider.py:399 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_provider.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_provider.py:408 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_provider.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_provider.py:421 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_provider.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_provider.py:438 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_provider.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_provider.py:442 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_provider.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_provider.py:454 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_provider.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_provider.py:478 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_tags.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_tags.py:86 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_tags.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_tags.py:101 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_tags.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_tags.py:117 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_tags_info.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_tags_info.py:62 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_tenant.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_tenant.py:79 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_tenant.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_tenant.py:90 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_tenant.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_tenant.py:101 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_tenant.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_tenant.py:115 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_user.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_user.py:68 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_user.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_user.py:74 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_user.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_user.py:81 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_user.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_user.py:96 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/manageiq_user.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/manageiq_user.py:115 secrets
critical 9-layer security secrets conf 1.00 Possible secret in plugins/modules/sudoers.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
plugins/modules/sudoers.py:220 secrets
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
plugins/cache/redis.py:166 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
plugins/action/shutdown.py:28 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
plugins/action/iptables_state.py:170 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
plugins/modules/jboss.py:141 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
plugins/modules/iso_extract.py:199 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
plugins/modules/bitbucket_pipeline_known_host.py:131 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
plugins/modules/vertica_info.py:295 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
plugins/modules/vertica_configuration.py:191 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
plugins/callback/logentries.py:164 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.
plugins/module_utils/_ssh.py:18 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.
plugins/inventory/scaleway.py:320 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.
plugins/inventory/opennebula.py:126 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED040] Python Yaml Load Unsafe: yaml.load(stream) without SafeLoader can deserialize arbitrary classes.
Review and fix per the pattern semantics. See CWE-502 for context.
docs/docsite/reformat-yaml.py:17 quality legacy
high Legacy security injection conf 0.50 [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters.
plugins/modules/redis_data.py:188 injection legacy
high Legacy security injection conf 0.50 [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters.
plugins/modules/mssql_db.py:120 injection legacy
high Legacy security injection conf 0.50 [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters.
plugins/modules/ipwcli_dns.py:255 injection legacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
plugins/lookup/cyberarkpassword.py:142 path_traversal legacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
plugins/modules/packet_sshkey.py:156 path_traversal legacy
high Legacy software file_upload conf 1.00 [SEC032] Unrestricted File Upload — no extension/MIME validation: File upload accepts the user's filename without validating extension, content-type, or magic bytes. Attackers upload `.php`, `.jsp`, or executable files to a web-served directory, then visit the URL to trigger RCE. CWE-434. Examples: Apache Struts (CVE-2017-9805), countless WordPress plugin RCEs.
Validate THREE things server-side: 1. Extension allowlist: ALLOWED = {'.png', '.jpg', '.pdf'} ext = Path(file.filename).suffix.lower() if ext not in ALLOWED: abort(400) 2. Magic-byte check (don't trust the extension): import magic mime = magic.from_buffer(file…
plugins/modules/kernel_blacklist.py:72 file_upload legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
plugins/modules/aix_lvol.py:166 injection legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
plugins/module_utils/_consul.py:86 injection legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
.azure-pipelines/scripts/combine-coverage.py:40 injection legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a 40-character commit SHA and lock it with Dependabot or Renovate.
.github/workflows/docs.yml:28 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a 40-character commit SHA and lock it with Dependabot or Renovate.
.github/workflows/nox.yml:24 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a 40-character commit SHA and lock it with Dependabot or Renovate.
.github/workflows/codeql-analysis.yml:27 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `ansible-community/antsibull-nox` pinned to mutable ref `@main`
`uses: ansible-community/antsibull-nox@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a 40-character commit SHA and lock it with Dependabot or Renovate.
.github/workflows/docs.yml:32 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `ansible-community/antsibull-nox` pinned to mutable ref `@main`
`uses: ansible-community/antsibull-nox@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a 40-character commit SHA and lock it with Dependabot or Renovate.
.github/workflows/nox.yml:28 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `github/codeql-action/analyze` pinned to mutable ref `@v4`
`uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a 40-character commit SHA and lock it with Dependabot or Renovate.
.github/workflows/codeql-analysis.yml:38 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `github/codeql-action/init` pinned to mutable ref `@v4`
`uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a 40-character commit SHA and lock it with Dependabot or Renovate.
.github/workflows/codeql-analysis.yml:33 dependency legacy
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
ansible-community/antsibull-nox@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/nox.yml:28 supply-chain github-actions pinned-dependencies
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
ansible-community/antsibull-nox@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs.yml:32 supply-chain github-actions pinned-dependencies
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in plugins/modules/ali_instance.py:862
Found a known-risky pattern (eval_used). Review and replace if possible.
plugins/modules/ali_instance.py:862 owasp eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in plugins/modules/memset_dns_reload.py:159
Found a known-risky pattern (eval_used). Review and replace if possible.
plugins/modules/memset_dns_reload.py:159 owasp eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in plugins/modules/memset_zone_domain.py:229
Found a known-risky pattern (eval_used). Review and replace if possible.
plugins/modules/memset_zone_domain.py:229 owasp eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in plugins/modules/memset_zone_record.py:354
Found a known-risky pattern (eval_used). Review and replace if possible.
plugins/modules/memset_zone_record.py:354 owasp eval_used
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
plugins/modules/hwc_smn_topic.py:259 error_handling legacy
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
plugins/modules/bzr.py:91 error_handling legacy
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
plugins/module_utils/_ldap.py:101 error_handling legacy
low Legacy security deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
plugins/cache/pickle.py:60 deserialization legacy
low Legacy security deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
docs/docsite/reformat-yaml.py:17 deserialization legacy
medium Legacy security crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
plugins/modules/irc.py:252 crypto legacy
medium Legacy security crypto conf 1.00 [SEC107] Weak TLS version requested (TLSv1.0, TLSv1.1, SSLv3, SSLv2): TLS 1.0 and 1.1 were deprecated by IETF in 2021 (RFC 8996). Most browsers no longer support them. Code requesting these protocols is talking to an attacker-controllable downgrade target.
Use TLSv1.2 minimum, TLSv1.3 preferred. Java: `SSLContext.getInstance("TLSv1.2")`. Python: `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` with `context.minimum_version = ssl.TLSVersion.TLSv1_2`. Go: `MinVersion: tls.VersionTLS12`.
plugins/modules/mqtt.py:149 crypto legacy
medium Legacy quality quality conf 1.00 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident.
Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly.
plugins/module_utils/_mh/base.py:58 quality legacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
plugins/modules/gitlab_project_badge.py:86 quality legacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
plugins/module_utils/_gitlab.py:62 quality legacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
plugins/lookup/etcd.py:131 quality legacy
high Legacy quality quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
plugins/modules/nmcli.py:152 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/mail.py:409 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/capabilities.py:162 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/utm_proxy_frontend_info.py:138 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/datadog_monitor.py:498 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/datadog_monitor.py:485 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/datadog_monitor.py:462 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/datadog_monitor.py:417 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/datadog_monitor.py:384 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/datadog_monitor.py:249 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/utm_network_interface_address.py:129 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/ipa_hbacrule.py:432 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/runit.py:204 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/btrfs_subvolume.py:273 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/consul.py:625 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/manageiq_group.py:484 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/manageiq_group.py:394 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/manageiq_group.py:315 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/gitlab_project_approvals.py:146 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
plugins/modules/gitlab_project_approvals.py:131 quality legacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt quality legacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `andebox` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
.devcontainer/requirements-dev.txt:10 dependency legacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `ansible-core` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
.devcontainer/requirements-dev.txt:9 dependency legacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `antsibull-nox` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
.devcontainer/requirements-dev.txt:7 dependency legacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `nox` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
.devcontainer/requirements-dev.txt:5 dependency legacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `pre-commit` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
.devcontainer/requirements-dev.txt:8 dependency legacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `ruff` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
.devcontainer/requirements-dev.txt:6 dependency legacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
A file created as a fixed/new/final/copy variant is not referenced by imports or path-like strings in the rest of the repository. This is a strong sign that an agent produced code beside the active application path.
plugins/modules/scaleway_database_backup.py:1 quality legacy
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/init@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql-analysis.yml:33 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/analyze@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql-analysis.yml:38 supply-chain github-actions pinned-dependencies
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in plugins/modules/cronvar.py:167
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
plugins/modules/cronvar.py:167 owasp subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in plugins/modules/keyring.py:107
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
plugins/modules/keyring.py:107 owasp subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in plugins/modules/keyring_info.py:86
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
plugins/modules/keyring_info.py:86 owasp subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in plugins/modules/openbsd_pkg.py:252
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
plugins/modules/openbsd_pkg.py:252 owasp subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in plugins/modules/portinstall.py:75
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
plugins/modules/portinstall.py:75 owasp subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in plugins/modules/keycloak_user_federation.py:796
Found a known-risky pattern (weak_hash). Review and replace if possible.
plugins/modules/keycloak_user_federation.py:796 owasp weak_hash
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in plugins/modules/nsupdate.py:242
Found a known-risky pattern (weak_hash). Review and replace if possible.
plugins/modules/nsupdate.py:242 owasp weak_hash
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — plugins/connection/chroot.py:152
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — plugins/connection/iocage.py:67
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — plugins/connection/jail.py:122
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — plugins/connection/qubes.py:95
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — plugins/connection/zone.py:89
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — plugins/lookup/onepassword.py:159
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — plugins/lookup/passwordstore.py:264
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — plugins/module_utils/_gitlab.py:118
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — plugins/module_utils/_lxc.py:62
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — plugins/modules/circonus_annotation.py:180
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer network security conf 1.00 Privileged port 587 in use
Port 587 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
plugins/modules/mail.py security ports
low Legacy software race_condition conf 1.00 [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.
Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.
plugins/modules/lvm_pv.py:101 race_condition legacy
low Legacy software race_condition conf 1.00 [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.
Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.
plugins/modules/gunicorn.py:120 race_condition legacy
low Legacy software race_condition conf 1.00 [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.
Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.
plugins/module_utils/_stormssh.py:113 race_condition legacy
low Legacy quality quality conf 0.64 Duplicate top-level symbol appears in a patch-style file
A generated replacement file defining the same public function or class name as another module can mean the new logic is not actually wired into the running code.
plugins/modules/scaleway_database_backup.py:1 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/django_loaddata.py:43 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/django_loaddata.py:40 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/django_loaddata.py:36 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/django_createcachetable.py:27 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/datadog_monitor.py:228 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/datadog_monitor.py:10 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/consul_token.py:11 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/consul_binding_rule.py:11 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/consul_binding_rule.py:9 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/consul_auth_method.py:11 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/cobbler_system.py:14 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/btrfs_subvolume.py:153 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/bitbucket_pipeline_variable.py:18 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/bitbucket_pipeline_variable.py:7 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/bitbucket_pipeline_known_host.py:15 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/modules/bitbucket_pipeline_key_pair.py:7 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/module_utils/_scaleway.py:135 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/lookup/onepassword_ssh_key.py:72 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/lookup/onepassword_ssh_key.py:69 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/lookup/onepassword_raw.py:46 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/lookup/onepassword_doc.py:48 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/lookup/onepassword_raw.py:53 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/filter/remove_keys.py:21 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/connection/zone.py:137 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/connection/zone.py:110 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/connection/lxd.py:45 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/connection/jail.py:91 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/cache/yaml.py:19 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/cache/redis.py:19 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
plugins/become/run0.py:77 quality legacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area.
plugins/modules/scaleway_database_backup.py:1 quality legacy
low 9-layer quality maintenance conf 1.00 148 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coverage deployment
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: plugins/module_utils/_emc_vnx.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: plugins/module_utils/_module_helper.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: plugins/module_utils/_version.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: plugins/modules/shutdown.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/django_command/files/base_test/1045-single-app-project/single_app_project/core/settings.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/django_command/files/base_test/simple_project/p1/p1/settings.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/django_command/files/base_test/simple_project/p1/p1/urls.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/django_manage/files/base_test/1045-single-app-project/single_app_project/core/settings.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/django_manage/files/base_test/simple_project/p1/p1/settings.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/django_manage/files/base_test/simple_project/p1/p1/urls.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/java_cert/files/setupSSLServer.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/keycloak_authz_custom_policy/policy/policy-1.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/keycloak_authz_custom_policy/policy/policy-2.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/launchd/files/ansible_test_service.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/lookup_lmdb_kv/test_db.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/mail/files/smtpserver.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/integration/targets/supervisorctl/files/sendProcessStdin.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/oneview_module_loader.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_cpanm.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_django_check.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_django_command.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_django_createcachetable.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_django_dumpdata.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_django_loaddata.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_facter_facts.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_gconftool2.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_gconftool2_info.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_gio_mime.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_kopia_repository.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_kopia_repository_info.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_krb_ticket.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_npm.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_opkg.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_pacemaker_cluster.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_pacemaker_info.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_puppet.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_snap.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_xdg_mime.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_xfconf.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/unit/plugins/modules/test_xfconf_info.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql-analysis.yml:27 supply-chain github-actions pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/nox.yml:24 supply-chain github-actions pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs.yml:28 supply-chain github-actions pinned-dependencies
low 9-layer security owasp conf 1.00 Insecure pattern 'debug_true' in plugins/callback/elastic.py:286
Found a known-risky pattern (debug_true). Review and replace if possible.
plugins/callback/elastic.py:286 owasp debug_true
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_brew_cask_command_is_deprecated` in plugins/modules/homebrew_cask.py:411
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `b_old` in plugins/modules/dpkg_divert.py:330
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `changeset_copy` in plugins/modules/keycloak_component.py:228
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `changeset_copy` in plugins/modules/keycloak_realm_key.py:884
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `changeset_copy` in plugins/modules/keycloak_userprofile.py:728
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `checksum_old` in plugins/modules/jenkins_plugin.py:582
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `desired_copy` in plugins/modules/keycloak_user_federation.py:1083
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `inc_legacy` in plugins/modules/ldap_inc.py:142
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `keycloak_authentication_v2` in plugins/modules/keycloak_authentication_v2.py:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `keystore_backup` in plugins/modules/java_keystore.py:467
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `mock_preserved_copy` in tests/unit/plugins/modules/test_java_keystore.py:36
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `preserved_copy` in plugins/modules/jboss.py:155
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `rename_copy` in plugins/modules/logrotate.py:125
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `rename_copy` in tests/unit/plugins/modules/test_logrotate.py:516
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `scaleway_database_backup` in plugins/modules/scaleway_database_backup.py:13
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `scopes_copy` in plugins/modules/keycloak_clientscope_type.py:205
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code

Showing first 300 of 370. Refine filters or use the legacy findings page for deep search.

API access

This page is publicly accessible at: https://repobility.com/scan/29433b5c-fbf4-4b2b-a41c-fe10525cb172/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/29433b5c-fbf4-4b2b-a41c-fe10525cb172/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.