Gini-Eddie/ai-recruitment-intelligence-system

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

Gini-Eddie/ai-recruitment-intelligence-system

https://github.com/Gini-Eddie/ai-recruitment-intelligence-system.git · scanned 2026-05-16 20:30 UTC (1 day, 1 hour ago) · 10 languages

26 findings (10 legacy + 16 scanner) 0th percentile · Python · tiny (<2K LoC) Scanner says 83 (lower by 36)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 day, 1 hour ago · v2 · 18 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON

{# ── 2026-05-17 R27 #5: score breakdown panel ────────────────────── Surfaces the score_breakdown JSON that's been silently stored on Repository for months. Turns hidden math into a trust signal. #}

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Scan summary Repository scanned at 83.1/100 with 77.8% coverage. It contains 24 nodes across 1 cross-layer flows, written primarily in mixed languages. Engine surfaced 8 findings — concentrated in software (2), security (2), frontend (1). Risk profile is high: 0 critical, 1 high, 3 medium. Recommended next step: open the software layer findings first — that's where the highest-impact wins live.

Showing 18 of 18 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy quality testing No test files found

Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions.

testinglegacy

high 9-layer security auth conf 1.00 FastAPI POST `parse_cv` without auth dependency — backend/main.py:11

`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.

backend/main.py:11 authowaspauth.fastapi.unauth_mutation

medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

authlegacy

medium Legacy security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

authlegacy

medium Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/v1/parse-cv.

A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/v1/parse-cv.

backend/main.py:11 authlegacy

medium Legacy security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.

FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.

authlegacy

medium Legacy quality practices No CI/CD configuration found

Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request.

practiceslegacy

medium Legacy quality documentation No README file found

Create a README.md with: project name and description, installation instructions, usage examples, configuration options, and contribution guidelines.

documentationlegacy

medium Legacy quality quality conf 0.78 Public web service has no security.txt

security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.

.well-known/security.txt qualitylegacy

medium 9-layer security coverage conf 1.00 No auth library detected

The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.

coverageauth

medium 9-layer cicd coverage conf 1.00 No CI/CD pipelines detected

No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.

coverage

medium 9-layer quality tests conf 1.00 Very low test-to-source ratio

0 test file(s) for 8 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.

testscoverage

low Legacy security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.

No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.

authlegacy

low Legacy quality documentation No LICENSE file

Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft).

documentationlegacy

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: frontend/app.py

Source file with no class/function declarations — possible config, dead code, or scratch file.

dead-code-candidate

low 9-layer software dead-code conf 1.00 Possibly dead Python function: send_acknowledgement_email

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

backend/services/email_service.py:10 dead-code

low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/v1/parse-cv

`backend/main.py` declares `POST /api/v1/parse-cv` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

wiringunused-endpoint

info 9-layer frontend coverage conf 1.00 No frontend routes/components detected

No React/Vue/Next routes were found. This is fine for backend-only repos.

coverage

{# ── 2026-05-17 Round 14: AI-agent bridge footer ────────────────────── Discoverability: the /agents/voting/ guide + MCP manifest exist but aren't linked from anywhere users actually land. Small, opt-in footer. #}

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/2a208199-5a16-45e1-9e5e-a68d9101e4fd/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/2a208199-5a16-45e1-9e5e-a68d9101e4fd/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.