Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

superset-sh/superset

https://github.com/superset-sh/superset · scanned 2026-05-14 22:55 UTC (3 weeks ago) · 10 languages

577 findings (45 legacy + 532 scanner) 6th percentile · Typescript · large (100-500K LoC) Scanner says 63 (lower by 4)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 3 weeks ago · v1 · 41 findings from 1 source. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
61.3
/100
Repobility
59
41 legacy
9-layer
63
100.0% cov · 0 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-17-v4 calibration-aware
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 58.4 0.25 14.60
testing_score 30.0 0.20 6.00
documentation_score 90.0 0.15 13.50
practices_score 65.0 0.15 9.75
code_quality 60.0 0.10 6.00
Overall 1.00 58.9
Calibrated penalty buckets (security_score): authz: 12.7 · docker: 4.0 · journey: 33.8
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 33 Medium 6 Low 2 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 41 9-layer 0 Crowd 0 Layer: Quality 22 Security 16 Cicd 3
Scan summary Repository scanned at 63.4/100 with 100.0% coverage. It contains 15214 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 0 findings. Risk profile is low: 0 critical, 0 high, 0 medium. Recommended next step: open the software layer findings first — that's where the highest-impact wins live.

Showing 41 of 41 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy security auth conf 0.88 Token handoff appears to use a callback URL or fragment
A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. This can exfiltrate sessions when callback validation is incomplete.
packages/workspace-client/src/lib/eventBus.ts:71 authlegacy
high Legacy security auth conf 0.88 Token handoff appears to use a callback URL or fragment
A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. This can exfiltrate sessions when callback validation is incomplete.
apps/web/src/app/auth/desktop/success/page.tsx:82 authlegacy
high Legacy security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /src/app/api/automations/dispatch/:id/route.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /src/app/api/automations/dispatch/:id/route.
apps/api/src/app/api/automations/dispatch/[id]/route.ts:23 authlegacy
high Legacy security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence.
apps/desktop/src/lib/trpc/routers/workspaces/utils/git.ts:1169 authlegacy
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
authlegacy
high Legacy security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 31.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 31.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /src/app/api/integrations/linear/callback/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /src/app/api/integrations/linear/callback/route.
apps/api/src/app/api/integrations/linear/callback/route.ts:17 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /src/app/api/integrations/linear/connect/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /src/app/api/integrations/linear/connect/route.
apps/api/src/app/api/integrations/linear/connect/route.ts:7 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /src/app/api/integrations/slack/callback/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /src/app/api/integrations/slack/callback/route.
apps/api/src/app/api/integrations/slack/callback/route.ts:15 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /src/app/api/integrations/slack/link/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /src/app/api/integrations/slack/link/route.
apps/api/src/app/api/integrations/slack/link/route.ts:10 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/linear/jobs/initial-sync/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/linear/jobs/initial-sync/route.
apps/api/src/app/api/integrations/linear/jobs/initial-sync/route.ts:25 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/linear/jobs/refresh-tokens/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/linear/jobs/refresh-tokens/route.
apps/api/src/app/api/integrations/linear/jobs/refresh-tokens/route.ts:13 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/linear/jobs/sync-task/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/linear/jobs/sync-task/route.
apps/api/src/app/api/integrations/linear/jobs/sync-task/route.ts:246 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/linear/webhook/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/linear/webhook/route.
apps/api/src/app/api/integrations/linear/webhook/route.ts:22 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/slack/interactions/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/slack/interactions/route.
apps/api/src/app/api/integrations/slack/interactions/route.ts:21 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/stripe/jobs/notify-slack/route.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /src/app/api/integrations/stripe/jobs/notify-slack/route.
apps/api/src/app/api/integrations/stripe/jobs/notify-slack/route.ts:119 authlegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
apps/desktop/src/renderer/routes/error.tsx:33 error_handlinglegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
apps/relay/src/tunnel.ts:335 error_handlinglegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
apps/relay/src/synthetic.ts:16 error_handlinglegacy
medium Legacy cicd docker conf 0.86 Database dump or local database file is included in Docker build context
Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions.
.dockerignore dockerlegacy
medium Legacy cicd docker conf 0.76 Dockerfile copies broad context with incomplete .dockerignore
COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts.
apps/relay/Dockerfile:6 dockerlegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/api/src/app/api/integrations/linear/connect/route.ts:9 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/api/src/app/api/github/sync/route.ts:55 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/api/src/app/.well-known/oauth-protected-resource/route.ts:9 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/api/next.config.ts:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/admin/src/app/(dashboard)/components/WAUTrendChart/WAUTrendChart.tsx:88 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/admin/src/app/(dashboard)/components/WAUTrendChart/WAUTrendChart.tsx:6 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/admin/src/app/(dashboard)/components/WAUTrendChart/WAUTrendChart.tsx:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/admin/src/app/(dashboard)/components/TrafficSourcesChart/TrafficSourcesChart.tsx:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/admin/src/app/(dashboard)/components/SignupsTrendChart/SignupsTrendChart.tsx:6 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/admin/src/app/(dashboard)/components/SignupsTrendChart/SignupsTrendChart.tsx:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/admin/src/app/(dashboard)/components/RevenueTrendChart/RevenueTrendChart.tsx:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
apps/admin/src/app/(dashboard)/components/LeaderboardTable/LeaderboardTable.tsx:46 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
packages/trpc/src/lib/integrations/sync/tasks.ts:10 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
packages/sdk/src/client.ts:491 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
packages/sdk/src/client.ts:472 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
apps/api/src/app/api/trpc/[trpc]/route.ts:9 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys.
apps/api/src/app/api/chat/[sessionId]/route.ts:125 qualitylegacy
low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore dockerlegacy
low Legacy quality quality conf 0.68 Multiple AI-agent scaffold marker files are present
Repositories with several agent instruction, progress, or completion marker files are often generated scaffolds. They are not automatically wrong, but they deserve a reachability and ownership review before users treat the code as production-ready.
AGENTS.md:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area.
apps/desktop/src/renderer/stores/new-workspace-draft.ts:1 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/2e0fa7f3-3230-4398-84eb-683fa0568119/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/2e0fa7f3-3230-4398-84eb-683fa0568119/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.