70 of your 97 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

strapi/documentation

https://github.com/strapi/documentation · scanned 2026-06-05 14:25 UTC (5 days, 5 hours ago) · 10 languages

87 findings 11/13 scanners ran 39th percentile · Javascript · small (2-20K LoC)


Complete repo analysis

25 actionable findings from 1 signal source. 62 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Deeper analysis is still running. Current findings may grow as the 9-layer scanner finishes.
Score breakdown · 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score            40.0     0.15           6.00
security_score            100.0     0.25          25.00
testing_score               0.0     0.20           0.00
documentation_score        61.0     0.15           9.15
practices_score            59.0     0.15           8.85
code_quality               80.0     0.10           8.00
Overall                               1.00           57.0
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: severity: info, excluding tests.

Showing 14 of 25 actionable findings. 87 raw detector signals were grouped into reader-sized issues.

info Security checks quality Quality conf 1.00 3 occurrences [SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
Use static imports or a static mapping `const modules = { foo: require('./foo') }`.
3 files, 3 locations
docusaurus/plugins/llms-generator-plugin.js:12
docusaurus/scripts/generate-llms.js:57
docusaurus/scripts/redirects-utilities/check-redirections-existence/check-redirects.js:74
info Security checks software Ssrf conf 1.00 3 occurrences [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching:
    ALLOWED = {'images.example.com', 'cdn.example.com'}
    host = urlparse(url).hostname
    if host not in ALLOWED: abort(400)
Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
3 files, 3 locations
docusaurus/scripts/generate-llms.js:125
docusaurus/src/components/AiToolbar/utils/docContext.js:82
docusaurus/src/theme/DocSidebarItem/Link/index.js:23
info Security checks software Xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
docusaurus/src/components/AiToolbar/utils/docContext.js:92
info Security checks quality Quality conf 1.00 3 occurrences [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes — DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production.
Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint.
3 files, 3 locations
docusaurus/src/theme/SearchBar/index.js:49
docusaurus/static/js/ball.js:104
docusaurus/static/js/firework.js:59
info Security checks quality Testing No test files found
Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions.
info Security checks security Security conf 1.00 3 occurrences [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
3 files, 3 locations
docusaurus/src/components/AiToolbar/actions/navigate.js:10
docusaurus/src/components/AiToolbar/actions/openLLM.js:50
docusaurus/src/components/MermaidWithFallback.js:35
info Security checks security Injection conf 1.00 3 occurrences [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection).
For literal data structures: use ast.literal_eval(text) — only parses literals, raises on code. For formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists). For Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec'). If you genuinely need to execute admin-st…
3 files, 3 locations
docusaurus/scripts/redirects-utilities/docusaurus-vercel-converter/docusaurus-vercel-converter.js:58
docusaurus/scripts/redirects-utilities/redirects-organizer/redirects-organizer.js:87
docusaurus/scripts/redirects-utilities/remove-redirects-vercel-duplicates/compare-redirects-and-vercel.js:24
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
docusaurus/src/theme/AskAiIcon.js:7
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
Review and fix per the pattern semantics. See CWE-532 for context.
3 files, 3 locations
docusaurus/plugins/llms-generator-plugin.js:8
docusaurus/scripts/all-urls-extractor/extract-urls.js:55
docusaurus/scripts/debug-kapa-auth.js:9
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
Review and fix per the pattern semantics.
docusaurus/src/components/AiToolbar/config/aiPromptTemplates.js:18
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
docusaurus/scripts/debug-kapa-auth.js:16
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
Review and fix per the pattern semantics. See CWE-682 for context.
3 files, 3 locations
docusaurus/src/components/HomepageFeatures/index.js:58
docusaurus/src/components/NewsTicker/index.js:53
docusaurus/src/theme/DocSidebarItem/Html/index.js:22
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context.
3 files, 3 locations
docusaurus/src/components/InfoIcon/index.js:10
docusaurus/src/components/SideBySide/SideBySideContainer/SideBySideContainer.jsx:11
docusaurus/src/pages/home/Home.jsx:79
info Security checks quality Quality conf 1.00 ✓ Repobility [MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions.
Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`).
docusaurus/static/js/particleProfiles.js:60
API access

This page is publicly accessible at: https://repobility.com/scan/2f094150-e2b7-464c-8b2b-7a9e8b3f697c/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/2f094150-e2b7-464c-8b2b-7a9e8b3f697c/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.