yashwanththatavarti/skills-getting-started-with-github-copilot

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

Scan timing: clone 3.0s · analysis 0.1s · 2.6 MB · GitHub preflight 483ms

yashwanththatavarti/skills-getting-started-with-github-copilot

https://github.com/yashwanththatavarti/skills-getting-started-with-github-copilot.git · scanned 2026-05-28 22:18 UTC (2 weeks, 1 day ago) · 10 languages

172 raw signals (38 security + 134 graph) 85th percentile · Javascript · tiny (<2K LoC) System graph score 84 (lower by 5)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 weeks, 1 day ago · v2 · 19 actionable findings from 2 signal sources. 86 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

66.7% cov · 9 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	70.0	0.15	10.50
`security_score`	95.5	0.25	23.88
`testing_score`	70.0	0.20	14.00
`documentation_score`	75.0	0.15	11.25
`practices_score`	77.0	0.15	11.55
`code_quality`	80.0	0.10	8.00
Overall		1.00	79.2

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 0 High 3 Medium 9 Low 3 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 10 System graph 9 Crowd 0 Layer: Quality 5 Security 5 Software 2 Cicd 5 Frontend 1 Api 1

Exclude dismissed / FP Exclude test files

Scan summary Quality grade B+ (79/100). Dimensions: security 96, maintainability 70. 38 findings (32 security). 153 lines analyzed.

Showing 15 of 19 actionable findings. 105 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /activities/{activity_name}/signup has no auth

Handler `signup_for_activity` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

src/app.py:56

high System graph cicd CI/CD security conf 1.00 tj-actions/changed-files is tag-pinned instead of SHA-pinned

The tj-actions/changed-files incident showed that mutable action tags can execute credential-stealing code across many repositories. Pin this action to a reviewed commit SHA.

.github/workflows/3-step.yml:63 CI/CD securitySupply chainGithub actions

medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 33.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

Only 33.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

medium Security checks security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.

FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.

medium Security checks quality Quality conf 0.78 Public web service has no security.txt

security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.

.well-known/security.txt

medium Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences requirements.txt: `fastapi` has no version pin

Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.

lines 1, 2, 3, 4

requirements.txt:1, 2, 3, 4 (4 hits)

medium System graph cicd CI/CD security conf 1.00 55 occurrences GitHub Action is tag-pinned rather than SHA-pinned

skills/exercise-toolkit/.github/workflows/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

6 files, 55 locations

.github/workflows/1-step.yml:20, 43, 50, 63, 73, 112, 121, 128 (16 hits)

.github/workflows/2-step.yml:20, 43, 50, 63, 71, 108, 117, 124 (13 hits)

.github/workflows/4-step.yml:19, 42, 49, 62, 80, 121, 130, 137 (8 hits)

.github/workflows/5-step.yml:21, 43, 50, 64 (8 hits)

.github/workflows/3-step.yml:21, 44, 51, 101, 142, 151, 158 (7 hits)

.github/workflows/0-start-exercise.yml:21, 48, 58 (3 hits)

CI/CD securitySupply chainGitHub Actions

medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/5-step.yml CI/CD securitySupply chainGithub actions

medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/0-start-exercise.yml CI/CD securitySupply chainGithub actions

medium System graph security Coverage conf 1.00 No auth library detected

The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.

auth

medium System graph quality Tests conf 1.00 Very low test-to-source ratio

0 test file(s) for 2 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.

Coverage

low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.

No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.

low System graph cicd CI/CD security conf 1.00 30 occurrences GitHub Action is tag-pinned rather than SHA-pinned

actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

6 files, 30 locations

.github/workflows/1-step.yml:32, 35, 102, 105 (8 hits)

.github/workflows/2-step.yml:32, 35, 98, 101 (6 hits)

.github/workflows/3-step.yml:33, 36, 73, 88, 132, 135 (6 hits)

.github/workflows/4-step.yml:31, 34, 111, 114 (4 hits)

.github/workflows/5-step.yml:33, 36 (4 hits)

.github/workflows/0-start-exercise.yml:36, 41 (2 hits)

CI/CD securitySupply chainGitHub Actions

low System graph api Wiring conf 1.00 Unused endpoint: GET /

`src/app.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.

Unused endpoint

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/30132c89-f2e0-43dc-b024-eab4c3e46ef2/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/30132c89-f2e0-43dc-b024-eab4c3e46ef2/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.