Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

Scan timing: clone 4.98s · analysis 3.83s · 5.4 MB · GitHub API rate-limit (preflight)

CERT-Polska/Artemis

https://github.com/CERT-Polska/Artemis · scanned 2026-05-31 01:25 UTC (1 week, 6 days ago) · 10 languages

449 raw signals (191 security + 258 graph) 43rd percentile · Python · medium (20-100K LoC)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 6 days ago · v2 · last Δ +0.1 (diff) · 201 actionable findings from 2 signal sources. 119 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
54.4
/100
Security checks
47
107 findings
System graph
61
100.0% cov · 94 findings
Critical
2
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 22.3 0.25 5.58
testing_score 90.0 0.20 18.00
documentation_score 71.6 0.15 10.74
practices_score 71.0 0.15 10.65
code_quality 56.8 0.10 5.68
Overall 1.00 59.6
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 2 High 57 Medium 24 Low 76 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 107 System graph 94 Crowd 0 Layer: Security 44 Quality 84 Cicd 15 Software 14 Hardware 9 Frontend 1 Api 34
Scan summary Quality grade C (60/100). Dimensions: security 22, maintainability 60. 191 findings (59 security). 30,298 lines analyzed.

Showing 152 of 201 actionable findings. 320 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks cicd CI/CD security conf 0.96 Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
docker-compose.yaml:48 CI/CD securitycontainers
high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences Missing import: `queue` used but not imported
The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes.
3 files, 3 locations
artemis/karton_utils.py:30
artemis/reporting/export/main.py:79
artemis/reporting/modules/mail_dns_scanner/reporter.py:115
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /analysis/get-pending-tasks/{analysis_id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /analysis/get-pending-tasks/{analysis_id}.
artemis/frontend.py:415
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /analysis/{root_id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /analysis/{root_id}.
artemis/frontend.py:500
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /export/download-zip/{id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /export/download-zip/{id}.
artemis/api.py:248
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /export/download-zip/{id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /export/download-zip/{id}.
artemis/frontend.py:358
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /export/view/{id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /export/view/{id}.
artemis/frontend.py:280
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /task/{task_id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /task/{task_id}.
artemis/frontend.py:543
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /analysis/remove-pending-tasks/{analysis_id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /analysis/remove-pending-tasks/{analysis_id}.
artemis/frontend.py:399
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /export/confirm-delete/{id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /export/confirm-delete/{id}.
artemis/frontend.py:332
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /export/delete/{id}.
A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /export/delete/{id}.
artemis/api.py:254
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
artemis/crawling.py:99
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
scripts/create_development_docker_compose.py:80
high Security checks quality Quality conf 1.00 [SEC082] Python: paramiko AutoAddPolicy or no host-key verification: AutoAddPolicy / WarningPolicy disables SSH host-key verification — vulnerable to MITM. Ported from bandit B507 / dlint DUO133 (Apache-2.0 / BSD-3).
Use `paramiko.RejectPolicy()` and pre-populate known_hosts via `client.load_system_host_keys()`.
artemis/modules/ssh_bruter.py:64
high Security checks quality Quality conf 1.00 [SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification — MITM risk. Ported from gosec G402 (Apache-2.0).
Remove the option. If self-signed certs are required, pin via RootCAs.
artemis/modules/utils/wappalyzer/main.go:26
high Security checks security Crypto conf 1.00 [SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`.
Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`.
artemis/reporting/modules/vcs/reporter.py:192
high Security checks security Crypto conf 1.00 [SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`.
Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`.
artemis/modules/ssh_bruter.py:64
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.value` used but never assigned in __init__
Method `as_dict` of class `TaskFilter` reads `self.value`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
5 files, 25 locations
artemis/db.py:52, 250, 281, 311, 355, 384, 388, 423, +11 more (19 hits)
artemis/http_requests.py:55, 59 (2 hits)
artemis/resource_lock.py:110, 113 (2 hits)
artemis/karton_logger.py:27
artemis/placeholder_page_detector.py:36
high Security checks software dependencies conf 0.90 ✓ Repobility 7 occurrences Dockerfile FROM `python:3.13.3-alpine3.20` not pinned by digest
`FROM python:3.13.3-alpine3.20` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
7 files, 7 locations
docker/Dockerfile:2
test/data/dast_vuln_app/Dockerfile:2
test/data/flask_vulnerable_api/Dockerfile:2
test/data/ssh_bad_keys/Dockerfile:1
test/images/nginx-with-sni-tls/Dockerfile:1
test/images/php-mysql/Dockerfile:1
test/images/php-postgres/Dockerfile:1
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /add has no auth
Handler `add` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
artemis/api.py:78
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /archive-tag has no auth
Handler `archive_tag` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
artemis/api.py:216
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /build-html-message has no auth
Handler `post_build_html_message` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
artemis/reporting/api.py:21
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /build-html-message has no auth
Handler `post_build_html_message` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
artemis/api.py:264
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /export has no auth
Handler `post_export` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
artemis/api.py:279
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /export/delete/{id} has no auth
Handler `post_export_delete` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
artemis/api.py:255
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /login has no auth
Handler `post_login` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
artemis/frontend.py:120
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /logout has no auth
Handler `post_logout` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
artemis/frontend.py:140
high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /stop-and-delete-analysis has no auth
Handler `stop_and_delete_analysis` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
artemis/api.py:202
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 23 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
9 files, 23 locations
.github/workflows/check_no_translations_to_update.yml:12, 14 (4 hits)
.github/workflows/liccheck.yml:12, 14 (4 hits)
.github/workflows/lint.yml:12, 14 (4 hits)
.github/workflows/docker_nightly.yml:17 (2 hits)
.github/workflows/docker_release.yml:14 (2 hits)
.github/workflows/test-e2e.yml:12 (2 hits)
.github/workflows/test-unit.yml:12 (2 hits)
.github/workflows/test_long_running.yml:14 (2 hits)
CI/CD securitySupply chainGitHub Actions
high Security checks software dependencies conf 0.90 ✓ Repobility 5 occurrences pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`
`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v6.0.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
lines 2, 10, 15, 20, 58
.pre-commit-config.yaml:2, 10, 15, 20, 58 (5 hits)
high Security checks software dependencies conf 0.90 ✓ Repobility requirements.txt installs from `libmailgoose @ git+https://github.com/CERT-Polska/...` (git/URL)
Pip requirement points to a VCS URL or direct download. Bypasses PyPI's integrity check + scanning. If the host or branch tip changes, the next `pip install` pulls a different package — no diff visible to reviewers.
docs/requirements.txt:63
high Security checks software dependencies conf 0.90 ✓ Repobility requirements.txt installs from `libmailgoose @ git+https://github.com/CERT-Polska/...` (git/URL)
Pip requirement points to a VCS URL or direct download. Bypasses PyPI's integrity check + scanning. If the host or branch tip changes, the next `pip install` pulls a different package — no diff visible to reviewers.
requirements.txt:60
high Security checks software dependencies conf 0.90 ✓ Repobility Workflow container/services image `python:3.13-alpine3.20` unpinned
`container/services image: python:3.13-alpine3.20` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
.github/workflows/fix_dependabot_pull_requests.yml:12
high System graph security auth conf 1.00 FastAPI POST `post_add` without auth dependency — artemis/frontend.py:186
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
artemis/frontend.py:186 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `post_build_html_message` without auth dependency — artemis/reporting/api.py:20
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
artemis/reporting/api.py:20 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `post_export_delete` without auth dependency — artemis/frontend.py:332
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
artemis/frontend.py:332 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `post_export` without auth dependency — artemis/frontend.py:363
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
artemis/frontend.py:363 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `post_login` without auth dependency — artemis/frontend.py:119
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
artemis/frontend.py:119 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `post_logout` without auth dependency — artemis/frontend.py:139
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
artemis/frontend.py:139 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `post_remove_finished_analyses` without auth dependency — artemis/frontend.py:383
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
artemis/frontend.py:383 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `post_remove_pending_tasks` without auth dependency — artemis/frontend.py:399
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
artemis/frontend.py:399 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `post_restart_crashed_tasks` without auth dependency — artemis/frontend.py:451
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
artemis/frontend.py:451 securityAuth fastapi unauth mutation
high System graph security security conf 1.00 Insecure pattern 'tls_verify_false' in artemis/http_requests.py:113
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
artemis/http_requests.py:113 Tls verify false
high System graph security security conf 1.00 Insecure pattern 'tls_verify_false' in artemis/modules/admin_panel_login_bruter.py:105
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
artemis/modules/admin_panel_login_bruter.py:105 Tls verify false
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 15.8% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 15.8% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /add.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /add.
artemis/frontend.py:169
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /export.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /export.
artemis/frontend.py:268
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /export/download-zip/{id}.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /export/download-zip/{id}.
artemis/frontend.py:358
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /export/view/{id}.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /export/view/{id}.
artemis/frontend.py:280
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /exports.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /exports.
artemis/frontend.py:256
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /frontend-api/task-results-table.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /frontend-api/task-results-table.
artemis/frontend.py:645
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /add.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /add.
artemis/frontend.py:186
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /export.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /export.
artemis/frontend.py:363
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /export/confirm-delete/{id}.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /export/confirm-delete/{id}.
artemis/frontend.py:332
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /remove-finished-analyses.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /remove-finished-analyses.
artemis/frontend.py:383
medium Security checks security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
artemis/modules/mysql_bruter.py:54
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
artemis/modules/postgresql_bruter.py:54
medium Security checks security Crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
artemis/modules/ftp_bruter.py:68
medium Security checks security Crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
artemis/http_requests.py:113
low Security checks quality Quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
artemis/reporting/modules/vcs/reporter.py:117
low Security checks quality Error handling conf 0.55 ✓ Repobility 11 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
7 files, 11 locations
artemis/modules/dangling_dns_detector.py:34, 45, 66 (3 hits)
artemis/crawling.py:48, 53 (2 hits)
artemis/reporting/modules/vcs/reporter.py:122, 143 (2 hits)
artemis/module_base.py:851
artemis/modules/bruter.py:81
artemis/modules/port_scanner.py:244
artemis/retrying_resolver.py:29
Error handlingquality
medium Security checks cicd CI/CD security conf 0.94 Compose service `s3mock` image uses the latest tag
The latest tag is mutable and can change without a code review, producing different images from the same source.
docker-compose.yaml:30 CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.88 Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
docker-compose.yaml:48 CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.82 7 occurrences Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
7 files, 7 locations
docker/Dockerfile:2
test/data/dast_vuln_app/Dockerfile:2
test/data/flask_vulnerable_api/Dockerfile:2
test/data/ssh_bad_keys/Dockerfile:1
test/images/nginx-with-sni-tls/Dockerfile:1
test/images/php-mysql/Dockerfile:1
test/images/php-postgres/Dockerfile:1
CI/CD securitycontainers
medium Security checks quality Quality conf 1.00 ✓ Repobility Mutable default argument in `_scan` (list)
`def _scan(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
artemis/modules/nuclei.py:444
medium Security checks quality Quality conf 1.00 ✓ Repobility Mutable default argument in `create_report_generation_task` (dict)
`def create_report_generation_task(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
artemis/db.py:588
medium Security checks quality Quality conf 1.00 ✓ Repobility Mutable default argument in `create_tasks` (list)
`def create_tasks(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
artemis/producer.py:15
medium Security checks quality Quality conf 1.00 ✓ Repobility Mutable default argument in `export` (dict)
`def export(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
artemis/reporting/export/main.py:214
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: test/images/nginx-with-sni-tls/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: test/images/php-mysql/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: test/images/php-postgres/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 8 occurrences GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-qemu-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
2 files, 8 locations
.github/workflows/docker_nightly.yml:22, 25, 28, 35 (4 hits)
.github/workflows/docker_release.yml:19, 22, 25, 32 (4 hits)
CI/CD securitySupply chainGithub actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/fix_dependabot_pull_requests.yml CI/CD securitySupply chainGithub actions
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — artemis/modules/humble.py:103
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — artemis/modules/port_scanner.py:121
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — artemis/output_redirector.py:21
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — artemis/utils.py:69
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — artemis/web_technology_identification.py:32
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
docker-compose.yaml:91 CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yaml:91 CI/CD securitycontainers
low Security checks cicd CI/CD security conf 0.78 3 occurrences Compose service performs heavy setup work on every startup
Running migrations, static asset collection, or equivalent setup inside the long-running service command can make containers slow to start and harder to roll back.
lines 61, 70, 83
docker-compose.yaml:61, 70, 83 (3 hits)
CI/CD securitycontainers
low Security checks cicd CI/CD security conf 0.72 Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
docker-compose.yaml:21 CI/CD securitycontainers
low Security checks quality Quality conf 0.60 5 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
5 files, 5 locations
artemis/modules/wordpress_plugins.py:350
artemis/reporting/modules/mysql_or_postgres_bruter/reporter.py:18
artemis/reporting/modules/wp_scanner/reporter.py:58
artemis/sql_injection_data.py:4
test/data/php_redirect_login/index.php:8
duplicationquality
low Security checks quality Quality conf 0.74 robots.txt does not advertise a sitemap
Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly.
artemis/crawling.py
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.13.3-alpine3.20
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/Dockerfile:2 containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: artemis/main.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: artemis/reporting/base/language.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: artemis/reporting/export/common.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: artemis/reporting/modules/nuclei/translations/nuclei_messages/pl_PL.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: artemis/sql_injection_data.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/conf.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 18 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: migrations/versions/6400e98cdb63_.py:downgrade, migrations/versions/04113c48b828_.py:upgrade This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separa…
18 occurrences
repo-level (18 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: artemis/reporting/modules/joomla_scanner/reporter.py:normal_form_rule, artemis/reporting/modules/wp_scanner/reporter.py:normal_form_rule, artemis/reporting/modules/drupal_scanner/reporter.py:normal_form_rule This is *the* AI-coder failure mode (4× mo…
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 6 places
Functions with the same first-5-line body hash: scripts/create_development_docker_compose.py:process, scripts/create_development_docker_compose.py:process, scripts/create_development_docker_compose.py:process, scripts/create_development_docker_compose.py:process This is *the* AI-coder failure mode…
duplicatesduplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_all_reports_are_old` in artemis/reporting/export/deduplication.py:50
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_is_version_old` in artemis/modules/wp_scanner.py:35
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_stream_copy` in artemis/output_redirector.py:18
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `directory_backup` in artemis/modules/nuclei.py:42
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `directory_backup` in artemis/utils.py:34
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `directory_backup` in test/unit/test_directory_backup.py:8
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `joomla_version_is_too_old` in artemis/modules/joomla_scanner.py:58
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `joomla_version_is_too_old` in artemis/reporting/modules/joomla_scanner/reporter.py:26
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `joomla_version_is_too_old` in test/modules/test_joomla_scanner.py:75
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `mod_copy` in artemis/reporting/modules/nuclei/translations/nuclei_messages/pl_PL.py:124
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `wp_version_old` in artemis/reporting/modules/wp_scanner/reporter.py:37
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `wp_version_old` in test/modules/test_wp_scanner.py:32
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph software Dead code conf 1.00 Possibly dead Python function: setup
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docs/generate_module_list.py:16
low System graph software Dead code conf 1.00 Possibly dead Python function: setup
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
docs/generate_config_docs.py:15
low System graph quality Integrity conf 1.00 Stub function `process` (body is just `pass`/`return`) — artemis/modules/subdomain_enumeration.py:91
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `process` (body is just `pass`/`return`) — scripts/create_development_docker_compose.py:11
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph api Wiring conf 1.00 Unused endpoint: ANY /karton-dashboard/{path:path}
`artemis/frontend.py` declares `ANY /karton-dashboard/{path:path}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /
`artemis/frontend.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /add
`artemis/frontend.py` declares `GET /add` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /analyses
`artemis/api.py` declares `GET /analyses` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /analysis/get-pending-tasks/{analysis_id}
`artemis/frontend.py` declares `GET /analysis/get-pending-tasks/{analysis_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /analysis/{root_id}
`artemis/frontend.py` declares `GET /analysis/{root_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /docs
`artemis/frontend.py` declares `GET /docs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /export
`artemis/frontend.py` declares `GET /export` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /export/download-zip/{id}
`artemis/frontend.py` declares `GET /export/download-zip/{id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /export/view/{id}
`artemis/frontend.py` declares `GET /export/view/{id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /exports
`artemis/frontend.py` declares `GET /exports` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /frontend-api/analyses-table
`artemis/frontend.py` declares `GET /frontend-api/analyses-table` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /frontend-api/task-results-table
`artemis/frontend.py` declares `GET /frontend-api/task-results-table` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /get-modules-that-can-be-disabled
`artemis/api.py` declares `GET /get-modules-that-can-be-disabled` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /is-blocklisted/{domain}
`artemis/api.py` declares `GET /is-blocklisted/{domain}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /login
`artemis/frontend.py` declares `GET /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /num-queued-tasks
`artemis/api.py` declares `GET /num-queued-tasks` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /queue
`artemis/frontend.py` declares `GET /queue` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /restart-crashed-tasks
`artemis/frontend.py` declares `GET /restart-crashed-tasks` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /results
`artemis/frontend.py` declares `GET /results` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /task-results
`artemis/api.py` declares `GET /task-results` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: GET /task/{task_id}
`artemis/frontend.py` declares `GET /task/{task_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /add
`artemis/frontend.py` declares `POST /add` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /analysis/remove-pending-tasks/{analysis_id}
`artemis/frontend.py` declares `POST /analysis/remove-pending-tasks/{analysis_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /archive-tag
`artemis/api.py` declares `POST /archive-tag` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /build-html-message
`artemis/api.py` declares `POST /build-html-message` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /export
`artemis/frontend.py` declares `POST /export` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /export/confirm-delete/{id}
`artemis/frontend.py` declares `POST /export/confirm-delete/{id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /export/delete/{id}
`artemis/api.py` declares `POST /export/delete/{id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /login
`artemis/frontend.py` declares `POST /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /logout
`artemis/frontend.py` declares `POST /logout` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /remove-finished-analyses
`artemis/frontend.py` declares `POST /remove-finished-analyses` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /restart-crashed-tasks
`artemis/frontend.py` declares `POST /restart-crashed-tasks` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /stop-and-delete-analysis
`artemis/api.py` declares `POST /stop-and-delete-analysis` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: artemis/config.py (1227 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: artemis/reporting/modules/nuclei/translations/nuclei_messages/pl_PL.py (2679 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/3044c1af-bc64-4b76-bf2a-9139fd78645f/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/3044c1af-bc64-4b76-bf2a-9139fd78645f/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.