Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
101 of your 191 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 20.75s · analysis 7.55s · 33.5 MB · GitHub preflight 1043ms

tiangolo/fastapi

https://github.com/tiangolo/fastapi.git · scanned 2026-05-19 15:32 UTC (2 weeks, 2 days ago) · 10 languages

675 findings (191 legacy + 484 scanner) 10/12 scanners ran 91st percentile · Python · large (100-500K LoC) Scanner says 70 (higher by 15)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 weeks, 2 days ago · v2 · 433 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
76.2
/100
Repobility
82
191 legacy
9-layer
71
88.9% cov · 242 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 100.0 0.20 20.00
documentation_score 75.0 0.15 11.25
practices_score 81.0 0.15 12.15
code_quality 80.0 0.10 8.00
Overall 1.00 85.4
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 243 Medium 26 Low 129 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 191 9-layer 242 Crowd 0 Layer: Quality 205 Security 141 Software 29 Frontend 2 Cicd 6 Api 50
Scan summary Repository scanned at 70.5/100 with 88.9% coverage. It contains 8345 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 242 findings — concentrated in security (108), quality (50), api (50). Risk profile is high: 0 critical, 108 high, 12 medium. Recommended next step: open the security layer findings first — that's where the highest-impact wins live.

Showing 341 of 433 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /items/{item_id}.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
fastapi/routing.py:3315 authlegacy
high Legacy security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /items/{item_id}.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
fastapi/applications.py:3034 authlegacy
high Legacy security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /items/{item_id}.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
docs_src/body_updates/tutorial002_py310.py:23 authlegacy
high Legacy security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /items/{item_id}.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
fastapi/param_functions.py:317 authlegacy
high Legacy security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /items/{item_id}.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
fastapi/exceptions.py:37 authlegacy
high Legacy security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /items/{item_id}.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
docs_src/body_updates/tutorial002_py310.py:28 authlegacy
high Legacy security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /items/{item_id}.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
fastapi/routing.py:2556 authlegacy
high Legacy security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /items/{item_id}.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
fastapi/applications.py:2283 authlegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
docs_src/dependencies/tutorial008c_an_py310.py:8 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
docs_src/dependencies/tutorial008b_py310.py:12 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
docs_src/dependencies/tutorial008b_an_py310.py:14 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._format_endpoint_context` used but never assigned in __init__: Method `__str__` of class `ValidationException` reads `self._format_endpoint_context`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._format_endpoint_context = <default>` in __init__, or add a class-level default.
fastapi/exceptions.py:208 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_api_route` used but never assigned in __init__: Method `api_route` of class `APIRouter` reads `self.add_api_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_api_route = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1450 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_api_route` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_api_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_api_route = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1762 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_api_websocket_route` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_api_websocket_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_api_websocket_route = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1812 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_api_websocket_route` used but never assigned in __init__: Method `websocket` of class `APIRouter` reads `self.add_api_websocket_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_api_websocket_route = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1562 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_api_websocket_route` used but never assigned in __init__: Method `websocket` of class `FastAPI` reads `self.add_api_websocket_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_api_websocket_route = <default>` in __init__, or add a class-level default.
fastapi/applications.py:1348 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_event_handler` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_event_handler`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_event_handler = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1825 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_event_handler` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_event_handler`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_event_handler = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1823 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_exception_handler` used but never assigned in __init__: Method `exception_handler` of class `FastAPI` reads `self.add_exception_handler`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_exception_handler = <default>` in __init__, or add a class-level default.
fastapi/applications.py:4688 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_middleware` used but never assigned in __init__: Method `middleware` of class `FastAPI` reads `self.add_middleware`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_middleware = <default>` in __init__, or add a class-level default.
fastapi/applications.py:4641 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_route` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_route = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1799 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_route` used but never assigned in __init__: Method `route` of class `APIRouter` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_route = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1325 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_route` used but never assigned in __init__: Method `setup` of class `FastAPI` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_route = <default>` in __init__, or add a class-level default.
fastapi/applications.py:1140 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_route` used but never assigned in __init__: Method `setup` of class `FastAPI` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_route = <default>` in __init__, or add a class-level default.
fastapi/applications.py:1154 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_route` used but never assigned in __init__: Method `setup` of class `FastAPI` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_route = <default>` in __init__, or add a class-level default.
fastapi/applications.py:1133 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_route` used but never assigned in __init__: Method `setup` of class `FastAPI` reads `self.add_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_route = <default>` in __init__, or add a class-level default.
fastapi/applications.py:1116 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_websocket_route` used but never assigned in __init__: Method `include_router` of class `APIRouter` reads `self.add_websocket_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_websocket_route = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1819 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.add_websocket_route` used but never assigned in __init__: Method `websocket_route` of class `APIRouter` reads `self.add_websocket_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.add_websocket_route = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1573 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.api_route` used but never assigned in __init__: Method `get` of class `APIRouter` reads `self.api_route`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.api_route = <default>` in __init__, or add a class-level default.
fastapi/routing.py:2181 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.default` used but never assigned in __init__: Method `__repr__` of class `Body` reads `self.default`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.default = <default>` in __init__, or add a class-level default.
fastapi/params.py:578 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.default` used but never assigned in __init__: Method `__repr__` of class `Param` reads `self.default`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.default = <default>` in __init__, or add a class-level default.
fastapi/params.py:134 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.openapi` used but never assigned in __init__: Method `setup` of class `FastAPI` reads `self.openapi`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.openapi = <default>` in __init__, or add a class-level default.
fastapi/applications.py:1106 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.routes` used but never assigned in __init__: Method `add_api_route` of class `APIRouter` reads `self.routes`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.routes = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1417 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.routes` used but never assigned in __init__: Method `add_api_websocket_route` of class `APIRouter` reads `self.routes`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.routes = <default>` in __init__, or add a class-level default.
fastapi/routing.py:1500 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.routes` used but never assigned in __init__: Method `openapi` of class `FastAPI` reads `self.routes`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.routes = <default>` in __init__, or add a class-level default.
fastapi/applications.py:1092 qualitylegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
docs/en/docs/js/termynal.js:226 xsslegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
docs_src/sql_databases/tutorial002_an_py310.py:71 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
docs_src/sql_databases/tutorial001_py310.py:50 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
docs_src/sql_databases/tutorial001_an_py310.py:54 qualitylegacy
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_hero` without auth dependency — docs_src/sql_databases/tutorial001_an_py310.py:66
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/sql_databases/tutorial001_an_py310.py:66 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI DELETE `delete_hero` without auth dependency — docs_src/sql_databases/tutorial002_an_py310.py:96
`@router.delete` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/sql_databases/tutorial002_an_py310.py:96 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `update_hero` without auth dependency — docs_src/sql_databases/tutorial002_an_py310.py:83
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/sql_databases/tutorial002_an_py310.py:83 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PATCH `update_item` without auth dependency — docs_src/body_updates/tutorial002_py310.py:28
`@router.patch` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_updates/tutorial002_py310.py:28 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `<anonymous>` without auth dependency — docs_src/path_operation_advanced_configuration/tutorial006_py310.py:17
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/path_operation_advanced_configuration/tutorial006_py310.py:17 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_author_items` without auth dependency — docs_src/dataclasses_/tutorial003_py310.py:22
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/dataclasses_/tutorial003_py310.py:22 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_cookie` without auth dependency — docs_src/response_cookies/tutorial001_py310.py:7
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/response_cookies/tutorial001_py310.py:7 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_cookie` without auth dependency — docs_src/response_cookies/tutorial002_py310.py:6
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/response_cookies/tutorial002_py310.py:6 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_file` without auth dependency — docs_src/request_files/tutorial001_02_an_py310.py:8
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_02_an_py310.py:8 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_file` without auth dependency — docs_src/request_files/tutorial001_02_py310.py:6
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_02_py310.py:6 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_file` without auth dependency — docs_src/request_files/tutorial001_03_an_py310.py:8
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_03_an_py310.py:8 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_file` without auth dependency — docs_src/request_files/tutorial001_03_py310.py:6
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_03_py310.py:6 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_file` without auth dependency — docs_src/request_files/tutorial001_an_py310.py:8
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_an_py310.py:8 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_file` without auth dependency — docs_src/request_files/tutorial001_py310.py:6
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_py310.py:6 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_file` without auth dependency — docs_src/request_forms_and_files/tutorial001_an_py310.py:8
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_forms_and_files/tutorial001_an_py310.py:8 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_file` without auth dependency — docs_src/request_forms_and_files/tutorial001_py310.py:6
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_forms_and_files/tutorial001_py310.py:6 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_files` without auth dependency — docs_src/request_files/tutorial002_an_py310.py:9
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial002_an_py310.py:9 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_files` without auth dependency — docs_src/request_files/tutorial002_py310.py:7
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial002_py310.py:7 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_files` without auth dependency — docs_src/request_files/tutorial003_an_py310.py:9
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial003_an_py310.py:9 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_files` without auth dependency — docs_src/request_files/tutorial003_py310.py:7
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial003_py310.py:7 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_hero` without auth dependency — docs_src/sql_databases/tutorial001_an_py310.py:40
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/sql_databases/tutorial001_an_py310.py:40 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_hero` without auth dependency — docs_src/sql_databases/tutorial002_an_py310.py:56
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/sql_databases/tutorial002_an_py310.py:56 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_index_weights` without auth dependency — docs_src/body_nested_models/tutorial009_py310.py:6
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_nested_models/tutorial009_py310.py:6 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_invoice` without auth dependency — docs_src/openapi_callbacks/tutorial001_py310.py:33
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/openapi_callbacks/tutorial001_py310.py:33 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/body/tutorial001_py310.py:15
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body/tutorial001_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/body/tutorial002_py310.py:15
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body/tutorial002_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/dataclasses_/tutorial001_py310.py:17
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/dataclasses_/tutorial001_py310.py:17 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/generate_clients/tutorial001_py310.py:16
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/generate_clients/tutorial001_py310.py:16 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/generate_clients/tutorial002_py310.py:21
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/generate_clients/tutorial002_py310.py:21 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/generate_clients/tutorial003_py310.py:27
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/generate_clients/tutorial003_py310.py:27 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/handling_errors/tutorial005_py310.py:23
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/handling_errors/tutorial005_py310.py:23 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/path_operation_advanced_configuration/tutorial004_py310.py:15
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/path_operation_advanced_configuration/tutorial004_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/path_operation_advanced_configuration/tutorial007_py310.py:13
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/path_operation_advanced_configuration/tutorial007_py310.py:13 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/path_operation_configuration/tutorial001_py310.py:15
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/path_operation_configuration/tutorial001_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/path_operation_configuration/tutorial002_py310.py:15
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/path_operation_configuration/tutorial002_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/path_operation_configuration/tutorial003_py310.py:15
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/path_operation_configuration/tutorial003_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/path_operation_configuration/tutorial004_py310.py:15
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/path_operation_configuration/tutorial004_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/path_operation_configuration/tutorial005_py310.py:15
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/path_operation_configuration/tutorial005_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/pydantic_v1_in_v2/tutorial002_an_py310.py:14
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/pydantic_v1_in_v2/tutorial002_an_py310.py:14 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/pydantic_v1_in_v2/tutorial003_an_py310.py:21
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/pydantic_v1_in_v2/tutorial003_an_py310.py:21 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/pydantic_v1_in_v2/tutorial004_an_py310.py:17
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/pydantic_v1_in_v2/tutorial004_an_py310.py:17 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/response_model/tutorial001_01_py310.py:15
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/response_model/tutorial001_01_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/response_model/tutorial001_py310.py:17
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/response_model/tutorial001_py310.py:17 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/response_status_code/tutorial001_py310.py:6
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/response_status_code/tutorial001_py310.py:6 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/response_status_code/tutorial002_py310.py:6
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/response_status_code/tutorial002_py310.py:6 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/separate_openapi_schemas/tutorial001_py310.py:13
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/separate_openapi_schemas/tutorial001_py310.py:13 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/separate_openapi_schemas/tutorial002_py310.py:13
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/separate_openapi_schemas/tutorial002_py310.py:13 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_item` without auth dependency — docs_src/strict_content_type/tutorial001_py310.py:12
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/strict_content_type/tutorial001_py310.py:12 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_multiple_images` without auth dependency — docs_src/body_nested_models/tutorial008_py310.py:12
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_nested_models/tutorial008_py310.py:12 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_offer` without auth dependency — docs_src/body_nested_models/tutorial007_py310.py:28
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_nested_models/tutorial007_py310.py:28 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_upload_file` without auth dependency — docs_src/request_files/tutorial001_02_an_py310.py:16
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_02_an_py310.py:16 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_upload_file` without auth dependency — docs_src/request_files/tutorial001_02_py310.py:14
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_02_py310.py:14 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_upload_file` without auth dependency — docs_src/request_files/tutorial001_03_an_py310.py:13
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_03_an_py310.py:13 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_upload_file` without auth dependency — docs_src/request_files/tutorial001_03_py310.py:11
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_03_py310.py:11 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_upload_file` without auth dependency — docs_src/request_files/tutorial001_an_py310.py:13
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_an_py310.py:13 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_upload_file` without auth dependency — docs_src/request_files/tutorial001_py310.py:11
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial001_py310.py:11 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_upload_files` without auth dependency — docs_src/request_files/tutorial002_an_py310.py:14
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial002_an_py310.py:14 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_upload_files` without auth dependency — docs_src/request_files/tutorial002_py310.py:12
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial002_py310.py:12 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_upload_files` without auth dependency — docs_src/request_files/tutorial003_an_py310.py:16
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial003_an_py310.py:16 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_upload_files` without auth dependency — docs_src/request_files/tutorial003_py310.py:14
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/request_files/tutorial003_py310.py:14 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_user` without auth dependency — docs_src/extra_models/tutorial001_py310.py:38
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/extra_models/tutorial001_py310.py:38 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_user` without auth dependency — docs_src/extra_models/tutorial002_py310.py:36
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/extra_models/tutorial002_py310.py:36 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_user` without auth dependency — docs_src/generate_clients/tutorial002_py310.py:34
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/generate_clients/tutorial002_py310.py:34 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_user` without auth dependency — docs_src/generate_clients/tutorial003_py310.py:40
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/generate_clients/tutorial003_py310.py:40 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_user` without auth dependency — docs_src/response_model/tutorial002_py310.py:15
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/response_model/tutorial002_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_user` without auth dependency — docs_src/response_model/tutorial003_01_py310.py:17
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/response_model/tutorial003_01_py310.py:17 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `create_user` without auth dependency — docs_src/response_model/tutorial003_py310.py:22
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/response_model/tutorial003_py310.py:22 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `post_data_in_out` without auth dependency — docs_src/json_base64_bytes/tutorial001_py310.py:44
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/json_base64_bytes/tutorial001_py310.py:44 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `post_data` without auth dependency — docs_src/json_base64_bytes/tutorial001_py310.py:32
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/json_base64_bytes/tutorial001_py310.py:32 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `send_notification` without auth dependency — docs_src/background_tasks/tutorial001_py310.py:12
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/background_tasks/tutorial001_py310.py:12 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `send_notification` without auth dependency — docs_src/background_tasks/tutorial002_an_py310.py:20
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/background_tasks/tutorial002_an_py310.py:20 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `send_notification` without auth dependency — docs_src/background_tasks/tutorial002_py310.py:18
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/background_tasks/tutorial002_py310.py:18 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `stream_chat` without auth dependency — docs_src/server_sent_events/tutorial005_py310.py:14
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/server_sent_events/tutorial005_py310.py:14 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `sum_numbers` without auth dependency — docs_src/custom_request_and_route/tutorial001_an_py310.py:34
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/custom_request_and_route/tutorial001_an_py310.py:34 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `sum_numbers` without auth dependency — docs_src/custom_request_and_route/tutorial001_py310.py:33
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/custom_request_and_route/tutorial001_py310.py:33 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `sum_numbers` without auth dependency — docs_src/custom_request_and_route/tutorial002_an_py310.py:28
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/custom_request_and_route/tutorial002_an_py310.py:28 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `sum_numbers` without auth dependency — docs_src/custom_request_and_route/tutorial002_py310.py:27
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/custom_request_and_route/tutorial002_py310.py:27 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI POST `update_admin` without auth dependency — docs_src/bigger_applications/app_an_py310/internal/admin.py:6
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/bigger_applications/app_an_py310/internal/admin.py:6 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `get_or_create_task` without auth dependency — docs_src/response_change_status_code/tutorial001_py310.py:8
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/response_change_status_code/tutorial001_py310.py:8 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `read_items` without auth dependency — docs_src/extra_data_types/tutorial001_an_py310.py:10
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/extra_data_types/tutorial001_an_py310.py:10 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `read_items` without auth dependency — docs_src/extra_data_types/tutorial001_py310.py:9
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/extra_data_types/tutorial001_py310.py:9 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/bigger_applications/app_an_py310/routers/items.py:28
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/bigger_applications/app_an_py310/routers/items.py:28 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body/tutorial003_py310.py:15
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body/tutorial003_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body/tutorial004_py310.py:15
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body/tutorial004_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_fields/tutorial001_an_py310.py:18
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_fields/tutorial001_an_py310.py:18 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_fields/tutorial001_py310.py:16
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_fields/tutorial001_py310.py:16 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_multiple_params/tutorial001_an_py310.py:16
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_multiple_params/tutorial001_an_py310.py:16 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_multiple_params/tutorial001_py310.py:14
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_multiple_params/tutorial001_py310.py:14 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_multiple_params/tutorial002_py310.py:19
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_multiple_params/tutorial002_py310.py:19 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_multiple_params/tutorial003_an_py310.py:21
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_multiple_params/tutorial003_an_py310.py:21 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_multiple_params/tutorial003_py310.py:19
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_multiple_params/tutorial003_py310.py:19 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_multiple_params/tutorial004_an_py310.py:21
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_multiple_params/tutorial004_an_py310.py:21 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_multiple_params/tutorial004_py310.py:19
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_multiple_params/tutorial004_py310.py:19 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_multiple_params/tutorial005_an_py310.py:16
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_multiple_params/tutorial005_an_py310.py:16 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_multiple_params/tutorial005_py310.py:14
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_multiple_params/tutorial005_py310.py:14 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_nested_models/tutorial001_py310.py:15
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_nested_models/tutorial001_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_nested_models/tutorial002_py310.py:15
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_nested_models/tutorial002_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_nested_models/tutorial003_py310.py:15
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_nested_models/tutorial003_py310.py:15 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_nested_models/tutorial004_py310.py:21
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_nested_models/tutorial004_py310.py:21 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_nested_models/tutorial005_py310.py:21
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_nested_models/tutorial005_py310.py:21 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_nested_models/tutorial006_py310.py:21
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_nested_models/tutorial006_py310.py:21 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/body_updates/tutorial001_py310.py:28
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/body_updates/tutorial001_py310.py:28 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/encoder/tutorial001_py310.py:19
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/encoder/tutorial001_py310.py:19 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `update_item` without auth dependency — docs_src/response_directly/tutorial001_py310.py:18
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/response_directly/tutorial001_py310.py:18 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `upsert_item` without auth dependency — docs_src/additional_status_codes/tutorial001_an_py310.py:11
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/additional_status_codes/tutorial001_an_py310.py:11 authowaspauth.fastapi.unauth_mutation
high 9-layer security auth conf 1.00 FastAPI PUT `upsert_item` without auth dependency — docs_src/additional_status_codes/tutorial001_py310.py:9
`@router.put` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
docs_src/additional_status_codes/tutorial001_py310.py:9 authowaspauth.fastapi.unauth_mutation
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
authlegacy
high Legacy security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 14.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
authlegacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
docs_src/websockets_/tutorial003_py310.py:66 authlegacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /info.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
docs_src/settings/app01_py310/main.py:8 authlegacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /info.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
docs_src/settings/app03_an_py310/main.py:16 authlegacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /info.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
docs_src/settings/tutorial001_py310.py:15 authlegacy
high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
docs_src/bigger_applications/app_an_py310/internal/admin.py:6 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /heroes/{hero_id}.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
docs_src/sql_databases/tutorial001_py310.py:62 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /heroes/{hero_id}.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
docs_src/sql_databases/tutorial002_an_py310.py:96 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /heroes/{hero_id}.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
docs_src/sql_databases/tutorial001_an_py310.py:66 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /heroes/{hero_id}.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
docs_src/sql_databases/tutorial002_py310.py:95 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
fastapi/routing.py:3315 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
fastapi/applications.py:3034 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
docs_src/websockets_/tutorial002_py310.py:59 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /items/.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
docs_src/header_params/tutorial003_py310.py:6 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /items/.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
docs_src/header_params/tutorial003_an_py310.py:8 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /chat/stream.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
docs_src/server_sent_events/tutorial005_py310.py:14 authlegacy
medium Legacy security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
Set docs_url=None, redoc_url=None, and openapi_url=None for production apps unless the docs are intentionally public and protected by routing, ingress, or an authenticated docs handler.
authlegacy
medium Legacy quality quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `read_items` (list): `def read_items(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def read_items(x=None): x = x or []`
docs_src/query_params_str_validations/tutorial012_an_py310.py:9 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `read_items` (list): `def read_items(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def read_items(x=None): x = x or []`
docs_src/query_params_str_validations/tutorial013_an_py310.py:9 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `validate` (dict): `def validate(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def validate(x=None): x = x or []`
fastapi/_compat/v2.py:173 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
fastapi/concurrency.py:30 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
fastapi/encoders.py:346 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
fastapi/routing.py:270 qualitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
scripts/docs.py:191 securitylegacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
docs_src/security/tutorial002_py310.py:19 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
docs_src/security/tutorial002_an_py310.py:21 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
docs_src/python_types/tutorial011_py310.py:8 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks — exactly the surfaces that need tests — with no companion test file. AI agents rewrite handlers fluently but skip the test diff almost every time, leaving high-blast-radius code uncovered. Distinct from generic 'no tests' because we target sensitive surfaces where the absence of tests is itself a risk signal. CWE-1078 (missing test coverage of security-critica
Require a companion test file for any change to auth/admin/users/payments/webhooks paths. CI gate: if `src/auth/*.py` changed in a PR, fail if `tests/auth/*.py` did not also change. For migrations, require an explicit rollback (`op.execute('-- rollback ...')`) plus a test that exercises both direct…
docs_src/generate_clients/tutorial002_py310.py:34 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks — exactly the surfaces that need tests — with no companion test file. AI agents rewrite handlers fluently but skip the test diff almost every time, leaving high-blast-radius code uncovered. Distinct from generic 'no tests' because we target sensitive surfaces where the absence of tests is itself a risk signal. CWE-1078 (missing test coverage of security-critica
Require a companion test file for any change to auth/admin/users/payments/webhooks paths. CI gate: if `src/auth/*.py` changed in a PR, fail if `tests/auth/*.py` did not also change. For migrations, require an explicit rollback (`op.execute('-- rollback ...')`) plus a test that exercises both direct…
docs_src/extra_models/tutorial002_py310.py:36 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks — exactly the surfaces that need tests — with no companion test file. AI agents rewrite handlers fluently but skip the test diff almost every time, leaving high-blast-radius code uncovered. Distinct from generic 'no tests' because we target sensitive surfaces where the absence of tests is itself a risk signal. CWE-1078 (missing test coverage of security-critica
Require a companion test file for any change to auth/admin/users/payments/webhooks paths. CI gate: if `src/auth/*.py` changed in a PR, fail if `tests/auth/*.py` did not also change. For migrations, require an explicit rollback (`op.execute('-- rollback ...')`) plus a test that exercises both direct…
docs_src/extra_models/tutorial001_py310.py:38 qualitylegacy
medium Legacy quality quality conf 0.70 Public web app has no Content Security Policy
Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors.
index.html qualitylegacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt qualitylegacy
medium Legacy quality quality conf 0.78 React interval is created without an explicit cleanup
Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant.
docs/en/docs/js/custom.js:139 qualitylegacy
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/contributors.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/sponsors.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/translate.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/people.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/topic-repos.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/publish.yml supply-chaingithub-actionsleast-privilege
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/contributors.py:285
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/docs.py:181
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/people.py:461
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/sponsors.py:193
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/topic_repos.py:59
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/translate.py:432
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/schema_extra_example/tutorial004_py310.py:13 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/schema_extra_example/tutorial004_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/schema_extra_example/tutorial004_an_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/response_model/tutorial006_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/response_model/tutorial003_py310.py:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/request_files/tutorial003_py310.py:13 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/request_files/tutorial003_py310.py:12 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/request_files/tutorial003_an_py310.py:16 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/request_files/tutorial002_py310.py:6 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/path_operation_configuration/tutorial005_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/path_operation_configuration/tutorial004_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/metadata/tutorial001_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/generate_clients/tutorial003_py310.py:7 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/extra_data_types/tutorial001_py310.py:12 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/dependencies/tutorial014_an_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/dependencies/tutorial008b_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/custom_request_and_route/tutorial002_py310.py:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/custom_request_and_route/tutorial001_py310.py:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/body_updates/tutorial002_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/body_nested_models/tutorial007_py310.py:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/body_nested_models/tutorial007_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/body_nested_models/tutorial006_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/body_nested_models/tutorial005_py310.py:6 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/body_multiple_params/tutorial004_py310.py:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/body_multiple_params/tutorial004_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/body_multiple_params/tutorial004_an_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/body_multiple_params/tutorial003_py310.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
docs_src/background_tasks/tutorial002_py310.py:1 qualitylegacy
low Legacy quality quality conf 0.64 Public docs site has no llms.txt
Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents.
llms.txt qualitylegacy
low Legacy quality quality conf 0.50 Public web app has no humans.txt
Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date.
humans.txt qualitylegacy
low Legacy quality quality conf 0.74 Public web app has no robots.txt
Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths.
robots.txt qualitylegacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: docs/en/docs/js/init_kapa_widget.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: docs_src/generate_clients/tutorial004_py310.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: docs_src/static_files/tutorial001_py310.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/__main__.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/logger.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/middleware/cors.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/middleware/gzip.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/middleware/httpsredirect.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/middleware/trustedhost.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/middleware/wsgi.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/openapi/constants.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/requests.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/staticfiles.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/templating.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/testclient.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/types.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: fastapi/websockets.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_modules_same_name_body/app/main.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_request_params/test_cookie/test_list.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_request_params/test_cookie/test_optional_list.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_request_params/test_path/test_list.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_request_params/test_path/test_optional_list.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/test_request_params/test_path/test_optional_str.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer quality integrity conf 1.00 Legacy-named symbol `annotation_is_pydantic_v1` in fastapi/_compat/__init__.py:2
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `annotation_is_pydantic_v1` in fastapi/_compat/shared.py:202
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `annotation_is_pydantic_v1` in fastapi/utils.py:14
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `model_copy` in docs_src/body_updates/tutorial002_py310.py:33
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_discriminator_pydantic_v2` in tests/test_union_body_discriminator.py:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_upload_file_invalid_pydantic_v2` in tests/test_datastructures.py:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `typing_deprecated` in fastapi/openapi/models.py:14
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 10 places
Functions with the same first-5-line body hash: scripts/playwright/separate_openapi_schemas/image05.py:run, scripts/playwright/separate_openapi_schemas/image03.py:run, scripts/playwright/separate_openapi_schemas/image01.py:run, scripts/playwright/separate_openapi_schemas/image02.py:run This is *th…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/contributors.py:get_graphql_response, scripts/sponsors.py:get_graphql_response This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/notify_translations.py:get_graphql_response, scripts/people.py:get_graphql_response This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separat…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/notify_translations.py:get_graphql_translation_discussion_comments_edges, scripts/notify_translations.py:get_graphql_translation_discussion_comments This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/docs.py:generate_readme_content, scripts/docs.py:generate_readme This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/docs.py:generate_docs_src_versions_for_file, scripts/docs.py:generate_docs_src_versions This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're sep…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/docs.py:add_permalinks_page, scripts/docs.py:add_permalinks This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/playwright/query_param_models/image01.py:run, scripts/playwright/cookie_param_models/image01.py:run This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: docs_src/security/tutorial002_py310.py:fake_decode_token, docs_src/security/tutorial002_an_py310.py:fake_decode_token This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or do…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: docs_src/security/tutorial002_py310.py:get_current_user, docs_src/security/tutorial002_an_py310.py:get_current_user This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or docu…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: docs_src/security/tutorial004_py310.py:get_current_user, docs_src/security/tutorial004_an_py310.py:get_current_user This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or docu…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: scripts/contributors.py:update_content, scripts/sponsors.py:update_content, scripts/people.py:update_content This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document wh…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: docs_src/security/tutorial002_py310.py:read_users_me, docs_src/security/tutorial002_an_py310.py:read_users_me, docs_src/security/tutorial003_py310.py:read_users_me This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see htt…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: docs_src/stream_data/tutorial002_py310.py:stream_image, docs_src/stream_data/tutorial002_py310.py:stream_image_no_async, docs_src/stream_data/tutorial002_py310.py:stream_image_no_annotation, docs_src/stream_data/tutorial002_py310.py:stream_image_no_as…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: docs_src/security/tutorial004_py310.py:verify_password, docs_src/security/tutorial004_an_py310.py:verify_password, docs_src/security/tutorial005_py310.py:verify_password, docs_src/security/tutorial005_an_py310.py:verify_password This is *the* AI-code…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: docs_src/security/tutorial004_py310.py:get_password_hash, docs_src/security/tutorial004_an_py310.py:get_password_hash, docs_src/security/tutorial005_py310.py:get_password_hash, docs_src/security/tutorial005_an_py310.py:get_password_hash This is *the*…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: docs_src/security/tutorial004_py310.py:authenticate_user, docs_src/security/tutorial004_an_py310.py:authenticate_user, docs_src/security/tutorial005_py310.py:authenticate_user, docs_src/security/tutorial005_an_py310.py:authenticate_user This is *the*…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: docs_src/security/tutorial004_py310.py:create_access_token, docs_src/security/tutorial004_an_py310.py:create_access_token, docs_src/security/tutorial005_py310.py:create_access_token, docs_src/security/tutorial005_an_py310.py:create_access_token This …
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 6 places
Functions with the same first-5-line body hash: docs_src/settings/tutorial001_py310.py:info, docs_src/settings/app01_py310/main.py:info, docs_src/settings/app03_py310/main.py:info, docs_src/settings/app02_an_py310/main.py:info This is *the* AI-coder failure mode (4× more duplication in vibe-coded …
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 6 places
Functions with the same first-5-line body hash: docs_src/security/tutorial004_py310.py:get_user, docs_src/security/tutorial003_an_py310.py:get_user, docs_src/security/tutorial004_an_py310.py:get_user, docs_src/security/tutorial005_py310.py:get_user This is *the* AI-coder failure mode (4× more dupl…
integrityduplicatedry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: complete_existing_lang
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/docs.py:122 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: handle_data
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/docs.py:85 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: lang_callback
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/docs.py:115 dead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — docs_src/generate_clients/tutorial004.js:29
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer quality integrity conf 1.00 Stub function `callback` (body is just `pass`/`return`) — scripts/translation_fixer.py:26
Likely an AI scaffold that was never filled in. Remove or implement.
integrityempty-handlerdead-code
low 9-layer quality integrity conf 1.00 Stub function `invoice_notification` (body is just `pass`/`return`) — docs_src/openapi_callbacks/tutorial001_py310.py:29
Likely an AI scaffold that was never filled in. Remove or implement.
integrityempty-handlerdead-code
low 9-layer quality integrity conf 1.00 Stub function `trace_item` (body is just `pass`/`return`) — fastapi/applications.py:4532
Likely an AI scaffold that was never filled in. Remove or implement.
integrityempty-handlerdead-code
low 9-layer quality integrity conf 1.00 Stub function `trace_item` (body is just `pass`/`return`) — fastapi/routing.py:4839
Likely an AI scaffold that was never filled in. Remove or implement.
integrityempty-handlerdead-code
low 9-layer api wiring conf 1.00 Unused endpoint: GET /
`docs_src/custom_response/tutorial007_py310.py` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /app
`docs_src/sub_applications/tutorial001_py310.py` declares `GET /app` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /authors/
`docs_src/dataclasses_/tutorial003_py310.py` declares `GET /authors/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /data
`docs_src/json_base64_bytes/tutorial001_py310.py` declares `GET /data` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /elements/
`docs_src/path_operation_configuration/tutorial006_py310.py` declares `GET /elements/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /fastapi
`docs_src/custom_response/tutorial006b_py310.py` declares `GET /fastapi` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /generate
`docs_src/dependencies/tutorial014_an_py310.py` declares `GET /generate` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /image/stream
`docs_src/stream_data/tutorial002_py310.py` declares `GET /image/stream` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /image/stream-no-annotation
`docs_src/stream_data/tutorial002_py310.py` declares `GET /image/stream-no-annotation` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /image/stream-no-async
`docs_src/stream_data/tutorial002_py310.py` declares `GET /image/stream-no-async` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /image/stream-no-async-no-annotation
`docs_src/stream_data/tutorial002_py310.py` declares `GET /image/stream-no-async-no-annotation` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting…
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /image/stream-no-async-yield-from
`docs_src/stream_data/tutorial002_py310.py` declares `GET /image/stream-no-async-yield-from` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting wh…
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /items/
`docs_src/security/tutorial001_an_py310.py` declares `GET /items/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /items/next
`docs_src/dataclasses_/tutorial002_py310.py` declares `GET /items/next` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /items/stream
`docs_src/stream_json_lines/tutorial001_py310.py` declares `GET /items/stream` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /items/stream-no-annotation
`docs_src/stream_json_lines/tutorial001_py310.py` declares `GET /items/stream-no-annotation` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting wh…
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /items/stream-no-async
`docs_src/stream_json_lines/tutorial001_py310.py` declares `GET /items/stream-no-async` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who con…
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /items/stream-no-async-no-annotation
`docs_src/stream_json_lines/tutorial001_py310.py` declares `GET /items/stream-no-async-no-annotation` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docum…
wiringunused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /items/{item_id}
`docs_src/app_testing/tutorial004_py310.py` declares `GET /items/{item_id}` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiringunused-endpoint

Showing first 300 of 341. Refine filters or use the legacy findings page for deep search.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/3698120a-e08b-4304-8dd1-f2dcb9f557ea/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/3698120a-e08b-4304-8dd1-f2dcb9f557ea/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.