pallets/flask

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

64 of your 113 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.48s · analysis 16.75s · 1.8 MB · GitHub API rate-limit (preflight)

https://github.com/pallets/flask · scanned 2026-06-04 21:59 UTC (1 week, 1 day ago) · 10 languages

250 raw signals (112 security + 138 graph) 71st percentile · Python · small (2-20K LoC) System graph score 68 (higher by 10)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 1 day ago · v2 · 125 actionable findings from 2 signal sources. 45 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

88.9% cov · 49 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	100.0	0.15	15.00
`security_score`	50.1	0.25	12.53
`testing_score`	100.0	0.20	20.00
`documentation_score`	73.0	0.15	10.95
`practices_score`	82.0	0.15	12.30
`code_quality`	64.0	0.10	6.40
Overall		1.00	77.2

Severity distribution — click a segment to filter

Active filters: severity: high × excluding tests × Reset all

Severity: Critical 1 High 12 Medium 22 Low 51 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 76 System graph 49 Crowd 0 Layer: Quality 46 Security 8 Software 55 Frontend 1 Cicd 1 Api 14

Exclude dismissed / FP Exclude test files

Scan summary Quality grade B+ (77/100). Dimensions: security 50, maintainability 100. 112 findings (22 security). 18,337 lines analyzed.

Showing 11 of 125 actionable findings. 170 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 1.00 ✓ Repobility 14 occurrences `self.run` used but never assigned in __init__

Method `__call__` of class `FlaskTask` reads `self.run`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

4 files, 14 locations

src/flask/testing.py:155, 162, 179, 196, 216, 220, 225, 228 (8 hits)

src/flask/wrappers.py:173, 190, 205, 206 (4 hits)

examples/celery/src/task_app/__init__.py:33

src/flask/config.py:124

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /add has no auth

Handler `add` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

examples/celery/src/task_app/views.py:22

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /block has no auth

Handler `block` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

examples/celery/src/task_app/views.py:30

high Security checks quality Quality conf 0.80 ✓ Repobility FastAPI POST /process has no auth

Handler `process` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.

examples/celery/src/task_app/views.py:36

high Security checks software dependencies conf 0.88 starlette: PYSEC-2026-161

BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks

uv.lock

high Security checks software dependencies conf 0.88 werkzeug: GHSA-2g68-c3qc-8985

Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain

examples/celery/requirements.txt

high Security checks software dependencies conf 0.88 werkzeug: PYSEC-2023-221

Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffe…

examples/celery/requirements.txt

high System graph security auth conf 1.00 Flask mutation route `<anonymous>` without `@login_required` — src/flask/sansio/app.py:626

Flask route declares POST/PUT/DELETE/PATCH methods without an auth decorator. Add `@login_required` (Flask-Login) or equivalent.

src/flask/sansio/app.py:626 securityAuth flask unauth route

high System graph security security conf 1.00 Insecure pattern 'eval_used' in src/flask/cli.py:1023

Found a known-risky pattern (eval_used). Review and replace if possible.

src/flask/cli.py:1023 Eval used

high System graph security security conf 1.00 Insecure pattern 'exec_used' in src/flask/config.py:209

Found a known-risky pattern (exec_used). Review and replace if possible.

src/flask/config.py:209 Exec used

high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 20.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

Only 20.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/36f0902f-1f35-47f9-80e0-336870c8415f/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/36f0902f-1f35-47f9-80e0-336870c8415f/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.