← Back to scan
File as GitHub Issue repo: esphome/esphome

Push this scan report to esphome/esphome

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

Missing import: `stat` used but not imported

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
CRIT MINED107 [MINED107] Missing import: `glob` used but not imported: The file uses `glob.something(..… esphome/components/globals/__init__.py:93
CRIT MINED107 [MINED107] Missing import: `uuid` used but not imported: The file uses `uuid.something(..… esphome/components/esp32_ble_server/__i…:78
CRIT MINED107 [MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(..… esphome/dashboard/status/mdns.py:159
CRIT MINED107 [MINED107] Missing import: `platform` used but not imported: The file uses `platform.some… esphome/dashboard/web_server.py:1194
CRIT MINED107 [MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(..… esphome/dashboard/entries.py:294
CRIT MINED107 [MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(..… script/api_protobuf/api_protobuf.py:3327
CRIT MINED107 [MINED107] Missing import: `platform` used but not imported: The file uses `platform.some… tests/component_tests/conftest.py:76
CRIT MINED107 [MINED107] Missing import: `platform` used but not imported: The file uses `platform.some… script/build_codeowners.py:81
CRIT MINED107 [MINED107] Missing import: `string` used but not imported: The file uses `string.somethin… script/helpers.py:355
CRIT MINED107 [MINED107] Missing import: `platform` used but not imported: The file uses `platform.some… script/helpers.py:1206
CRIT MINED107 [MINED107] Missing import: `string` used but not imported: The file uses `string.somethin… esphome/helpers.py:164
CRIT MINED107 [MINED107] Missing import: `platform` used but not imported: The file uses `platform.some… esphome/storage_json.py:232
CRIT MINED107 [MINED107] Missing import: `platform` used but not imported: The file uses `platform.some… esphome/wizard.py:388
CRIT MINED107 [MINED107] Missing import: `platform` used but not imported: The file uses `platform.some… esphome/config.py:86
CRIT MINED018 [MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLo… esphome/components/dashboard_import/__i…:120
CRIT SEC116 [SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Mar… esphome/components/dashboard_import/__i…:120
CRIT SEC079 [SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader ca… esphome/components/dashboard_import/__i…:120
CRIT MINED116 [MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workfl… .github/workflows/ci.yml:249
HIGH MINED108 [MINED108] `self._add_file` used but never assigned in __init__: Method `_discover_compon… esphome/bundle.py:307
HIGH MINED108 [MINED108] `self._add_directory` used but never assigned in __init__: Method `_discover_c… esphome/bundle.py:305
HIGH MINED108 [MINED108] `self._add_directory` used but never assigned in __init__: Method `_discover_c… esphome/bundle.py:326
HIGH MINED108 [MINED108] `self._walk_config_for_files` used but never assigned in __init__: Method `_di… esphome/bundle.py:294
HIGH MINED108 [MINED108] `self._add_file` used but never assigned in __init__: Method `_discover_yaml_i… esphome/bundle.py:277
HIGH MINED108 [MINED108] `self._add_file` used but never assigned in __init__: Method `_add_directory` … esphome/bundle.py:248
HIGH MINED108 [MINED108] `self._relative_to_config_dir` used but never assigned in __init__: Method `_a… esphome/bundle.py:229
HIGH MINED108 [MINED108] `self._add_to_tar` used but never assigned in __init__: Method `create_bundle`… esphome/bundle.py:216
HIGH MINED108 [MINED108] `self._build_manifest` used but never assigned in __init__: Method `create_bun… esphome/bundle.py:199
HIGH MINED108 [MINED108] `self._build_filtered_secrets` used but never assigned in __init__: Method `cr… esphome/bundle.py:190
HIGH MINED108 [MINED108] `self.discover_files` used but never assigned in __init__: Method `create_bund… esphome/bundle.py:181
HIGH MINED108 [MINED108] `self._discover_component_files` used but never assigned in __init__: Method `… esphome/bundle.py:175
HIGH MINED108 [MINED108] `self._discover_yaml_includes` used but never assigned in __init__: Method `di… esphome/bundle.py:172
HIGH MINED108 [MINED108] `self._add_file` used but never assigned in __init__: Method `discover_files` … esphome/bundle.py:169
HIGH MINED108 [MINED108] `self.zeroconf` used but never assigned in __init__: Method `async_resolve_hos… esphome/zeroconf.py:280
HIGH MINED108 [MINED108] `self.update_device_mdns` used but never assigned in __init__: Method `_proces… esphome/zeroconf.py:169
HIGH MINED108 [MINED108] `self._process_service_info` used but never assigned in __init__: Method `_asy… esphome/zeroconf.py:151
HIGH MINED108 [MINED108] `self._async_process_service_info` used but never assigned in __init__: Method… esphome/zeroconf.py:141
HIGH MINED108 [MINED108] `self._process_service_info` used but never assigned in __init__: Method `brow… esphome/zeroconf.py:138
HIGH MINED108 [MINED108] `self._write_color_replace` used but never assigned in __init__: Method `write… esphome/util.py:211
HIGH MINED108 [MINED108] `self._write_color_replace` used but never assigned in __init__: Method `write… esphome/util.py:208
HIGH MINED108 [MINED108] `self._write_color_replace` used but never assigned in __init__: Method `write… esphome/util.py:201
HIGH MINED108 [MINED108] `self._write_color_replace` used but never assigned in __init__: Method `write… esphome/util.py:213
HIGH MINED108 [MINED108] `self.get_key` used but never assigned in __init__: Method `get_to_code` of cl… esphome/pins.py:102
HIGH MINED108 [MINED108] `self.get_key` used but never assigned in __init__: Method `validate` of class… esphome/pins.py:67
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). esphome/components/hmac_md5/hmac_md5.cpp:13
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). esphome/components/hmac_md5/__init__.py:3
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). esphome/components/globals/__init__.py:92
HIGH MINED001 [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… esphome/components/host/gpio.py:37
HIGH MINED001 [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… esphome/components/esp8266/gpio.py:57
HIGH MINED001 [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… esphome/components/esp32/gpio.py:88
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … esphome/components/epaper_spi/models/__…:67
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … esphome/components/debug/debug_esp32.cpp:58
HIGH MINED040 [MINED040] Python Yaml Load Unsafe: yaml.load(stream) without SafeLoader can deserialize … esphome/components/dashboard_import/__i…:120
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… esphome/components/bme68x_bsec2/__init_…:84
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… esphome/components/audio_http/audio_htt…:87
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… esphome/components/audio/audio_reader.c…:181
HIGH COMP001 [COMP001] High cognitive complexity: Function `main` has cognitive complexity 27 (SonarSo… docker/build.py:87
HIGH MINED118 [MINED118] Dockerfile FROM `ghcr.io/esphome/docker-base (no tag)` not pinned by digest: `… docker/Dockerfile:7
HIGH MINED118 [MINED118] Dockerfile FROM `ghcr.io/esphome/docker-base (no tag)` not pinned by digest: `… docker/Dockerfile:5
HIGH MINED118 [MINED118] Dockerfile FROM `ghcr.io/esphome/docker-base:debian-` not pinned by digest: `F… .devcontainer/Dockerfile:2
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-clang-format` pinned to… .pre-commit-config.yaml:49
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/adrienverge/yamllint.git` pinned to mutabl… .pre-commit-config.yaml:44
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/asottile/pyupgrade` pinned to mutable rev … .pre-commit-config.yaml:39
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mut… .pre-commit-config.yaml:29
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/PyCQA/flake8` pinned to mutable rev `7.3.0… .pre-commit-config.yaml:21
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… script/build_helpers.py:105
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… script/build_helpers.py:395
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… script/determine-jobs.py:297
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… script/analyze_component_buses.py:226
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… script/analyze_component_buses.py:168
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… script/analyze_component_buses.py:132
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… script/merge_component_configs.py:440
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… script/stress_test_connect.py:24
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… esphome/__main__.py:978
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… esphome/async_thread.py:48
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… esphome/storage_json.py:404
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… esphome/storage_json.py:375
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… esphome/storage_json.py:286
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… esphome/compiled_config.py:65
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… esphome/vscode.py:144
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… esphome/vscode.py:137
MED SEC007 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code. esphome/components/dashboard_import/__i…:120
MED COMP001 [COMP001] High cognitive complexity: Function `batch_demangle` has cognitive complexity 1… esphome/analyze_memory/demangle.py:86
MED COMP001 [COMP001] High cognitive complexity: Function `main` has cognitive complexity 21 (SonarSo… docker/generate_tags.py:35
MED DKR001 Docker final stage has no non-root USER docker/Dockerfile:97
MED WEB003 Public web service has no security.txt .well-known/security.txt
MED AIC004 Suspicious implementation file appears unreferenced esphome/components/esp32_hosted/update/…:1
MED AIC004 Suspicious implementation file appears unreferenced esphome/components/esp32_hosted/update/…:1
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore docker/Dockerfile:100
MED AGT012 Agent control bridge may listen on a network interface without visible auth esphome/__main__.py:22
LOW AIC003 Duplicated implementation block across source files esphome/components/bmp3xx_base/__init__…:48
LOW AIC003 Duplicated implementation block across source files esphome/components/bmp3xx_base/__init__…:1
LOW AIC003 Duplicated implementation block across source files esphome/components/bmp280_base/bmp280_b…:3
LOW AIC003 Duplicated implementation block across source files esphome/components/bmp280_base/bmp280_b…:179
LOW AIC003 Duplicated implementation block across source files esphome/components/bmp280_base/__init__…:34
LOW AIC003 Duplicated implementation block across source files esphome/components/bme68x_bsec2/sensor.…:1
LOW AIC003 Duplicated implementation block across source files esphome/components/bme68x_bsec2/bme68x_…:129
LOW AIC003 Duplicated implementation block across source files esphome/components/bme680/sensor.py:54
LOW AIC003 Duplicated implementation block across source files esphome/components/ble_rssi/sensor.py:55
LOW AIC003 Duplicated implementation block across source files esphome/components/ble_rssi/ble_rssi_se…:3
LOW AIC003 Duplicated implementation block across source files esphome/components/ble_client/text_sens…:4
LOW AIC003 Duplicated implementation block across source files esphome/components/ble_client/text_sens…:8
LOW AIC003 Duplicated implementation block across source files esphome/components/ble_client/text_sens…:69
LOW AIC003 Duplicated implementation block across source files esphome/components/ble_client/text_sens…:48
LOW AIC003 Duplicated implementation block across source files esphome/components/ble_client/sensor/__…:84
LOW AIC003 Duplicated implementation block across source files esphome/components/ble_client/output/__…:25
LOW AIC003 Duplicated implementation block across source files esphome/components/bl0942/sensor.py:86
LOW AIC003 Duplicated implementation block across source files esphome/components/bl0942/sensor.py:43
LOW AIC003 Duplicated implementation block across source files esphome/components/b_parasite/sensor.py:34
LOW AIC003 Duplicated implementation block across source files esphome/components/audio_http/media_sou…:24
LOW AIC003 Duplicated implementation block across source files esphome/components/audio_http/audio_htt…:67
LOW AIC003 Duplicated implementation block across source files esphome/components/atm90e32/sensor.py:80
LOW AIC003 Duplicated implementation block across source files esphome/components/aqi/caqi_calculator.h:26
LOW AIC003 Duplicated implementation block across source files esphome/components/api/api_frame_helper…:85
LOW AIC003 Duplicated implementation block across source files esphome/components/api/api_frame_helper…:3
LOW AIC003 Duplicated implementation block across source files esphome/components/api/api_frame_helper…:6
LOW AIC003 Duplicated implementation block across source files esphome/components/anova/anova.cpp:59
LOW AIC003 Duplicated implementation block across source files esphome/components/am2320/sensor.py:1
LOW AIC003 Duplicated implementation block across source files esphome/components/adc/adc_sensor_libre…:3
LOW AIC003 Duplicated implementation block across source files .github/scripts/auto-label-pr/index.js:3
LOW DKR010 Dockerfile leaves apt package indexes in the image layer .devcontainer/Dockerfile:8
LOW DKR008 .dockerignore misses sensitive defaults .dockerignore
LOW DKR012 Dockerfile keeps pip download cache .devcontainer/Dockerfile:28
LOW DKR012 Dockerfile keeps pip download cache .devcontainer/Dockerfile:26
LOW DKR012 Dockerfile keeps pip download cache .devcontainer/Dockerfile:12
LOW DKR011 Dockerfile installs recommended OS packages .devcontainer/Dockerfile:8
LOW AIC009 Multiple AI-agent scaffold marker files are present .github/copilot-instructions.md:1
LOW AIC005 Duplicate top-level symbol appears in a patch-style file esphome/components/http_request/update/…:1
LOW AIC002 Source file name looks like an AI patch artifact esphome/components/mqtt/mqtt_update.h:1
LOW AIC002 Source file name looks like an AI patch artifact esphome/components/mqtt/mqtt_update.cpp:1
LOW AIC002 Source file name looks like an AI patch artifact esphome/components/http_request/update/…:1
LOW AIC002 Source file name looks like an AI patch artifact esphome/components/http_request/update/…:1
LOW AIC002 Source file name looks like an AI patch artifact esphome/components/esp32_hosted/update/…:1
LOW AIC002 Source file name looks like an AI patch artifact esphome/components/esp32_hosted/update/…:1
LOW AIC002 Source file name looks like an AI patch artifact esphome/components/dallas_temp/dallas_t…:1
LOW AIC002 Source file name looks like an AI patch artifact esphome/components/dallas_temp/dallas_t…:1
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. esphome/components/micronova/__init__.py:18
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. esphome/components/i2s_audio/__init__.py:211
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. esphome/components/hub75/boards/__init_…:28
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… esphome/components/dashboard_import/__i…:113
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… esphome/components/bmp3xx_base/bmp3xx_b…:5
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… esphome/components/audio_http/audio_htt…:26
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… esphome/components/audio_file/__init__.…:75
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… esphome/components/esp32/gpio_esp32.py:59
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… esphome/components/esp32/gpio.py:89
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… esphome/components/adc/__init__.py:281
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… esphome/components/esp32_ble_client/ble…:48
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… esphome/components/esp32/preferences.cpp:106
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… esphome/components/ac_dimmer/hw_timer_e…:62
INFO MINED055 [MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versi… docker/ha-addon-rootfs/etc/cont-init.d/…:19
INFO MINED055 [MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versi… docker/ha-addon-rootfs/etc/cont-init.d/…:32
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … .github/scripts/auto-label-pr/reviews.js:129
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … .github/scripts/auto-label-pr/labels.js:7
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … .github/scripts/auto-label-pr/index.js:31
Reset to top 5 153 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `esphome/esphome`

**Score: 75/100 (A-)**  ·  188 findings  ·  scanned 2026-06-05 20:55 UTC  ·  625,386 LOC

| Severity | Count |
|---|---|
| CRITICAL | 18 |
| HIGH | 46 |
| MEDIUM | 25 |
| LOW | 46 |

📊 [Full filterable report](https://repobility.com/scan/3747b405-3caf-437f-b665-8b8eaa5a3be4/)  ·  ![scorecard](https://repobility.com/scan/3747b405-3caf-437f-b665-8b8eaa5a3be4/report.png?v=1780692902-s2)

### Top findings

1. **CRITICAL** `MINED107` — Missing import: `glob` used but not imported
   `esphome/components/globals/__init__.py:93` · ✓ Repobility
2. **CRITICAL** `MINED107` — Missing import: `uuid` used but not imported
   `esphome/components/esp32_ble_server/__init__.py:78` · ✓ Repobility
3. **CRITICAL** `MINED107` — Missing import: `stat` used but not imported
   `esphome/dashboard/status/mdns.py:159` · ✓ Repobility
4. **CRITICAL** `MINED107` — Missing import: `platform` used but not imported
   `esphome/dashboard/web_server.py:1194` · ✓ Repobility
5. **CRITICAL** `MINED107` — Missing import: `stat` used but not imported
   `esphome/dashboard/entries.py:294` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/3747b405-3caf-437f-b665-8b8eaa5a3be4/_
Megaproject â high spam risk
Could not determine 'esphome/esphome' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
Open in GitHub to file this issue Cancel

The button opens GitHubâs new-issue page in a new tab. You will see the title + body pre-filled â review, edit if you want, then click GitHubâs "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.