imakris/sintra — Repobility public scan

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

Sign up free Scan another repo

64 of your 86 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.59s · analysis 1.64s · 2.9 MB · GitHub preflight 410ms

imakris/sintra

http://github.com/imakris/sintra.git · scanned 2026-05-19 21:45 UTC (2 weeks, 2 days ago) · 10 languages

104 findings (86 legacy + 18 scanner) Scanner says 100 (lower by 22)

File as issue Image v2 schema

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 weeks, 2 days ago · v2 · 95 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON

66.7% cov · 9 gaps

click to filter

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	55.0	0.15	8.25
`security_score`	96.0	0.25	24.00
`testing_score`	85.0	0.20	17.00
`documentation_score`	90.0	0.15	13.50
`practices_score`	70.0	0.15	10.50
`code_quality`	37.4	0.10	3.74
Overall		1.00	77.0

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 7 High 68 Medium 2 Low 5 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 86 9-layer 9 Crowd 0 Layer: Security 3 Quality 80 Software 10 Api 1 Frontend 1

Exclude dismissed / FP Exclude test files

Scan summary Repository scanned at 99.5/100 with 66.7% coverage. It contains 575 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 9 findings — concentrated in software (3), quality (3), api (1). Risk profile is low: 0 critical, 0 high, 2 medium. Recommended next step: open the software layer findings first — that's where the highest-impact wins live.

Showing 14 of 95 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted cont…

.github/workflows/coverage.yml:150 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GIST_SECRET` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GIST_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted contex…

.github/workflows/build-windows.yml:196 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GIST_SECRET` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GIST_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted contex…

.github/workflows/build-windows.yml:182 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GIST_SECRET` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GIST_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted contex…

.github/workflows/build-linux.yml:184 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GIST_SECRET` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GIST_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted contex…

.github/workflows/build-linux.yml:170 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GIST_SECRET` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GIST_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted contex…

.github/workflows/build-macos.yml:136 dependencylegacy

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.GIST_SECRET` on a `pull_request` trigger

This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GIST_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted contex…

.github/workflows/build-macos.yml:122 dependencylegacy

medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — trigger_ci.py:29

`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

integrityfragile-runtimerobustness

medium 9-layer security coverage conf 1.00 No auth library detected

The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.

coverageauth

low 9-layer software dead-code conf 1.00 Possibly dead Python function: code_repl

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

scripts/build_reference_site.py:195 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: image_repl

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

scripts/build_reference_site.py:218 dead-code

low 9-layer software dead-code conf 1.00 Possibly dead Python function: link_repl

No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.

scripts/build_reference_site.py:205 dead-code

low 9-layer quality complexity conf 1.00 Very large file: tests/run_tests.py (2874 lines)

Files with >800 lines often hide complexity hotspots and discourage tests.

complexity

low Legacy quality quality conf 1.00 ✓ Repobility [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.

Review and fix per the pattern semantics.

trigger_ci.py:16 qualitylegacy

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/3d8c0053-0017-479e-b4b2-c9cd42938fbb/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/3d8c0053-0017-479e-b4b2-c9cd42938fbb/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.