Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
22 of your 141 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.63s · analysis 7.19s · 5.5 MB · GitHub API rate-limit (preflight)

gma1k/podtrace

https://github.com/gma1k/podtrace · scanned 2026-06-05 19:02 UTC (4 days, 17 hours ago) · 10 languages

161 raw signals (133 security + 28 graph) 39th percentile · Go · large (100-500K LoC) System graph score 96 (lower by 25)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 17 hours ago · v2 · 100 actionable findings from 2 signal sources. 47 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
79.9
/100
Security checks
63
89 findings
System graph
97
100.0% cov · 11 findings
Critical
4
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 33.5 0.25 8.38
testing_score 85.0 0.20 17.00
documentation_score 88.0 0.15 13.20
practices_score 100.0 0.15 15.00
code_quality 50.7 0.10 5.07
Overall 1.00 71.4
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 4 High 67 Medium 5 Low 10 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 89 System graph 11 Crowd 0 Layer: Cicd 7 Quality 20 Software 65 Security 3 Api 1 Hardware 3 Frontend 1
Scan summary Quality grade B (71/100). Dimensions: security 34, maintainability 85. 133 findings (67 security). 103,145 lines analyzed.

Showing 30 of 100 actionable findings. 147 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
scripts/submit-olm-bundle.sh:103
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.
hack/inject-crd-annotations.sh:73
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
hack/inject-crd-annotations.sh:99
high Security checks cicd CI/CD security conf 0.92 Dockerfile copies the entire context without .dockerignore
COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.
Dockerfile:37 CI/CD securitycontainers
high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `gcr.io/distroless/static-debian12:nonroot` not pinned by digest
`FROM gcr.io/distroless/static-debian12:nonroot` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Dockerfile:67
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5005
Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5006
Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5013
Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5014
Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5015
Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5016
Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5017
Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5018
Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5019
Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5020
Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5021
Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5023
Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5033
Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
go.mod
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore CI/CD securitycontainers
medium System graph hardware Security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
4 files, 4 locations
.github/workflows/release-bump.yml
.github/workflows/release-notes-enrich.yml
.github/workflows/release-please.yml
.github/workflows/release.yml
CI/CD securitySupply chainGithub actions
low Security checks quality Error handling conf 1.00 3 occurrences [ERR003] Ignored Error (Go): Ignoring error return values.
Handle the error or use errcheck linter.
3 files, 3 locations
cmd/podtrace/diagnose_env.go:85
cmd/podtrace/schedule.go:79
cmd/podtrace/watch.go:202
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 19 locations
internal/alerting/webhook.go:1, 76 (2 hits)
internal/diagnose/analyzer/tls.go:20, 32 (2 hits)
internal/tracing/exporter/zipkin.go:49, 113 (2 hits)
pkg/client/applyconfiguration/api/v1alpha1/objectstorereference.go:1, 2 (2 hits)
pkg/client/applyconfiguration/api/v1alpha1/otlpexporter.go:1, 2 (2 hits)
pkg/client/applyconfiguration/api/v1alpha1/podtrace.go:1, 2 (2 hits)
pkg/client/applyconfiguration/api/v1alpha1/podtracenodestatus.go:1, 2 (2 hits)
bpf/filesystem.c:35
duplicationquality
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: gcr.io/distroless/static-debian12:nonroot
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:67 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: golang:${GO_VERSION}-${DEBIAN_RELEASE}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:14 containersPinned dependencies
low System graph quality Complexity conf 1.00 Very large file: internal/ebpf/probes/probes.go (1725 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: internal/ebpf/probes/probes_test.go (2405 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: internal/ebpf/tracer/tracer_test.go (2346 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: internal/events/events_test.go (2065 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: internal/resource/monitor_test.go (1904 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/43662ce4-9ff1-4f00-8325-88d2a0d2fe9d/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/43662ce4-9ff1-4f00-8325-88d2a0d2fe9d/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.