Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
181 of your 258 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 140.12s for a 543.2 MB repo slow.
  • Repobility's analysis ran in 499.23s after the clone landed.

facebook/hhvm

https://github.com/facebook/hhvm · scanned 2026-06-05 18:10 UTC (4 days, 19 hours ago) · 10 languages

946 raw signals (240 security + 706 graph) 11/13 scanners ran System graph score 54 (higher by 20)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 19 hours ago · v2 · 282 actionable findings from 2 signal sources. 286 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
63.0
/100
Security checks
72
67 findings
System graph
54
100.0% cov · 215 findings
Critical
4
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 40.0 0.15 6.00
security_score 100.0 0.25 25.00
testing_score 80.0 0.20 16.00
documentation_score 88.0 0.15 13.20
practices_score 50.0 0.15 7.50
code_quality 68.0 0.10 6.80
Overall 1.00 74.5
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 4 High 21 Medium 25 Low 157 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 67 System graph 215 Crowd 0 Layer: Quality 162 Cicd 14 Software 75 Frontend 10 Hardware 8 Security 9 Api 4
Scan summary Quality grade B (74/100). Dimensions: security 100, maintainability 40. 240 findings (30 security). 1,579,583 lines analyzed.

Showing 204 of 282 actionable findings. 568 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection.
Review and fix per the pattern semantics. See CWE-95 / for context.
3 files, 3 locations
hphp/hack/src/client/ide_service/code_actions_services/refactors/add_doc_comment.ml:68
hphp/hack/src/milner/milner.ml:157
hphp/hack/src/simplihack/simplihack_interpreter.mli:9
high Security checks quality Quality conf 1.00 ✓ Repobility 6 occurrences [MINED107] Missing import: `string` used but not imported: The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
Add `import string` at the top of the file.
6 files, 6 locations
third-party/thrift/src/thrift/lib/py/protocol/TJSONProtocol.py:173
third-party/thrift/src/thrift/lib/py/protocol/TSimpleJSONProtocol.py:637
third-party/thrift/src/thrift/lib/py/server/TAsyncioServer.py:150
third-party/thrift/src/thrift/lib/py/util/Decorators.py:48
third-party/thrift/src/thrift/lib/py/util/__init__.py:44
third-party/thrift/src/thrift/lib/python/metadata.py:503
critical System graph security Secrets conf 1.00 5 occurrences Possible secret in third-party/watchman/src/.github/workflows/release.yml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 43, 64, 85, 106, 127
third-party/watchman/src/.github/workflows/release.yml:43, 64, 85, 106, 127 (5 hits)
critical System graph security Secrets conf 1.00 Possible secret in third-party/watchman/src/website/docusaurus.config.js
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
third-party/watchman/src/website/docusaurus.config.js:239
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED002] Dart Null Bang: value! throws on null. Use ?. or null check.
Review and fix per the pattern semantics. See CWE-476 / for context.
hphp/hack/src/typing/typing_argument.ml:148
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED002] Dart Null Bang: value! throws on null. Use ?. or null check.
Review and fix per the pattern semantics. See CWE-476 / for context.
hphp/hack/src/typing/type_mapper_forget.ml:42
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /source has no auth: Express route POST /source declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/source', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/debugger/duk_debug.js:1863
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED113] Express POST /sourceList has no auth: Express route POST /sourceList declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
Add an auth middleware: app.post('/sourceList', requireAuth, handler) — or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/debugger/duk_debug.js:1864
high Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences [MINED118] Dockerfile FROM `ghcr.io/xtruder/nix-devcontainer:v1` not pinned by digest: `FROM ghcr.io/xtruder/nix-devcontainer:v1` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ghcr.io/xtruder/nix-devcontainer:v1@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
3 files, 4 locations
third-party/proxygen/src/proxygen/httpserver/samples/hq/quic-interop/Dockerfile:4, 23 (2 hits)
.devcontainer/Dockerfile:1
third-party/mcrouter/src/mcrouter/scripts/docker/ubuntu/Dockerfile:2
high Security checks cicd CI/CD security conf 0.92 Docker build context is very large
Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers.
.dockerignore CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.92 Dockerfile copies the entire context without .dockerignore
Create .dockerignore before using broad context copies, or copy only the required files and directories.
third-party/proxygen/src/proxygen/httpserver/samples/hq/quic-interop/Dockerfile:15 CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.92 Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
third-party/watchman/src/watchman/build/package/ubuntu-env/Dockerfile:18 CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.92 Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
third-party/watchman/src/watchman/build/package/fedora-env/Dockerfile:6 CI/CD securitycontainers
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 71 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
10 files, 71 locations
third-party/thrift/src/.github/workflows/getdeps_python_linux.yml:127, 135, 143, 151, 159, 167, 175, 183, +12 more (20 hits)
third-party/thrift/src/.github/workflows/getdeps_python_linux_container.yml:128, 136, 144, 152, 160, 168, 176, 184, +12 more (20 hits)
third-party/fizz/src/.github/workflows/oss-build-and-test.yml:7, 60, 79, 88, 106, 126, 138, 154, +1 more (14 hits)
third-party/watchman/src/.github/workflows/release.yml:25, 35, 56, 77, 98, 119 (6 hits)
third-party/folly/src/.github/workflows/oss-build-and-test.yml:80, 109, 137 (3 hits)
third-party/fizz/src/.github/workflows/getdeps_linux.yml:30, 135 (2 hits)
third-party/fizz/src/.github/workflows/getdeps_windows.yml:42, 128 (2 hits)
third-party/watchman/src/.github/workflows/package.yml:10, 38 (2 hits)
CI/CD securitySupply chainGitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 59 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `mozilla-actions/sccache-action` pinned to mutable ref `@v0.0.9`: `uses: mozilla-actions/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K rep…
12 files, 48 locations
third-party/watchman/src/.github/workflows/release.yml:37, 39, 45, 58, 60, 66, 79, 81, +6 more (14 hits)
third-party/fizz/src/.github/workflows/oss-build-and-test.yml:66, 74, 112, 121, 160, 169 (12 hits)
third-party/folly/src/.github/workflows/oss-build-and-test.yml:66, 75, 95, 104, 124, 132 (6 hits)
third-party/watchman/src/.github/workflows/package.yml:13, 16, 23 (3 hits)
third-party/fizz/src/.github/workflows/getdeps_linux.yml:34 (2 hits)
third-party/fizz/src/.github/workflows/getdeps_windows.yml:46 (2 hits)
third-party/watchman/src/.github/workflows/getdeps_linux.yml:34, 55 (2 hits)
third-party/watchman/src/.github/workflows/getdeps_mac.yml:37, 59 (2 hits)
CI/CD securitySupply chainGitHub Actions
high System graph quality Integrity conf 1.00 Blocking `time.sleep(...)` inside `async def badSleep` — third-party/thrift/src/thrift/perf/py3/load_handler.py:74
Sync I/O inside an async function blocks the event loop. While `time.sleep(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_thre…
third-party/thrift/src/thrift/perf/py3/load_handler.py:74 Sync io in asyncPerformance
high System graph security security conf 1.00 Insecure pattern 'eval_used' in third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/config/config-options/DUK_USE_NONSTD_JSON_ESC_U2028_U2029.yaml:10
Found a known-risky pattern (eval_used). Review and replace if possible.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/config/config-options/DUK_USE_NONSTD_JSON_ESC_U2028_U2029.yaml:10 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/config/feature-options/DUK_OPT_NO_NONSTD_JSON_ESC_U2028_U2029.yaml:8
Found a known-risky pattern (eval_used). Review and replace if possible.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/config/feature-options/DUK_OPT_NO_NONSTD_JSON_ESC_U2028_U2029.yaml:8 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/scan_strings.py:44
Found a known-risky pattern (eval_used). Review and replace if possible.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/scan_strings.py:44 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in third-party/thrift/src/thrift/lib/py/util/remote.py:208
Found a known-risky pattern (eval_used). Review and replace if possible.
third-party/thrift/src/thrift/lib/py/util/remote.py:208 Eval used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in third-party/tbb/src/python/tbb/pool.py:357
Found a known-risky pattern (exec_used). Review and replace if possible.
third-party/tbb/src/python/tbb/pool.py:357 Exec used
low Security checks quality Error handling conf 0.55 ✓ Repobility 13 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
6 files, 13 locations
third-party/tbb/src/python/tbb/__init__.py:73, 115, 224, 234, 300 (5 hits)
third-party/tbb/src/python/tbb/pool.py:294, 390, 632 (3 hits)
third-party/folly/src/folly/coro/scripts/co_bt.py:241, 503 (2 hits)
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/extras/cbor/cbordecode.py:19
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/scan_strings.py:45
third-party/tbb/src/python/setup.py:47
Error handlingquality
medium Security checks cicd CI/CD security conf 0.86 Database dump or local database file is included in Docker build context
Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow.
.dockerignore CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases.
.dockerignore CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.82 8 occurrences Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
8 files, 8 locations
.devcontainer/Dockerfile:1
third-party/mcrouter/src/mcrouter/scripts/docker/almalinux/Dockerfile:22
third-party/mcrouter/src/mcrouter/scripts/docker/ubuntu/Dockerfile:3
third-party/proxygen/src/proxygen/httpserver/samples/hq/quic-interop/Dockerfile:23
third-party/watchman/src/watchman/build/package/fedora-env/Dockerfile:2
third-party/watchman/src/watchman/build/package/ubuntu-env/Dockerfile:2
third-party/watchman/src/watchman/build/package/watchman-build/Dockerfile:2
third-party/watchman/src/watchman/build/package/watchman-deb/Dockerfile:2
CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.94 2 occurrences Dockerfile base image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
lines 4, 23
third-party/proxygen/src/proxygen/httpserver/samples/hq/quic-interop/Dockerfile:4, 23 (2 hits)
CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.86 Dockerfile separates apt update from install
Combine update and install in the same RUN instruction and clean package indexes in that layer.
third-party/proxygen/src/proxygen/httpserver/samples/hq/quic-interop/Dockerfile:8 CI/CD securitycontainers
high Security checks quality Quality conf 0.82 3 occurrences Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
3 files, 3 locations
hphp/runtime/vm/jit/cfg-clean.cpp:1
hphp/runtime/vm/jit/vasm-copy.cpp:1
third-party/fb-mysql/8.0.20/extra/icu/source/common/unicode/utf_old.h:1
medium Security checks quality Quality conf 0.78 3 occurrences Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
3 files, 3 locations
hphp/hack/src/elab/passes/validate_method_private_final.rs:1
third-party/fb-mysql/8.0.20/include/mysql/plugin_query_rewrite.h:1
third-party/fb-mysql/8.0.20/sql/sql_query_rewrite.h:1
medium System graph hardware Supply chain conf 1.00 2 occurrences Docker base image uses a mutable or implicit tag: martenseemann/quic-network-simulator-endpoint:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
lines 4, 23
third-party/proxygen/src/proxygen/httpserver/samples/hq/quic-interop/Dockerfile:4, 23 (2 hits)
containersPinned dependencies
medium System graph hardware Security conf 1.00 Dockerfile runs as root: .devcontainer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: third-party/mcrouter/src/mcrouter/scripts/docker/almalinux/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: third-party/mcrouter/src/mcrouter/scripts/docker/ubuntu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: third-party/proxygen/src/proxygen/httpserver/samples/hq/quic-interop/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
4 files, 4 locations
third-party/folly/src/.github/workflows/devcontainer.yml
third-party/proxygen/src/.github/workflows/publish_mvfst_interop.yml
third-party/thrift/src/.github/workflows/devcontainer.yml
third-party/watchman/src/.github/workflows/release.yml
CI/CD securitySupply chainGithub actions
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/folly/src/folly/debugging/exception_tracer/test/exception_tracer_uncaught_test.py:33
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/folly/src/folly/logging/test/fatal_test.py:59
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/folly/src/folly/logging/test/log_after_main.py:47
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/mcrouter/src/mcrouter/test/MCProcess.py:36
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/thrift/src/thrift/compiler/codemod/remove_duplicate_namespaces_test.py:150
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/thrift/src/thrift/compiler/test/ast_generator_test.py:76
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/thrift/src/thrift/test/py/JSONGenerateTest.py:64
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/thrift/src/thrift/test/py/thrift_py_deprecated_warning_e2e_test.py:120
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/thrift/src/thrift/test/py/thrift_py_deprecated_warning_reentrancy_e2e_test.py:41
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/watchman/src/watchman/integration/lib/WatchmanSCMTestCase.py:27
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/watchman/src/watchman/integration/site_spawn.py:17
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — third-party/watchman/src/watchman/python/pywatchman/__init__.py:663
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks cicd CI/CD security conf 0.72 Dockerfile installs recommended OS packages
Add `--no-install-recommends` and explicitly list only packages the image needs.
third-party/proxygen/src/proxygen/httpserver/samples/hq/quic-interop/Dockerfile:13 CI/CD securitycontainers
low Security checks quality Quality conf 0.64 3 occurrences Duplicate top-level symbol appears in a patch-style file
Keep one authoritative implementation, update imports to point at it, and remove or rename the duplicate symbol.
3 files, 3 locations
third-party/fb-mysql/8.0.20/sql/sql_query_rewrite.h:1
third-party/fb-mysql/8.0.20/sql/sql_rewrite.h:1
third-party/fb-mysql/8.0.20/sql/sql_update.h:1
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 19 locations
hphp/compiler/compiler.h:1, 3 (2 hits)
hphp/compiler/decl-provider.cpp:1, 3 (2 hits)
hphp/compiler/decl-provider.h:1, 3 (2 hits)
hphp/compiler/option.cpp:1, 3 (2 hits)
hphp/compiler/option.h:1, 3 (2 hits)
hphp/compiler/package.h:1, 3 (2 hits)
hphp/hack/src/hackc/hhvm_cxx/hhvm_hhbc_defs/as-hhbc-ffi.cpp:1, 3 (2 hits)
hphp/compiler/compiler-systemlib.cpp:1
duplicationquality
low Security checks quality Quality conf 0.70 Generated build artifact directory is present at repository root
Remove generated output from version control, add it to .gitignore and .dockerignore where relevant, and regenerate it in CI or release jobs.
build:1
high Security checks quality Quality conf 0.62 7 occurrences Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
7 files, 7 locations
hphp/hack/src/elab/passes/validate_method_private_final.rs:1
hphp/runtime/vm/jit/ssa-tmp.cpp:1
hphp/runtime/vm/jit/ssa-tmp.h:1
third-party/fb-mysql/8.0.20/include/mysql/plugin_query_rewrite.h:1
third-party/fb-mysql/8.0.20/sql/mdl_context_backup.h:1
third-party/fb-mysql/8.0.20/sql/sql_query_rewrite.h:1
third-party/fb-mysql/8.0.20/sql/sql_rewrite.h:1
low System graph quality Maintenance conf 1.00 401 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ghcr.io/xtruder/nix-devcontainer:v1
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
.devcontainer/Dockerfile:1 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ubuntu:focal
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
third-party/mcrouter/src/mcrouter/scripts/docker/ubuntu/Dockerfile:2 containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/examples/eventloop/basic-test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/examples/eventloop/client-socket-test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/examples/eventloop/server-socket-test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/extras/cbor/run_testvectors.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/extras/duk-v1-compat/test_compile1.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/extras/duk-v1-compat/test_compile2.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/extras/duk-v1-compat/test_eval1.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/extras/duk-v1-compat/test_eval2.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/polyfills/console-minimal.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/polyfills/duktape-error-setter-nonwritable.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/polyfills/duktape-error-setter-writable.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/polyfills/duktape-isfastint.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/polyfills/global.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/polyfills/object-assign.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/polyfills/object-prototype-definegetter.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/polyfills/object-prototype-definesetter.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/polyfills/performance-now.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/extract_caseconv.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/extract_chars.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/genbuiltins.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/json2yaml.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/yaml2json.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fb-mysql/8.0.20/extra/icu/as_is/bomlist.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/fizz/src/fizz/contrib/hpke-test-vector-parser.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/tbb/src/python/TBB.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/tbb/src/python/tbb/__main__.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/thrift/src/thrift/lib/py/client/common.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/thrift/src/thrift/lib/py/reflection/limited/constants.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/thrift/src/thrift/lib/py/util/async_common.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/thrift/src/thrift/lib/py3/benchmark/enums.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/thrift/src/thrift/lib/py3/common.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/thrift/src/thrift/lib/py3/ssl.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/thrift/src/thrift/lib/python/any/typestub.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/thrift/src/thrift/lib/setup.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/thrift/src/thrift/test/lazy_deserialization/benchmark.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/thrift/src/thrift/test/py/TestSyntax.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/watchman/integration/case.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/watchman/integration/node_basic.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/watchman/integration/site_spawn.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/watchman/integration/site_spawn_fail.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/watchman/integration/touch.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/watchman/integration/trig-cwd.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/watchman/integration/trig.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/watchman/integration/trigjson.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/watchman/node/example.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/website/.eslintrc.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/website/.stylelintrc.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/website/babel.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/website/docusaurus.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: third-party/watchman/src/website/sidebars.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 7 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: third-party/mcrouter/src/mcrouter/test/MCProcess.py:getprocess, third-party/mcrouter/src/mcrouter/test/MCProcess.py:get This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or …
7 occurrences
repo-level (7 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 12 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: third-party/mcrouter/src/mcrouter/test/MCProcess.py:getport, third-party/mcrouter/src/mcrouter/test/MCProcess.py:getport, third-party/mcrouter/src/mcrouter/test/mock_servers.py:getport This is *the* AI-coder failure mode (4× more duplication in vibe-…
12 occurrences
repo-level (12 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 6 places
Functions with the same first-5-line body hash: third-party/mcrouter/src/mcrouter/test/mock_servers.py:runServer, third-party/mcrouter/src/mcrouter/test/mock_servers.py:runServer, third-party/mcrouter/src/mcrouter/test/mock_servers.py:runServer, third-party/mcrouter/src/mcrouter/test/mock_servers.p…
duplicatesduplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_to_py_deprecated` in third-party/thrift/src/thrift/lib/py/util/tests/test_converter.py:41
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_to_py_deprecated` in third-party/thrift/src/thrift/lib/python/test/converter.py:681
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_to_py_deprecated` in third-party/thrift/src/thrift/test/py/HiddenTest.py:77
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_to_py_deprecated` in third-party/thrift/src/thrift/test/thrift-python/enum_test.py:248
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_warn_if_legacy` in third-party/thrift/src/thrift/lib/py/transport/TSSLSocket.py:73
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `a_old` in third-party/mcrouter/src/mcrouter/test/test_mcrouter_serialized.py:30
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `b_old` in third-party/mcrouter/src/mcrouter/test/test_shadow.py:127
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `BTreePyDeprecated` in third-party/thrift/src/thrift/lib/py/util/tests/test_fuzzer.py:21
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `source_copy` in third-party/folly/src/folly/python/test/test_iobuf_ext.py:69
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_copy` in third-party/thrift/src/thrift/lib/py3/test/auto_migrate/structs.py:73
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_copy` in third-party/thrift/src/thrift/lib/python/test/exceptions.py:310
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_copy` in third-party/thrift/src/thrift/lib/python/test/mutable_unions.py:79
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_copy` in third-party/thrift/src/thrift/lib/python/test/structs.py:392
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_dumped_config_too_old` in third-party/mcrouter/src/mcrouter/test/test_dump_config.py:123
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_framed_deprecated` in third-party/thrift/src/thrift/lib/py3/test/auto_migrate/client_server.py:225
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_terminate_unused` in third-party/thrift/src/thrift/lib/py3/test/interactions/interaction_test.py:106
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_terminate_unused` in third-party/thrift/src/thrift/lib/python/test/interactions/interaction_test.py:143
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_to_py_deprecated` in third-party/thrift/src/thrift/test/thrift-python/abstract_types_test.py:444
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `types_legacy` in third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/genconfig.py:1209
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `unqualified_old` in third-party/thrift/src/thrift/test/thrift-python/schema_evolution_test.py:85
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `warn_thrift_py_deprecated` in third-party/thrift/src/thrift/lib/py/Thrift.py:547
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `warn_thrift_py_deprecated` in third-party/thrift/src/thrift/test/py/thrift_py_deprecated_warning_test.py:50
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph software Dead code conf 1.00 Possibly dead Python function: add_fixup_header_file
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/configure.py:219
low System graph software Dead code conf 1.00 Possibly dead Python function: add_fixup_header_line
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/configure.py:217
low System graph software Dead code conf 1.00 Possibly dead Python function: add_force_option_define
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/configure.py:199
low System graph software Dead code conf 1.00 Possibly dead Python function: add_force_option_file
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/configure.py:195
low System graph software Dead code conf 1.00 Possibly dead Python function: add_force_option_undefine
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/configure.py:208
low System graph software Dead code conf 1.00 Possibly dead Python function: add_force_option_yaml
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/configure.py:192
low System graph software Dead code conf 1.00 Possibly dead Python function: create_targz
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/configure.py:113
low System graph software Dead code conf 1.00 Possibly dead Python function: delete_matching_files
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/configure.py:107
low System graph software Dead code conf 1.00 Possibly dead Python function: display_hint
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/folly/src/folly/fibers/scripts/gdb.py:97
low System graph software Dead code conf 1.00 Possibly dead Python function: display_hint
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/folly/src/folly/support/gdb.py:458
low System graph software Dead code conf 1.00 Possibly dead Python function: duk_heap_hashstring_dense
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:247
low System graph software Dead code conf 1.00 Possibly dead Python function: duk_heap_hashstring_sparse
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:277
low System graph software Dead code conf 1.00 Possibly dead Python function: duk_unicode_unvalidated_utf8_length
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:293
low System graph software Dead code conf 1.00 Possibly dead Python function: emitArray
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:127
low System graph software Dead code conf 1.00 Possibly dead Python function: emitDefine
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:168
low System graph software Dead code conf 1.00 Possibly dead Python function: emitHeader
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:118
low System graph software Dead code conf 1.00 Possibly dead Python function: emitRaw
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:110
low System graph software Dead code conf 1.00 Possibly dead Python function: getByteString
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:97
low System graph software Dead code conf 1.00 Possibly dead Python function: getNumBits
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:70
low System graph software Dead code conf 1.00 Possibly dead Python function: getString
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:177
low System graph software Dead code conf 1.00 Possibly dead Python function: json_decode
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:191
low System graph software Dead code conf 1.00 Possibly dead Python function: json_encode
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:181
low System graph software Dead code conf 1.00 Possibly dead Python function: varuint
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/dukutil.py:38
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/debugger/duk_debug.js:352
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/polyfills/console-minimal.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/polyfills/promise.js:115
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — third-party/fizz/src/fizz/contrib/hpke-test-vector-parser.js:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — third-party/watchman/src/watchman/integration/node_basic.js:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — third-party/watchman/src/watchman/node/example.js:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Integrity conf 1.00 Stub function `_init_subelements` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/util/type_inspect.py:121
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `_preprocess_constraints` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/util/randomizer.py:117
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `_warn_if_insecure_version_specified` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/transport/TSSLSocket.py:83
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `cli` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/python/benchmark/benchmark_struct.py:542
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `cli` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/python/benchmark/struct_memory.py:142
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `doIO` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/protocol/TJSONProtocol.py:69
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `flush` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/transport/TSocket.py:354
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `get_arg_types` (body is just `pass`/`return`) — third-party/folly/src/folly/fibers/scripts/gdb.py:138
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `getsslport` (body is just `pass`/`return`) — third-party/mcrouter/src/mcrouter/test/MCProcess.py:203
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `getsslport` (body is just `pass`/`return`) — third-party/mcrouter/src/mcrouter/test/mock_servers.py:31
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `isOpen` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/transport/TTransport.py:45
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `log` (body is just `pass`/`return`) — third-party/watchman/src/watchman/python/pywatchman/__init__.py:89
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `noop` (body is just `pass`/`return`) — third-party/thrift/src/thrift/perf/py/asyncio_load_handler.py:51
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `noop` (body is just `pass`/`return`) — third-party/thrift/src/thrift/perf/py/py3_load_handler.py:32
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `noop` (body is just `pass`/`return`) — third-party/thrift/src/thrift/perf/py3/load_handler.py:46
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `process` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/Thrift.py:142
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `say` (body is just `pass`/`return`) — third-party/tbb/src/python/tbb/test.py:65
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `sendTestCase` (body is just `pass`/`return`) — third-party/thrift/src/thrift/conformance/python/conformance_server.py:44
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `serve` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/server/TServer.py:213
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `shutdown` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py3/test/auto_migrate/client_server.py:81
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `shutdown` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py3/test/auto_migrate/server.py:57
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `shutdown` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/python/test/client_server.py:68
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `shutdown` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/python/test/metadata_response/metadata_response_test.py:62
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `shutdown` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/python/test/server.py:81
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `test_header_priorities` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/util/TCppServerTestManagerTest.py:227
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `throwUserException` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/server/test/ServiceMetadataTest.py:26
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `write` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/protocol/TSimpleJSONProtocol.py:147
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `writeMessageBegin` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/protocol/TProtocol.py:44
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `writeMessageEnd` (body is just `pass`/`return`) — third-party/thrift/src/thrift/lib/py/protocol/TBinaryProtocol.py:59
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph api Wiring conf 1.00 Unused endpoint: GET /heapDump.json
`third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/debugger/duk_debug.js` declares `GET /heapDump.json` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing …
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /source
`third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/debugger/duk_debug.js` declares `POST /source` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or doc…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: POST /sourceList
`third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/debugger/duk_debug.js` declares `POST /sourceList` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or…
Unused endpoint
low System graph api Wiring conf 1.00 Unused endpoint: USE /
`third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/debugger/duk_debug.js` declares `USE /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documentin…
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/debugger/duk_debug.js (2491 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/genbuiltins.py (3221 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: third-party/fb-mysql/8.0.20/extra/duktape/duktape-2.3.0/tools/genconfig.py (1540 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: third-party/fb-mysql/8.0.20/extra/libedit/libedit-20190324-3.1/ltmain.sh (11147 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: third-party/folly/src/folly/rust/dynamic/dynamic.rs (1568 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: third-party/thrift/src/thrift/lib/java/runtime/src/test/java/com/facebook/thrift/transport/unified/UnifiedServerTransportTest.java (1445 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: third-party/thrift/src/thrift/lib/java/runtime/src/test/java/com/facebook/thrift/util/MonoTimeoutTransformerTest.java (1946 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: third-party/thrift/src/thrift/test/thrift-python/abstract_types_test.py (1421 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: third-party/thrift/src/thrift/test/thrift-python/struct_test.py (2517 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: third-party/thrift/src/thrift/test/thrift-python/union_test.py (1241 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/4717a4c5-1b58-4d0c-83a5-90f6bd950c54/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/4717a4c5-1b58-4d0c-83a5-90f6bd950c54/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.