anashilaly2003/pink-anniversary-moments

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

Scan timing: clone 2.94s · analysis 0.74s · 2.0 MB · GitHub preflight 429ms

anashilaly2003/pink-anniversary-moments

https://github.com/anashilaly2003/pink-anniversary-moments.git · scanned 2026-05-28 13:32 UTC (1 week ago) · 10 languages

91 findings (15 legacy + 76 scanner) 18th percentile · Typescript · small (2-20K LoC) Scanner says 88 (lower by 35)

File as issue Image v2 schema

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week ago · v2 · 53 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	100.0	0.15	15.00
`security_score`	97.0	0.25	24.25
`testing_score`	0.0	0.20	0.00
`documentation_score`	0.0	0.15	0.00
`practices_score`	40.0	0.15	6.00
`code_quality`	80.0	0.10	8.00
Overall		1.00	53.2

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 0 High 0 Medium 8 Low 38 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 15 9-layer 38 Crowd 0 Layer: Quality 16 Software 32 Api 1 Frontend 1 Security 2 Cicd 1

Exclude dismissed / FP Exclude test files

Scan summary Repository scanned at 88.5/100 with 77.8% coverage. It contains 155 nodes across 1 cross-layer flows, written primarily in mixed languages. Engine surfaced 38 findings — concentrated in software (31), security (2), quality (2). Risk profile is low: 0 critical, 0 high, 5 medium. Recommended next step: open the software layer findings first — that's where the highest-impact wins live.

Showing 46 of 53 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.

For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.

src/components/ui/chart.tsx:75 xsslegacy

medium Legacy quality documentation No README file found

Create a README.md with: project name and description, installation instructions, usage examples, configuration options, and contribution guidelines.

documentationlegacy

medium Legacy quality quality conf 0.70 Public web app has no Content Security Policy

A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.

index.html qualitylegacy

medium Legacy quality quality conf 0.78 Public web service has no security.txt

security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.

.well-known/security.txt qualitylegacy

medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — src/components/ui/chart.tsx:73

Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html

frontend-qualityfq.dangerous-html

medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in src/components/ui/chart.tsx:73

Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.

src/components/ui/chart.tsx:73 owaspdangerous_innerhtml

medium 9-layer security coverage conf 1.00 No auth library detected

The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.

coverageauth

medium 9-layer cicd coverage conf 1.00 No CI/CD pipelines detected

No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.

coverage

medium 9-layer quality tests conf 1.00 Very low test-to-source ratio

0 test file(s) for 59 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.

testscoverage

low Legacy quality documentation No LICENSE file

Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft).

documentationlegacy

low Legacy quality quality conf 0.50 Public web app has no humans.txt

humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.

humans.txt qualitylegacy

low Legacy quality quality conf 0.74 Public web app has no robots.txt

Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.

robots.txt qualitylegacy

low Legacy quality quality conf 0.72 Public web app has no sitemap

A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.

sitemap.xml qualitylegacy

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: eslint.config.js