6 of your 48 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.77s · analysis 132.54s · 6.5 MB · GitHub preflight 461ms

signalapp/Signal-Server

https://github.com/signalapp/Signal-Server · scanned 2026-06-05 20:20 UTC (4 days, 13 hours ago) · 10 languages

88 raw signals (32 security + 56 graph) · 21st percentile · Java · large (100-500K LoC) · System graph score 80 (lower by 12)


Complete repo analysis

Last scanned 4 days, 13 hours ago · v2 · 38 actionable findings from 2 signal sources. 21 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
| --- | --- | --- | --- |
| structure_score | 60.0 | 0.15 | 9.00 |
| security_score | 55.0 | 0.25 | 13.75 |
| testing_score | 80.0 | 0.20 | 16.00 |
| documentation_score | 63.0 | 0.15 | 9.45 |
| practices_score | 75.0 | 0.15 | 11.25 |
| code_quality | 78.1 | 0.10 | 7.81 |
| Overall | | 1.00 | 67.3 |
Scan summary Quality grade B- (67/100). Dimensions: security 55, maintainability 60. 32 findings (4 security). 113,733 lines analyzed.

Showing 19 of 38 actionable findings. 59 raw detector signals were grouped into reader-sized issues.

critical · Security checks · security · secrets · conf 0.95 · 7 occurrences · Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
4 files, 7 locations
service/src/test/resources/config/test-secrets-bundle.yml:52, 150, 158 (3 hits)
service/src/test/resources/org/whispersystems/textsecuregcm/storage/AccountsManagerTest-testJsonRoundTripSerialization.json:35, 42 (2 hits)
service/config/sample-secrets-bundle.yml:2
service/src/test/java/org/whispersystems/textsecuregcm/controllers/MessageControllerTest.java:144
critical · Security checks · security · secrets · conf 0.95 · 8 occurrences · Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
Gitleaks detected a committed secret or credential pattern.
3 files, 8 locations
service/src/test/resources/config/test-secrets-bundle.yml:14, 45, 64, 97, 107, 142 (6 hits)
service/src/test/java/org/whispersystems/textsecuregcm/controllers/AttachmentControllerV4Test.java:88
service/src/test/java/org/whispersystems/textsecuregcm/grpc/AttachmentsGrpcServiceTest.java:76
high · Security checks · software · dependencies · conf 0.90 · ✓ Repobility · Binary file `.mvn/wrapper/maven-wrapper.jar` committed in source repo
`.mvn/wrapper/maven-wrapper.jar` is a .jar binary (63,093 bytes) committed to a repo that otherwise has 1183 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
.mvn/wrapper/maven-wrapper.jar:1
high · System graph · security · security · conf 1.00 · Insecure pattern 'eval_used' in service/src/main/java/org/whispersystems/textsecuregcm/redis/ClusterLuaScript.java:109
Found a known-risky pattern (eval_used). Review and replace if possible.
service/src/main/java/org/whispersystems/textsecuregcm/redis/ClusterLuaScript.java:109 · Eval used
medium · System graph · cicd · CI/CD security · conf 1.00 · GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/documentation.yml · CI/CD security · Supply chain · Github actions
low · Security checks · quality · Quality · conf 0.60 · 3 occurrences · Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
3 files, 3 locations
service/src/main/java/org/whispersystems/textsecuregcm/entities/ECSignedPreKey.java:14
service/src/main/java/org/whispersystems/textsecuregcm/entities/SelfBadge.java:28
service/src/main/java/org/whispersystems/textsecuregcm/grpc/MessagesGrpcService.java:140
duplication · quality
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/main/java/org/whispersystems/textsecuregcm/controllers/ArchiveController.java (1069 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/main/java/org/whispersystems/textsecuregcm/storage/Accounts.java (1743 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/main/java/org/whispersystems/textsecuregcm/storage/AccountsManager.java (1695 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java (1303 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/test/java/org/whispersystems/textsecuregcm/backup/BackupManagerTest.java (1126 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/test/java/org/whispersystems/textsecuregcm/controllers/DeviceControllerTest.java (1487 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/test/java/org/whispersystems/textsecuregcm/controllers/MessageControllerTest.java (1652 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/test/java/org/whispersystems/textsecuregcm/controllers/ProfileControllerTest.java (1601 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/test/java/org/whispersystems/textsecuregcm/controllers/SubscriptionControllerTest.java (1009 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/test/java/org/whispersystems/textsecuregcm/controllers/VerificationControllerTest.java (1471 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/test/java/org/whispersystems/textsecuregcm/grpc/MessagesAnonymousGrpcServiceTest.java (1651 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/test/java/org/whispersystems/textsecuregcm/storage/AccountsManagerTest.java (1524 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low · System graph · quality · Complexity · conf 1.00 · Very large file: service/src/test/java/org/whispersystems/textsecuregcm/storage/AccountsTest.java (2202 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/51d35267-89f2-43a3-ba88-321be81b14e2/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/51d35267-89f2-43a3-ba88-321be81b14e2/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.