boxlite-ai/boxlite

Component	Sub-score	Weight	Contribution
`structure_score`	85.0	0.15	12.75
`security_score`	100.0	0.25	25.00
`testing_score`	40.0	0.20	8.00
`documentation_score`	92.0	0.15	13.80
`practices_score`	84.0	0.15	12.60
`code_quality`	69.0	0.10	6.90
Overall		1.00	79.1

low Legacy security credential_exposure conf 0.90 [SEC002] Hardcoded API Key: Hardcoded API key found in source code.

Use environment variables. Add the pattern to .gitignore.

apps/dashboard/src/components/ui/stories/copyable-value.stories.tsx:27 credential_exposurelegacy

critical 9-layer security secrets conf 1.00 Possible secret in apps/api/src/audit/enums/audit-action.enum.ts

Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.

apps/api/src/audit/enums/audit-action.enum.ts:48 secrets

critical 9-layer security secrets conf 1.00 Possible secret in apps/api/src/audit/enums/audit-action.enum.ts

Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.

apps/api/src/audit/enums/audit-action.enum.ts:49 secrets

critical 9-layer security secrets conf 1.00 Possible secret in apps/dashboard/src/components/Playground/Sandbox/CodeSnippets/python.ts

Detected pattern matching password_literal. Rotate the credential and move to a secret manager.

apps/dashboard/src/components/Playground/Sandbox/CodeSnippets/python.ts:172 secrets

critical 9-layer security secrets conf 1.00 Possible secret in apps/dashboard/src/components/ui/stories/copyable-value.stories.tsx

Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.

apps/dashboard/src/components/ui/stories/copyable-value.stories.tsx:27 secrets

critical 9-layer security secrets conf 1.00 Possible secret in apps/infra/sst.config.ts

Detected pattern matching password_literal. Rotate the credential and move to a secret manager.

apps/infra/sst.config.ts:461 secrets

low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

Review and fix per the pattern semantics. See CWE-755 / for context.

examples/python/03_lifecycle/share_across_processes.py:151 qualitylegacy

low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

Review and fix per the pattern semantics. See CWE-755 / for context.

examples/python/03_lifecycle/manage_lifecycle.py:116 qualitylegacy

low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

Review and fix per the pattern semantics. See CWE-755 / for context.

examples/python/03_lifecycle/clone_export_import.py:78 qualitylegacy

low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.

src/boxlite/src/images/archive/verifier.rs:87 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.

Review and fix per the pattern semantics. See CWE-705 / for context.

examples/python/04_interactive/run_interactive_shell.py:46 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.

Review and fix per the pattern semantics. See CWE-705 / for context.

examples/python/04_interactive/install_claude_interactively.py:194 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.

Review and fix per the pattern semantics. See CWE-705 / for context.

apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:129 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.

Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.

scripts/common.sh:85 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.

Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.

examples/python/04_interactive/install_claude_interactively.py:43 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.

Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.

scripts/images/create-oci-bundle.sh:125 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.

Review and fix per the pattern semantics. See CWE-755 / for context.

apps/common-go/pkg/errors/middleware.go:176 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.

Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately — assume it is compromised.

src/boxlite/src/net/ca.rs:100 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._poll_until_ready` used but never assigned in __init__: Method `_start_chromium_cdp` of class `BrowserBox` reads `self._poll_until_ready`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self._poll_until_ready = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:355 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._poll_until_ready` used but never assigned in __init__: Method `_start_firefox_bidi` of class `BrowserBox` reads `self._poll_until_ready`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self._poll_until_ready = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:389 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._poll_until_ready` used but never assigned in __init__: Method `_start_playwright_server` of class `BrowserBox` reads `self._poll_until_ready`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self._poll_until_ready = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:264 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._start_cdp_forwarder` used but never assigned in __init__: Method `_start_puppeteer_browser` of class `BrowserBox` reads `self._start_cdp_forwarder`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self._start_cdp_forwarder = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:313 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._start_chromium_cdp` used but never assigned in __init__: Method `_start_puppeteer_browser` of class `BrowserBox` reads `self._start_chromium_cdp`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self._start_chromium_cdp = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:307 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._start_firefox_bidi` used but never assigned in __init__: Method `_start_puppeteer_browser` of class `BrowserBox` reads `self._start_firefox_bidi`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self._start_firefox_bidi = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:309 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._start_playwright_server` used but never assigned in __init__: Method `playwright_endpoint` of class `BrowserBox` reads `self._start_playwright_server`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self._start_playwright_server = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:517 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._start_puppeteer_browser` used but never assigned in __init__: Method `endpoint` of class `BrowserBox` reads `self._start_puppeteer_browser`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self._start_puppeteer_browser = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:556 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `_poll_until_ready` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:224 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `_poll_until_ready` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:216 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `_start_cdp_forwarder` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:481 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `_start_cdp_forwarder` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:476 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `_start_cdp_forwarder` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:473 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `_start_chromium_cdp` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:345 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `_start_chromium_cdp` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:325 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `_start_firefox_bidi` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:382 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `_start_firefox_bidi` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:373 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `_start_firefox_bidi` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:363 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `_start_playwright_server` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:257 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `endpoint` of class `BrowserBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:567 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `install_package` of class `CodeBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/codebox.py:105 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `install_packages` of class `CodeBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/codebox.py:122 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.exec` used but never assigned in __init__: Method `run` of class `CodeBox` reads `self.exec`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.exec = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/codebox.py:73 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.playwright_endpoint` used but never assigned in __init__: Method `connect` of class `BrowserBox` reads `self.playwright_endpoint`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.playwright_endpoint = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/browserbox.py:600 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.run` used but never assigned in __init__: Method `run_script` of class `CodeBox` reads `self.run`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

Initialize `self.run = <default>` in __init__, or add a class-level default.

sdks/python/boxlite/codebox.py:88 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED110] Blocking call `urllib.request.urlopen` inside async function `main`: `urllib.request.urlopen` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress.

Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`.

examples/python/02_features/forward_ports.py:40 qualitylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions-rust-lang/setup-rust-toolchain` pinned to mutable ref `@v1`: `uses: actions-rust-lang/setup-rust-toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions-rust-lang/setup-rust-toolchain@<40-char-sha> # v1` and let Dependabot bump it on a scheduled cadence.

.github/workflows/warm-caches.yml:58 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.

.github/workflows/warm-caches.yml:53 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/checkout@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.

.github/workflows/build-wheels.yml:28 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: actions/github-script@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.

.github/workflows/warm-caches.yml:66 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `mozilla-actions/sccache-action` pinned to mutable ref `@v0.0.9`: `uses: mozilla-actions/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.

Replace with: `uses: mozilla-actions/sccache-action@<40-char-sha> # v0.0.9` and let Dependabot bump it on a scheduled cadence.

.github/workflows/warm-caches.yml:63 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `alpine:3.18` not pinned by digest: `FROM alpine:3.18` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM alpine:3.18@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/otel-collector/Dockerfile:46 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `alpine:3.18` not pinned by digest: `FROM alpine:3.18` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM alpine:3.18@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/snapshot-manager/Dockerfile:41 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `alpine:3.18` not pinned by digest: `FROM alpine:3.18` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM alpine:3.18@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/ssh-gateway/Dockerfile:41 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `alpine:3.18` not pinned by digest: `FROM alpine:3.18` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM alpine:3.18@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/proxy/Dockerfile:45 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `alpine:3.20` not pinned by digest: `FROM alpine:3.20` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM alpine:3.20@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/dex/Dockerfile:1 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `alpine:3.22` not pinned by digest: `FROM alpine:3.22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM alpine:3.22@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/runner/Dockerfile:63 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `dexidp/dex:v2.42.0` not pinned by digest: `FROM dexidp/dex:v2.42.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM dexidp/dex:v2.42.0@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/dex/Dockerfile:5 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `lscr.io/linuxserver/webtop:ubuntu-xfce` not pinned by digest: `FROM lscr.io/linuxserver/webtop:ubuntu-xfce` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM lscr.io/linuxserver/webtop:ubuntu-xfce@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

src/boxlite/resources/images/skillbox/Dockerfile:8 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM node:22-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/runner/Dockerfile:1 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM node:22-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/otel-collector/Dockerfile:1 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM node:22-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/snapshot-manager/Dockerfile:1 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM node:22-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/ssh-gateway/Dockerfile:1 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM node:22-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/proxy/Dockerfile:1 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Replace with: `FROM node:24-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).

apps/api/Dockerfile:1 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED122] package.json dep `@boxlite-ai/boxlite` pulled from URL/Git: `dependencies.@boxlite-ai/boxlite` = `file:../../sdks/node` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.

Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.

examples/node/package.json:1 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED128] go.mod replaces `github.com/boxlite-ai/boxlite/libs/api-client-go` — points to a LOCAL path: `replace github.com/boxlite-ai/boxlite/libs/api-client-go => ../../api-client-go` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines.

If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges.

apps/otel-collector/exporter/go.mod:62 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED128] go.mod replaces `github.com/boxlite-ai/boxlite/libs/api-client-go` — points to a LOCAL path: `replace github.com/boxlite-ai/boxlite/libs/api-client-go => ../api-client-go` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines.

If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges.

apps/runner/go.mod:108 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED128] go.mod replaces `github.com/boxlite-ai/boxlite/libs/api-client-go` — points to a LOCAL path: `replace github.com/boxlite-ai/boxlite/libs/api-client-go => ../api-client-go` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines.

If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges.

apps/cli/go.mod:100 dependencylegacy

high Legacy software dependency conf 0.90 ✓ Repobility [MINED128] go.mod replaces `github.com/boxlite-ai/boxlite/libs/api-client-go` — points to a LOCAL path: `replace github.com/boxlite-ai/boxlite/libs/api-client-go => ../api-client-go` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines.

If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges.

apps/common-go/go.mod:76 dependencylegacy

high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.

Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.

apps/daemon/pkg/toolbox/lsp/lsp.go:110 path_traversallegacy

low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.

For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.

apps/dashboard/src/components/ui/chart.tsx:78 xsslegacy

low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.

For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.

apps/dashboard/src/components/SandboxTable/types.ts:271 xsslegacy

low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.

For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.

apps/dashboard/src/components/SandboxTable/columns.tsx:251 xsslegacy

low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

Use execFile / spawn with separate args array; never pass shell strings.

examples/python/04_interactive/install_claude_interactively.py:54 qualitylegacy

low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

Use execFile / spawn with separate args array; never pass shell strings.

apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:127 qualitylegacy

low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

Use execFile / spawn with separate args array; never pass shell strings.

apps/api/src/common/utils/docker-image.util.ts:154 qualitylegacy

high Legacy quality quality conf 1.00 [SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).

Use a constant command name and validate args via a whitelist.

apps/daemon/pkg/common/spawn_tty.go:34 qualitylegacy

high Legacy quality quality conf 1.00 [SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).

Use a constant command name and validate args via a whitelist.

apps/cli/cmd/common/ssh_windows.go:24 qualitylegacy

high Legacy quality quality conf 1.00 [SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).

Use a constant command name and validate args via a whitelist.

apps/cli/cmd/common/ssh_unix.go:24 qualitylegacy

high Legacy security path_traversal conf 1.00 [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly.

After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`.

apps/daemon/pkg/session/types.go:41 path_traversallegacy

high Legacy cicd docker conf 0.95 Docker final stage runs as root

Create an application user after package installation and switch to it with USER appuser or USER 10001.

src/boxlite/resources/images/skillbox/Dockerfile:54 dockerlegacy

high Legacy cicd docker conf 0.92 Dockerfile pipes a remote script into a shell

Download the artifact, verify its checksum or signature, pin the version, and then execute it.

src/boxlite/resources/images/skillbox/Dockerfile:47 dockerlegacy

high Legacy security auth conf 0.83 Secret-like setting is echoed into a password input value

Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.

apps/dashboard/src/pages/Registries.tsx:198 authlegacy

high 9-layer quality integrity conf 1.00 Blocking `urllib.request.urlopen(...)` inside `async def main` — examples/python/02_features/forward_ports.py:40

Sync I/O inside an async function blocks the event loop. While `urllib.request.urlopen(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asy…

examples/python/02_features/forward_ports.py:40 integritysync-io-in-asyncperformance

high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in apps/api/src/organization/services/organization-usage.service.ts:333

Found a known-risky pattern (eval_used). Review and replace if possible.

apps/api/src/organization/services/organization-usage.service.ts:333 owaspeval_used

high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:127

Found a known-risky pattern (exec_used). Review and replace if possible.

apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:127 owaspexec_used

high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in sdks/node/lib/native-contracts.ts:265

Found a known-risky pattern (exec_used). Review and replace if possible.

sdks/node/lib/native-contracts.ts:265 owaspexec_used

medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.

Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.

sdks/python/boxlite/orchestration/guest/boxlite_runtime.py:147 error_handlinglegacy

medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.

Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.

sdks/python/boxlite/orchestration/box_runtime.py:173 error_handlinglegacy

medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.

Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.

sdks/python/boxlite/interactivebox.py:291 error_handlinglegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

openapi/reference-server/server.py:859 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

openapi/reference-server/server.py:829 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/07_advanced/ai_pipeline/host.py:127 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/03_lifecycle/share_across_processes.py:234 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/03_lifecycle/share_across_processes.py:140 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/03_lifecycle/manage_lifecycle.py:316 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/03_lifecycle/manage_lifecycle.py:287 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/03_lifecycle/manage_lifecycle.py:190 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/03_lifecycle/manage_lifecycle.py:110 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/04_interactive/install_claude_interactively.py:196 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/04_interactive/run_interactive_shell.py:48 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/06_ai_agents/run_openclaw.py:134 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/06_ai_agents/drive_box_with_llm.py:104 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/06_ai_agents/drive_box_with_minimax.py:133 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/07_advanced/use_native_api.py:259 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/07_advanced/local_to_rest_migration.py:63 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/08_rest_api/use_env_config.py:40 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

examples/python/02_features/forward_ports.py:44 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:184 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:165 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:38 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

sdks/python/boxlite/orchestration/guest/boxlite_runtime.py:117 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

sdks/python/boxlite/orchestration/guest/boxlite_runtime.py:155 qualitylegacy

high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.

sdks/python/boxlite/orchestration/box_runtime.py:163 qualitylegacy

low Legacy security deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.

Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.

sdks/python/boxlite/orchestration/box_runtime.py:118 deserializationlegacy

low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.

Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.

apps/dashboard/src/hooks/useDocsSearchCommands.tsx:99 securitylegacy

low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.

Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.

apps/dashboard/src/components/sandboxes/SandboxDetails.tsx:174 securitylegacy

low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.

Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.

apps/dashboard/src/components/SandboxTable/columns.tsx:80 securitylegacy

medium Legacy quality quality conf 1.00 [SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).

Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`.

apps/proxy/pkg/proxy/proxy.go:239 qualitylegacy

medium Legacy quality quality conf 1.00 [SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).

Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`.

apps/daemon/pkg/terminal/server.go:43 qualitylegacy

medium Legacy quality quality conf 1.00 [SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).

Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`.

apps/cli/auth/auth.go:32 qualitylegacy

medium Legacy security security conf 1.00 [SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.

Use 0600 (owner rw only) for secrets, 0644 for general files, 0700 for directories with secrets. Java: `setReadable(true, true)` (owner-only).

sdks/go/cmd/setup/main.go:167 securitylegacy

medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.

Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.

examples/node/browserbox_puppeteer.js:177 qualitylegacy

medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.

Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.

apps/dashboard/src/components/ui/stories/field.stories.tsx:38 qualitylegacy

medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.

Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.

apps/api/src/config/dto/configuration.dto.ts:163 qualitylegacy

medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.

Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.

sdks/python/boxlite/interactivebox.py:291 qualitylegacy

high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER

Add a non-root USER in the final runtime stage after files and permissions are prepared.

apps/ssh-gateway/Dockerfile:42 dockerlegacy

high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER

Add a non-root USER in the final runtime stage after files and permissions are prepared.

apps/snapshot-manager/Dockerfile:42 dockerlegacy

high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER

Add a non-root USER in the final runtime stage after files and permissions are prepared.

apps/runner/Dockerfile:63 dockerlegacy

high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER

Add a non-root USER in the final runtime stage after files and permissions are prepared.

apps/proxy/Dockerfile:46 dockerlegacy

high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER

Add a non-root USER in the final runtime stage after files and permissions are prepared.

apps/otel-collector/Dockerfile:47 dockerlegacy

high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER

Add a non-root USER in the final runtime stage after files and permissions are prepared.

apps/api/Dockerfile:1 dockerlegacy

high Legacy quality quality conf 0.80 localStorage write failures are swallowed silently

Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.

apps/daemon/pkg/terminal/static/index.html:548 qualitylegacy

high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell

Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.

README.md:196 dependencylegacy

medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/dashboard/src/components/ui/chart.tsx:76

Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html

frontend-qualityfq.dangerous-html

medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — apps/dashboard/src/hooks/useDocsSearchCommands.tsx:119

Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html

frontend-qualityfq.dangerous-html

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/dashboard/public/mockServiceWorker.js:238

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/dashboard/src/lib/suspended-fetch.ts:17

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/dashboard/src/mocks/handlers.ts:18

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/dashboard/src/providers/ConfigProvider.tsx:26

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/dashboard/src/services/webhookService.ts:19

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/libs/sdk-typescript/src/BoxLite.ts:554

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/libs/sdk-typescript/src/Snapshot.ts:213

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — apps/libs/sdk-typescript/src/utils/Stream.ts:26

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/release/sh-installer/src/index.ts:18

Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.

integrityfragile-runtimerobustness

medium 9-layer hardware security conf 1.00 Dockerfile runs as root: apps/api/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

securitycontainer

medium 9-layer hardware security conf 1.00 Dockerfile runs as root: apps/dex/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

securitycontainer

medium 9-layer hardware security conf 1.00 Dockerfile runs as root: apps/otel-collector/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

securitycontainer

medium 9-layer hardware security conf 1.00 Dockerfile runs as root: apps/proxy/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

securitycontainer

medium 9-layer hardware security conf 1.00 Dockerfile runs as root: apps/runner/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

securitycontainer

medium 9-layer hardware security conf 1.00 Dockerfile runs as root: apps/snapshot-manager/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

securitycontainer

medium 9-layer hardware security conf 1.00 Dockerfile runs as root: apps/ssh-gateway/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

securitycontainer

medium 9-layer hardware security conf 1.00 Dockerfile runs as root: src/boxlite/resources/images/skillbox/Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

securitycontainer

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions-rust-lang/setup-rust-toolchain@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/warm-caches.yml:58 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

mozilla-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/warm-caches.yml:63 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions-rust-lang/setup-rust-toolchain@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-wheels.yml:33 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

mozilla-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-wheels.yml:41 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pypa/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-wheels.yml:74 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

pypa/gh-action-pypi-publish@release/v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-wheels.yml:146 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

softprops/action-gh-release@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-wheels.yml:168 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions-rust-lang/setup-rust-toolchain@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/lint.yml:108 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions-rust-lang/setup-rust-toolchain@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/lint.yml:130 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

mozilla-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/lint.yml:150 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions-rust-lang/setup-rust-toolchain@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/lint.yml:254 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

mozilla-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/lint.yml:262 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

golangci/golangci-lint-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/lint.yml:281 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions-rust-lang/setup-rust-toolchain@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-runtime.yml:68 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

mozilla-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-runtime.yml:76 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

softprops/action-gh-release@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-runtime.yml:293 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions-rust-lang/setup-rust-toolchain@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-runtime.yml:322 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions-rust-lang/setup-rust-toolchain@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-node.yml:64 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

mozilla-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-node.yml:72 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

softprops/action-gh-release@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-node.yml:378 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

actions-rust-lang/setup-rust-toolchain@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-c.yml:64 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

mozilla-actions/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-c.yml:72 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

softprops/action-gh-release@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-c.yml:218 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned

softprops/action-gh-release@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/build-runner-binary.yml:145 supply-chaingithub-actionspinned-dependencies

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/build-wheels.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/build-runtime.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/build-node.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/build-c.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/build-runner-binary.yml supply-chaingithub-actionsleast-privilege

medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/build-go.yml supply-chaingithub-actionsleast-privilege

medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/dashboard/src/components/ui/chart.tsx:76

Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.

apps/dashboard/src/components/ui/chart.tsx:76 owaspdangerous_innerhtml

medium 9-layer security owasp conf 1.00 Insecure pattern 'dangerous_innerhtml' in apps/dashboard/src/hooks/useDocsSearchCommands.tsx:119

Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.

apps/dashboard/src/hooks/useDocsSearchCommands.tsx:119 owaspdangerous_innerhtml

medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in apps/api/src/migrations/1744114341077-migration.ts:20

Found a known-risky pattern (weak_hash). Review and replace if possible.

apps/api/src/migrations/1744114341077-migration.ts:20 owaspweak_hash

medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in apps/api/src/migrations/1744808444807-migration.ts:16

Found a known-risky pattern (weak_hash). Review and replace if possible.

apps/api/src/migrations/1744808444807-migration.ts:16 owaspweak_hash

medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in apps/api/src/migrations/1744971114480-migration.ts:14

Found a known-risky pattern (weak_hash). Review and replace if possible.

apps/api/src/migrations/1744971114480-migration.ts:14 owaspweak_hash

medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in apps/api/src/migrations/1745574377029-migration.ts:51

Found a known-risky pattern (weak_hash). Review and replace if possible.

apps/api/src/migrations/1745574377029-migration.ts:51 owaspweak_hash

medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in apps/api/src/migrations/post-deploy/1774438866002-migration.ts:45

Found a known-risky pattern (weak_hash). Review and replace if possible.

apps/api/src/migrations/post-deploy/1774438866002-migration.ts:45 owaspweak_hash

medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — examples/python/01_getting_started/run_codebox.py:53

`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

integrityfragile-runtimerobustness

medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — examples/python/01_getting_started/run_codebox_sync.py:56

`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

integrityfragile-runtimerobustness

medium 9-layer network security conf 1.00 Privileged port 10 in use

Port 10 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

sdks/node/lib/browserbox.ts securityports

medium 9-layer network security conf 1.00 Privileged port 1000 in use

Port 1000 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

openapi/box.openapi.yaml securityports

medium 9-layer network security conf 1.00 Privileged port 1001 in use

Port 1001 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

apps/dex/Dockerfile securityports

medium 9-layer network security conf 1.00 Privileged port 11 in use

Port 11 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

apps/api-client-go/api/openapi.yaml securityports

medium 9-layer network security conf 1.00 Privileged port 23 in use

Port 23 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

apps/api-client-go/api/openapi.yaml securityports

medium 9-layer network security conf 1.00 Privileged port 30 in use

Port 30 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

apps/api-client-go/api/openapi.yaml securityports

medium 9-layer network security conf 1.00 Privileged port 56 in use

Port 56 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

apps/api-client-go/api/openapi.yaml securityports

medium 9-layer network security conf 1.00 Privileged port 59 in use

Port 59 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

apps/api-client-go/api/openapi.yaml securityports

medium 9-layer quality tests conf 1.00 Very low test-to-source ratio

133 test file(s) for 2364 source file(s) (ratio 0.06). Consider adding integration or unit tests for critical paths.

testscoverage

low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults

Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.

.dockerignore dockerlegacy

low Legacy quality error_handling conf 1.00 [ERR003] Ignored Error (Go): Ignoring error return values.

Handle the error or use errcheck linter.

apps/cli/cmd/auth/login.go:178 error_handlinglegacy

low Legacy quality error_handling conf 1.00 [ERR003] Ignored Error (Go): Ignoring error return values.

Handle the error or use errcheck linter.

apps/cli/auth/auth.go:51 error_handlinglegacy

low Legacy quality error_handling conf 1.00 [ERR003] Ignored Error (Go): Ignoring error return values.

Handle the error or use errcheck linter.

apps/cli/apiclient/api_client.go:85 error_handlinglegacy

low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p

Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.

apps/api/src/sandbox/entities/build-info.entity.ts:16 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/model_create_volume.go:57 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/model_create_user.go:208 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/model_create_snapshot.go:291 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/model_create_snapshot.go:266 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/model_create_runner.go:78 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/model_create_organization_role.go:98 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/model_create_linked_account.go:78 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/model_computer_use_stop_response.go:76 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/model_computer_use_status_response.go:58 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_webhooks.go:92 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_webhooks.go:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_volumes.go:420 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_volumes.go:88 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_volumes.go:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_users.go:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_regions.go:49 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_regions.go:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_preview.go:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_object_storage.go:56 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_object_storage.go:54 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_object_storage.go:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_jobs.go:166 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_jobs.go:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_health.go:54 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_health.go:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_docker_registry.go:99 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_docker_registry.go:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_config.go:49 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_audit.go:1 qualitylegacy

high Legacy quality quality conf 0.86 Duplicated implementation block across source files

Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.

apps/api-client-go/api_api_keys.go:1 qualitylegacy

high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact

Rename it to the domain concept it implements or merge it into the existing module it was meant to change.

src/boxlite/src/jailer/shim_copy.rs:1 qualitylegacy

low 9-layer quality integrity conf 1.00 236 env vars used in code but missing from .env.example

Drift between code and config docs. The first few: `ADMIN_API_KEY`, `ADMIN_MAX_CPU_PER_SANDBOX`, `ADMIN_MAX_DISK_PER_SANDBOX`, `ADMIN_MAX_MEMORY_PER_SANDBOX`, `ADMIN_MAX_SNAPSHOT_SIZE`, `ADMIN_SNAPSHOT_QUOTA`, `ADMIN_TOTAL_CPU_QUOTA`, `ADMIN_TOTAL_DISK_QUOTA` + 228 more. Add them (with a placeholde…

integrityconfig-drift

low 9-layer quality maintenance conf 1.00 74 TODO/FIXME markers

High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.

maintenance

low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found

Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.

coveragedeployment

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: alpine:3.18

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/otel-collector/Dockerfile:46 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: alpine:3.18

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/snapshot-manager/Dockerfile:41 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: alpine:3.18

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/ssh-gateway/Dockerfile:41 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: alpine:3.18

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/proxy/Dockerfile:45 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: alpine:3.20

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/dex/Dockerfile:1 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: alpine:3.22

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/runner/Dockerfile:63 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: dexidp/dex:v2.42.0

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/dex/Dockerfile:5 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: lscr.io/linuxserver/webtop:ubuntu-xfce

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

src/boxlite/resources/images/skillbox/Dockerfile:8 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:22-alpine

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/runner/Dockerfile:1 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:22-alpine

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/otel-collector/Dockerfile:1 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:22-alpine

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/snapshot-manager/Dockerfile:1 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:22-alpine

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/ssh-gateway/Dockerfile:1 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:22-alpine

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/proxy/Dockerfile:1 supply-chaindockerpinned-dependencies

low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:24-slim

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

apps/api/Dockerfile:1 supply-chaindockerpinned-dependencies

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: apps/api/jest.config.ts