83 of the 189 findings came from Repobility's proprietary detections; the ✓ Repobility tag on a finding below marks those.

Scan timing: clone 8.93s · analysis 54.08s · 19.9 MB · GitHub API rate-limit (preflight)

BradGroux/veritas-kanban

https://github.com/BradGroux/veritas-kanban · scanned 2026-06-05 15:09 UTC (1 week, 2 days ago) · 10 languages

626 raw signals (174 security + 452 graph) 38th percentile · Typescript · large (100-500K LoC)


Complete repo analysis

Last scanned 1 week, 2 days ago · v2 · 298 actionable findings from 2 signal sources. 100 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 43.1 0.25 10.78
testing_score 95.0 0.20 19.00
documentation_score 87.7 0.15 13.15
practices_score 85.0 0.15 12.75
code_quality 47.2 0.10 4.72
Overall (weighted sum) 1.00 69.40
Active filters: severity = info; test files excluded. Every finding listed below is therefore info-level.
Scan summary Quality grade B- (69/100). Dimensions: security 43, maintainability 60. 174 findings (41 security). 207,012 lines analyzed.

Showing 55 of 298 actionable findings. 398 raw detector signals were grouped into reader-sized issues. TP/FP votes on a finding adjust its confidence weighting.

info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context. Caveat: the rule's example is Python/Jinja2 and all three locations are TypeScript, so confirm what the pattern actually matched. The finding only holds if a template engine is handed caller-supplied template text; rendering a fixed template with user-supplied data is an escaping (XSS) question, not SSTI.
3 files, 3 locations
server/src/routes/prompt-registry.ts:81
server/src/routes/templates.ts:97
server/src/services/template-service.ts:175
info Security checks software Ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (the 169.254.169.254 cloud metadata endpoint, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist before fetching (the detector's remediation is written in Python):
ALLOWED = {'images.example.com', 'cdn.example.com'}
host = urlparse(url).hostname
if host not in ALLOWED:
    abort(400)
Restrict the scheme to http/https as well, and re-run the check on every redirect, since an allowed host can 302 to an internal address. Or use a server-side proxy (imgproxy / serve files only from S3) that isolates outbound network access from the request h…
The flagged file handles desktop deep links, so the URL arrives from outside the application; treat it as untrusted regardless of what launched the app.
desktop/src/main/deep-links.ts:29
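A TypeScript counterpart of the Python allowlist check above, written as an added example for this page rather than taken from veritas-kanban. It adds the two checks the one-liner omits (scheme and embedded credentials) and follows redirects by hand so each hop is re-validated. ALLOWED_HOSTS, the HopResult/Fetcher shapes and the fetcher passed to fetchAllowlisted are demo assumptions; in a real service you would pass a wrapper around fetch called with redirect: "manual".

```typescript
// Added example (not code from veritas-kanban): host allowlist for outbound
// requests, plus manual redirect following so every hop is re-checked.
// ALLOWED_HOSTS and the Fetcher type are assumptions made for the demo.

export const ALLOWED_HOSTS: ReadonlySet<string> = new Set([
  "images.example.com",
  "cdn.example.com",
]);

// Parses and validates a caller-supplied URL; returns the URL object or throws.
export function validateOutboundUrl(
  raw: string,
  allowed: ReadonlySet<string> = ALLOWED_HOSTS,
): URL {
  let url: URL;
  try {
    url = new URL(raw); // relative paths and garbage fail here
  } catch {
    throw new Error("unparseable URL");
  }
  // Scheme first: file:, gopher:, ftp: are never legitimate for this fetch.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  // "https://cdn.example.com@evil.test/" parses with host evil.test;
  // refuse embedded credentials instead of reasoning about them.
  if (url.username !== "" || url.password !== "") {
    throw new Error("credentials in URL are not allowed");
  }
  // Normalise case and strip a trailing dot so "CDN.example.com." cannot
  // sidestep an exact-match allowlist.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (!allowed.has(host)) {
    throw new Error(`host not in allowlist: ${host}`);
  }
  return url;
}

// Minimal shape of the HTTP client the loop needs (assumed for the demo).
export type HopResult = { status: number; location?: string };
export type Fetcher = (url: string, opts: { redirect: "manual" }) => Promise<HopResult>;

// Follows redirects by hand so each hop goes through the allowlist: an
// allowed host that 302s to 169.254.169.254 would otherwise be followed.
export async function fetchAllowlisted(raw: string, doFetch: Fetcher, maxHops = 3): Promise<HopResult> {
  let current = validateOutboundUrl(raw);
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await doFetch(current.toString(), { redirect: "manual" });
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = validateOutboundUrl(new URL(res.location, current).toString());
      continue;
    }
    return res;
  }
  throw new Error("too many redirects");
}

// Runs the validator over a batch and reports the verdict per URL.
export function classify(urls: string[]): Record<string, string> {
  const verdicts: Record<string, string> = {};
  for (const u of urls) {
    try {
      validateOutboundUrl(u);
      verdicts[u] = "ok";
    } catch (e) {
      verdicts[u] = (e as Error).message;
    }
  }
  return verdicts;
}
```

The allowlist is matched on the parsed hostname, never on a prefix of the raw string, which is what defeats the `allowed-host@evil` and `allowed-host.evil.test` tricks. DNS rebinding (an allowed name that resolves to an internal address at connect time) is outside what URL validation can catch; that needs the proxy approach the finding mentions or a resolver-level check.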
info Security checks software Xss conf 1.00 3 occurrences [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too. Caveat: two of the three locations are server-side Node files and the third is a repo script; none of them has a DOM. The finding is real only if the interpolated string is later assigned to innerHTML or served as HTML in the browser, so trace the string to its sink before acting.
3 files, 3 locations
scripts/check-permission-coverage.mjs:116
server/src/services/context-provider-health-service.ts:106
server/src/storage/sqlite/work-product-repository.ts:403
info Security checks quality Quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp, or escape every regex metacharacter in the user input so it can only match literally, and cap its length. A pattern the caller controls can also be syntactically invalid (an unbalanced "[" throws SyntaxError), which surfaces as an unhandled error rather than a slow request.
server/src/services/preview-service.ts:89
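An added example (not code from veritas-kanban) of the fix SEC083 asks for: user text becomes a literal-substring matcher via an escaping helper and a length cap, and the flagged construction is run beside it on the same input so the difference is visible. The sample queries in the comments and the MAX_QUERY_LENGTH value are demo assumptions.

```typescript
// Added example (not code from veritas-kanban): building a RegExp from
// untrusted search text without letting the caller supply pattern syntax.

// Escape every metacharacter so the text matches itself and nothing else.
export function escapeRegExp(text: string): string {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// A length cap bounds the work one query can cause, whatever its content.
export const MAX_QUERY_LENGTH = 200; // demo value

// Case-insensitive literal-substring matcher built from user text.
export function buildSearchRegExp(query: string): RegExp {
  if (query.length > MAX_QUERY_LENGTH) {
    throw new Error(`query longer than ${MAX_QUERY_LENGTH} characters`);
  }
  return new RegExp(escapeRegExp(query), "i");
}

export type Comparison = {
  rawIsValid: boolean;        // did new RegExp(query) compile at all?
  rawMatches: boolean | null; // result of the unescaped pattern (null if invalid)
  safeMatches: boolean;       // result of the escaped pattern
};

// Side by side: the construction SEC083 flags versus the escaped one.
// Example: compare("1.5", "1x5") -> raw matches (dot is a wildcard), safe does not;
//          compare("[", "x[1]")  -> raw throws SyntaxError, safe matches the literal "[".
export function compare(query: string, haystack: string): Comparison {
  let rawIsValid = true;
  let rawMatches: boolean | null = null;
  try {
    rawMatches = new RegExp(query, "i").test(haystack); // the flagged pattern
  } catch {
    rawIsValid = false; // unbalanced bracket or paren from the caller
  }
  return { rawIsValid, rawMatches, safeMatches: buildSearchRegExp(query).test(haystack) };
}
```

Escaping converts a backtracking bomb such as `(a+)+$` into the harmless literal `\(a\+\)\+\$`; the length cap is what protects against a long literal query over a large haystack. If the feature genuinely needs user-written patterns, run them in a worker with a timeout, or use an engine with linear-time matching guarantees.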
info Security checks quality Quality conf 1.00 2 occurrences [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings. Caveat: both locations sit under server/src/storage/sqlite, so confirm the matched call is child_process.exec and not a database handle's exec() that runs a SQL string. If it is the database, the question becomes whether that SQL is built from untrusted input (CWE-89), and the fix is parameterised statements, not execFile.
2 files, 2 locations
server/src/storage/sqlite/prompt-registry-repository.ts:380
server/src/storage/sqlite/database.ts:164
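An added example (not code from veritas-kanban) that runs the same attacker-shaped input through child_process.exec and through execFileSync, so the shell-string versus argv-array difference the finding describes is observable. PAYLOAD is constructed for the demo; the command it smuggles in is a harmless printf so the vulnerable path can be executed safely on any POSIX system with /bin/sh and a printf binary.

```typescript
// Added example (not code from veritas-kanban): shell string vs argv array
// with a constructed payload. Requires /bin/sh and printf on PATH.
import { execSync, execFileSync } from "node:child_process";

// Constructed attacker input: a "filename" that carries a second command.
export const PAYLOAD = "report.txt; printf INJECTED";

// Vulnerable pattern: interpolating into a command line. /bin/sh parses the
// ';' and runs the attacker's command after the intended one.
export function printViaShell(input: string): string {
  return execSync(`printf '%s' ${input}`, { encoding: "utf8" });
}

// Fixed pattern: no shell, one argv entry per argument. printf receives the
// whole string literally, semicolon and all. Passing { shell: true } here
// would reintroduce the bug.
export function printViaExecFile(input: string): string {
  return execFileSync("printf", ["%s", input], { encoding: "utf8" });
}

// Argument injection is the remaining hazard: a user value of "-rf" or
// "--output=/etc/passwd" can still be read as an option by the target
// program. Put "--" before user-controlled positionals when the program
// honours it (git, rm, ls and most GNU tools do). Not executed here.
export function buildGitLogArgs(userPath: string): string[] {
  return ["log", "--oneline", "--", userPath];
}
```

The shell path prints `report.txtINJECTED`; the execFile path prints the 27-character payload unchanged. When a call must go through a shell for a real reason (pipes, globs), pass user data as a positional parameter (`sh -c 'cmd "$1"' sh "$value"`) rather than splicing it into the script text.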
info Security checks quality Quality conf 1.00 3 occurrences [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes — DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production.
Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint.
3 files, 3 locations
server/src/middleware/request-timeout.ts:55
server/src/routes/attachments.ts:168
server/src/services/audit-service.ts:258
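An added example (not code from veritas-kanban) that makes the dropped-await failure observable: an in-memory store with a 10 ms simulated write, called once without `await` and once with it, plus the explicit `void` form for a deliberate fire-and-forget. AuditStore and the timings are demo assumptions standing in for the repository and service classes the finding points at.

```typescript
// Added example (not code from veritas-kanban): what a missing `await` does
// to a write path. AuditStore simulates an async DB insert.

export class AuditStore {
  private rows: string[] = [];

  // Simulates an asynchronous insert that lands on a later tick.
  async insert(row: string): Promise<void> {
    await new Promise<void>((resolve) => setTimeout(resolve, 10));
    this.rows.push(row);
  }

  count(): number {
    return this.rows.length;
  }
}

// Buggy: insert()'s promise is dropped. This function's own promise resolves
// before the row exists, and a rejected insert becomes an unhandledRejection.
export async function recordWithoutAwait(store: AuditStore, row: string): Promise<number> {
  store.insert(row); // fire-and-forget by accident
  return store.count(); // reads the store before the insert has landed
}

// Fixed: completion and errors of the insert are part of this function's result.
export async function recordAwaited(store: AuditStore, row: string): Promise<number> {
  await store.insert(row);
  return store.count();
}

// Deliberate fire-and-forget, made explicit: `void` satisfies
// @typescript-eslint/no-floating-promises, and the .catch keeps a failure
// from crashing the process as an unhandled rejection.
export function recordBestEffort(store: AuditStore, row: string): void {
  void store.insert(row).catch((err: unknown) => {
    console.error("audit write failed", err);
  });
}

// Runs both variants on fresh stores and reports what each caller observed.
export async function demo(): Promise<{ seenWithoutAwait: number; seenAwaited: number }> {
  const a = new AuditStore();
  const seenWithoutAwait = await recordWithoutAwait(a, "login ok"); // 0
  const b = new AuditStore();
  const seenAwaited = await recordAwaited(b, "login ok"); // 1
  return { seenWithoutAwait, seenAwaited };
}
```

In the buggy variant the row does land 10 ms later, which is exactly why the bug is flaky rather than constant: a request handler that returns, a transaction that commits, or a process that exits in that window loses the write, and a test that happens to wait long enough passes.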
info Security checks security Security conf 1.00 3 occurrences [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; current browsers imply rel=noopener for target="_blank", but the explicit attribute is still needed for older engines and so the intent survives refactors.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a>. For links created from JS, set rel on the element before appending it; for window.open(), pass 'noopener' in the features string. noreferrer additionally withholds the Referer header from the destination. Apply it to links into your own subdomains too; it costs nothing.
3 files, 3 locations
web/src/components/task/PreviewPanel.tsx:67
web/src/components/task/git/PRDialog.tsx:30
web/src/components/task/git/WorktreeStatus.tsx:54
info Security checks security Injection conf 1.00 3 occurrences [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection).
For literal data structures: use ast.literal_eval(text) — only parses literals, raises on code. For formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists). For Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec'). If you genuinely need to execute admin-st…
Caveat: this remediation is Python-specific, while all three locations are TypeScript files under server/src/storage/sqlite. Confirm whether the matched exec( is JavaScript eval/new Function or a SQLite driver's exec() that takes a SQL string; for the latter, the relevant question is whether that SQL is assembled from untrusted input, and the fix is a parameterised statement.
3 files, 3 locations
server/src/storage/sqlite/activity-repository.ts:116
server/src/storage/sqlite/chat-repository.ts:73
server/src/storage/sqlite/database.ts:123
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Switch the endpoint to https:// unless it is a loopback or development-only target; plaintext HTTP exposes whatever the script sends (tokens, task data) to anyone on the path. All three locations are shell scripts, so check whether the URL is a fixed production endpoint or a parameter with a dev default. See CWE-319 / A02:2021 for context.
3 files, 3 locations
demo/seed.sh:6
scripts/squad-event.sh:91
scripts/squad-post.sh:45
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
All three locations are CLI command files, where console.log is the intended output channel; treat them as noise unless the printed value includes a credential or other sensitive data. In server code, route output through the project's logger at a level that can be silenced in production. See CWE-532 for context.
3 files, 3 locations
cli/src/commands/agent-status.ts:27
cli/src/commands/agents.ts:22
cli/src/commands/automation.ts:20
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Replace the assertion with an explicit check that returns early or throws a descriptive error; x! only silences the compiler and turns a missing value into a runtime TypeError at a distance from its cause. See CWE-476 for context.
3 files, 3 locations
desktop/src/main/paths.ts:98
server/src/middleware/csp-nonce.ts:76
server/src/routes/automation.ts:53
info Security checks quality Quality conf 1.00 ✓ Repobility 2 occurrences [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Log an identifier or a masked value, never the secret itself; stdout is routinely captured by process managers, CI and log aggregators. If an operator script has to show a one-time credential, write it to the terminal once and keep it out of the application logger. See CWE-532 / A09:2021 for context.
2 files, 2 locations
server/src/scripts/reset-password.ts:24
cli/src/commands/usage.ts:57
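An added example (not code from veritas-kanban) of the masking step that both MINED049 locations and the console.log findings above would route through: a recursive redactor that masks secret-bearing keys, partially masks email addresses and scrubs bearer tokens out of free text before a value is serialised for a log line. SENSITIVE_KEYS, EMAIL_KEY and SAMPLE_EVENT are constructed for the demo.

```typescript
// Added example (not code from veritas-kanban): redact an object before it is
// logged. Key patterns and the sample event are demo assumptions.

const SENSITIVE_KEYS = /password|passwd|secret|token|api[_-]?key|authorization|ssn/i;
const EMAIL_KEY = /e-?mail/i;
const BEARER_IN_TEXT = /Bearer\s+[A-Za-z0-9._-]+/g;

// "alice@example.com" -> "a***@example.com": enough to correlate, not to reuse.
export function maskEmail(addr: string): string {
  const at = addr.indexOf("@");
  if (at <= 0) return "***";
  return `${addr[0]}***@${addr.slice(at + 1)}`;
}

// Returns a deep copy with sensitive values replaced; never mutates the input.
// `key` is the property name the value was found under, which drives the rules.
export function redactForLog(value: unknown, key = ""): unknown {
  if (Array.isArray(value)) {
    return value.map((v) => redactForLog(v, key));
  }
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = redactForLog(v, k);
    }
    return out;
  }
  if (typeof value === "string") {
    if (SENSITIVE_KEYS.test(key)) return "[REDACTED]";
    if (EMAIL_KEY.test(key)) return maskEmail(value);
    // Tokens also turn up inside free-text fields such as error messages.
    return value.replace(BEARER_IN_TEXT, "Bearer [REDACTED]");
  }
  return value; // numbers, booleans, null pass through unchanged
}

// One JSON log line, safe to hand to console.log or a structured logger.
export function logLine(event: unknown): string {
  return JSON.stringify(redactForLog(event));
}

// Constructed sample: the shape a password-reset or usage command might log.
export const SAMPLE_EVENT = {
  user: { email: "alice@example.com", password: "hunter2" },
  headers: { authorization: "Bearer eyJabc.def.ghi" },
  note: "retry with Bearer abc123 later",
  id: 42,
};
```

Key-based redaction is deliberately over-broad (any key containing "token" is masked, including harmless ones such as a CSRF token id); the cost of a masked value in a log is a few seconds of debugging, the cost of a leaked one is an incident. Run the redactor at the logger boundary so no call site can forget it.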
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
Replace any with the concrete type, or with unknown plus a narrowing check where the shape genuinely varies; these are MCP tool handlers, so the input is external and deserves validation rather than a blanket any. See CWE-704 for context.
3 files, 3 locations
mcp/src/tools/agents.ts:50
mcp/src/tools/automation.ts:76
mcp/src/tools/comments.ts:78
info Security checks quality Quality conf 1.00 ✓ Repobility 2 occurrences [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Narrow with a type guard or cast to a specific interface instead; as any hides the very mismatch that an upgrade or a refactor would otherwise surface at compile time. See CWE-704 for context.
2 files, 2 locations
web/vite.config.ts:23
mcp/src/tools/projects.ts:284
info Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
Use a stable identifier from the item (its id or another unique field) as the key; an index key is only acceptable for a static list that is never reordered, inserted into or filtered. See CWE-682 for context.
3 files, 3 locations
web/src/components/auth/SetupScreen.tsx:179
web/src/components/board/BoardLoadingSkeleton.tsx:27
web/src/components/dashboard/ActivityClock.tsx:96
info Security checks quality Quality conf 1.00 ✓ Repobility 2 occurrences [MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
Replace the wildcard with an exact-match allowlist of origins and echo the matching origin back with Vary: Origin. Note that browsers refuse to expose a response that combines Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true, so the question for these two locations (the server's env config and the desktop app's lifecycle module) is whether the API is reached with a bearer header or no authentication at all, and whether any write endpoint shares the wildcard. A simple cross-origin POST still executes server-side regardless of the CORS response; that is a CSRF concern, not a CORS one. See CWE-942, CWE-346 / A05:2021 for context.
2 files, 2 locations
server/src/config/env.ts:93
desktop/src/main/lifecycle.ts:38
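An added example (not code from veritas-kanban) of the allowlist alternative to the wildcard: a framework-agnostic helper that computes the CORS response headers for a request's Origin, echoes only an allowed origin, adds Vary: Origin, and refuses to combine a wildcard with credentials. APP_POLICY, PUBLIC_READ_POLICY and the origins in them are demo assumptions; the returned record is what you would set on the response from whatever middleware the server uses.

```typescript
// Added example (not code from veritas-kanban): CORS headers from an origin
// allowlist. Policies and origins below are demo assumptions.

export type CorsPolicy = {
  allowedOrigins: ReadonlySet<string>; // exact origins, or the single entry "*"
  allowCredentials: boolean;           // cookies / Authorization sent cross-origin
  allowedMethods: readonly string[];
};

// Authenticated app API: only the app's own origins, credentials allowed.
export const APP_POLICY: CorsPolicy = {
  allowedOrigins: new Set(["https://kanban.example.com", "http://localhost:5173"]),
  allowCredentials: true,
  allowedMethods: ["GET", "POST", "PATCH", "DELETE"],
};

// The one case where "*" is fine: public, read-only, unauthenticated.
export const PUBLIC_READ_POLICY: CorsPolicy = {
  allowedOrigins: new Set(["*"]),
  allowCredentials: false,
  allowedMethods: ["GET"],
};

// Headers to add for a request carrying `origin`. An empty record means
// "send nothing", which makes the browser block the cross-origin read.
export function corsHeaders(origin: string | undefined, policy: CorsPolicy): Record<string, string> {
  if (origin === undefined) return {}; // same-origin or non-browser client
  if (policy.allowedOrigins.has("*")) {
    if (policy.allowCredentials) {
      // Browsers reject this combination anyway; fail closed at config time.
      throw new Error("wildcard origin cannot be combined with credentials");
    }
    return { "Access-Control-Allow-Origin": "*" };
  }
  // Exact match only. The literal origin "null" (sandboxed iframes, file://)
  // is therefore rejected unless someone deliberately allowlists it.
  if (!policy.allowedOrigins.has(origin)) return {};
  const headers: Record<string, string> = {
    "Access-Control-Allow-Origin": origin, // echo the allowed origin, never "*"
    Vary: "Origin",                         // caches must key on Origin
  };
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Preflight (OPTIONS) adds the method/header grants, but only for an origin
// that passed the same allowlist check.
export function preflightHeaders(origin: string | undefined, policy: CorsPolicy): Record<string, string> {
  const base = corsHeaders(origin, policy);
  if (!("Access-Control-Allow-Origin" in base)) return base;
  return {
    ...base,
    "Access-Control-Allow-Methods": policy.allowedMethods.join(", "),
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Access-Control-Max-Age": "600",
  };
}
```

Reflecting the request's Origin header unconditionally (a common "fix" for wildcard-plus-credentials errors) is worse than the wildcard, because it grants every origin credentialed access; the allowlist lookup before the echo is the whole point.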
info System graph frontend Frontend quality conf 1.00 30 occurrences `truncate` class without `title=` for hover reveal
A truncated value should reveal the full text on hover. Pass the full string via `title={...}` so the user can read it. Why: P2 in CHECKLIST.md — truncate without hover-reveal. Rule id: fq.truncate.no-title
30 files, 30 locations
web/src/components/auth/DesktopOnboarding.tsx:385
web/src/components/board/BoardSidebar.tsx:123
web/src/components/board/MultiAgentPanel.tsx:79
web/src/components/dashboard/Dashboard.tsx:385
web/src/components/dashboard/DashboardPage.tsx:277
web/src/components/dashboard/ErrorsDrillDown.tsx:111
web/src/components/dashboard/TasksDrillDown.tsx:174
web/src/components/dashboard/WhereTimeWent.tsx:93
web/src/components/digest/OperationsDigestPage.tsx:494
web/src/components/docs/DocsViewer.tsx:279
web/src/components/evidence/EvidenceTimelinePanel.tsx:450
web/src/components/layout/ActivitySidebar.tsx:93
web/src/components/layout/ArchiveSidebar.tsx:100
web/src/components/layout/MobileShell.tsx:119
web/src/components/settings/tabs/AgentsTab.tsx:1158
web/src/components/settings/tabs/MultiUserTab.tsx:576
web/src/components/shared/AgentStatusIndicator.tsx:342
web/src/components/task/AgentPanel.tsx:431
web/src/components/task/AttachmentsSection.tsx:104
web/src/components/task/ConflictResolver.tsx:205
web/src/components/task/DeliverablesSection.tsx:249
web/src/components/task/DependenciesSection.tsx:253
web/src/components/task/diff/FileTree.tsx:46
web/src/components/task/git/WorktreeStatus.tsx:271
web/src/components/task/PreviewPanel.tsx:224
web/src/components/task/TaskCard.tsx:382
web/src/components/task/TaskMetricsPanel.tsx:169
web/src/components/task/TimeTrackingSection.tsx:339
web/src/components/templates/TemplatesPage.tsx:192
web/src/components/time/TimeBreakdownPage.tsx:440
info System graph quality Integrity conf 1.00 5 occurrences Commented-code block
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
Tags: commented code, dead code
5 files, 5 locations
server/src/routes/activity.ts:14 (10 lines)
server/src/__tests__/storage/file-storage.test.ts:308 (6 lines)
server/src/index.ts:3 (6 lines)
server/src/services/file-lock.ts:18 (6 lines)
web/src/hooks/useTasks.ts:177 (6 lines)
API access

This page is publicly accessible at: https://repobility.com/scan/52ffb460-31b3-4e4c-8fbc-f948099ce16c/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/52ffb460-31b3-4e4c-8fbc-f948099ce16c/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.