Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 30.21s for a 37.8 MB repo slow.
  • Repobility's analysis ran in 3.62s after the clone landed.

alumnium-hq/alumnium

https://github.com/alumnium-hq/alumnium · scanned 2026-05-31 01:23 UTC (5 days, 6 hours ago) · 10 languages

425 findings (123 legacy + 302 scanner) 11/13 scanners ran 88th percentile · Typescript · medium (20-100K LoC) Scanner says 71 (higher by 14)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 6 hours ago · v2 · last Δ +0.1 (diff) · 277 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
76.7
/100
Repobility
82
123 legacy
9-layer
71
100.0% cov · 154 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 100.0 0.20 20.00
documentation_score 83.0 0.15 12.45
practices_score 77.0 0.15 11.55
code_quality 78.0 0.10 7.80
Overall 1.00 85.8
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 82 Medium 34 Low 112 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 123 9-layer 154 Crowd 0 Layer: Quality 98 Security 4 Cicd 49 Software 92 Api 1 Frontend 29 Hardware 4
Scan summary Repository scanned at 71.4/100 with 100.0% coverage. It contains 1400 nodes across 4 cross-layer flows, written primarily in mixed languages. Engine surfaced 154 findings — concentrated in software (54), cicd (43), frontend (29). Risk profile is high: 0 critical, 1 high, 30 medium. Recommended next step: open the software layer findings first — that's where the highest-impact wins live.

Showing 213 of 277 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_raw_ids` used but never assigned in __init__: Method `_add_raw_ids` of class `UIAutomator2AccessibilityTree` reads `self._add_raw_ids`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_raw_ids = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py:43 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_raw_ids` used but never assigned in __init__: Method `to_str` of class `UIAutomator2AccessibilityTree` reads `self._add_raw_ids`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_raw_ids = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py:31 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._build_frame_hierarchy` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._build_frame_hierarchy`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._build_frame_hierarchy = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/drivers/selenium_driver.py:71 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._build_server_pid_name` used but never assigned in __init__: Method `_resolve_url` of class `HttpClient` reads `self._build_server_pid_name`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._build_server_pid_name = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/clients/http_client.py:229 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._from_xml` used but never assigned in __init__: Method `scope_to_area` of class `ChromiumAccessibilityTree` reads `self._from_xml`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._from_xml = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:203 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._get_all_frame_ids` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._get_all_frame_ids`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._get_all_frame_ids = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/drivers/selenium_driver.py:63 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._get_frame_chain` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._get_frame_chain`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._get_frame_chain = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/drivers/selenium_driver.py:85 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._node_to_xml` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._node_to_xml`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._node_to_xml = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:112 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._node_to_xml` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._node_to_xml`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._node_to_xml = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:119 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._node_to_xml` used but never assigned in __init__: Method `to_str` of class `ChromiumAccessibilityTree` reads `self._node_to_xml`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._node_to_xml = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:53 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._normalize_paths` used but never assigned in __init__: Method `invoke` of class `UploadTool` reads `self._normalize_paths`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._normalize_paths = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/tools/upload_tool.py:22 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._stop_server` used but never assigned in __init__: Method `_resolve_url` of class `HttpClient` reads `self._stop_server`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._stop_server = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/clients/http_client.py:242 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._stop_server` used but never assigned in __init__: Method `quit` of class `HttpClient` reads `self._stop_server`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._stop_server = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/clients/http_client.py:86 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._to_str` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._to_str = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:106 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._to_str` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._to_str = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:101 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._to_str` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._to_str = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:89 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._wait_for_page_to_load` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._wait_for_page_to_load`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._wait_for_page_to_load = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/drivers/selenium_driver.py:59 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.to_str` used but never assigned in __init__: Method `element_by_id` of class `ChromiumAccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.to_str = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:141 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.to_str` used but never assigned in __init__: Method `element_by_id` of class `UIAutomator2AccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.to_str = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py:56 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.to_str` used but never assigned in __init__: Method `scope_to_area` of class `ChromiumAccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.to_str = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:172 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.to_str` used but never assigned in __init__: Method `scope_to_area` of class `UIAutomator2AccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.to_str = <default>` in __init__, or add a class-level default.
packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py:85 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions-cool/check-user-permission` pinned to mutable ref `@v2`: `uses: actions-cool/check-user-permission@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions-cool/check-user-permission@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:41 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/attest-build-provenance` pinned to mutable ref `@v3`: `uses: actions/attest-build-provenance@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/attest-build-provenance@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:199 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/attest` pinned to mutable ref `@v4`: `uses: actions/attest@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/attest@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:241 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:223 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:149 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:115 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:85 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:45 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:30 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/deployment.yml:25 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci-java.yml:91 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci-java.yml:57 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v5`: `uses: actions/deploy-pages@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/deploy-pages@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/deployment.yml:47 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-pages-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-pages-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/upload-pages-artifact@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/deployment.yml:33 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `jdx/mise-action` pinned to mutable ref `@v4`: `uses: jdx/mise-action@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: jdx/mise-action@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/deployment.yml:26 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: mxschmitt/action-tmate@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:282 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: mxschmitt/action-tmate@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:207 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: mxschmitt/action-tmate@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:133 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: mxschmitt/action-tmate@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:101 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: mxschmitt/action-tmate@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:70 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: mxschmitt/action-tmate@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci.yml:93 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: mxschmitt/action-tmate@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci-java.yml:106 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: mxschmitt/action-tmate@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/ci-java.yml:81 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`: `uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pypa/gh-action-pypi-publish@<40-char-sha> # release/v1` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:64 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`: `uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pypa/gh-action-pypi-publish@<40-char-sha> # release/v1` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release.yml:59 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM debian:bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
Dockerfile:1 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED119] Dockerfile `ADD https://github.com/krallin/tini/releases/download/v0.19.0/tini-${TARGETARCH}`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between layers — or if the URL serves a different file later — malicious content gets baked into the image.
Download the file in CI with a known checksum, vendor it into the repo, and COPY it during the build. Or use `RUN curl -sSL URL | sha256sum -c <(echo '<expected> -')` to verify.
Dockerfile:6 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED134] Binary file `packages/java/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/java/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,966 bytes) committed to a repo that otherwise has 334 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
packages/java/gradle/wrapper/gradle-wrapper.jar:1 dependencylegacy
high Legacy software xxe conf 1.00 [SEC024] XML External Entity (XXE) — Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack.
Disable DTDs and external entities before parsing: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities"…
packages/java/src/main/java/ai/alumnium/accessibility/ChromiumAccessibilityTree.java:245 xxelegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
packages/typescript/src/tools/BaseTool.ts:30 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
packages/typescript/src/server/agents/PlannerAgent.ts:155 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
packages/typescript/src/drivers/AppiumDriver.ts:205 xsslegacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
packages/typescript/src/server/agents/RetrieverAgent.ts:156 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
packages/typescript/src/server/cache/ElementsCache/ElementsCacheMask.ts:127 qualitylegacy
high Legacy security path_traversal conf 1.00 [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly.
After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`.
packages/typescript/src/standalone/setupEmbeddedDependencies.ts:188 path_traversallegacy
high Legacy security path_traversal conf 1.00 [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly.
After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`.
packages/typescript/src/mcp/tools/startMcpTool.ts:81 path_traversallegacy
high 9-layer cicd supply-chain conf 1.00 pull_request_target workflow appears to check out untrusted PR code
pull_request_target runs with base-repo privileges. Checking out PR head code in that context can expose repository tokens or secrets to attacker-controlled code.
.github/workflows/ci.yml supply-chaingithub-actionspull-request-target
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
packages/typescript/src/server/ServerCommand.ts:281 error_handlinglegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:178 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident.
Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly.
packages/python/src/alumnium/drivers/appium_driver.py:64 qualitylegacy
medium Legacy cicd docker conf 0.94 Compose service `lgtm` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
telemetry/docker-compose.yml:1 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
Dockerfile:1 dockerlegacy
medium Legacy cicd docker conf 0.84 Dockerfile ADD downloads remote content
Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files.
Dockerfile:7 dockerlegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
websites/docs/src/content/blog/2026-05-13-release-0.20.0.md:27 dependencylegacy
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/typescript/src/clients/HttpClient.ts:251
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — websites/docs/scripts/generate-install-scripts.ts:24
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer hardware supply-chain conf 1.00 Dockerfile ADD downloads remote content without checksum
Remote build inputs can change or be replaced upstream. Use Dockerfile ADD --checksum or download with an explicit digest/signature verification step.
Dockerfile:6 supply-chaindockerchecksum
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-java.yml:81 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-java.yml:106 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions-cool/check-user-permission@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:41 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:93 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pypa/gh-action-pypi-publish@release/v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:59 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pypa/gh-action-pypi-publish@release/v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:64 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:70 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:101 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:133 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-qemu-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:158 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:161 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:164 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/metadata-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:175 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:185 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:207 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:282 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-typescript.yml:83 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-typescript.yml:108 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-typescript.yml:134 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-eval.yml:56 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-python.yml:90 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-python.yml:117 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
mxschmitt/action-tmate@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-python.yml:148 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/deployment.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml supply-chaingithub-actionsleast-privilege
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — packages/python/src/alumnium/cli.py:38
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore dockerlegacy
low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
packages/java/src/main/java/ai/alumnium/accessibility/UIAutomator2AccessibilityTree.java:63 qualitylegacy
low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
packages/java/src/main/java/ai/alumnium/accessibility/ChromiumAccessibilityTree.java:183 qualitylegacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
telemetry/docker-compose.yml:1 dockerlegacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
telemetry/docker-compose.yml:1 dockerlegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/python/src/alumnium/drivers/playwright_driver.py:66 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/java/src/main/java/ai/alumnium/driver/SeleniumDriver.java:144 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/java/src/main/java/ai/alumnium/driver/SeleniumDriver.java:54 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/java/src/main/java/ai/alumnium/Area.java:96 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/typescript/src/tools/ScrollTool.ts:6 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/typescript/src/tools/HoverTool.ts:7 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/typescript/src/server/cache/ResponseCache.ts:111 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/typescript/src/server/agents/LocatorAgent.ts:59 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/typescript/src/drivers/scripts/waiter.js:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/typescript/src/client/Area.ts:53 qualitylegacy
low 9-layer quality maintenance conf 1.00 48 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coveragedeployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: debian:bookworm-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:1 supply-chaindockerpinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/evalite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/scripts/get-ollama-model.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/scripts/version.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/AppId.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/AppId.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/client/result.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/clients/ApiModels.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/drivers/DriverId.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/FileStore/GlobalFileStorePaths.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/Http.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/mcp/McpArtifactsStore.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/mcp/McpCommand.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/mcp/tools/checkMcpTool.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/mcp/tools/fetchAccessibilityTreeMcpTool.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/mcp/tools/getMcpTool.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/mcp/tools/stopMcpTool.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/mcp/tools/waitMcpTool.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/Model.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/package.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/pythonic/pythonicFormat.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/pythonic/pythonicSplitlines.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/agents/Agent.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/agents/prompts/bundledPrompts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/agents/RetrieverAgent.eval.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/cache/ElementsCache/ActorAgentElementsCache.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/cache/ElementsCache/ElementsCache.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/cache/ElementsCache/ElementsCacheMask.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/cache/ElementsCache/ElementsCacheToolCalls.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/cache/ElementsCache/ElementsCacheTree.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/cache/ElementsCache/PlannerAgentElementsCache.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/serverApp.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/serverSchema.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/server/session/SessionId.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/standalone/embeddedAssetNames.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/src/utils/schema.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/npm/cjs/example.spec.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/npm/esm/example.spec.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/system/calculator.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/system/dragAndDrop.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/system/dragSlider.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/system/fileUpload.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/system/frames.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/system/locator.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/system/navigation.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/system/table.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/system/tabs.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/system/todo.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/system/waiter.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/tests/unit/setup.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/typescript/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-java.yml:57 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-java.yml:91 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:30 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:45 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:85 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:115 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:149 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/attest-build-provenance@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:199 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:223 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/attest@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:241 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-typescript.yml:56 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-typescript.yml:93 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-typescript.yml:116 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-eval.yml:44 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-python.yml:64 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-python.yml:100 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci-python.yml:125 supply-chaingithub-actionspinned-dependencies
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 13 places
Functions with the same first-5-line body hash: packages/python/examples/behave/features/steps/todo_al.py:step_impl, packages/python/examples/behave/features/steps/todo_al.py:step_impl, packages/python/examples/behave/features/steps/todo_al.py:step_impl, packages/python/examples/behave/features/ste…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: packages/python/examples/pytest/table_test.py:test_table_extraction, packages/python/examples/pytest/table_test.py:test_table_sorting This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). C…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: packages/python/src/alumnium/cli.py:run, packages/python/src/alumnium/cli.py:run_async This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: packages/python/src/alumnium/drivers/playwright_driver.py:url, packages/python/src/alumnium/drivers/playwright_async_driver.py:url This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Cons…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: packages/python/src/alumnium/drivers/playwright_driver.py:search_frame, packages/python/src/alumnium/drivers/playwright_async_driver.py:search_frame This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-c…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: packages/python/src/alumnium/drivers/playwright_driver.py:switch_to_next_tab, packages/python/src/alumnium/drivers/playwright_driver.py:switch_to_previous_tab This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py:to_str, packages/python/src/alumnium/accessibility/xcuitest_accessibility_tree.py:to_str This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see …
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py:element_by_id, packages/python/src/alumnium/accessibility/xcuitest_accessibility_tree.py:element_by_id This is *the* AI-coder failure mode (4× more duplication in vibe-code…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py:scope_to_area, packages/python/src/alumnium/accessibility/xcuitest_accessibility_tree.py:scope_to_area This is *the* AI-coder failure mode (4× more duplication in vibe-code…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: packages/python/src/alumnium/drivers/base_driver.py:print_to_pdf, packages/python/src/alumnium/tools/base_tool.py:invoke, packages/python/src/alumnium/accessibility/base_accessibility_tree.py:scope_to_area This is *the* AI-coder failure mode (4× more…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 6 places
Functions with the same first-5-line body hash: packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:find_element, packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py:find_element, packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.…
integrityduplicatedry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: after_scenario
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/python/examples/behave/features/environment.py:235 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: before_all
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/python/examples/behave/features/environment.py:220 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: before_feature
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/python/examples/behave/features/environment.py:229 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: wrapper
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/python/src/alumnium/drivers/selenium_driver.py:159 dead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/typescript/scripts/build.ts:303
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/typescript/src/cli/bin.ts:36
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/typescript/src/cli/CliCommand.ts:49
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/typescript/src/utils/logFormat.ts:53
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — websites/docs/scripts/generate-install-scripts.ts:59
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer quality integrity conf 1.00 Stub function `accessibility_tree` (body is just `pass`/`return`) — packages/python/src/alumnium/drivers/base_driver.py:11
Likely an AI scaffold that was never filled in. Remove or implement.
integrityempty-handlerdead-code
low 9-layer quality integrity conf 1.00 Stub function `invoke` (body is just `pass`/`return`) — packages/python/src/alumnium/tools/base_tool.py:30
Likely an AI scaffold that was never filled in. Remove or implement.
integrityempty-handlerdead-code
low 9-layer quality integrity conf 1.00 Stub function `to_str` (body is just `pass`/`return`) — packages/python/src/alumnium/accessibility/base_accessibility_tree.py:8
Likely an AI scaffold that was never filled in. Remove or implement.
integrityempty-handlerdead-code
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
packages/typescript/src/server/ServerCommand.ts:151 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
packages/python/src/alumnium/clients/http_client.py:245 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
packages/java/src/main/java/ai/alumnium/accessibility/ChromiumAccessibilityTree.java:257 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
packages/typescript/src/mcp/tools/checkMcpTool.ts:37 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
packages/typescript/src/cli/CliCommand.ts:114 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 / for context.
packages/typescript/src/Env.ts:309 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
packages/typescript/src/mcp/McpServer.ts:52 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
packages/typescript/src/client/Alumni.ts:247 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
Review and fix per the pattern semantics. See CWE-704 / for context.
packages/typescript/src/Xml.ts:16 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
packages/python/src/alumnium/result.py:4 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/53d869c3-eb18-4fe6-aa71-30c3aa648529/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/53d869c3-eb18-4fe6-aa71-30c3aa648529/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.