67 of the 129 findings came from Repobility's proprietary detections; the ✓ Repobility tag marks them in the list below.

Scan timing: clone 3.25s · analysis 12.89s · 15.3 MB · GitHub API rate-limit (preflight)

drasi-project/drasi-core

https://github.com/drasi-project/drasi-core · scanned 2026-06-05 22:09 UTC (4 days, 8 hours ago) · 10 languages

245 raw signals (121 security + 124 graph) · 46th percentile · Rust · large (100-500K LoC) · system graph score 78 (lower by 12)


Complete repo analysis

Last scanned 4 days, 8 hours ago · v2 · 78 actionable findings from 2 signal sources. 105 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown (2026-05-18-v5)

Component            Sub-score  Weight  Contribution
structure_score           85.0    0.15         12.75
security_score            56.0    0.25         14.00
testing_score             63.0    0.20         12.60
documentation_score       70.0    0.15         10.50
practices_score           82.0    0.15         12.30
code_quality              48.3    0.10          4.83
Overall                             1.00         67.0
Active filters: excluding tests.
Scan summary: quality grade B- (67/100). Dimensions: security 56, maintainability 85. 121 findings (44 security). 332,996 lines analyzed.

Showing 60 of 78 actionable findings. 183 raw detector signals were grouped into reader-sized issues.

critical Security checks security secrets conf 0.95 Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
Gitleaks matched the Stripe key format at the cited line; it checks the pattern, not whether the key is live. A hit in a README is often a documentation placeholder, but confirm that at the cited line rather than assume it. If the key is real, revoke it in the Stripe dashboard first and treat it as exposed for the whole time it has been in the history; removing the line or rewriting history does not un-leak a key that was already pushed.
components/reactions/http/README.md:231
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 22 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive repository secrets on GitHub Actions (only a read-only GITHUB_TOKEN), so these 22 references do not by themselves let a forked PR exfiltrate anything. Branches pushed to this repository do get secrets in pull_request runs, which is normal for collaborators. Review this as a reliability and intent signal, not as direct fork-secret exfiltration; raise the severity only if the same secrets appear in a pull_request_target or workflow_run job, or any other trusted-context path that checks out and runs untrusted PR code.
lines 152, 458, 460, 476, 477, 685, 790, 801, +14 more
.github/workflows/implement-source.lock.yml:152, 458, 460, 476, 477, 685, 790, 801, +14 more (22 hits)
Tags: CI/CD security · workflow secrets · GitHub Actions
critical System graph security security conf 1.00 Insecure pattern 'private_key_in_repo' in lib/src/identity/application.rs:238
Found a known-risky pattern (private_key_in_repo). The hit is in Rust source under an identity module, not a .pem or key file, so confirm what line 238 holds: key material (including a test fixture) or only code that handles keys, such as a PEM header string or a field name. Embedded key material should be generated at test time or loaded from outside the tree; if it is a real key, rotate it and treat the history as exposed.
lib/src/identity/application.rs:238 · Tags: Private key in repo
critical System graph security Secrets conf 1.00 Possible secret in components/bootstrappers/postgres/src/lib.rs
Detected pattern matching password_literal. The confidence value is the detector's certainty that the text matches, not that a real credential is present: in Rust config modules the match is often a password field, a default, or a test value, so open each cited line before acting. Where a real credential is present, rotate it, move it to a secret manager or environment-supplied configuration, and remember that it stays in git history. The same check applies to the password_literal findings that follow.
components/bootstrappers/postgres/src/lib.rs:45
critical System graph security Secrets conf 1.00 Possible secret in components/mssql-common/src/config.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
components/mssql-common/src/config.rs:252
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in components/reactions/storedproc-mssql/src/config.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 50, 76
components/reactions/storedproc-mssql/src/config.rs:50, 76 (2 hits)
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in components/reactions/storedproc-mysql/src/config.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 50, 76
components/reactions/storedproc-mysql/src/config.rs:50, 76 (2 hits)
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in components/reactions/storedproc-postgres/src/config.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 51, 77
components/reactions/storedproc-postgres/src/config.rs:51, 77 (2 hits)
critical System graph security Secrets conf 1.00 Possible secret in components/sources/postgres/src/lib.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
components/sources/postgres/src/lib.rs:478
critical System graph security Secrets conf 1.00 4 occurrences Possible secret in lib/src/identity/application.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 53, 125, 138, 264
lib/src/identity/application.rs:53, 125, 138, 264 (4 hits)
high Security checks cicd CI/CD security conf 0.90 Database service has no persistent data volume
Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory, so recreating the container discards its state. That is a data-loss (reliability) risk rather than a security exposure, and in a getting-started example it may be deliberate; the high rating overstates it for this path.
examples/lib/oracle-getting-started/docker-compose.yml:1 · Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.84 Database service publishes a host port
Publishing a database port maps it on every host interface (0.0.0.0) by default, so anything that can reach the host can reach the database. Containers on the same Compose network reach it by service name without any ports entry; expose only documents the port and opens nothing. If a host-side client needs access, bind the mapping to 127.0.0.1 instead of publishing it on all interfaces.
examples/lib/oracle-getting-started/docker-compose.yml:1 · Tags: CI/CD security · containers
high Security checks software dependencies conf 0.90 ✓ Repobility 10 occurrences Dockerfile FROM `ghcr.io/cross-rs/x86_64-unknown-linux-gnu:0.2.5` not pinned by digest
`FROM ghcr.io/cross-rs/x86_64-unknown-linux-gnu:0.2.5` resolves the tag at build time. Tags are mutable: the registry can serve a different image for the same tag later, so two builds of the same commit can differ. These are cross-compilation builder images rather than shipped runtime images, but a tampered toolchain image alters every artifact it compiles, so pin them to `image@sha256:...` as well, keep the tag in a trailing comment for readability, and move the digest forward through reviewed dependency updates.
5 files, 10 locations
Dockerfile.cross-gnu:1, 2 (2 hits)
Dockerfile.cross-gnu-aarch64:1, 2 (2 hits)
Dockerfile.cross-musl:1, 2 (2 hits)
Dockerfile.cross-musl-aarch64:1, 2 (2 hits)
Dockerfile.cross-windows-gnu:1, 2 (2 hits)
high Security checks cicd CI/CD security conf 0.90 ✓ Repobility 4 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Reusable workflow `drasi-project/.github/.github/workflows/cargo-audit.yaml` is referenced at `@main`, a branch that moves without any change in this repository. It lives in the project's own organisation, so the exposure is a mistaken or malicious push to that repository rather than an unknown third party; still pin to a reviewed full commit SHA (branch or tag in a trailing comment) wherever the calling workflow handles secrets or gates a release.
4 files, 4 locations
.github/workflows/cargo-audit.yml:12
.github/workflows/ci-lint.yml:16
.github/workflows/devskim.yml:13
.github/workflows/test.yml:21
Tags: CI/CD security · Supply chain · GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 8 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/github-script` is referenced at `@v7`, a tag the action's maintainers (or anyone who gains push access to that repository) can retarget. github-script runs arbitrary JavaScript with the job's token, so the low rating presumably reflects the PR-labeling workflows it appears in, not the action being harmless; pin to the full commit SHA and keep `# v7` as a trailing comment so Dependabot or Renovate can track it.
3 files, 8 locations
.github/workflows/pr-first-approval-label-run.yml:39, 46 (4 hits)
.github/workflows/pr-assignment-check.yml:29 (2 hits)
.github/workflows/pr-first-approval-label.yml:36 (2 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 2 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `sigstore/cosign-installer` is referenced at `@v3`, a mutable tag. It installs the signing tool used by publish-plugins.yml, so a retargeted tag would put an attacker-chosen binary directly in the release signing path; this is exactly where a reviewed full commit SHA pin matters most.
lines 113
.github/workflows/publish-plugins.yml:113 (2 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences Workflow container/services image `redis:7-alpine` unpinned
`redis:7-alpine` without `@sha256:...` pulls whatever the tag points to when the job runs. A service container in CI cannot read the runner's secrets directly, but it sits on the job's network and feeds responses to the tests, so a swapped image can alter or attack what runs in the job. Treat workflow `container:` and `services:` images with the same supply-chain discipline as Dockerfile FROM lines: pin the digest and let a dependency bot refresh it.
lines 44, 134
.github/workflows/coverage.yaml:44, 134 (2 hits)
high System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Action tracks a moving branch
`drasi-project/.github/.github/workflows/cargo-audit.yaml@main` can move without a code change in this repo. The reusable workflow is in the project's own organisation, but pinning it to a reviewed 40-character commit SHA still means every change to what runs here arrives through a pull request in this repository.
4 files, 4 locations
.github/workflows/cargo-audit.yml:12
.github/workflows/ci-lint.yml:16
.github/workflows/devskim.yml:13
.github/workflows/test.yml:21
Tags: CI/CD security · Supply chain · GitHub Actions
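The pinning findings above (Dockerfile FROM tags, `uses:` refs at `@main` and `@v7`, and the `redis:7-alpine` service image) come down to one check: is the reference content-addressed, or can the registry or repository retarget it? The script below is an added example, not Repobility's detector and not code from drasi-core. It is a standard-library Python lint that applies that check to Dockerfile FROM lines (skipping `scratch` and references to earlier build stages) and to workflow `uses:` and `image:` lines, including reusable workflows and `docker://` actions. The sample Dockerfile and workflow embedded in it are constructed to imitate the shapes reported above; the commit SHA and digest values in them are placeholders.

```python
"""Pin lint for Dockerfile FROM lines and GitHub Actions workflows.
Added example, not Repobility's detector and not code from drasi-core: a standard-library
check of the kind the pinning findings describe, run on constructed samples in which the
commit SHA and image digest are placeholders."""
import re
from dataclasses import dataclass

SHA40 = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA: the only immutable action ref
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")    # image pinned by content digest
SEMVER_TAG = re.compile(r"^v?\d+(\.\d+)*$")      # v7, v3.1.0, 0.2.5; anything else is a branch
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)")

@dataclass
class Finding:
    path: str
    line: int
    kind: str    # "action" or "image"
    ref: str
    reason: str

def classify_action_ref(uses: str) -> str:
    """Classify a `uses:` value as local, docker, sha, tag or branch."""
    if uses.startswith("./"):
        return "local"       # action in this repo: reviewed with the PR itself
    if uses.startswith("docker://"):
        return "docker"      # container action: judged by its image digest instead
    if "@" not in uses:
        return "branch"      # Actions rejects a missing ref; treat as mutable
    ref = uses.rsplit("@", 1)[1]
    if SHA40.match(ref):
        return "sha"
    return "tag" if SEMVER_TAG.match(ref) else "branch"

def classify_image_ref(image: str) -> str:
    """Classify an image reference as digest, tag or implicit-latest."""
    if DIGEST.search(image):
        return "digest"
    last = image.rsplit("/", 1)[-1]   # drop registry host:port before looking for the tag colon
    return "tag" if ":" in last else "implicit-latest"

def lint_dockerfile(path: str, text: str) -> list[Finding]:
    """Flag FROM lines that pull a mutable reference; skip scratch and earlier build stages."""
    findings, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if image.lower() != "scratch" and image.lower() not in stages:
            kind = classify_image_ref(image)
            if kind != "digest":
                findings.append(Finding(path, n, "image", image, f"FROM pulls a mutable {kind} reference"))
        if alias:
            stages.add(alias.lower())
    return findings

def lint_workflow(path: str, text: str) -> list[Finding]:
    """Flag `uses:` refs that are not full SHAs and `image:` refs without a digest."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            uses = m.group(1)
            kind = classify_action_ref(uses)
            if kind == "docker" and classify_image_ref(uses[len("docker://"):]) != "digest":
                findings.append(Finding(path, n, "image", uses, "container action pulls a mutable image reference"))
            elif kind in ("tag", "branch"):
                findings.append(Finding(path, n, "action", uses, f"action pinned to a mutable {kind}"))
            continue
        m = IMAGE_RE.match(line)
        if m and classify_image_ref(m.group(1)) != "digest":
            findings.append(Finding(path, n, "image", m.group(1), "workflow container pulls a mutable image reference"))
    return findings

# Constructed samples imitating the shapes reported above; the SHA and digest are placeholders.
PLACEHOLDER_SHA = "a" * 40
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64
SAMPLE_DOCKERFILE = f"""\
FROM --platform=$BUILDPLATFORM ghcr.io/cross-rs/x86_64-unknown-linux-gnu:0.2.5 AS cross
FROM cross
FROM alpine@{PLACEHOLDER_DIGEST}
FROM scratch
"""
SAMPLE_WORKFLOW = f"""\
jobs:
  audit:
    uses: drasi-project/.github/.github/workflows/cargo-audit.yaml@main
  test:
    services:
      redis:
        image: redis:7-alpine
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
      - uses: actions/github-script@v7
      - uses: ./.github/actions/local-step
      - uses: docker://alpine@{PLACEHOLDER_DIGEST}
"""
```

Run it with `lint_dockerfile("Dockerfile.cross-gnu", SAMPLE_DOCKERFILE)` and `lint_workflow("coverage.yaml", SAMPLE_WORKFLOW)`: the sample yields one Dockerfile hit (line 1) and three workflow hits (the `@main` reusable workflow, the `redis:7-alpine` service, and `github-script@v7`); the SHA-pinned checkout, the local action and the digest-pinned `docker://` action pass. To fix a hit, replace the tag with the full commit SHA and keep the tag in a trailing comment (`uses: actions/github-script@<sha> # v7`), which Dependabot and Renovate use to keep the pin current; for images, resolve the digest once with `docker buildx imagetools inspect <image:tag>` and write `image:tag@sha256:...`.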
medium Security checks cicd CI/CD security conf 0.56 Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source, readable by everyone with repository access, and visible at run time through docker inspect and the process environment. In an example stack a dummy value may be intentional, but the copied pattern is what users carry into real deployments: prefer Compose secrets or *_FILE variables so the example teaches the safe form.
examples/lib/oracle-getting-started/docker-compose.yml:1 · Tags: CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.56 Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
examples/lib/loki/docker-compose.yml:8 · Tags: CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.88 Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to accept connections unless the database defines a healthcheck and dependents use depends_on with condition: service_healthy. This is a startup-ordering (reliability) issue rather than a security exposure.
examples/lib/oracle-getting-started/docker-compose.yml:1 · Tags: CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore the build context sent to the daemon can include .git history, local .env files, target/ and other generated artifacts. Anything a COPY instruction picks up lands in an image layer, and deleting it in a later RUN does not remove it from that layer. At minimum exclude .git, .env* and build outputs.
.dockerignore · Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 5 occurrences Docker final stage has no non-root USER
Docker images run as root unless the base image or the Dockerfile switches to a non-root user. These Dockerfile.cross-* files define cross-compilation builder images rather than shipped runtime images, so the finding matters only if they are run outside the build tool that drives them; any image that is shipped should end with a USER directive for an unprivileged account.
5 files, 5 locations
Dockerfile.cross-gnu:3
Dockerfile.cross-gnu-aarch64:3
Dockerfile.cross-musl:3
Dockerfile.cross-musl-aarch64:3
Dockerfile.cross-windows-gnu:3
Tags: CI/CD security · containers
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
localStorage writes can fail (quota exceeded, private browsing, storage disabled). Swallowing the error is acceptable for the theme preference this file appears to store, as long as the code falls back to the default; the detector's silent-data-loss framing applies only if the same pattern is reused for data the user cannot recreate.
components/reactions/dashboard/static/js/theme.js:43
medium System graph cicd CI/CD security conf 1.00 6 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Set a workflow-level permissions block that grants only read access, then add write scopes on the specific job that needs them (publishing and release workflows legitimately need contents, packages or id-token write). The question for each file listed is whether the write scopes are granted per job or to every job in the workflow.
6 files, 6 locations
.github/workflows/implement-source.lock.yml
.github/workflows/plan-source.lock.yml
.github/workflows/publish-crate.yml
.github/workflows/publish-plugins.yml
.github/workflows/release-plz.yml
.github/workflows/scorecard.yaml
Tags: CI/CD security · Supply chain · GitHub Actions
medium System graph security security conf 1.00 Insecure pattern 'cors_wildcard' in components/sources/http/src/lib.rs:1837
Found a known-risky pattern (cors_wildcard). An Access-Control-Allow-Origin of * is harmless for an endpoint that takes no browser credentials and returns nothing origin-specific; it matters when the same server honours cookies or Authorization headers sent by a browser, because any origin can then make the request (browsers refuse the response when * is combined with credentials, so that pairing is a functional bug as well). Check how this HTTP source authenticates callers before deciding whether to restrict the origin list.
components/sources/http/src/lib.rs:1837 · Tags: Cors wildcard
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in components/sources/postgres/src/connection.rs:101
Found a known-risky pattern (weak_hash). In a PostgreSQL client, MD5 usually appears because the wire protocol's md5 authentication method requires it; that is a protocol constraint, not a hashing choice, and the remedy is operational (password_encryption = scram-sha-256 on the server so SCRAM is negotiated instead). Confirm that is what the cited lines implement; if MD5 is used for anything with a security meaning beyond that handshake, replace it with SHA-256.
components/sources/postgres/src/connection.rs:101 · Tags: Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in components/sources/postgres/src/protocol.rs:319
Found a known-risky pattern (weak_hash). Same pattern and same assessment as the connection.rs finding above.
components/sources/postgres/src/protocol.rs:319 · Tags: Weak hash
medium System graph network Security conf 1.00 Privileged port 30 in use
Port 30 is below 1024 and would need CAP_NET_BIND_SERVICE or root to bind, but the cited file is a GitHub Actions workflow, not a service definition, and workflows do not bind listening ports. The detector most likely matched a bare number (a timeout or retention value, for instance) rather than a port; treat this as a false positive unless the workflow actually starts a listener.
.github/workflows/cargo-audit.yml · Tags: Ports
high Security checks cicd CI/CD security conf 0.56 3 occurrences Compose service does not declare a runtime user
If the image does not set USER, the service runs as root inside the container, and a container escape or a writable bind mount then carries root on the host's files. Set user: uid:gid in the service (or confirm the image's USER) and make the data volume writable by that id.
2 files, 3 locations
examples/lib/loki/docker-compose.yml:1, 8 (2 hits)
examples/lib/oracle-getting-started/docker-compose.yml:1
Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 3 occurrences Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities. It is set per service with security_opt and costs nothing for services that do not depend on setuid helpers, which covers most databases and log agents.
2 files, 3 locations
examples/lib/loki/docker-compose.yml:1, 8 (2 hits)
examples/lib/oracle-getting-started/docker-compose.yml:1
Tags: CI/CD security · containers
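The Compose findings above (published database port, literal secret, missing volume, missing healthcheck, no runtime user, no no-new-privileges) are all fixed in the service definition. The file below is an added example, not the project's docker-compose.yml: a database plus one dependent service, with each weak setting the findings describe shown as a comment beside its hardened replacement. The image names, both digests, the uid:gid values and the secret file paths are placeholders to substitute.

```yaml
# Added example, not drasi-core's compose file. Placeholders to replace: both
# image digests, the app image name, the uid:gid values and the secret file paths.
services:
  db:
    # weak: image: postgres:16                 (tag can be retargeted by the registry)
    image: postgres:16@sha256:0000000000000000000000000000000000000000000000000000000000000000  # placeholder digest
    # weak: no user                             (runs as root unless the image sets USER)
    user: "999:999"                             # uid of the official image's postgres account; adjust per image
    # weak: no security_opt
    security_opt:
      - no-new-privileges:true                  # setuid binaries and file capabilities cannot raise privileges
    # weak: environment: POSTGRES_PASSWORD: example   (literal secret in git, shown by docker inspect)
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password   # official image reads the *_FILE variant
    secrets:
      - db_password
    # weak: no volumes                          (data in the container layer, gone on recreate)
    volumes:
      - db-data:/var/lib/postgresql/data        # named volume inherits the image directory's ownership on first use
    # weak: ports: ["5432:5432"]                (published on 0.0.0.0, reachable from the network)
    # Containers on the same Compose network reach db by name without any mapping;
    # keep this only for a host-side client, bound to loopback.
    ports:
      - "127.0.0.1:5432:5432"
    # weak: no healthcheck                      (dependents start before the db accepts connections)
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 5s
      timeout: 3s
      retries: 10
  app:
    image: example.invalid/app@sha256:1111111111111111111111111111111111111111111111111111111111111111  # placeholder
    user: "10001:10001"
    security_opt:
      - no-new-privileges:true
    secrets:
      - app_db_url                              # read from /run/secrets/app_db_url; how is application-specific
    depends_on:
      db:
        condition: service_healthy              # wait for the healthcheck, not just container start
secrets:
  db_password:
    file: ./secrets/db_password                 # local files listed in .gitignore; never the literal value
  app_db_url:
    file: ./secrets/app_db_url
volumes:
  db-data:
```

Compose secrets are mounted as files under /run/secrets, so they appear neither in docker inspect nor in the process environment; the *_FILE convention is supported by the official postgres image, and for images without it a small entrypoint wrapper can read the file into the variable at start.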
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting; by its name, the host-sdk secret_store proxy is the place to check for drift first, since that code sits on the secret-handling path.
12 files, 14 locations
components/host-sdk/src/proxies/secret_store.rs:80, 95 (2 hits)
components/host-sdk/src/proxies/source.rs:70, 268 (2 hits)
components/bootstrappers/gtfs-rt/src/descriptor.rs:34
components/bootstrappers/here-traffic/src/descriptor.rs:48
components/bootstrappers/http/src/descriptor.rs:377
components/bootstrappers/mssql/src/descriptor.rs:68
components/bootstrappers/mysql/src/descriptor.rs:41
components/bootstrappers/noop/src/descriptor.rs:20
Tags: duplication · quality
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Tags: Deployment
low System graph quality Complexity conf 1.00 Very large file: components/bootstrappers/http/tests/integration_test.rs (2319 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: components/host-sdk/tests/integration_test.rs (3103 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: components/indexes/garnet/tests/scenario_tests.rs (1535 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: components/plugin-sdk/src/ffi/vtable_gen.rs (3621 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: components/reactions/mcp/src/mcp.rs (1738 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: components/sources/dataverse/src/lib.rs (1699 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: components/sources/http/src/lib.rs (2422 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: components/sources/mock/src/tests.rs (1563 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: components/sources/mssql/tests/integration_test.rs (1659 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: components/sources/platform/src/lib.rs (1543 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: components/sources/postgres/src/lib.rs (1772 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: components/state_stores/redb/src/provider.rs (1684 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: core/src/evaluation/expressions/mod.rs (2281 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: core/src/evaluation/expressions/tests/datetime.rs (1825 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: core/src/evaluation/expressions/tests/time.rs (1645 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: core/src/evaluation/functions/temporal_duration/temporal_duration.rs (1155 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: core/src/evaluation/functions/temporal_instant/temporal_instant.rs (2318 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: lib/src/component_graph/graph.rs (1312 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: lib/src/component_graph/tests.rs (1966 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: lib/src/lib_core.rs (2369 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: lib/src/queries/checkpoint_tests.rs (3578 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: lib/src/queries/manager.rs (3033 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: lib/src/queries/tests.rs (1514 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: lib/src/reactions/manager.rs (2549 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: lib/src/sources/base.rs (2553 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: lib/src/sources/tests.rs (1573 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: query-gql/src/tests.rs (5085 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/53f24a18-76d5-4efb-9204-e2b73b09ea39/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/53f24a18-76d5-4efb-9204-e2b73b09ea39/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.