File as GitHub Issue (repo: drasi-project/drasi-core)

Push this scan report to drasi-project/drasi-core

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

| Severity | Rule | Title | File:line |
|---|---|---|---|
| CRIT | stripe-access-token | Found a Stripe Access Token, posing a risk to payment processing services and sensitive f… | components/reactions/http/README.md:231 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:1471 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_CI_TRIGGER_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:1469 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:1442 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:1434 |
| CRIT | MINED116 | Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:1268 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:1128 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:1109 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:1074 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:1060 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:1046 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:1030 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:855 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:854 |
| CRIT | MINED116 | Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:853 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:801 |
| CRIT | MINED116 | Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:790 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:685 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:477 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:476 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:460 |
| CRIT | MINED116 | Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:458 |
| CRIT | MINED116 | Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger | .github/workflows/implement-source.lock…:152 |
| HIGH | MINED039 | [MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path. | core/src/evaluation/variable_value/ser.…:47 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | components/sources/postgres/src/scram.rs:198 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | components/reactions/dashboard/static/j…:50 |
| HIGH | SEC040 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | components/reactions/dashboard/static/j…:230 |
| HIGH | SEC040 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML w… | components/reactions/dashboard/static/j…:114 |
| HIGH | SEC006 | [SEC006] XSS Risk: Direct HTML injection without sanitization. | components/reactions/dashboard/static/j…:81 |
| HIGH | MINED003 | [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky … | components/bootstrappers/http/src/respo…:237 |
| HIGH | MINED003 | [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky … | components/bootstrappers/http/src/conte…:120 |
| HIGH | MINED003 | [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky … | components/bootstrappers/here-traffic/s…:308 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | components/bootstrappers/here-traffic/s…:208 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | components/bootstrappers/gtfs-rt/src/li…:176 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | components/bootstrappers/cloudflare-rad…:146 |
| HIGH | DKC013 | Database service has no persistent data volume | examples/lib/oracle-getting-started/doc…:1 |
| HIGH | MINED115 | Action `drasi-project/.github/.github/workflows/devskim.yaml` pinned to mutable ref `@mai… | .github/workflows/devskim.yml:13 |
| HIGH | MINED115 | Action `actions/github-script` pinned to mutable ref `@v7` | .github/workflows/pr-first-approval-lab…:46 |
| HIGH | MINED115 | Action `actions/download-artifact` pinned to mutable ref `@v4` | .github/workflows/pr-first-approval-lab…:39 |
| HIGH | MINED115 | Action `sigstore/cosign-installer` pinned to mutable ref `@v3` | .github/workflows/publish-plugins.yml:113 |
| HIGH | MINED115 | Action `actions/upload-artifact` pinned to mutable ref `@v4` | .github/workflows/pr-first-approval-lab…:36 |
| HIGH | MINED115 | Action `drasi-project/.github/.github/workflows/rust-lint.yaml` pinned to mutable ref `@m… | .github/workflows/ci-lint.yml:16 |
| HIGH | MINED115 | Action `actions/github-script` pinned to mutable ref `@v7` | .github/workflows/pr-assignment-check.y…:29 |
| HIGH | MINED126 | Workflow container/services image `redis:7-alpine` unpinned | .github/workflows/coverage.yaml:134 |
| HIGH | MINED126 | Workflow container/services image `redis:7-alpine` unpinned | .github/workflows/coverage.yaml:44 |
| HIGH | MINED115 | Action `drasi-project/.github/.github/workflows/rust-unit-test.yaml` pinned to mutable re… | .github/workflows/test.yml:21 |
| HIGH | MINED115 | Action `drasi-project/.github/.github/workflows/cargo-audit.yaml` pinned to mutable ref `… | .github/workflows/cargo-audit.yml:12 |
| HIGH | MINED118 | Dockerfile FROM `ubuntu:22.04` not pinned by digest | Dockerfile.cross-windows-gnu:2 |
| HIGH | MINED118 | Dockerfile FROM `ghcr.io/cross-rs/x86_64-pc-windows-gnu:0.2.5` not pinned by digest | Dockerfile.cross-windows-gnu:1 |
| HIGH | MINED118 | Dockerfile FROM `ubuntu:20.04` not pinned by digest | Dockerfile.cross-musl:2 |
| HIGH | MINED118 | Dockerfile FROM `ghcr.io/cross-rs/x86_64-unknown-linux-musl:0.2.5` not pinned by digest | Dockerfile.cross-musl:1 |
| HIGH | MINED118 | Dockerfile FROM `ubuntu:20.04` not pinned by digest | Dockerfile.cross-musl-aarch64:2 |
| HIGH | MINED118 | Dockerfile FROM `ghcr.io/cross-rs/aarch64-unknown-linux-musl:0.2.5` not pinned by digest | Dockerfile.cross-musl-aarch64:1 |
| HIGH | MINED118 | Dockerfile FROM `ubuntu:20.04` not pinned by digest | Dockerfile.cross-gnu-aarch64:2 |
| HIGH | MINED118 | Dockerfile FROM `ghcr.io/cross-rs/aarch64-unknown-linux-gnu:0.2.5` not pinned by digest | Dockerfile.cross-gnu-aarch64:1 |
| HIGH | MINED118 | Dockerfile FROM `ubuntu:20.04` not pinned by digest | Dockerfile.cross-gnu:2 |
| HIGH | MINED118 | Dockerfile FROM `ghcr.io/cross-rs/x86_64-unknown-linux-gnu:0.2.5` not pinned by digest | Dockerfile.cross-gnu:1 |
| HIGH | DKC011 | Database service publishes a host port | examples/lib/oracle-getting-started/doc…:1 |
| MED | SEC134 | [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… | shared-tests/src/use_cases/relabel/mod.…:75 |
| MED | SEC134 | [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… | components/sources/hyperliquid/src/test…:39 |
| MED | DKR007 | Docker build context has no .dockerignore | .dockerignore |
| MED | DKC015 | Database service has no healthcheck | examples/lib/oracle-getting-started/doc…:1 |
| MED | DKR001 | Docker final stage has no non-root USER | Dockerfile.cross-windows-gnu:3 |
| MED | DKR001 | Docker final stage has no non-root USER | Dockerfile.cross-musl-aarch64:3 |
| MED | DKR001 | Docker final stage has no non-root USER | Dockerfile.cross-musl:3 |
| MED | DKR001 | Docker final stage has no non-root USER | Dockerfile.cross-gnu-aarch64:3 |
| MED | DKR001 | Docker final stage has no non-root USER | Dockerfile.cross-gnu:3 |
| MED | AGT007 | localStorage write failures are swallowed silently | components/reactions/dashboard/static/j…:43 |
| MED | DKC007 | Compose service contains a literal secret environment value | examples/lib/oracle-getting-started/doc…:1 |
| MED | DKC007 | Compose service contains a literal secret environment value | examples/lib/loki/docker-compose.yml:8 |
| LOW | AIC003 | Duplicated implementation block across source files | components/reactions/dashboard/src/desc…:143 |
| LOW | AIC003 | Duplicated implementation block across source files | components/reactions/azure-storage/src/…:277 |
| LOW | AIC003 | Duplicated implementation block across source files | components/reactions/aws-sqs/src/lib.rs:36 |
| LOW | AIC003 | Duplicated implementation block across source files | components/plugin-sdk/src/registration.…:55 |
| LOW | AIC003 | Duplicated implementation block across source files | components/indexes/rocksdb/src/storage_…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | components/indexes/rocksdb/src/storage_…:4 |
| LOW | AIC003 | Duplicated implementation block across source files | components/indexes/rocksdb/src/storage_…:16 |
| LOW | AIC003 | Duplicated implementation block across source files | components/indexes/rocksdb/src/result_i…:2 |
| LOW | AIC003 | Duplicated implementation block across source files | components/indexes/rocksdb/src/plugin.rs:87 |
| LOW | AIC003 | Duplicated implementation block across source files | components/host-sdk/src/snapshot_fetche…:106 |
| LOW | AIC003 | Duplicated implementation block across source files | components/host-sdk/src/proxies/source.…:268 |
| LOW | AIC003 | Duplicated implementation block across source files | components/host-sdk/src/proxies/source.…:70 |
| LOW | AIC003 | Duplicated implementation block across source files | components/host-sdk/src/proxies/secret_…:95 |
| LOW | AIC003 | Duplicated implementation block across source files | components/host-sdk/src/proxies/secret_…:80 |
| LOW | AIC003 | Duplicated implementation block across source files | components/host-sdk/src/proxies/reactio…:651 |
| LOW | AIC003 | Duplicated implementation block across source files | components/host-sdk/src/proxies/identit…:89 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/sui-deepbook/s…:61 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/sqlite/src/des…:27 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/scriptfile/src…:23 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/postgres/src/p…:52 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/postgres/src/d…:60 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/platform/src/d…:27 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/oracle/src/ora…:69 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/open511/src/de…:37 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/noop/src/descr…:20 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/mysql/src/desc…:41 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/mssql/src/desc…:68 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/http/src/descr…:377 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/here-traffic/s…:48 |
| LOW | AIC003 | Duplicated implementation block across source files | components/bootstrappers/gtfs-rt/src/de…:34 |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | examples/lib/oracle-getting-started/doc…:1 |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | examples/lib/loki/docker-compose.yml:8 |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | examples/lib/loki/docker-compose.yml:1 |
| LOW | DKC006 | Compose service does not declare a runtime user | examples/lib/oracle-getting-started/doc…:1 |
| LOW | DKC006 | Compose service does not declare a runtime user | examples/lib/loki/docker-compose.yml:8 |
| LOW | DKC006 | Compose service does not declare a runtime user | examples/lib/loki/docker-compose.yml:1 |
| INFO | MINED053 | [MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin… | shared-tests/src/use_cases/relabel/mod.…:76 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | components/reactions/dashboard/static/j…:80 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | components/reactions/dashboard/static/j…:280 |
| INFO | MINED068 | [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled i… | components/host-sdk/src/identity_bridge…:48 |
| INFO | MINED068 | [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled i… | components/host-sdk/src/fetcher.rs:222 |
| INFO | MINED068 | [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled i… | components/ffi-primitives/src/macros.rs:181 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | components/reactions/grpc/src/connectio…:64 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | components/host-sdk/src/fetcher.rs:68 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | components/bootstrappers/platform/src/l…:80 |
| INFO | MINED066 | [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable error… | components/host-sdk/src/proxies/identit…:132 |
| INFO | MINED066 | [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable error… | components/bootstrappers/scriptfile/src…:162 |
| INFO | MINED066 | [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable error… | components/bootstrappers/http/src/respo…:286 |
| INFO | MINED059 | [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. | components/bootstrappers/gtfs-rt/src/de…:82 |
| INFO | MINED059 | [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. | components/bootstrappers/dataverse/src/…:101 |
| INFO | MINED059 | [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. | components/bootstrappers/application/sr…:58 |
121 findings available (after auto-suppression of test files + won't-fix).

Issue body (markdown)

## Code-quality scan: `drasi-project/drasi-core`

**Score: 74/100 (B-)**  ·  121 findings  ·  scanned 2026-06-05 22:09 UTC  ·  332,996 LOC

| Severity | Count |
|---|---|
| CRITICAL | 23 |
| HIGH | 35 |
| MEDIUM | 12 |
| LOW | 36 |

📊 [Full filterable report](https://repobility.com/scan/53f24a18-76d5-4efb-9204-e2b73b09ea39/)  ·  ![scorecard](https://repobility.com/scan/53f24a18-76d5-4efb-9204-e2b73b09ea39/report.png?v=1780697387-s2)

### Top findings

1. **CRITICAL** `stripe-access-token` — Found a Stripe Access Token, posing a risk to payment processing services and sensitive fi
   `components/reactions/http/README.md:231`
2. **CRITICAL** `MINED116` — Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger
   `.github/workflows/implement-source.lock.yml:1471` · ✓ Repobility
3. **CRITICAL** `MINED116` — Workflow uses `secrets.GH_AW_CI_TRIGGER_TOKEN` on a `pull_request` trigger
   `.github/workflows/implement-source.lock.yml:1469` · ✓ Repobility
4. **CRITICAL** `MINED116` — Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger
   `.github/workflows/implement-source.lock.yml:1442` · ✓ Repobility
5. **CRITICAL** `MINED116` — Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger
   `.github/workflows/implement-source.lock.yml:1434` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/53f24a18-76d5-4efb-9204-e2b73b09ea39/_
Megaproject: high spam risk
Could not determine 'drasi-project/drasi-core' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

Already filed
45/128 findings (35%) on this scan are already flagged as test-file, won't-fix, or suppressed. The scan is too noisy to file as a single issue. Curate down to specific actionable findings, or address the false-positive (FP) source first.

The button opens GitHub's new-issue page in a new tab. You will see the title + body pre-filled; review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.