Public scan — anyone with this URL can view this analysis.
34 of your 124 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.65s · analysis 21.78s · 3.3 MB · GitHub API rate-limit (preflight)

hackclub/hackatime

https://github.com/hackclub/hackatime · scanned 2026-06-05 17:54 UTC (4 days, 20 hours ago) · 10 languages

201 raw signals (117 security + 84 graph) · System graph score 69 (lower by 6)


Complete repo analysis

Last scanned 4 days, 20 hours ago · v2 · 97 actionable findings from 2 signal sources. 62 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component            Sub-score   Weight   Contribution
structure_score           85.0     0.15          12.75
security_score            36.2     0.25           9.05
testing_score             61.0     0.20          12.20
documentation_score       60.8     0.15           9.12
practices_score           86.0     0.15          12.90
code_quality              71.9     0.10           7.19
Overall                            1.00          63.2
Active filters: excluding tests
Scan summary Quality grade C+ (63/100). Dimensions: security 36, maintainability 85. 117 findings (68 security). 42,493 lines analyzed.

Showing 84 of 97 actionable findings. 159 raw detector signals were grouped into reader-sized issues.

critical · Security checks · Quality · conf 1.00 · ✓ Repobility · [MINED013] Password In Url: https://user:password@host — leaks credentials via logs, referrer headers, and error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
docker-compose.yml:15
critical · Security checks · Quality · conf 1.00 · [SEC096] Rails: SQL injection via where("#{...}") or find_by_sql: ActiveRecord where() / find_by_sql with string interpolation enables SQL injection. Concept from Brakeman check_sql — re-authored from OWASP CWE-89.
Use the parameterized form: `.where("name = ?", user_input)` or named placeholders.
app/models/concerns/user_fuzzy_search.rb:68
critical · Security checks · CI/CD security · conf 0.96 · 2 occurrences · Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
docker-compose.yml:1, 23 (2 hits)
Tags: CI/CD security, containers
high · Security checks · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /badge/:user_id/*project.
config/routes.rb:238
high · Security checks · auth · conf 0.70 · 2 occurrences · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /my/settings/goals/:goal_id.
config/routes.rb:186, 187 (2 hits)
high · Security checks · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /users/:id/heartbeats.
config/routes.rb:338
high · Security checks · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /users/:id/update_trust_level.
config/routes.rb:143
high · Security checks · auth · conf 0.70 · [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /users/:id/visualization/quantized.
config/routes.rb:319
high · Security checks · Quality · conf 1.00 · ✓ Repobility · [MINED010] Ruby System Call: system / backticks run a shell; command injection if any argument is dynamic.
Review and fix per the pattern semantics. See CWE-78 for context.
app/jobs/update_geolite2_database_job.rb:33
high · Security checks · Quality · conf 1.00 · 3 occurrences · [SEC097] Rails: force_ssl disabled / protect_from_forgery missing: Rails app disables SSL or CSRF protection. Concept from Brakeman check_force_ssl / check_forgery_setting — re-authored from OWASP A07.
Set `config.force_ssl = true` in production.rb. Use `protect_from_forgery with: :exception`.
3 files, 3 locations
app/controllers/api/hackatime/v1/hackatime_controller.rb:3
app/controllers/api/summary_controller.rb:3
app/controllers/api/v1/badges_controller.rb:4
high · Security checks · Csrf · conf 1.00 · 3 occurrences · [SEC109] Rails skip_forgery_protection / protect_from_forgery disabled: Rails CSRF protection turned off at controller level. Any state-changing endpoint becomes a CSRF target.
Remove the skip. For pure-API controllers, inherit from ActionController::API instead (which doesn't include forgery protection). For Bearer-auth APIs, use `protect_from_forgery with: :null_session` only on those specific controllers.
3 files, 3 locations
app/controllers/api/hackatime/v1/hackatime_controller.rb:3
app/controllers/api/summary_controller.rb:3
app/controllers/api/v1/badges_controller.rb:4
high · Security checks · CI/CD security · conf 0.84 · Database service publishes a host port
Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports.
docker-compose.yml:23
Tags: CI/CD security, containers
high · Security checks · dependencies · conf 0.90 · ✓ Repobility · 3 occurrences · Dockerfile FROM `docker.io/library/ruby (no tag)` not pinned by digest
`FROM docker.io/library/ruby (no tag)` resolves the tag at build time. The registry can re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity.
3 files, 3 locations
Dockerfile:12
Dockerfile.dev:1
Dockerfile.production-worker:10
high · Security checks · CI/CD security · conf 0.92 · Dockerfile pipes a remote script into a shell
Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content.
Dockerfile.dev:24
Tags: CI/CD security, containers
high · Security checks · CI/CD security · conf 0.92 · Dockerfile pipes a remote script into a shell
Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content.
Dockerfile:33
Tags: CI/CD security, containers
low · Security checks · CI/CD security · conf 0.90 · ✓ Repobility · 19 occurrences · GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is pinned to the mutable ref `@v6` (a tag or branch). Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
2 files, 19 locations
.github/workflows/ci.yml:20, 42, 57, 73, 106, 126, 155, 202, +1 more (17 hits)
.github/workflows/update-linguist.yml:18 (2 hits)
Tags: CI/CD security, Supply chain, GitHub Actions
high · Security checks · CI/CD security · conf 0.90 · ✓ Repobility · GitHub Action is tag-pinned rather than SHA-pinned
Action `browser-actions/setup-chrome` is pinned to the mutable ref `@latest` (a tag or branch). Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
.github/workflows/ci.yml:215
Tags: CI/CD security, Supply chain, GitHub Actions
medium · Security checks · CI/CD security · conf 0.90 · ✓ Repobility · 24 occurrences · GitHub Action is tag-pinned rather than SHA-pinned
Action `ruby/setup-ruby` is pinned to the mutable ref `@v1` (a tag or branch). Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
.github/workflows/ci.yml:23, 33, 45, 60, 76, 82, 109, 129, +4 more (24 hits)
Tags: CI/CD security, Supply chain, GitHub Actions
high · Security checks · dependencies · conf 0.88 · lodash-es: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
bun.lock
high · Security checks · dependencies · conf 0.88 · picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
bun.lock
high · Security checks · dependencies · conf 0.90 · ✓ Repobility · 2 occurrences · Workflow container/services image `postgres:16-alpine` unpinned
`container/services image: postgres:16-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
.github/workflows/ci.yml:144, 191 (2 hits)
high · System graph · Supply chain · conf 1.00 · Dockerfile pipes a remote installer into a shell
Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.
Dockerfile:33
Tags: containers, Remote installer
high · System graph · CI/CD security · conf 1.00 · GitHub Action tracks a moving branch
browser-actions/setup-chrome@latest can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/ci.yml:215
Tags: CI/CD security, Supply chain, GitHub Actions
medium · Security checks · auth · conf 0.92 · [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high · Security checks · auth · conf 0.74 · [AUC002] Low visible authorization coverage in route inventory: Only 31.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
high · Security checks · auth · conf 0.66 · [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /docs.
config/routes.rb:134
high · Security checks · auth · conf 0.66 · [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /docs/*path.
config/routes.rb:135
high · Security checks · auth · conf 0.66 · [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /leaderboard_shadowbans.
config/routes.rb:47
high · Security checks · auth · conf 0.66 · [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /my/settings.
config/routes.rb:152
high · Security checks · auth · conf 0.66 · [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /my/settings/appearance.
config/routes.rb:163
high · Security checks · auth · conf 0.66 · [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /my/settings/appearance/theme.
config/routes.rb:164
high · Security checks · auth · conf 0.66 · [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /my/settings/profile.
config/routes.rb:155
high · Security checks · auth · conf 0.66 · [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /my/settings/profile/region.
config/routes.rb:156
high · Security checks · auth · conf 0.66 · [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /my/settings/profile/username.
config/routes.rb:157
high · Security checks · auth · conf 0.66 · [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /my/settings/setup.
config/routes.rb:160
high · Security checks · auth · conf 0.68 · [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /auth/email.
config/routes.rb:120
high · Security checks · auth · conf 0.68 · [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /auth/github.
config/routes.rb:117
high · Security checks · auth · conf 0.68 · [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /auth/github/callback.
config/routes.rb:118
high · Security checks · auth · conf 0.68 · [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /auth/github/unlink.
config/routes.rb:119
high · Security checks · auth · conf 0.68 · [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /auth/hca.
config/routes.rb:113
high · Security checks · auth · conf 0.68 · [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /auth/hca/callback.
config/routes.rb:114
high · Security checks · auth · conf 0.68 · [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /auth/slack.
config/routes.rb:115
high · Security checks · auth · conf 0.68 · [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /auth/slack/callback.
config/routes.rb:116
high · Security checks · auth · conf 0.68 · [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /impersonate/:id.
config/routes.rb:87
high · Security checks · auth · conf 0.68 · [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /stop_impersonating.
config/routes.rb:90
medium · Security checks · Quality · conf 1.00 · [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, and framework internals, and sometimes enables RCE (for example the Django debug page with arbitrary template evaluation).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to the backend but returns a sanitized page to clients.
config/environments/development.rb:32
medium · Security checks · CI/CD security · conf 0.88 · Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
docker-compose.yml:23
Tags: CI/CD security, containers
high · Security checks · CI/CD security · conf 0.82 · Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
Dockerfile.dev:1
Tags: CI/CD security, containers
medium · Security checks · CI/CD security · conf 0.76 · Dockerfile copies broad context with incomplete .dockerignore
COPY . or ADD . is only safe when .dockerignore excludes secrets, git history, keys, and generated artifacts.
Dockerfile.production-worker:49
Tags: CI/CD security, containers
medium · Security checks · CI/CD security · conf 0.76 · Dockerfile copies broad context with incomplete .dockerignore
COPY . or ADD . is only safe when .dockerignore excludes secrets, git history, keys, and generated artifacts.
Dockerfile:70
Tags: CI/CD security, containers
medium · Security checks · dependencies · conf 0.88 · lodash-es: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
bun.lock
medium · Security checks · dependencies · conf 0.90 · npm package `prettier-plugin-svelte` is 1 major version(s) behind (^3.5.2 -> 4.1.0)
`prettier-plugin-svelte` is pinned/resolved at ^3.5.2 but the latest stable release on the npm registry is 4.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
medium · Security checks · dependencies · conf 0.88 · picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
bun.lock
medium · Security checks · dependencies · conf 0.88 · postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
bun.lock
medium · Security checks · Quality · conf 0.70 · Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium · Security checks · Quality · conf 0.78 · Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
high · Security checks · dependencies · conf 0.70 · Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
docs/editors/terminal.md:20
high · Security checks · dependencies · conf 0.70 · Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
app/javascript/pages/WakatimeSetup/Index.svelte:44
medium · System graph · CI/CD security · conf 1.00 · GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase the blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/update-linguist.yml
Tags: CI/CD security, Supply chain, GitHub Actions
medium · System graph · Security · conf 1.00 · Insecure pattern 'weak_hash' in app/models/heartbeat.rb:39
Found a known-risky pattern (weak_hash). Review and replace if possible.
app/models/heartbeat.rb:39
Tags: Weak hash
medium · System graph · Security · conf 1.00 · Insecure pattern 'weak_hash' in app/models/user.rb:298
Found a known-risky pattern (weak_hash). Review and replace if possible.
app/models/user.rb:298
Tags: Weak hash
medium · System graph · Security · conf 1.00 · Privileged port 1000 in use
Port 1000 is privileged (<1024). Make sure the service runs with the right capabilities, or front it with a non-privileged port via a load balancer.
Dockerfile
Tags: Ports
medium · System graph · Tests · conf 1.00 · Very low test-to-source ratio
0 test file(s) for 23 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
Tags: Coverage
low · Security checks · CI/CD security · conf 0.72 · .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore
Tags: CI/CD security, containers
low · Security checks · auth · conf 0.76 · [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low · Security checks · CI/CD security · conf 0.68 · App service does not wait for database health
depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently.
docker-compose.yml:1
Tags: CI/CD security, containers
high · Security checks · CI/CD security · conf 0.56 · Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
docker-compose.yml:1
Tags: CI/CD security, containers
high · Security checks · CI/CD security · conf 0.62 · Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml:1
Tags: CI/CD security, containers
low · Security checks · Quality · conf 0.60 · 6 occurrences · Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
6 files, 6 locations
app/javascript/components/ModalInner.svelte:4
app/javascript/pages/WakatimeAlternative.svelte:126
db/migrate/20250305061242_uniqueness_index_to_hash_on_heartbeats.rb:4
spec/requests/api/v1/users_spec.rb:174
test/controllers/settings_imports_exports_controller_test.rb:36
test/jobs/heartbeat_import_remote_download_job_test.rb:64
Tags: duplication, quality
low · Security checks · dependencies · conf 0.90 · npm package `svelte-check` is minor version(s) behind (^4.4.8 -> 4.6.0)
`svelte-check` is pinned/resolved at ^4.4.8 but the latest stable release on the npm registry is 4.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low · Security checks · Quality · conf 0.50 · Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low · System graph · Coverage · conf 1.00 · Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Tags: Deployment
low · System graph · Supply chain · conf 1.00 · Docker base image is tag-pinned but not digest-pinned: docker.io/library/ruby:$RUBY_VERSION-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:12
Tags: containers, Pinned dependencies
low · System graph · Dead code candidate · conf 1.00 · File has no detected symbols (10 files)
Source file with no class/function declarations — possible config, dead code, or scratch file.
app/javascript/controllers/application.js
app/javascript/pages/Home/signedIn/utils.ts
app/javascript/pages/OAuthApplications/types.ts
app/javascript/pages/Projects/types.ts
app/javascript/pages/Users/Settings/components/SectionIcons.ts
app/javascript/ssr/ssr.ts
app/javascript/types/globals.d.ts
app/javascript/types/vite-env.d.ts
svelte.config.js
vite.config.ts
low · System graph · Frontend quality · conf 1.00 · Stray `console.log` in TS/JS — app/javascript/controllers/admin_timeline_user_selector_controller.js:32
Replace with the toast helper or an error boundary, or remove it. `console.warn` / `console.error` are acceptable. Why: hygiene; stray logging easily leaks debug output. Rule id: fq.console-leak
Tags: Fq console leak
API access

This page is publicly accessible at: https://repobility.com/scan/56bb2fd3-05ef-451b-9d47-d06ccc7ed7eb/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/56bb2fd3-05ef-451b-9d47-d06ccc7ed7eb/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.