Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 32.42s for a 59.5 MB repo slow.
  • Repobility's analysis ran in 9.17s after the clone landed.

wekan/wekan

https://github.com/wekan/wekan.git · scanned 2026-05-22 09:04 UTC (1 week, 6 days ago) · 10 languages

849 findings (183 legacy + 666 scanner) 11/13 scanners ran 22nd percentile · Javascript · large (100-500K LoC) Scanner says 55 (higher by 21)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 6 days ago · v2 · 516 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
66.7
/100
Repobility
79
183 legacy
9-layer
55
100.0% cov · 333 gaps
Critical
10
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 39.0 0.20 7.80
documentation_score 90.0 0.15 13.50
practices_score 100.0 0.15 15.00
code_quality 57.0 0.10 5.70
Overall 1.00 76.0
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 10 High 120 Medium 48 Low 229 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 183 9-layer 333 Crowd 0 Layer: Quality 182 Security 9 Cicd 54 Software 97 Frontend 118 Network 3 Hardware 3 Api 50
Scan summary Repository scanned at 54.7/100 with 100.0% coverage. It contains 3421 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 333 findings — concentrated in frontend (118), quality (82), software (50). Risk profile is high: 3 critical, 0 high, 31 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 407 of 516 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
stacksmith/user-scripts/boot.sh:11 qualitylegacy
critical Legacy quality quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
docs/Platforms/FOSS/Docker/Meteor3/1createdb.sh:63 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(...)` but never imports `enum`. This raises NameError at runtime the first time the line executes.
Add `import enum` at the top of the file.
openapi/generate_openapi.py:490 qualitylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED123] Trojan Source bidi character (LRM) in source: Line 150 contains a Unicode bidirectional override character (U+200E LRM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see different code than the human reviewer.
Audit the line manually. If the character is not intentional (it almost never is in code), remove it. Configure your editor / pre-commit hook to reject bidi controls in source.
releases/translations/old-pull-translations.sh:150 dependencylegacy
critical Legacy cicd docker conf 0.96 Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:112 dockerlegacy
critical Legacy cicd docker conf 0.96 Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:93 dockerlegacy
critical Legacy cicd docker conf 0.96 Docker image bakes a secret-like ENV value
Remove the secret from the Dockerfile, rotate the value if real, and inject runtime secrets through your platform secret manager.
Dockerfile:15 dockerlegacy
critical Legacy cicd docker conf 0.96 Docker image bakes a secret-like ENV value
Remove the secret from the Dockerfile, rotate the value if real, and inject runtime secrets through your platform secret manager.
.devcontainer/Dockerfile:15 dockerlegacy
critical 9-layer security secrets conf 1.00 Possible secret in api.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
api.py:87 secrets
critical 9-layer security secrets conf 1.00 Possible secret in docs/Platforms/FOSS/OpenShift/wekan.yml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
docs/Platforms/FOSS/OpenShift/wekan.yml:34 secrets
critical 9-layer security secrets conf 1.00 Possible secret in docs/Platforms/FOSS/OpenShift/wekan.yml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
docs/Platforms/FOSS/OpenShift/wekan.yml:36 secrets
high Legacy quality quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.
releases/install-sandstorm.sh:4 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._decode` used but never assigned in __init__: Method `_decode` of class `JS2jsonDecoder` reads `self._decode`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._decode = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:115 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._decode` used but never assigned in __init__: Method `_decode` of class `JS2jsonDecoder` reads `self._decode`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._decode = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:113 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._decode` used but never assigned in __init__: Method `decode` of class `JS2jsonDecoder` reads `self._decode`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._decode = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:104 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._path` used but never assigned in __init__: Method `compute_path` of class `EntryPoint` reads `self._path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._path = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:165 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.description` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.description`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.description = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:419 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.doc_param` used but never assigned in __init__: Method `print_openapi_param` of class `EntryPoint` reads `self.doc_param`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.doc_param = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:344 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.error` used but never assigned in __init__: Method `print_openapi_return` of class `EntryPoint` reads `self.error`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.error = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:396 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.info` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.info`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.info = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:324 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.log` used but never assigned in __init__: Method `error` of class `EntryPoint` reads `self.log`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.log = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:179 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.log` used but never assigned in __init__: Method `info` of class `EntryPoint` reads `self.log`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.log = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:185 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.log` used but never assigned in __init__: Method `warn` of class `EntryPoint` reads `self.log`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.log = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:182 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.operationId` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.operationId`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.operationId = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:414 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.print_openapi_param` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.print_openapi_param`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.print_openapi_param = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:449 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.print_openapi_return` used but never assigned in __init__: Method `print_openapi_return` of class `EntryPoint` reads `self.print_openapi_return`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.print_openapi_return = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:399 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.print_openapi_return` used but never assigned in __init__: Method `print_openapi_return` of class `EntryPoint` reads `self.print_openapi_return`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.print_openapi_return = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:392 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.print_openapi_return` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.print_openapi_return`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.print_openapi_return = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:460 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.returns` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.returns`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.returns = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:460 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.returns` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.returns`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.returns = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:458 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.summary` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.summary`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.summary = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:417 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.summary` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.summary`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.summary = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:416 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.tags` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.tags`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.tags = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:427 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.tags` used but never assigned in __init__: Method `print_openapi` of class `EntryPoint` reads `self.tags`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.tags = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:429 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.warn` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.warn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.warn = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:258 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.warn` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.warn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.warn = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:271 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.warn` used but never assigned in __init__: Method `doc` of class `EntryPoint` reads `self.warn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.warn = <default>` in __init__, or add a class-level default.
openapi/generate_openapi.py:301 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:108 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/cache@<40-char-sha> # v5` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:101 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:96 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:43 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/playwright.yml:137 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/playwright.yml:58 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/playwright.yml:18 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/download-artifact@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:471 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/download-artifact@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:422 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/download-artifact@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:300 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/download-artifact@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:234 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/download-artifact@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:174 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:409 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:120 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/playwright.yml:140 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/playwright.yml:61 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/playwright.yml:21 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:456 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:337 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:271 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:205 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:141 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/playwright.yml:115 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v7` and let Dependabot bump it on a scheduled cadence.
.github/workflows/playwright.yml:107 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v3`: `uses: softprops/action-gh-release@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: softprops/action-gh-release@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-all.yml:477 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `gitpod/workspace-mongodb (no tag)` not pinned by digest: `FROM gitpod/workspace-mongodb (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM gitpod/workspace-mongodb (no tag)@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
.gitpod.Dockerfile:1 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:24.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
.devcontainer/Dockerfile:1 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:24.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
Dockerfile:1 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `mongo:7` unpinned: `container/services image: mongo:7` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `mongo:7@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/playwright.yml:128 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `mongo:7` unpinned: `container/services image: mongo:7` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `mongo:7@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/playwright.yml:49 dependencylegacy
high Legacy software xxe conf 1.00 [SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs.
Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all.
packages/wekan-accounts-cas/cas_server.js:63 xxelegacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
models/avatars.js:43 qualitylegacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
models/attachments.js:41 qualitylegacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
client/components/settings/translationBody.js:106 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
server/models/activities.js:171 qualitylegacy
high Legacy cicd docker conf 0.90 Compose service bind-mounts a sensitive host path
Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:147 dockerlegacy
high Legacy cicd docker conf 0.90 Compose service bind-mounts a sensitive host path
Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:709 dockerlegacy
high Legacy cicd docker conf 0.90 Compose service bind-mounts a sensitive host path
Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:112 dockerlegacy
high Legacy cicd docker conf 0.90 Compose service bind-mounts a sensitive host path
Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:93 dockerlegacy
high Legacy cicd docker conf 0.90 Compose service bind-mounts a sensitive host path
Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths.
docker-compose.yml:265 dockerlegacy
high Legacy cicd docker conf 0.90 Compose service bind-mounts a sensitive host path
Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths.
docker-compose.yml:224 dockerlegacy
high Legacy cicd docker conf 0.90 Compose service bind-mounts a sensitive host path
Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths.
.devcontainer/docker-compose.yml:18 dockerlegacy
high Legacy cicd docker conf 0.90 Compose service bind-mounts a sensitive host path
Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths.
.devcontainer/docker-compose.yml:4 dockerlegacy
high Legacy cicd docker conf 0.90 Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:112 dockerlegacy
high Legacy cicd docker conf 0.84 Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:709 dockerlegacy
high Legacy cicd docker conf 0.84 Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:112 dockerlegacy
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
authlegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
server/models/activities.js:313 error_handlinglegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
client/components/unicode-icons.js:66 error_handlinglegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
client/00-startup.js:15 error_handlinglegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
openapi/generate_openapi.py:811 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
api.py:785 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
api.py:568 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
api.py:412 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
api.py:389 qualitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
packages/wekan-accounts-cas/cas_client_cordova.js:65 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
packages/wekan-accounts-cas/cas_client.js:115 securitylegacy
medium Legacy software open_redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
packages/wekan-accounts-cas/cas_client.js:51 open_redirectlegacy
medium Legacy software open_redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
config/accounts.js:128 open_redirectlegacy
medium Legacy quality quality conf 0.76 Calendar/event date parsing can crash on malformed persisted data
Parse event dates through a safe helper that returns null for invalid input, filter invalid events before render, and surface data-repair guidance instead of throwing during render.
models/csvCreator.js:310 qualitylegacy
medium Legacy quality quality conf 0.76 Calendar/event date parsing can crash on malformed persisted data
Parse event dates through a safe helper that returns null for invalid input, filter invalid events before render, and surface data-repair guidance instead of throwing during render.
client/components/gantt/gantt.js:110 qualitylegacy
medium Legacy cicd docker conf 0.94 Compose service `wekan` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:265 dockerlegacy
medium Legacy cicd docker conf 0.84 Database data bind mount is inside the Docker build context
Prefer a named volume or a host path outside the build context. If a repo-local path is required, add it to .dockerignore and .gitignore and verify backups separately.
.devcontainer/docker-compose.yml:4 dockerlegacy
medium Legacy cicd docker conf 0.88 Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:709 dockerlegacy
medium Legacy cicd docker conf 0.88 Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:112 dockerlegacy
medium Legacy cicd docker conf 0.88 Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
docker-compose.yml:224 dockerlegacy
medium Legacy cicd docker conf 0.88 Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
.devcontainer/docker-compose.yml:4 dockerlegacy
high Legacy quality quality conf 0.80 localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
client/components/swimlanes/swimlanes.js:106 qualitylegacy
medium Legacy quality quality conf 0.70 Public web app has no Content Security Policy
Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors.
index.html qualitylegacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt qualitylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
docs/Platforms/FOSS/Source/Source.md:23 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
docs/Platforms/FOSS/Source/Install-from-source-without-root.md:10 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
docs/Platforms/FOSS/Sandstorm/Developing-Wekan-for-Sandstorm.md:15 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
docs/Platforms/FOSS/Sandstorm/Building-Wekan-for-Sandstorm.md:62 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
docs/DeveloperDocs/Debugging.md:99 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
docs/Databases/FerretDB2-PostgreSQL.md:28 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
README.md:127 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
.travis.yml:12 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
.github/workflows/release-all.yml:127 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
.github/workflows/playwright.yml:27 dependencylegacy
medium Legacy quality quality conf 0.86 robots.txt blocks the full public site
Replace full-site blocking with specific private path disallows, or add explicit Allow rules for public docs and landing pages.
public/robots.txt qualitylegacy
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — client/components/cards/attachments.js:279
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — client/components/gantt/gantt.js:41
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — client/components/import/import.js:343
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — client/components/settings/peopleBody.js:283
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — client/lib/attachmentMigrationManager.js:239
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — client/lib/exportHTML.js:94
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — imports/cronMigrationClient.js:71
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — imports/i18n/tap.js:78
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — imports/reactiveCache.js:84
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — models/attachments.js:115
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — models/avatars.js:100
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — models/lib/attachmentBackwardCompatibility.js:222
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — models/lockoutSettings.js:54
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/wekan-fullcalendar/fullcalendar/fullcalendar.js:8708
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/wekan-fullcalendar/fullcalendar/fullcalendar.min.js:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/wekan-oidc/oidc_server.js:180
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — server/publications/cards.js:951
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — server/publications/users.js:153
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-qemu-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-all.yml:226 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-qemu-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-all.yml:292 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
softprops/action-gh-release@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-all.yml:477 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
helm/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:28 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-all.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/docker-publish.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml supply-chaingithub-actionsleast-privilege
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — api.py:173
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — docs/ImportExport/trello/api.py:86
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer network security conf 1.00 Privileged port 10 in use
Port 10 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
docker-compose.yml securityports
medium 9-layer network security conf 1.00 Privileged port 20 in use
Port 20 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
releases/build-cache/http/phpdevserver.sh securityports
medium 9-layer network security conf 1.00 Privileged port 47 in use
Port 47 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
releases/snapcraft-local.yaml securityports
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
42 test file(s) for 511 source file(s) (ratio 0.08). Consider adding integration or unit tests for critical paths.
testscoverage
low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore dockerlegacy
low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
npm-packages/meteor-jade-loader/index.js:30 qualitylegacy
low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
models/server/metrics.js:220 qualitylegacy
low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
docs/ImportExport/trello/api.py:155 qualitylegacy
low Legacy cicd docker conf 0.68 App service does not wait for database health
Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:147 dockerlegacy
low Legacy cicd docker conf 0.68 App service does not wait for database health
Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`.
.devcontainer/docker-compose.yml:18 dockerlegacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:147 dockerlegacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
docker-compose.yml:265 dockerlegacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docs/Databases/ToroDB-PostgreSQL/docker-compose.yml:147 dockerlegacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docker-compose.yml:265 dockerlegacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
.devcontainer/docker-compose.yml:18 dockerlegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/exportPDF.js:37 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/exportPDF.js:32 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/exportExcel.js:31 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/customFields.js:76 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/checklists.js:23 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/checklists.js:21 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/checklists.js:20 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/checklistItems.js:24 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/cardComments.js:26 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/cardComments.js:23 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/avatars.js:20 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/announcements.js:17 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/announcements.js:6 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
models/accountSettings.js:16 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
imports/lib/secureDOMPurify.js:5 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
config/query-classes.js:5 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
config/query-classes.js:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/lib/pasteImage.js:36 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/lib/filter.js:7 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/lib/filter.js:4 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/config/blazeHelpers.js:18 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/config/blazeHelpers.js:14 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/components/users/userHeader.js:264 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/components/swimlanes/swimlanes.js:569 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/components/swimlanes/swimlanes.js:412 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/components/swimlanes/swimlaneHeader.js:45 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/components/settings/adminReports.js:243 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/components/rules/actions/checklistActions.js:45 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/components/lists/listHeader.js:343 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
client/components/cards/cardDate.js:9 qualitylegacy
low Legacy quality quality conf 0.64 Public docs site has no llms.txt
Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents.
llms.txt qualitylegacy
low Legacy quality quality conf 0.50 Public web app has no humans.txt
Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date.
humans.txt qualitylegacy
low Legacy quality quality conf 0.72 Public web app has no sitemap
Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt.
sitemap.xml qualitylegacy
low Legacy quality quality conf 0.74 robots.txt does not advertise a sitemap
Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt.
public/robots.txt qualitylegacy
low 9-layer quality maintenance conf 1.00 237 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coveragedeployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ubuntu:24.04
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:1 supply-chaindockerpinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ubuntu:24.04
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
.devcontainer/Dockerfile:1 supply-chaindockerpinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: api.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/boardConversionProgress.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/boards/boardArchive.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/boards/originalPositionsView.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/cards/cardCustomFields.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/cards/cardDescription.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/cards/resultCard.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/cards/subtasks.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/forms/datepicker.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/gantt/ganttCard.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/lib/basicTabs.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/main/accessibility.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/main/bookmarks.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/main/brokenCards.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/main/header.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/main/myCards.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/main/popup.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/main/spinner.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/main/support.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/notifications/notification.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/notifications/notificationsDrawer.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/rules/actions/boardActions.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/rules/actions/cardActions.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/rules/actions/checklistActions.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/rules/actions/mailActions.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/rules/ruleDetails.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/rules/rulesList.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/rules/triggers/boardTriggers.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/rules/triggers/cardTriggers.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/rules/triggers/checklistTriggers.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/settings/attachments.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/settings/connectionMethod.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/settings/informationBody.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/settings/invitationCode.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/settings/lockedUsersBody.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/settings/settingHeader.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/sidebar/sidebarSearches.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/users/avatarUpdateCounter.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/components/users/passwordInput.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/config/gecko-fix.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/imports.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/lib/boardMultiSelection.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/lib/escapeActions.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/lib/fixDuplicateLists.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/lib/inlinedform.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/lib/jquery-ui.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/lib/pasteImage.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/main.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: client/styles.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: rspack.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/playwright.yml:21 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/playwright.yml:61 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/playwright.yml:107 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/playwright.yml:115 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/playwright.yml:140 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-all.yml:101 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-all.yml:108 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/download-artifact@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-all.yml:174 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/download-artifact@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-all.yml:234 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/download-artifact@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-all.yml:300 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/download-artifact@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-all.yml:422 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/download-artifact@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-all.yml:471 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-publish.yml:35 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:18 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/depsreview.yaml:12 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/dependency-review-action@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/depsreview.yaml:14 supply-chaingithub-actionspinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `daysOld` in server/cronJobStorage.js:381
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `daysOld` in server/cronMigrationManager.js:3263
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `toLegacy` in packages/wekan-fullcalendar/fullcalendar/fullcalendar.js:1579
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `toLegacy` in packages/wekan-fullcalendar/fullcalendar/fullcalendar.min.js:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: openapi/generate_openapi.py:process_jsdocs, openapi/generate_openapi.py:process_jsdocs This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: openapi/generate_openapi.py:print_openapi_param, openapi/generate_openapi.py:print_openapi, openapi/generate_openapi.py:print_openapi, openapi/generate_openapi.py:print_openapi This is *the* AI-coder failure mode (4× more duplication in vibe-coded re…
integrityduplicatedry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 6 places
Functions with the same first-5-line body hash: openapi/generate_openapi.py:doc, openapi/generate_openapi.py:doc, openapi/generate_openapi.py:doc, openapi/generate_openapi.py:doc This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Cons…
integrityduplicatedry
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
packages/wekan-fontawesome/fontawesome-free/package.json supply-chainnpminstall-scripts
low 9-layer frontend frontend-quality conf 1.00 React Flow edge with `label=` but no project-wide edge-label CSS override — packages/wekan-fullcalendar/fullcalendar/lib/jquery-ui.min.js:8
React Flow edge labels render with a white rectangle behind the text by default, which scatters bright boxes across a dark canvas. Either drop the label, or override `.react-flow__edge-textbg` and `.react-flow__edge-text` in your stylesheet. Why: P-H in CHECKLIST.md — vendor edge labels bleed whit…
frontend-qualityfq.edge-label.no-bg
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/00-startup.js:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/boards/boardBody.js:41
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/boards/boardHeader.js:117
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/cards/attachments.js:453
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/cards/cardDetails.js:1881
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/lists/listHeader.js:451
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/main/dueCards.js:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/main/globalSearch.js:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/main/myCards.js:7
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/rules/rulesActions.js:31
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/rules/rulesTriggers.js:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/settings/adminReports.js:194
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/settings/peopleBody.js:1555
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/settings/settingBody.js:470
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/components/users/userHeader.js:266
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/lib/attachmentMigrationManager.js:109
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/lib/boardConverter.js:73
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/lib/cardSearch.js:137
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/lib/exportHTML.js:282
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/lib/fixDuplicateLists.js:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — client/lib/uploadProgressManager.js:62
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — config/query-classes.js:299
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — migrations/009_fix_v795_due_dates.js:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — models/attachments.server.js:345
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — models/avatars.server.js:178
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — models/cardComments.js:169
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — models/fileValidation.js:114
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak

Showing first 300 of 407. Refine filters or use the legacy findings page for deep search.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/5937a6d5-bde9-481f-adad-93b0de1062da/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/5937a6d5-bde9-481f-adad-93b0de1062da/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.