Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 32.42s for a 59.5 MB repo (slow).
  • Repobility's analysis ran in 9.17s after the clone landed.

wekan/wekan

https://github.com/wekan/wekan.git · scanned 2026-05-22 09:04 UTC (2 weeks ago) · 10 languages

849 findings (183 legacy + 666 scanner) · 11/13 scanners ran · 36th percentile · Javascript · large (100-500K LoC) · Scanner says 55 (higher by 21)


Complete repo analysis

Last scanned 2 weeks ago · v2 · 516 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown (2026-05-18-v5)

| Component | Sub-score | Weight | Contribution |
| --- | --- | --- | --- |
| structure_score | 60.0 | 0.15 | 9.00 |
| security_score | 100.0 | 0.25 | 25.00 |
| testing_score | 39.0 | 0.20 | 7.80 |
| documentation_score | 90.0 | 0.15 | 13.50 |
| practices_score | 100.0 | 0.15 | 15.00 |
| code_quality | 57.0 | 0.10 | 5.70 |
| Overall | | 1.00 | 76.0 |

security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: layer: api · excluding tests
Scan summary: Repository scanned at 54.7/100 with 100.0% coverage. It contains 3421 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 333 findings — concentrated in frontend (118), quality (82), software (50). Risk profile is high: 3 critical, 0 high, 31 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 50 of 516 findings.

low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /api/boards/:boardId
`server/models/boards.js` declares `DELETE /api/boards/:boardId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /api/boards/:boardId/cards/:cardId/comments/:commentId
`server/models/cardComments.js` declares `DELETE /api/boards/:boardId/cards/:cardId/comments/:commentId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or do…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /api/boards/:boardId/custom-fields/:customFieldId
`server/models/customFields.js` declares `DELETE /api/boards/:boardId/custom-fields/:customFieldId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documen…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId
`server/models/customFields.js` declares `DELETE /api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /api/boards/:boardId/integrations/:intId
`server/models/integrations.js` declares `DELETE /api/boards/:boardId/integrations/:intId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /api/boards/:boardId/integrations/:intId/activities
`server/models/integrations.js` declares `DELETE /api/boards/:boardId/integrations/:intId/activities` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docum…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /api/boards/:boardId/swimlanes/:swimlaneId
`server/models/swimlanes.js` declares `DELETE /api/boards/:boardId/swimlanes/:swimlaneId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who c…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /
`sandstorm.js` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards
`server/models/boards.js` declares `GET /api/boards` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId
`server/models/boards.js` declares `GET /api/boards/:boardId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/attachments
`server/models/boards.js` declares `GET /api/boards/:boardId/attachments` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/attachments/:attachmentId/export
`models/export.js` declares `GET /api/boards/:boardId/attachments/:attachmentId/export` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who con…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/cards/:cardId/comments
`server/models/cardComments.js` declares `GET /api/boards/:boardId/cards/:cardId/comments` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/cards/:cardId/comments/:commentId
`server/models/cardComments.js` declares `GET /api/boards/:boardId/cards/:cardId/comments/:commentId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or docum…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/custom-fields
`server/models/customFields.js` declares `GET /api/boards/:boardId/custom-fields` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/custom-fields/:customFieldId
`server/models/customFields.js` declares `GET /api/boards/:boardId/custom-fields/:customFieldId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documentin…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/export
`models/export.js` declares `GET /api/boards/:boardId/export` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/export/csv
`models/export.js` declares `GET /api/boards/:boardId/export/csv` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/exportExcel
`models/exportExcel.js` declares `GET /api/boards/:boardId/exportExcel` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/integrations
`server/models/integrations.js` declares `GET /api/boards/:boardId/integrations` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes i…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/integrations/:intId
`server/models/integrations.js` declares `GET /api/boards/:boardId/integrations/:intId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who con…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/lists/:listId/cards
`server/models/cards.js` declares `GET /api/boards/:boardId/lists/:listId/cards` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes i…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/lists/:listId/cards/:cardId
`server/models/cards.js` declares `GET /api/boards/:boardId/lists/:listId/cards/:cardId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/lists/:listId/cards/:cardId/exportExcel
`models/exportExcelCard.js` declares `GET /api/boards/:boardId/lists/:listId/cards/:cardId/exportExcel` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or doc…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/lists/:listId/cards/:cardId/exportPDF
`models/exportPDF.js` declares `GET /api/boards/:boardId/lists/:listId/cards/:cardId/exportPDF` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/swimlanes
`server/models/swimlanes.js` declares `GET /api/boards/:boardId/swimlanes` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/swimlanes/:swimlaneId
`server/models/swimlanes.js` declares `GET /api/boards/:boardId/swimlanes/:swimlaneId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards/:boardId/swimlanes/:swimlaneId/cards
`server/models/cards.js` declares `GET /api/boards/:boardId/swimlanes/:swimlaneId/cards` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who co…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/boards_count
`server/models/boards.js` declares `GET /api/boards_count` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/cards/:cardId
`server/models/cards.js` declares `GET /api/cards/:cardId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/users/:userId/boards
`server/models/boards.js` declares `GET /api/users/:userId/boards` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: OPTIONS /users/login
`server/apiAuthRoutes.js` declares `OPTIONS /users/login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: OPTIONS /users/register
`server/apiAuthRoutes.js` declares `OPTIONS /users/register` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/boards
`server/models/boards.js` declares `POST /api/boards` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/boards/:boardId/cards/:cardId/comments
`server/models/cardComments.js` declares `POST /api/boards/:boardId/cards/:cardId/comments` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/boards/:boardId/copy
`server/models/boards.js` declares `POST /api/boards/:boardId/copy` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/boards/:boardId/custom-fields
`server/models/customFields.js` declares `POST /api/boards/:boardId/custom-fields` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/boards/:boardId/custom-fields/:customFieldId/dropdown-items
`server/models/customFields.js` declares `POST /api/boards/:boardId/custom-fields/:customFieldId/dropdown-items` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removi…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/boards/:boardId/integrations
`server/models/integrations.js` declares `POST /api/boards/:boardId/integrations` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/boards/:boardId/integrations/:intId/activities
`server/models/integrations.js` declares `POST /api/boards/:boardId/integrations/:intId/activities` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documen…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/boards/:boardId/members/:memberId
`server/models/boards.js` declares `POST /api/boards/:boardId/members/:memberId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes i…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/boards/:boardId/swimlanes
`server/models/swimlanes.js` declares `POST /api/boards/:boardId/swimlanes` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /users/login
`server/apiAuthRoutes.js` declares `POST /users/login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /users/register
`server/apiAuthRoutes.js` declares `POST /users/register` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /api/boards/:boardId/custom-fields/:customFieldId
`server/models/customFields.js` declares `PUT /api/boards/:boardId/custom-fields/:customFieldId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documentin…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId
`server/models/customFields.js` declares `PUT /api/boards/:boardId/custom-fields/:customFieldId/dropdown-items/:dropdownItemId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — …
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /api/boards/:boardId/integrations/:intId
`server/models/integrations.js` declares `PUT /api/boards/:boardId/integrations/:intId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who con…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /api/boards/:boardId/labels
`server/models/boards.js` declares `PUT /api/boards/:boardId/labels` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /api/boards/:boardId/swimlanes/:swimlaneId
`server/models/swimlanes.js` declares `PUT /api/boards/:boardId/swimlanes/:swimlaneId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who cons…
wiring · unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /api/boards/:boardId/title
`server/models/boards.js` declares `PUT /api/boards/:boardId/title` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring · unused-endpoint
API access

This page is publicly accessible at: https://repobility.com/scan/5937a6d5-bde9-481f-adad-93b0de1062da/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/5937a6d5-bde9-481f-adad-93b0de1062da/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.