
Scan timing: clone 1.3s · analysis 0.64s · 0.7 MB · GitHub API rate-limit (preflight)

vinayluffy-12/payrollproject

https://github.com/vinayluffy-12/payrollproject.git · scanned 2026-05-28 06:07 UTC (1 week, 1 day ago) · 10 languages

270 findings (88 legacy + 182 scanner) 30th percentile · Javascript · small (2-20K LoC)


Complete repo analysis

Last scanned 1 week, 1 day ago · v2 · 179 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score            75.0     0.15          11.25
security_score             65.9     0.25          16.48
testing_score               0.0     0.20           0.00
documentation_score        40.0     0.15           6.00
practices_score            50.0     0.15           7.50
code_quality               69.4     0.10           6.94
Overall                             1.00           48.2
Scan summary Repository scanned at 46.3/100 with 100.0% coverage. It contains 206 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 91 findings — concentrated in api (52), software (15), frontend (8). Risk profile is high: 0 critical, 3 high, 8 medium. Recommended next step: open the api layer findings first — that's where the highest-impact wins live.

Showing 164 of 179 findings.

[critical] Legacy · cicd · docker · conf 0.96
Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
docker-compose.yml:27 [docker, legacy]

[critical] Legacy · cicd · docker · conf 0.96
Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
docker-compose.yml:4 [docker, legacy]

[critical] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Workflow uses `secrets.AWS_ACCESS_KEY_ID` on a `pull_request` trigger
This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_ACCESS_KEY_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted …
payrollos/.github/workflows/ci-cd.yml:58 [dependency, legacy]

[critical] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Workflow uses `secrets.AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger
This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trus…
payrollos/.github/workflows/ci-cd.yml:59 [dependency, legacy]

[critical] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Workflow uses `secrets.KUBE_CONFIG_PRODUCTION` on a `pull_request` trigger
This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.KUBE_CONFIG_PRODUCTION }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the tru…
payrollos/.github/workflows/ci-cd.yml:119 [dependency, legacy]

[critical] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Workflow uses `secrets.KUBE_CONFIG_STAGING` on a `pull_request` trigger
This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.KUBE_CONFIG_STAGING }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the truste…
payrollos/.github/workflows/ci-cd.yml:98 [dependency, legacy]
[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Action `actions/checkout` pinned to mutable ref `@v3`
`uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
payrollos/.github/workflows/ci-cd.yml:113 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Action `actions/checkout` pinned to mutable ref `@v3`
`uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
payrollos/.github/workflows/ci-cd.yml:92 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Action `actions/checkout` pinned to mutable ref `@v3`
`uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
payrollos/.github/workflows/ci-cd.yml:53 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Action `actions/checkout` pinned to mutable ref `@v3`
`uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
payrollos/.github/workflows/ci-cd.yml:14 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Action `actions/setup-node` pinned to mutable ref `@v3`
`uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
payrollos/.github/workflows/ci-cd.yml:17 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Action `actions/setup-python` pinned to mutable ref `@v4`
`uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
payrollos/.github/workflows/ci-cd.yml:37 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Action `aws-actions/amazon-ecr-login` pinned to mutable ref `@v1`
`uses: aws-actions/amazon-ecr-login@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
payrollos/.github/workflows/ci-cd.yml:64 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v1`
`uses: aws-actions/configure-aws-credentials@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
payrollos/.github/workflows/ci-cd.yml:56 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Action `azure/k8s-set-context` pinned to mutable ref `@v2`
`uses: azure/k8s-set-context@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
payrollos/.github/workflows/ci-cd.yml:116 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Action `azure/k8s-set-context` pinned to mutable ref `@v2`
`uses: azure/k8s-set-context@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
payrollos/.github/workflows/ci-cd.yml:95 [dependency, legacy]
[high] Legacy · cicd · docker · conf 0.84
Database service publishes a host port
Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports.
docker-compose.yml:17 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.84
Database service publishes a host port
Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports.
docker-compose.yml:4 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.92
Dockerfile copies the entire context without .dockerignore
COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.
payrollos/frontend/Dockerfile:6 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.92
Dockerfile copies the entire context without .dockerignore
COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.
payrollos/fraud-service/Dockerfile:5 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.92
Dockerfile copies the entire context without .dockerignore
COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.
payrollos/backend/Dockerfile:5 [docker, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Dockerfile FROM `nginx:alpine` not pinned by digest
`FROM nginx:alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
payrollos/frontend/Dockerfile:10 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Dockerfile FROM `node:18-alpine` not pinned by digest
`FROM node:18-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
payrollos/frontend/Dockerfile:2 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Dockerfile FROM `node:18-alpine` not pinned by digest
`FROM node:18-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
payrollos/backend/Dockerfile:1 [dependency, legacy]

[high] Legacy · software · dependency · conf 0.90 · ✓ Repobility
Dockerfile FROM `python:3.10-slim` not pinned by digest
`FROM python:3.10-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
payrollos/fraud-service/Dockerfile:1 [dependency, legacy]
[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express DELETE /:id has no auth
Express route DELETE /:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/employees.js:225 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST / has no auth
Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/leave.js:32 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST / has no auth
Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/employees.js:57 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /2fa/setup has no auth
Express route POST /2fa/setup declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/auth.js:206 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /2fa/verify has no auth
Express route POST /2fa/verify declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/auth.js:240 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /:id/investigate has no auth
Express route POST /:id/investigate declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/fraud.js:29 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /:id/withdraw has no auth
Express route POST /:id/withdraw declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/wallet.js:45 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /checkin has no auth
Express route POST /checkin declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/attendance.js:47 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /checkout has no auth
Express route POST /checkout declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/attendance.js:110 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /forgot-password has no auth
Express route POST /forgot-password declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/auth.js:172 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /generate-ai has no auth
Express route POST /generate-ai declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/reports.js:104 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /login has no auth
Express route POST /login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/auth.js:14 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /logout has no auth
Express route POST /logout declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/auth.js:326 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /refresh has no auth
Express route POST /refresh declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/auth.js:309 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /register has no auth
Express route POST /register declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/auth.js:94 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /runs has no auth
Express route POST /runs declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/payroll.js:26 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /runs/:id/approve has no auth
Express route POST /runs/:id/approve declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/payroll.js:211 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /runs/:id/calculate has no auth
Express route POST /runs/:id/calculate declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/payroll.js:70 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /runs/:id/disburse has no auth
Express route POST /runs/:id/disburse declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/payroll.js:245 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express POST /verify-otp has no auth
Express route POST /verify-otp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/auth.js:155 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express PUT /:code has no auth
Express route PUT /:code declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/currency.js:44 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express PUT /:id has no auth
Express route PUT /:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/employees.js:206 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express PUT /:id/approve has no auth
Express route PUT /:id/approve declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/leave.js:78 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express PUT /:id/resolve has no auth
Express route PUT /:id/resolve declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/fraud.js:46 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
Express PUT /verify/:requestId has no auth
Express route PUT /verify/:requestId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control.
payrollos/backend/src/routes/admin.js:26 [quality, legacy]

[high] Legacy · quality · quality · conf 0.80 · ✓ Repobility
FastAPI POST /api/v1/fraud/check-run has no auth
Handler `check_payroll_run` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
payrollos/fraud-service/main.py:49 [quality, legacy]
[high] 9-layer · api · wiring · conf 1.00
Dangling fetch: POST http://127.0.0.1:8000/api/v1/fraud/check-run (payrollos/backend/src/routes/payroll.js:157)
`payrollos/backend/src/routes/payroll.js:157` calls `POST http://127.0.0.1:8000/api/v1/fraud/check-run` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios. Normalized path used for matching: `/http:/127.0.0.1:8000/api/v1/fraud/check-run`. If this points at a…
[wiring, dangling-fetch, axios]

[high] 9-layer · api · wiring · conf 1.00
Dangling fetch: POST https://api.openai.com/v1/chat/completions (payrollos/backend/src/routes/reports.js:127)
`payrollos/backend/src/routes/reports.js:127` calls `POST https://api.openai.com/v1/chat/completions` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch. Normalized path used for matching: `/https:/api.openai.com/v1/chat/completions`. If this points at an ex…
[wiring, dangling-fetch, fetch]

[high] 9-layer · security · auth · conf 1.00
FastAPI POST `check_payroll_run` without auth dependency · payrollos/fraud-service/main.py:48
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
payrollos/fraud-service/main.py:48 [auth, owasp, auth.fastapi.unauth_mutation]

[medium] Legacy · quality · quality · conf 1.00
[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks, exactly the surfaces that need tests, with no companion test file. AI agents rewrite handlers fluently but skip the test diff almost every time, leaving high-blast-radius code uncovered. Distinct from generic 'no tests' because we target sensitive surfaces where the absence of tests is itself a risk signal. CWE-1078 (missing test coverage of security-critica
Require a companion test file for any change to auth/admin/users/payments/webhooks paths. CI gate: if `src/auth/*.py` changed in a PR, fail if `tests/auth/*.py` did not also change. For migrations, require an explicit rollback (`op.execute('-- rollback ...')`) plus a test that exercises both direct…
payrollos/fraud-service/main.py:48 [quality, legacy]
[medium] Legacy · quality · quality · conf 0.76
Compliance or security claim is near a placeholder link
Production pages should not pair trust claims such as SOC 2, GDPR, ISO, biometric consent, or encryption with placeholder links.
payrollos/frontend/src/App.jsx:478 [quality, legacy]

[medium] Legacy · quality · quality · conf 0.76
Compliance or security claim is near a placeholder link
Production pages should not pair trust claims such as SOC 2, GDPR, ISO, biometric consent, or encryption with placeholder links.
payrollos/frontend/src/App.jsx:477 [quality, legacy]

[medium] Legacy · quality · quality · conf 0.76
Compliance or security claim is near a placeholder link
Production pages should not pair trust claims such as SOC 2, GDPR, ISO, biometric consent, or encryption with placeholder links.
payrollos/frontend/src/App.jsx:476 [quality, legacy]

[medium] Legacy · quality · quality · conf 0.76
Compliance or security claim is near a placeholder link
Production pages should not pair trust claims such as SOC 2, GDPR, ISO, biometric consent, or encryption with placeholder links.
payrollos/frontend/src/App.jsx:475 [quality, legacy]

[medium] Legacy · quality · quality · conf 0.76
Compliance or security claim is near a placeholder link
Production pages should not pair trust claims such as SOC 2, GDPR, ISO, biometric consent, or encryption with placeholder links.
payrollos/frontend/src/App.jsx:468 [quality, legacy]

[medium] Legacy · quality · quality · conf 0.76
Compliance or security claim is near a placeholder link
Production pages should not pair trust claims such as SOC 2, GDPR, ISO, biometric consent, or encryption with placeholder links.
payrollos/frontend/src/App.jsx:467 [quality, legacy]

[medium] Legacy · quality · quality · conf 0.76
Compliance or security claim is near a placeholder link
Production pages should not pair trust claims such as SOC 2, GDPR, ISO, biometric consent, or encryption with placeholder links.
payrollos/frontend/src/App.jsx:465 [quality, legacy]

[medium] Legacy · quality · quality · conf 0.76
Compliance or security claim is near a placeholder link
Production pages should not pair trust claims such as SOC 2, GDPR, ISO, biometric consent, or encryption with placeholder links.
payrollos/frontend/src/App.jsx:392 [quality, legacy]

[medium] Legacy · cicd · docker · conf 0.88
Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
docker-compose.yml:4 [docker, legacy]

[medium] Legacy · cicd · docker · conf 0.90
Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore [docker, legacy]
[high] Legacy · cicd · docker · conf 0.82
Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
payrollos/frontend/Dockerfile:10 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.82
Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
payrollos/fraud-service/Dockerfile:1 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.82
Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
payrollos/backend/Dockerfile:1 [docker, legacy]

[medium] 9-layer · hardware · security · conf 1.00
Dockerfile runs as root: payrollos/backend/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
[security, container]

[medium] 9-layer · hardware · security · conf 1.00
Dockerfile runs as root: payrollos/fraud-service/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
[security, container]

[medium] 9-layer · hardware · security · conf 1.00
Dockerfile runs as root: payrollos/frontend/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
[security, container]

[medium] 9-layer · cicd · supply-chain · conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
aws-actions/configure-aws-credentials@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
payrollos/.github/workflows/ci-cd.yml:56 [supply-chain, github-actions, pinned-dependencies]

[medium] 9-layer · cicd · supply-chain · conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
aws-actions/amazon-ecr-login@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
payrollos/.github/workflows/ci-cd.yml:64 [supply-chain, github-actions, pinned-dependencies]

[medium] 9-layer · cicd · supply-chain · conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
azure/k8s-set-context@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
payrollos/.github/workflows/ci-cd.yml:95 [supply-chain, github-actions, pinned-dependencies]

[medium] 9-layer · cicd · supply-chain · conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
azure/k8s-set-context@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
payrollos/.github/workflows/ci-cd.yml:116 [supply-chain, github-actions, pinned-dependencies]

[medium] 9-layer · quality · tests · conf 1.00
Very low test-to-source ratio
0 test file(s) for 27 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
[tests, coverage]
[low] Legacy · cicd · docker · conf 0.68
App service does not wait for database health
depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently.
docker-compose.yml:27 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.56
Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
docker-compose.yml:64 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.56
Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
docker-compose.yml:50 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.56
Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
docker-compose.yml:27 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.62
Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml:64 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.62
Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml:50 [docker, legacy]

[high] Legacy · cicd · docker · conf 0.62
Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml:27 [docker, legacy]

[low] Legacy · cicd · docker · conf 0.72
Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
docker-compose.yml:17 [docker, legacy]

[high] Legacy · quality · quality · conf 0.86
Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
payrollos/backend/api/index.js:4 [quality, legacy]

[low] Legacy · quality · documentation
No LICENSE file
Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft).
[documentation, legacy]
[low] 9-layer · hardware · supply-chain · conf 1.00
Docker base image is tag-pinned but not digest-pinned: nginx:alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
payrollos/frontend/Dockerfile:10 [supply-chain, docker, pinned-dependencies]

[low] 9-layer · hardware · supply-chain · conf 1.00
Docker base image is tag-pinned but not digest-pinned: node:18-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
payrollos/frontend/Dockerfile:2 [supply-chain, docker, pinned-dependencies]

[low] 9-layer · hardware · supply-chain · conf 1.00
Docker base image is tag-pinned but not digest-pinned: node:18-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
payrollos/backend/Dockerfile:1 [supply-chain, docker, pinned-dependencies]

[low] 9-layer · hardware · supply-chain · conf 1.00
Docker base image is tag-pinned but not digest-pinned: python:3.10-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
payrollos/fraud-service/Dockerfile:1 [supply-chain, docker, pinned-dependencies]

[low] 9-layer · software · dead-code-candidate · conf 1.00
File has no detected symbols: payrollos/backend/src/app.js
Source file with no class/function declarations: possible config, dead code, or scratch file.
[dead-code-candidate]

[low] 9-layer · software · dead-code-candidate · conf 1.00
File has no detected symbols: payrollos/backend/src/config/db.js
Source file with no class/function declarations: possible config, dead code, or scratch file.
[dead-code-candidate]

[low] 9-layer · software · dead-code-candidate · conf 1.00
File has no detected symbols: payrollos/backend/src/routes/admin.js
Source file with no class/function declarations: possible config, dead code, or scratch file.
[dead-code-candidate]

[low] 9-layer · software · dead-code-candidate · conf 1.00
File has no detected symbols: payrollos/backend/src/routes/auth.js
Source file with no class/function declarations: possible config, dead code, or scratch file.
[dead-code-candidate]

[low] 9-layer · software · dead-code-candidate · conf 1.00
File has no detected symbols: payrollos/backend/src/routes/currency.js
Source file with no class/function declarations: possible config, dead code, or scratch file.
[dead-code-candidate]

[low] 9-layer · software · dead-code-candidate · conf 1.00
File has no detected symbols: payrollos/backend/src/routes/employees.js
Source file with no class/function declarations: possible config, dead code, or scratch file.
[dead-code-candidate]

[low] 9-layer · software · dead-code-candidate · conf 1.00
File has no detected symbols: payrollos/backend/src/routes/fraud.js
Source file with no class/function declarations: possible config, dead code, or scratch file.
[dead-code-candidate]

[low] 9-layer · software · dead-code-candidate · conf 1.00
File has no detected symbols: payrollos/backend/src/routes/leave.js
Source file with no class/function declarations: possible config, dead code, or scratch file.
[dead-code-candidate]

[low] 9-layer · software · dead-code-candidate · conf 1.00
File has no detected symbols: payrollos/backend/src/routes/reports.js
Source file with no class/function declarations: possible config, dead code, or scratch file.
[dead-code-candidate]

[low] 9-layer · software · dead-code-candidate · conf 1.00
File has no detected symbols: payrollos/backend/src/routes/wallet.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: payrollos/frontend/eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: payrollos/frontend/postcss.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: payrollos/frontend/src/main.jsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: payrollos/frontend/tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: payrollos/frontend/vite.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
payrollos/.github/workflows/ci-cd.yml:17 supply-chain github-actions pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
payrollos/.github/workflows/ci-cd.yml:37 supply-chain github-actions pinned-dependencies
low 9-layer frontend frontend-quality conf 1.00 Icon-only button without accessible name — payrollos/frontend/src/App.jsx:487
A `<button>` whose only child is a single glyph or symbol needs `title=` or `aria-label=` so screen readers (and tooltips on hover) work. Why: P3 in CHECKLIST.md — icon-only buttons skipped a title. Rule id: fq.button.no-label
frontend-quality fq.button.no-label
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — api/index.js:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — payrollos/backend/api/index.js:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — payrollos/backend/src/app.js:40
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — payrollos/backend/src/index.js:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — payrollos/backend/src/utils/seeder.js:23
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality fq.console-leak
low 9-layer api wiring conf 1.00 Unused endpoint: DELETE /:id
`payrollos/backend/src/routes/employees.js` declares `DELETE /:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /
`payrollos/backend/src/routes/attendance.js` declares `GET /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:employeeId
`payrollos/backend/src/routes/wallet.js` declares `GET /:employeeId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:id
`payrollos/backend/src/routes/employees.js` declares `GET /:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:id/attendance
`payrollos/backend/src/routes/employees.js` declares `GET /:id/attendance` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:id/leaves
`payrollos/backend/src/routes/employees.js` declares `GET /:id/leaves` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:id/payslips
`payrollos/backend/src/routes/employees.js` declares `GET /:id/payslips` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:id/transactions
`payrollos/backend/src/routes/wallet.js` declares `GET /:id/transactions` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /:id/wallet
`payrollos/backend/src/routes/employees.js` declares `GET /:id/wallet` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/v1/fraud/health
`payrollos/fraud-service/main.py` declares `GET /api/v1/fraud/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /api/v1/health
`payrollos/backend/src/app.js` declares `GET /api/v1/health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /attendance
`payrollos/backend/src/routes/reports.js` declares `GET /attendance` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /audit-logs
`payrollos/backend/src/routes/admin.js` declares `GET /audit-logs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /headcount
`payrollos/backend/src/routes/reports.js` declares `GET /headcount` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /payroll-summary
`payrollos/backend/src/routes/reports.js` declares `GET /payroll-summary` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /rates
`payrollos/backend/src/routes/currency.js` declares `GET /rates` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /runs
`payrollos/backend/src/routes/payroll.js` declares `GET /runs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /salary-register
`payrollos/backend/src/routes/reports.js` declares `GET /salary-register` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /system-health
`payrollos/backend/src/routes/admin.js` declares `GET /system-health` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /tax-liability
`payrollos/backend/src/routes/reports.js` declares `GET /tax-liability` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: GET /verification-queue
`payrollos/backend/src/routes/admin.js` declares `GET /verification-queue` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /
`payrollos/backend/src/routes/employees.js` declares `POST /` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /2fa/setup
`payrollos/backend/src/routes/auth.js` declares `POST /2fa/setup` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /2fa/verify
`payrollos/backend/src/routes/auth.js` declares `POST /2fa/verify` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /:id/withdraw
`payrollos/backend/src/routes/wallet.js` declares `POST /:id/withdraw` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /api/v1/fraud/check-run
`payrollos/fraud-service/main.py` declares `POST /api/v1/fraud/check-run` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /checkin
`payrollos/backend/src/routes/attendance.js` declares `POST /checkin` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /checkout
`payrollos/backend/src/routes/attendance.js` declares `POST /checkout` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /forgot-password
`payrollos/backend/src/routes/auth.js` declares `POST /forgot-password` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /generate-ai
`payrollos/backend/src/routes/reports.js` declares `POST /generate-ai` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /login
`payrollos/backend/src/routes/auth.js` declares `POST /login` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /logout
`payrollos/backend/src/routes/auth.js` declares `POST /logout` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /refresh
`payrollos/backend/src/routes/auth.js` declares `POST /refresh` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /register
`payrollos/backend/src/routes/auth.js` declares `POST /register` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /runs
`payrollos/backend/src/routes/payroll.js` declares `POST /runs` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: POST /verify-otp
`payrollos/backend/src/routes/auth.js` declares `POST /verify-otp` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /:code
`payrollos/backend/src/routes/currency.js` declares `PUT /:code` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /:id
`payrollos/backend/src/routes/employees.js` declares `PUT /:id` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: PUT /verify/:requestId
`payrollos/backend/src/routes/admin.js` declares `PUT /verify/:requestId` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: USE /api/
`payrollos/backend/src/app.js` declares `USE /api/` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: USE /api/v1/admin
`payrollos/backend/src/app.js` declares `USE /api/v1/admin` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: USE /api/v1/attendance
`payrollos/backend/src/app.js` declares `USE /api/v1/attendance` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: USE /api/v1/auth
`payrollos/backend/src/app.js` declares `USE /api/v1/auth` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: USE /api/v1/currencies
`payrollos/backend/src/app.js` declares `USE /api/v1/currencies` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: USE /api/v1/employees
`payrollos/backend/src/app.js` declares `USE /api/v1/employees` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: USE /api/v1/fraud-alerts
`payrollos/backend/src/app.js` declares `USE /api/v1/fraud-alerts` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: USE /api/v1/leaves
`payrollos/backend/src/app.js` declares `USE /api/v1/leaves` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: USE /api/v1/payroll
`payrollos/backend/src/app.js` declares `USE /api/v1/payroll` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: USE /api/v1/reports
`payrollos/backend/src/app.js` declares `USE /api/v1/reports` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer api wiring conf 1.00 Unused endpoint: USE /api/v1/wallets
`payrollos/backend/src/app.js` declares `USE /api/v1/wallets` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
wiring unused-endpoint
low 9-layer quality complexity conf 1.00 Very large file: payrollos/frontend/src/App.jsx (3132 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
This page is publicly accessible at: https://repobility.com/scan/5e3a4bfb-9ca7-4f09-bc7e-de3da5e404e0/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/5e3a4bfb-9ca7-4f09-bc7e-de3da5e404e0/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.