
Scan timing: clone 1.28s · analysis 1.36s · 0.5 MB · GitHub API rate-limit (preflight)

karenrlacour-collab/luminapost-elite

https://github.com/karenrlacour-collab/luminapost-elite.git · scanned 2026-05-25 16:20 UTC (2 weeks, 4 days ago) · 10 languages

118 raw signals (24 security + 94 graph) · 2nd percentile · TypeScript · small (2-20K LoC) · System graph score 67 (lower by 22)


Complete repo analysis

Last scanned 2 weeks, 4 days ago · v2 · 67 actionable findings from 2 signal sources. 4 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score           100.0     0.15          15.00
security_score             63.6     0.25          15.90
testing_score               0.0     0.20           0.00
documentation_score         0.0     0.15           0.00
practices_score            40.0     0.15           6.00
code_quality               77.9     0.10           7.79
Overall                              1.00          44.7
Active filters: severity: info · excluding tests
Scan summary: Quality grade D (45/100). Dimensions: security 64, maintainability 100. 24 findings (3 security). 8,010 lines analyzed.

Showing 10 of 67 actionable findings. 71 raw detector signals were grouped into reader-sized issues.

info · Security checks · software · SSRF · conf 1.00 · [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching:

    ALLOWED = {'images.example.com', 'cdn.example.com'}
    host = urlparse(url).hostname
    if host not in ALLOWED:
        abort(400)

Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
src/components/ArticleEditor.tsx:45
info · Security checks · software · XSS · conf 1.00 · [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
src/components/ui/chart.tsx:75
info · Security checks · quality · Testing · No test files found
Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions.
info · Security checks · quality · Practices · No CI/CD configuration found
Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request.
info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · 3 occurrences · [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with a logger or removed.
Review and fix per the pattern semantics. See CWE-532 for context.
3 files, 3 locations
src/integrations/supabase/auth-middleware.ts:21
src/integrations/supabase/client.server.ts:18
src/integrations/supabase/client.ts:17
info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · 3 occurrences · [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
Review and fix per the pattern semantics. See CWE-682 for context.
3 files, 3 locations
src/components/BreakingTicker.tsx:33
src/components/ParticlesBackground.tsx:42
src/routes/about.tsx:91
info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair it with DOMPurify, or never use it with user data.
Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context.
src/routes/article.$slug.tsx:100
info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair it with DOMPurify, or never use it with user data.
Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context.
src/components/ui/chart.tsx:73
info · System graph · quality · Integrity · conf 1.00 · Commented-code block (6 lines) in vite.config.ts:1
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
Tags: commented code · dead code
info · System graph · api · Coverage · conf 1.00 · No API endpoints detected
The scanner did not find FastAPI/Flask/Express/NestJS/GraphQL/gRPC routes. If this repo exposes APIs, the framework may be unsupported.
API access

This page is publicly accessible at: https://repobility.com/scan/6309549d-7da0-4fbd-99ea-56f06c1cc8a9/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/6309549d-7da0-4fbd-99ea-56f06c1cc8a9/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.