Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
43 of your 193 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.24s · analysis 19.06s · 2.4 MB · GitHub preflight 418ms

fatedier/frp

https://github.com/fatedier/frp · scanned 2026-06-05 05:50 UTC (1 week, 1 day ago) · 10 languages

251 raw signals (183 security + 68 graph) 62nd percentile · Go · medium (20-100K LoC) System graph score 75 (lower by 4)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 1 day ago · v2 · 136 actionable findings from 2 signal sources. 81 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
72.3
/100
Security checks
70
112 findings
System graph
75
88.9% cov · 24 findings
Critical
2
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 53.0 0.25 13.25
testing_score 85.0 0.20 17.00
documentation_score 63.0 0.15 9.45
practices_score 85.0 0.15 12.75
code_quality 60.7 0.10 6.07
Overall 1.00 71.3
Severity distribution — click a segment to filter
Active filters: severity: medium × excluding tests × Reset all
Severity: Critical 2 High 69 Medium 14 Low 29 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 112 System graph 24 Crowd 0 Layer: Software 103 Security 3 Quality 26 Cicd 2 Api 1 Network 1
Scan summary Quality grade B (71/100). Dimensions: security 53, maintainability 85. 183 findings (84 security). 61,051 lines analyzed.

Showing 13 of 136 actionable findings. 217 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

medium Security checks security Crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
pkg/transport/tls.go:149
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
hack/run-e2e.sh:14
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
hack/run-e2e-compatibility.sh:15
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-jxxr-4gwj-5jf2
brace-expansion: Large numeric range defeats documented `max` DoS protection
web/package-lock.json
medium Security checks software dependencies conf 0.88 github.com/Azure/go-ntlmssp: GHSA-pjcq-xvwq-hhpj
go-ntlmssp NTLM challenges can panic on malformed payloads
go.mod
medium Security checks software dependencies conf 0.88 github.com/quic-go/quic-go: GHSA-vvgj-x9jq-8cj9
quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion
go.mod
medium Security checks software dependencies conf 0.90 2 occurrences npm package `eslint-plugin-vue` is 1 major version(s) behind (9.33.0 -> 10.9.2)
`eslint-plugin-vue` is pinned/resolved at 9.33.0 but the latest stable release on the npm registry is 10.9.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
web/frpc/package.json
web/frps/package.json
medium Security checks software dependencies conf 0.90 2 occurrences npm package `unplugin-auto-import` is 21 major version(s) behind (0.17.8 -> 21.0.0)
`unplugin-auto-import` is pinned/resolved at 0.17.8 but the latest stable release on the npm registry is 21.0.0 (21 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs r…
2 files, 2 locations
web/frpc/package.json
web/frps/package.json
medium Security checks software dependencies conf 0.90 2 occurrences npm package `unplugin-vue-components` is 32 major version(s) behind (0.26.0 -> 32.1.0)
`unplugin-vue-components` is pinned/resolved at 0.26.0 but the latest stable release on the npm registry is 32.1.0 (32 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PR…
2 files, 2 locations
web/frpc/package.json
web/frps/package.json
medium Security checks software dependencies conf 0.90 2 occurrences npm package `vue-router` is 1 major version(s) behind (4.6.4 -> 5.1.0)
`vue-router` is pinned/resolved at 4.6.4 but the latest stable release on the npm registry is 5.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
web/frpc/package.json
web/frps/package.json
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/frpc/src/api/http.ts:19
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/frps/src/api/http.ts:34
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph cicd CI/CD security conf 1.00 10 occurrences GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-qemu-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
3 files, 10 locations
.github/workflows/build-and-push-image.yml:27, 30, 41, 47, 64, 75 (6 hits)
.github/workflows/golangci-lint.yml:32 (2 hits)
.github/workflows/goreleaser.yml:33 (2 hits)
CI/CD securitySupply chainGitHub Actions
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/63a5dcbb-05a2-49a9-ba26-bc3a6d948f74/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/63a5dcbb-05a2-49a9-ba26-bc3a6d948f74/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.