Public scan — anyone with this URL can view this analysis.
188 of your 330 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 528.18s for a 532.2 MB repo (slow).
  • Repobility's analysis ran in 11.71s after the clone landed.

HumanSignal/label-studio

https://github.com/HumanSignal/label-studio · scanned 2026-06-06 00:24 UTC (4 days, 2 hours ago) · 10 languages

301 findings 11/13 scanners ran 93rd percentile · Typescript · large (100-500K LoC)


Complete repo analysis

155 actionable findings from 1 signal source. 145 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component            Sub-score  Weight  Contribution
structure_score           60.0    0.15          9.00
security_score           100.0    0.25         25.00
testing_score             96.0    0.20         19.20
documentation_score       92.0    0.15         13.80
practices_score           94.0    0.15         14.10
code_quality              62.0    0.10          6.20
Overall                      -    1.00          87.3
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests

Showing 75 of 155 actionable findings. 300 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED007] Sql String Concat: cursor.execute(f"... {user_input} ...") — SQL injection.
Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context.
label_studio/core/management/commands/locked_migrate.py:55
high Security checks quality Quality conf 1.00 ✓ Repobility 7 occurrences [MINED107] Missing import: `xml` used but not imported: The file uses `xml.something(...)` but never imports `xml`. This raises NameError at runtime the first time the line executes.
Add `import xml` at the top of the file.
6 files, 7 locations
label_studio/core/label_config.py:89, 421 (2 hits)
label_studio/core/redis.py:205
label_studio/core/utils/common.py:602
label_studio/io_storages/base_models.py:263
label_studio/io_storages/localfiles/models.py:148
label_studio/tasks/validation.py:254
critical Security checks software dependencies conf 0.90 ✓ Repobility [MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: `run:` step interpolates ${{ github.event.pull_request.head.ref }} directly into shell. PR title/body/branch/comment fields are attacker-controllable.
Capture the field into an env var first; reference $ENV_VAR in shell.
.github/workflows/cancel_cicd_pipeline.yml:21
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 16 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
4 files, 16 locations
.github/workflows/cicd_pipeline.yml:93, 235, 242, 379, 384, 385, 395, 397, +3 more (11 hits)
.github/workflows/validator-poetry-lock.yml:17, 32 (2 hits)
.github/workflows/validator-poetry-version.yml:17, 29 (2 hits)
.github/workflows/submodules-validator.yml:19
Tags: CI/CD security, workflow secrets, GitHub Actions
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /<int:pk>/.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
label_studio/webhooks/urls.py:10
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /<int:pk>/file-uploads.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
label_studio/data_import/urls.py:17
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /<int:pk>/import.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
label_studio/data_import/urls.py:14
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /<int:pk>/import/predictions.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
label_studio/data_import/urls.py:15
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /<int:pk>/reimport.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
label_studio/data_import/urls.py:16
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /<int:pk>/tasks/bulk/.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
label_studio/data_import/urls.py:13
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /export/s3/<int:pk>.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
label_studio/io_storages/urls.py:101
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /file-upload/<int:pk>.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
label_studio/data_import/urls.py:9
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /s3/<int:pk>.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
label_studio/io_storages/urls.py:91
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /s3/<int:pk>/sync.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
label_studio/io_storages/urls.py:92
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.
deploy/install_npm.sh:10
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED040] Python Yaml Load Unsafe: yaml.load(stream) without SafeLoader can deserialize arbitrary classes.
Review and fix per the pattern semantics. See CWE-502 for context.
scripts/update_ml_tutorials.py:89
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences [MINED108] `self.filepath` used but never assigned in __init__: Method `format` of class `FileUpload` reads `self.filepath`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.filepath = <default>` in __init__, or add a class-level default.
3 files, 25 locations
label_studio/data_import/models.py:61, 126, 127, 139, 145, 146, 151, 153, +11 more (19 hits)
label_studio/webhooks/api.py:70, 74, 76, 139, 144 (5 hits)
label_studio/webhooks/models.py:81
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] Django view `FSMEntityTransitionAPI` has destructive methods without auth: Class-based view `FSMEntityTransitionAPI` implements POST but no auth mixin / DRF permission_classes / request.user.is_authenticated check is visible.
Inherit from LoginRequiredMixin (Django) or set permission_classes = [IsAuthenticated] (DRF).
label_studio/fsm/api.py:135
high Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences [MINED118] Dockerfile FROM `heartexlabs/label-studio:latest` not pinned by digest: `FROM heartexlabs/label-studio:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM heartexlabs/label-studio:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
4 files, 4 locations
Dockerfile.cloudrun:1
Dockerfile.heroku:1
Dockerfile.hgface:1
Dockerfile.testing:7
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED119] Dockerfile `ADD https://install.python-poetry.org`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between layers — or if the URL serves a different file later — malicious content gets baked into the image.
Download the file in CI with a known checksum, vendor it into the repo, and COPY it during the build. Or use `RUN curl -sSL URL | sha256sum -c <(echo '<expected> -')` to verify.
Dockerfile.development:39
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED119] Dockerfile `ADD https://install.python-poetry.org`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between layers — or if the URL serves a different file later — malicious content gets baked into the image.
Download the file in CI with a known checksum, vendor it into the repo, and COPY it during the build. Or use `RUN curl -sSL URL | sha256sum -c <(echo '<expected> -')` to verify.
Dockerfile:85
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.15.1`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.15.1`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:3
high Security checks security Injection conf 0.50 [SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters.
label_studio/core/management/commands/locked_migrate.py:55
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
scripts/split_import_json.py:13
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 14 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `hmarr/debug-action` pinned to mutable ref `@v3.0.0`: `uses: hmarr/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char com…
7 files, 14 locations
.github/workflows/cicd_pipeline.yml:37, 44, 230, 484 (4 hits)
.github/workflows/docker-command.yml:18, 21, 96, 111 (4 hits)
.github/workflows/codeql.yml:29, 35 (2 hits)
.github/workflows/create-tag-docs.yml:29
.github/workflows/delete_pr_branch.yml:13
.github/workflows/fmt-command.yml:25
.github/workflows/git-command.yml:16
Tags: CI/CD security, Supply chain, GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 11 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
5 files, 11 locations
.github/workflows/cicd_pipeline.yml:41, 73, 88, 233, 240, 247, 406 (7 hits)
.github/workflows/codeql.yml:26
.github/workflows/create-tag-docs.yml:39
.github/workflows/delete_pr_branch.yml:16
.github/workflows/docker-command.yml:30
Tags: CI/CD security, Supply chain, GitHub Actions
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 14.8% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
high Security checks security auth conf 0.66 6 occurrences [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /^.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
label_studio/core/urls.py:65, 66, 67, 68, 69, 70 (6 hits)
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /api/version/.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
label_studio/core/urls.py:72
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /health/.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
label_studio/core/urls.py:73
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /metrics/.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
label_studio/core/urls.py:74
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /version/.
Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
label_studio/core/urls.py:71
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /export.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
label_studio/io_storages/urls.py:86
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /export/s3.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
label_studio/io_storages/urls.py:100
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /export/s3/<int:pk>.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
label_studio/io_storages/urls.py:101
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /export/types.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
label_studio/io_storages/urls.py:88
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /s3/.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
label_studio/io_storages/urls.py:90
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /s3/<int:pk>.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
label_studio/io_storages/urls.py:91
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /s3/<int:pk>/sync.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
label_studio/io_storages/urls.py:92
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /s3/form.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
label_studio/io_storages/urls.py:94
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /s3/validate.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
label_studio/io_storages/urls.py:93
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /types.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
label_studio/io_storages/urls.py:87
low Security checks quality Error handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
label_studio/io_storages/azure_blob/utils.py:57
medium Security checks quality Quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `get_blob_metadata` (list): `def get_blob_metadata(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def get_blob_metadata(x=None): x = [] if x is None else x`
label_studio/io_storages/gcs/utils.py:276
medium Security checks quality Quality conf 1.00 ✓ Repobility [MINED109] Mutable default argument in `get_redis_connection` (dict): `def get_redis_connection(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def get_redis_connection(x=None): x = {} if x is None else x`
label_studio/io_storages/redis/models.py:41
medium Security checks security Crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
label_studio/jwt_auth/models.py:129
medium Security checks security Crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
label_studio/core/utils/mail.py:23
medium Security checks software Csrf conf 1.00 [SEC028] CSRF Protection Removed — @csrf_exempt on state-changing endpoint: @csrf_exempt removes Django's CSRF protection from a view. On a state-changing endpoint (POST/PUT/DELETE) this allows cross-site requests to perform actions on behalf of an authenticated user. Verify there's a compensating mechanism: API token auth, signed request, or explicit Same-Site cookie + Origin check.
Either: (a) Replace @csrf_exempt with @csrf_protect (or just remove the exemption). (b) If this is a public API endpoint, use SessionAuthentication + Token/JWT auth from DRF instead. Token-bearer requests aren't vulnerable to CSRF. (c) If you must skip CSRF (e.g. for a third-party…
label_studio/core/views.py:217
medium Security checks software Open redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
web/apps/labelstudio/src/providers/ApiProvider.tsx:126
medium Security checks software Open redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
web/apps/labelstudio/src/app/AsyncPage/AsyncPage.jsx:28
medium Security checks quality Quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
web/apps/labelstudio/src/pages/WebhookPage/WebhookDetail.jsx:252
low Security checks quality Error handling conf 0.55 ✓ Repobility 23 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
12 files, 18 locations
label_studio/data_import/api.py:307, 614, 629 (3 hits)
label_studio/fsm/transition_utils.py:158, 222 (2 hits)
label_studio/io_storages/utils.py:222, 247 (2 hits)
label_studio/tasks/serializers.py:604, 633 (2 hits)
label_studio/users/admin.py:113, 135 (2 hits)
label_studio/core/current_request.py:102
label_studio/core/middleware.py:125
label_studio/core/redis.py:49
Tags: Error handling, quality
medium Security checks cicd CI/CD security conf 0.94 2 occurrences Compose service `nginx` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:1, 26 (2 hits)
Tags: CI/CD security, containers
medium Security checks cicd CI/CD security conf 0.84 Docker build context is very large
Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers.
.dockerignore
Tags: CI/CD security, containers
high Security checks cicd CI/CD security conf 0.82 3 occurrences Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
3 files, 3 locations
Dockerfile.cloudrun:1
Dockerfile.heroku:1
Dockerfile.hgface:1
Tags: CI/CD security, containers
medium Security checks cicd CI/CD security conf 0.84 Dockerfile ADD downloads remote content
Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files.
Dockerfile.development:40
Tags: CI/CD security, containers
medium Security checks cicd CI/CD security conf 0.84 Dockerfile ADD downloads remote content
Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files.
Dockerfile:86
Tags: CI/CD security, containers
medium Security checks cicd CI/CD security conf 0.94 3 occurrences Dockerfile base image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
3 files, 3 locations
Dockerfile.cloudrun:1
Dockerfile.heroku:1
Dockerfile.testing:9
Tags: CI/CD security, containers
high Security checks quality Quality conf 0.74 6 occurrences Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
4 files, 6 locations
label_studio/organizations/templates/organizations/people_list.html:109, 117 (2 hits)
web/libs/core/src/hooks/useResolveUser.ts:27, 91 (2 hits)
web/libs/editor/src/components/TaskSummary/Aggregation.tsx:27
web/libs/editor/src/hooks/useAnnotationQuery.ts:32
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
deploy/install_npm.sh:10
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
.github/workflows/cursor-review.yml:32
medium Security checks quality Quality conf 0.72 Service worker is present without a web app manifest
Add a valid manifest.json or site.webmanifest and reference it from the document head. Include name, icons, start_url, display, and theme colors.
manifest.json
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore
Tags: CI/CD security, containers
low Security checks software Race condition conf 1.00 [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.
Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.
label_studio/core/utils/io.py:105
low Security checks cicd CI/CD security conf 0.68 App service does not wait for database health
Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`.
docker-compose.yml:26
Tags: CI/CD security, containers
high Security checks cicd CI/CD security conf 0.62 2 occurrences Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docker-compose.yml:1, 26 (2 hits)
Tags: CI/CD security, containers
low Security checks cicd CI/CD security conf 0.72 Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
docker-compose.yml:50
Tags: CI/CD security, containers
low Security checks quality Quality conf 0.60 16 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 13 locations
web/apps/labelstudio/src/pages/Settings/StorageSettings/providers/s3.ts:66, 84 (2 hits)
label_studio/core/utils/serializer_to_openapi_params.py:35
label_studio/data_import/functions.py:90
label_studio/io_storages/gcs/api.py:1
label_studio/io_storages/gcs/openapi_schema.py:14
label_studio/io_storages/localfiles/api.py:1
label_studio/io_storages/redis/api.py:1
label_studio/io_storages/s3/api.py:1
Tags: duplication, quality
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date.
humans.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt.
sitemap.xml
low Security checks quality Quality conf 0.74 robots.txt does not advertise a sitemap
Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt.
.github/workflows/invite-check.yml
API access

This page is publicly accessible at: https://repobility.com/scan/6424ab9c-28fd-4ad3-a97e-c3a3b36a141e/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/6424ab9c-28fd-4ad3-a97e-c3a3b36a141e/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.