auricom/home-ops

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

23 of your 43 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.35s · analysis 2.22s · 1.2 MB · GitHub API rate-limit (preflight)

https://github.com/auricom/home-ops · scanned 2026-06-05 19:10 UTC (4 days, 16 hours ago) · 10 languages

96 raw signals (38 security + 58 graph) 68th percentile · Python · tiny (<2K LoC) System graph score 91 (lower by 20)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 16 hours ago · v2 · 48 actionable findings from 2 signal sources. 19 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

100.0% cov · 25 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	40.0	0.15	6.00
`security_score`	86.0	0.25	21.50
`testing_score`	70.0	0.20	14.00
`documentation_score`	70.0	0.15	10.50
`practices_score`	77.0	0.15	11.55
`code_quality`	77.2	0.10	7.72
Overall		1.00	71.3

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 0 High 4 Medium 25 Low 6 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 23 System graph 25 Crowd 0 Layer: Quality 16 Security 4 Software 2 Cicd 3 Api 1 Network 20 Hardware 1 Frontend 1

Exclude dismissed / FP Exclude test files

Scan summary Quality grade B (71/100). Dimensions: security 86, maintainability 40. 38 findings (15 security). 758 lines analyzed.

Showing 35 of 48 actionable findings. 67 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 2 occurrences Workflow references repository secrets in a pull_request workflow

Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.

lines 101, 102

.github/workflows/flux-local.yaml:101, 102 (2 hits)

CI/CD securityworkflow secretsGitHub Actions

low Security checks quality Quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.

Review and fix per the pattern semantics. See CWE-705 / for context.

kubernetes/apps/default/homelab/nas/backup/resources/script.py:109

high Security checks security Crypto conf 1.00 [SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`.

Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`.

.archive/kubernetes/homelab/truenas/backup/truenas-backup.sh:14

.archive/kubernetes/certs-deploy/truenas-certs-deploy.sh:21

low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 6 occurrences GitHub Action is tag-pinned rather than SHA-pinned

Action `actions/labeler` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.

3 files, 6 locations

.github/workflows/labeler.yml:26 (2 hits)

.github/workflows/labels-sync.yaml:26 (2 hits)

.github/workflows/renovate.yaml:51 (2 hits)

CI/CD securitySupply chainGitHub Actions

medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 2 occurrences GitHub Action is tag-pinned rather than SHA-pinned

Action `EndBug/label-sync` pinned to mutable ref `@v2` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.

lines 31

.github/workflows/labels-sync.yaml:31 (2 hits)

CI/CD securitySupply chainGitHub Actions

high Security checks software dependencies conf 0.90 ✓ Repobility 5 occurrences pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.5.0`

`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v4.5.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.

lines 6, 12, 17, 22, 26

.pre-commit-config.yaml:6, 12, 17, 22, 26 (5 hits)

medium Security checks security Crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.

Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.

kubernetes/apps/default/homelab/nas/backup/resources/script.py:68

medium Security checks security Crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.

Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.

.archive/kubernetes/certs-deploy/truenas-certs-deploy.py:30

high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth

Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.

kubernetes/apps/kube-system/cilium/app/helm/values.yaml:31

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — kubernetes/apps/default/homelab/nas/backup/resources/script.py:39

`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

runtime safetyRobustness

medium System graph network Security conf 1.00 Privileged port 10 in use

Port 10 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 12 in use

Port 12 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/network/cloudflare-tunnel/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 139 in use

Port 139 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/flaresolverr/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 17 in use

Port 17 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/garage/webui/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 2 in use

Port 2 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/tandoor/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 256 in use

Port 256 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/linkding/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 43 in use

Port 43 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/redlib/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 5 in use

Port 5 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/esphome/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 61 in use

Port 61 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/linkding/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 70 in use

Port 70 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/esphome/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 71 in use

Port 71 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/immich/machine-learning/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 79 in use

Port 79 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/bazarr/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 8 in use

Port 8 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/home-assistant/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 866 in use

Port 866 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/garage/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 896 in use

Port 896 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/unifi/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 91 in use

Port 91 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 914 in use

Port 914 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/database/mosquitto/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 944 in use

Port 944 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/autobrr/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 969 in use

Port 969 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/tandoor/app/helmrelease.yaml Ports

medium System graph network Security conf 1.00 Privileged port 999 in use

Port 999 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

kubernetes/apps/default/immich/database/helmrelease.yaml Ports

medium System graph quality Tests conf 1.00 Very low test-to-source ratio

0 test file(s) for 2 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.

Coverage

low Security checks quality Quality conf 0.60 Duplicated implementation block across source files

Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.

kubernetes/apps/default/homelab/github-notifier/resources/github-notifier.py:100 duplicationquality

low Security checks quality Documentation No LICENSE file

Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft).

low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found

Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.

Deployment

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/65b71faa-24fe-4e85-8a17-dc98736c55bd/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/65b71faa-24fe-4e85-8a17-dc98736c55bd/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.