File as GitHub Issue repo: ggml-org/llama.cpp

Push this scan report to ggml-org/llama.cpp

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.


Issue title

`self.hparams` used but never assigned in __init__

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

| Severity | Rule | Title | File:line |
|---|---|---|---|
| HIGH | MINED106 | Phantom test coverage: test_single_prompt_similarity: Test function `test_sing… | examples/model-conversion/scripts/utils…:46 |
| HIGH | MINED106 | Phantom test coverage: test_tool_call: Test function `test_tool_call` runs cod… | scripts/server-test-model.py:134 |
| HIGH | MINED106 | Phantom test coverage: test_chat: Test function `test_chat` runs code but cont… | scripts/server-test-model.py:115 |
| HIGH | MINED108 | `self.gguf_writer` used but never assigned in __init__: Method `set_gguf_param… | conversion/wavtokenizer.py:34 |
| HIGH | MINED108 | `self.hparams` used but never assigned in __init__: Method `set_gguf_parameter… | conversion/wavtokenizer.py:33 |
| HIGH | MINED108 | `self.gguf_writer` used but never assigned in __init__: Method `set_gguf_param… | conversion/wavtokenizer.py:33 |
| HIGH | MINED108 | `self._set_vocab_none` used but never assigned in __init__: Method `set_vocab`… | conversion/wavtokenizer.py:29 |
| HIGH | MINED108 | `self.filter_tensors` used but never assigned in __init__: Method `get_tensors… | convert_lora_to_gguf.py:460 |
| HIGH | MINED108 | `self.lazy` used but never assigned in __init__: Method `get_tensors` of class… | convert_lora_to_gguf.py:455 |
| HIGH | MINED108 | `self.gguf_writer` used but never assigned in __init__: Method `set_gguf_param… | convert_lora_to_gguf.py:440 |
| HIGH | MINED108 | `self.gguf_writer` used but never assigned in __init__: Method `set_gguf_param… | convert_lora_to_gguf.py:422 |
| HIGH | MINED108 | `self.gguf_writer` used but never assigned in __init__: Method `set_type` of c… | convert_lora_to_gguf.py:418 |
| HIGH | MINED108 | `self.gguf_writer` used but never assigned in __init__: Method `set_type` of c… | convert_lora_to_gguf.py:417 |
| HIGH | MINED108 | `self.shape` used but never assigned in __init__: Method `split` of class `Lor… | convert_lora_to_gguf.py:191 |
| HIGH | MINED108 | `self.transpose` used but never assigned in __init__: Method `swapaxes` of cla… | convert_lora_to_gguf.py:188 |
| HIGH | MINED108 | `self.permute` used but never assigned in __init__: Method `transpose` of clas… | convert_lora_to_gguf.py:185 |
| HIGH | MINED108 | `self.shape` used but never assigned in __init__: Method `transpose` of class … | convert_lora_to_gguf.py:182 |
| HIGH | MINED108 | `self.shape` used but never assigned in __init__: Method `permute` of class `L… | convert_lora_to_gguf.py:169 |
| HIGH | MINED108 | `self.reshape` used but never assigned in __init__: Method `view` of class `Lo… | convert_lora_to_gguf.py:166 |
| HIGH | MINED108 | `self.reshape` used but never assigned in __init__: Method `reshape_as` of cla… | convert_lora_to_gguf.py:163 |
| HIGH | MINED108 | `self.shape` used but never assigned in __init__: Method `reshape` of class `L… | convert_lora_to_gguf.py:141 |
| HIGH | MINED108 | `self.shape` used but never assigned in __init__: Method `size` of class `Lora… | convert_lora_to_gguf.py:128 |
| HIGH | MINED108 | `self.shape` used but never assigned in __init__: Method `__getitem__` of clas… | convert_lora_to_gguf.py:66 |
| HIGH | MINED108 | `self.add_tensors` used but never assigned in __init__: Method `save` of class… | convert_llama_ggml_to_gguf.py:238 |
| HIGH | MINED108 | `self.add_vocab` used but never assigned in __init__: Method `save` of class `… | convert_llama_ggml_to_gguf.py:235 |
| HIGH | MINED108 | `self.add_params` used but never assigned in __init__: Method `save` of class … | convert_llama_ggml_to_gguf.py:234 |
| HIGH | MINED108 | `self.validate_conversion` used but never assigned in __init__: Method `load` … | convert_llama_ggml_to_gguf.py:185 |
| HIGH | MINED108 | `self.validate_header` used but never assigned in __init__: Method `load` of c… | convert_llama_ggml_to_gguf.py:181 |
| HIGH | MINED021 | Path Traversal Os Join: os.path.join(user_dir, filename) where filename can co… | ggml/src/ggml-webgpu/wgsl-shaders/embed…:15 |
| HIGH | SEC114 | path.join / Path() on user-controlled segment without containment check: filepat… | ggml/src/ggml-webgpu/wgsl-shaders/embed…:15 |
| HIGH | MINED011 | Scala Get On Option: Option.get throws NoSuchElementException on None. Use get… | ggml/src/ggml-cuda/mmf.cu:87 |
| HIGH | MINED011 | Scala Get On Option: Option.get throws NoSuchElementException on None. Use get… | ggml/src/ggml-cuda/cumsum.cu:209 |
| HIGH | MINED011 | Scala Get On Option: Option.get throws NoSuchElementException on None. Use get… | ggml/src/ggml-cuda/argsort.cu:41 |
| HIGH | SEC128 | Async function without await — fire-and-forget Promise (AI mistake): Async call … | gguf-py/gguf/scripts/gguf_new_metadata.…:98 |
| HIGH | SEC128 | Async function without await — fire-and-forget Promise (AI mistake): Async call … | gguf-py/gguf/scripts/gguf_hash.py:34 |
| HIGH | SEC128 | Async function without await — fire-and-forget Promise (AI mistake): Async call … | examples/llama.android/app/src/main/jav…:240 |
| HIGH | SEC078 | Python: requests without timeout: requests.get/post without a timeout will hang … | scripts/gen-unicode-data.py:15 |
| HIGH | MINED134 | Binary file `examples/llama.android/gradle/wrapper/gradle-wrapper.jar` committ… | examples/llama.android/gradle/wrapper/g…:1 |
| HIGH | MINED126 | Workflow container/services image `ghcr.io/snapdragon-toolchain/arm64-linux:v0… | .github/workflows/build-and-test-snapdr…:64 |
| HIGH | MINED126 | Workflow container/services image `ghcr.io/snapdragon-toolchain/arm64-android:… | .github/workflows/build-and-test-snapdr…:34 |
| HIGH | MINED126 | Workflow container/services image `mthreads/musa:rc4.3.0-devel-ubuntu22.04-amd… | .github/workflows/build-cuda-ubuntu.yml:109 |
| HIGH | MINED126 | Workflow container/services image `rocm/dev-ubuntu-22.04:6.1.2` unpinned: `con… | .github/workflows/build-cuda-ubuntu.yml:77 |
| HIGH | MINED126 | Workflow container/services image `nvidia/cuda:12.6.2-devel-ubuntu24.04` unpin… | .github/workflows/build-cuda-ubuntu.yml:41 |
| HIGH | MINED126 | Workflow container/services image `rocm/dev-ubuntu-22.04:7.2.1` unpinned: `con… | .github/workflows/hip-quality-check.yml:38 |
| HIGH | MINED126 | Workflow container/services image `tonistiigi/binfmt:qemu-v10.2.1` unpinned: `… | .github/workflows/docker.yml:157 |
| HIGH | MINED115 | Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-… | .github/workflows/ui-build.yml:17 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/ui-build.yml:14 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/build-cmake-pkg.yml:10 |
| HIGH | MINED115 | Action `ggml-org/ccache-action` pinned to mutable ref `@v1.2.21`: `uses: ggml-… | .github/workflows/build-cuda-windows.yml:132 |
| HIGH | MINED115 | Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` r… | .github/workflows/build-cuda-windows.yml:108 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/build-cuda-windows.yml:98 |
| HIGH | MINED115 | Action `ggml-org/ccache-action` pinned to mutable ref `@v1.2.21`: `uses: ggml-… | .github/workflows/build-cuda-windows.yml:40 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/build-cuda-windows.yml:37 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setu… | .github/workflows/update-ops-docs.yml:26 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/update-ops-docs.yml:23 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/ai-issues.yml:18 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setu… | .github/workflows/check-vendor.yml:31 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/check-vendor.yml:26 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/build-3rd-party.yml:36 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setu… | .github/workflows/pre-tokenizer-hashes.…:22 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/pre-tokenizer-hashes.…:19 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/build-rpc.yml:45 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/build-openvino.yml:52 |
| HIGH | MINED126 | Workflow container/services image `ghcr.io/snapdragon-toolchain/arm64-android:… | .github/workflows/build-android.yml:64 |
| HIGH | MINED115 | Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-… | .github/workflows/build-android.yml:120 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/build-android.yml:104 |
| HIGH | MINED115 | Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/u… | .github/workflows/build-android.yml:90 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/build-android.yml:71 |
| HIGH | MINED115 | Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-… | .github/workflows/build-android.yml:46 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/build-android.yml:40 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… | .github/workflows/build-msys.yml:35 |
| HIGH | MINED118 | Dockerfile FROM `intel/deep-learning-essentials (no tag)` not pinned by digest… | .devops/intel.Dockerfile:44 |
| HIGH | MINED118 | Dockerfile FROM `intel/deep-learning-essentials (no tag)` not pinned by digest… | .devops/intel.Dockerfile:7 |
| HIGH | MINED118 | Dockerfile FROM `ascendai/cann (no tag)` not pinned by digest: `FROM ascendai/… | .devops/llama-cli-cann.Dockerfile:33 |
| HIGH | MINED118 | Dockerfile FROM `ascendai/cann (no tag)` not pinned by digest: `FROM ascendai/… | .devops/llama-cli-cann.Dockerfile:5 |
| HIGH | MINED131 | pre-commit hook `https://github.com/PyCQA/flake8` pinned to mutable rev `7.0.0… | .pre-commit-config.yaml:12 |
| HIGH | MINED131 | pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mut… | .pre-commit-config.yaml:5 |
| HIGH | SEC013 | Path Traversal — User Input in File Path: User-controlled input used in file pat… | tools/results/results.cpp:110 |
| HIGH | SEC013 | Path Traversal — User Input in File Path: User-controlled input used in file pat… | scripts/compare-logprobs.py:116 |
| HIGH | SEC013 | Path Traversal — User Input in File Path: User-controlled input used in file pat… | ggml/src/ggml-webgpu/wgsl-shaders/embed…:15 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/utils…:44 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/utils…:172 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/utils…:56 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/utils…:44 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/utils…:142 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/utils…:31 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/utils…:49 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/utils…:111 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/utils…:120 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/utils…:50 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/utils…:218 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/model-conversion/scripts/embed…:127 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/llama-eval/llama-server-simula…:295 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/llama-eval/llama-eval.py:1235 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/llama-eval/llama-eval.py:1137 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/llama-eval/llama-eval.py:1097 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | examples/llama-eval/llama-eval.py:1055 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | gguf-py/gguf/scripts/gguf_editor_gui.py:1588 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | gguf-py/gguf/scripts/gguf_editor_gui.py:923 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | scripts/jinja/jinja-tester.py:445 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | scripts/jinja/jinja-tester.py:459 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | scripts/jinja/jinja-tester.py:410 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | scripts/jinja/jinja-tester.py:374 |
| MED | MINED109 | Mutable default argument in `__init__` (dict): `def __init__(... = []/{}/set()… | tests/test-tokenizer-random.py:73 |
| MED | MINED109 | Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set()… | tests/test-tokenizer-random.py:34 |
| MED | MINED109 | Mutable default argument in `run` (dict): `def run(... = []/{}/set())` — Pytho… | scripts/tool_bench.py:244 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | scripts/sync_vendor.py:38 |
| MED | MINED111 | Bare except continues silently: Bare `except:` (or `except Exception:`) that r… | conversion/mpt.py:18 |
| MED | SEC011 | Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execut… | tools/mtmd/legacy-models/llava_surgery_…:25 |
| MED | SEC011 | Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execut… | tools/mtmd/legacy-models/llava_surgery.…:13 |
| MED | SEC011 | Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execut… | tools/mtmd/legacy-models/glmedge-conver…:153 |
| MED | SEC034 | Log Injection / Log Forging — unsanitized user input in log: User input is logge… | gguf-py/gguf/scripts/gguf_set_metadata.…:89 |
| MED | SEC034 | Log Injection / Log Forging — unsanitized user input in log: User input is logge… | gguf-py/gguf/scripts/gguf_new_metadata.…:164 |
| MED | SEC034 | Log Injection / Log Forging — unsanitized user input in log: User input is logge… | gguf-py/gguf/scripts/gguf_convert_endia…:181 |
| MED | ERR001 | Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… | conversion/kimi_linear.py:26 |
| MED | COMP001 | High cognitive complexity: Function `modify_tensors` has cognitive complexity 1… | conversion/arctic.py:114 |
| MED | COMP001 | High cognitive complexity: Function `modify_tensors` has cognitive complexity 1… | conversion/afmoe.py:49 |
| MED | MINED124 | requirements.txt: `tqdm` has no version pin: Unpinned pip requirement means ev… | tools/server/bench/speed-bench/requirem…:3 |
| MED | MINED124 | requirements.txt: `requests` has no version pin: Unpinned pip requirement mean… | tools/server/bench/speed-bench/requirem…:2 |
| MED | MINED124 | requirements.txt: `datasets` has no version pin: Unpinned pip requirement me… | tools/server/bench/speed-bench/requirem…:1 |
| MED | MINED124 | requirements.txt: `requests` has no version pin: Unpinned pip requirement mean… | tools/server/bench/requirements.txt:2 |
| MED | MINED124 | requirements.txt: `matplotlib` has no version pin: Unpinned pip requirement me… | tools/server/bench/requirements.txt:1 |
| MED | MINED124 | requirements.txt: `sentence-transformers` has no version pin: Unpinned pip req… | examples/model-conversion/requirements.…:7 |
| MED | MINED124 | requirements.txt: `accelerate` has no version pin: Unpinned pip requirement me… | examples/model-conversion/requirements.…:6 |
| MED | MINED124 | requirements.txt: `huggingface-hub` has no version pin: Unpinned pip requireme… | examples/model-conversion/requirements.…:5 |
| MED | MINED124 | requirements.txt: `transformers` has no version pin: Unpinned pip requirement … | examples/model-conversion/requirements.…:4 |
| MED | MINED124 | requirements.txt: `torchvision` has no version pin: Unpinned pip requirement m… | examples/model-conversion/requirements.…:3 |
| MED | MINED124 | requirements.txt: `torch` has no version pin: Unpinned pip requirement means e… | examples/model-conversion/requirements.…:2 |
| MED | MINED124 | requirements.txt: `jinja2` has no version pin: Unpinned pip requirement means … | scripts/jinja/requirements.txt:2 |
| MED | MINED124 | requirements.txt: `PySide6` has no version pin: Unpinned pip requirement means… | scripts/jinja/requirements.txt:1 |
| MED | AIC001 | Parallel implementation file sits beside a canonical file | convert_hf_to_gguf_update.py:1 |
| MED | SEC017 | Unbounded Input to LLM/External API: User input is passed to an LLM or external … | tools/mtmd/legacy-models/minicpmv-surge…:41 |
| MED | AIC004 | Suspicious implementation file appears unreferenced | convert_hf_to_gguf_update.py:1 |
| MED | SEC016 | LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolat… | tools/mtmd/legacy-models/minicpmv-surge…:41 |
| LOW | SEC124 | TOCTOU file access (os.access then open): Check-then-use file pattern (access/ex… | tools/mtmd/legacy-models/minicpmv-surge…:29 |
| LOW | SEC124 | TOCTOU file access (os.access then open): Check-then-use file pattern (access/ex… | tools/mtmd/legacy-models/llava_surgery.…:30 |
| LOW | SEC124 | TOCTOU file access (os.access then open): Check-then-use file pattern (access/ex… | tools/mtmd/legacy-models/glmedge-surger…:27 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/phi.py:83 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/phi.py:41 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/olmo.py:58 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/olmo.py:53 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/olmo.py:50 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/mimo.py:147 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/mimo.py:138 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/mimo.py:136 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/mellum.py:30 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/mellum.py:25 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/mellum.py:22 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/llama.py:139 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/llama.py:130 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/llama.py:110 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/llada.py:95 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/llada.py:90 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/llada.py:11 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/kimi_linear.py:13 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/hunyuan.py:84 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/hunyuan.py:82 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/hunyuan.py:29 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/grovemoe.py:48 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/grovemoe.py:43 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/glm.py:124 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/glm.py:122 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/exaone.py:136 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/exaone.py:24 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/ernie.py:92 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/deepseek.py:120 |
| LOW | AIC003 | Duplicated implementation block across source files | conversion/bert.py:112 |
| LOW | AIC002 | Source file name looks like an AI patch artifact | ggml/src/ggml-hexagon/htp/hvx-copy.h:1 |
| INFO | MINED065 | Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser o… | tools/ui/vite.config.ts:86 |
| INFO | MINED052 | Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. | tools/ui/vite.config.ts:17 |
| INFO | MINED063 | Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/de… | tools/mtmd/legacy-models/minicpmv-surge…:29 |
| INFO | MINED063 | Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/de… | tools/mtmd/legacy-models/llava_surgery.…:30 |
| INFO | MINED063 | Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/de… | tools/mtmd/legacy-models/glmedge-surger…:27 |
| INFO | MINED042 | Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… | src/llama-memory-hybrid-iswa.cpp:34 |
| INFO | MINED042 | Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… | src/llama-kv-cache-iswa.cpp:279 |
| INFO | MINED042 | Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… | src/llama-kv-cache-dsa.cpp:210 |
| INFO | MINED044 | Js Console Log Prod: console.log left in code. Should be replaced with logger … | tools/ui/scripts/vite-plugin-llama-cpp-…:44 |
| INFO | MINED044 | Js Console Log Prod: console.log left in code. Should be replaced with logger … | tools/server/bench/script.js:29 |
| INFO | MINED044 | Js Console Log Prod: console.log left in code. Should be replaced with logger … | scripts/serve-static.js:12 |
| INFO | MINED043 | Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | scripts/server-test-model.py:189 |
| INFO | MINED043 | Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | scripts/get-pg.sh:44 |
| INFO | MINED043 | Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | scripts/compare-logprobs.py:19 |
| INFO | MINED064 | Python Input Call: input() blocks for stdin. Inappropriate in services. | gguf-py/gguf/scripts/gguf_set_metadata.…:68 |
| INFO | MINED064 | Python Input Call: input() blocks for stdin. Inappropriate in services. | gguf-py/gguf/scripts/gguf_new_metadata.…:159 |
| INFO | MINED064 | Python Input Call: input() blocks for stdin. Inappropriate in services. | gguf-py/gguf/scripts/gguf_convert_endia…:101 |
| INFO | MINED080 | Cpp Using Namespace Std: using namespace std; pollutes the global namespace. | ggml/src/ggml-sycl/sycl_hw.cpp:3 |
| INFO | MINED077 | Python Open No Context: fp = open(path) outside with-block leaks file handles. | scripts/snapdragon/ggml-hexagon-profile…:37 |
| INFO | MINED077 | Python Open No Context: fp = open(path) outside with-block leaks file handles. | ggml/src/ggml-opencl/kernels/embed_kern…:14 |
| INFO | MINED045 | Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | ggml/src/ggml-cuda/mean.cu:41 |
| INFO | MINED045 | Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … | ggml/src/ggml-cuda/conv-transpose-1d.cu:25 |
| INFO | MINED055 | Npm Install No Lockfile: Production image runs npm install (resolves new versi… | examples/model-conversion/scripts/utils…:295 |
| INFO | MINED067 | Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | scripts/gen-unicode-data.py:15 |
| INFO | MINED067 | Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | scripts/compare-logprobs.py:29 |
| INFO | MINED067 | Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | examples/json_schema_pydantic_example.py:32 |
| INFO | MINED049 | Print Pii: Logging password/token/email/ssn directly to stdout. | examples/model-conversion/scripts/causa…:64 |
| INFO | MINED049 | Print Pii: Logging password/token/email/ssn directly to stdout. | examples/llama.swiftui/llama.cpp.swift/…:133 |
| INFO | MINED049 | Print Pii: Logging password/token/email/ssn directly to stdout. | examples/batched.swift/Sources/main.swi…:85 |
| INFO | MINED050 | Stub Only Function: Function declared but body is just pass, return None, rais… | conversion/ultravox.py:17 |
| INFO | MINED050 | Stub Only Function: Function declared but body is just pass, return None, rais… | conversion/mamba.py:133 |
| INFO | MINED050 | Stub Only Function: Function declared but body is just pass, return None, rais… | conversion/kimi_linear.py:27 |
200 findings available (after auto-suppression of test files + won't-fix).

Issue body (markdown)

## Code-quality scan: `ggml-org/llama.cpp`

**Score: 80/100 (B+)**  ·  233 findings  ·  scanned 2026-06-05 05:22 UTC  ·  601,731 LOC

| Severity | Count |
|---|---|
| CRITICAL | 10 |
| HIGH | 95 |
| MEDIUM | 54 |
| LOW | 34 |

📊 [Full filterable report](https://repobility.com/scan/66068b6a-6304-4731-a390-59c7a48d3b50/)  ·  ![scorecard](https://repobility.com/scan/66068b6a-6304-4731-a390-59c7a48d3b50/report.png?v=1780636932-s2)

### Top findings

1. **HIGH** `MINED106` — Phantom test coverage: test_single_prompt_similarity
   `examples/model-conversion/scripts/utils/semantic_check.py:46` · ✓ Repobility
2. **HIGH** `MINED106` — Phantom test coverage: test_tool_call
   `scripts/server-test-model.py:134` · ✓ Repobility
3. **HIGH** `MINED106` — Phantom test coverage: test_chat
   `scripts/server-test-model.py:115` · ✓ Repobility
4. **HIGH** `MINED108` — `self.gguf_writer` used but never assigned in __init__
   `conversion/wavtokenizer.py:34` · ✓ Repobility
5. **HIGH** `MINED108` — `self.hparams` used but never assigned in __init__
   `conversion/wavtokenizer.py:33` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/66068b6a-6304-4731-a390-59c7a48d3b50/_
Already filed
This repo publishes a SECURITY.md policy and the scan contains 15 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.
Megaproject — high spam risk
Could not determine 'ggml-org/llama.cpp' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
Already filed
92/249 findings (37%) on this scan are already flagged as test-file, won't-fix, or suppressed. The scan is too noisy to file as a single issue. Curate down to specific actionable findings, or address the FP source first.

The button opens GitHub's new-issue page in a new tab. You will see the title + body pre-filled — review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.