tauri-apps/tauri

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

64 of your 88 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

https://github.com/tauri-apps/tauri · scanned 2026-06-05 05:49 UTC (1 week, 3 days ago) · 10 languages

322 raw signals (82 security + 240 graph) 11/13 scanners ran 37th percentile · Rust · medium (20-100K LoC) System graph score 66 (lower by 2)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 3 days ago · v2 · 92 actionable findings from 2 signal sources. 110 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

88.9% cov · 67 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	60.0	0.15	9.00
`security_score`	100.0	0.25	25.00
`testing_score`	16.0	0.20	3.20
`documentation_score`	65.0	0.15	9.75
`practices_score`	69.0	0.15	10.35
`code_quality`	70.0	0.10	7.00
Overall		1.00	64.3

security_score may be inflated — optional security scanners were skipped on this fast scan

Severity distribution — click a segment to filter

Active filters: severity: high × excluding tests × Reset all

Severity: Critical 1 High 11 Medium 12 Low 46 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 25 System graph 67 Crowd 0 Layer: Software 27 Quality 30 Security 11 Cicd 8 Api 1 Frontend 12 Hardware 3

Exclude dismissed / FP Exclude test files

Scan summary Quality grade C+ (64/100). Dimensions: security 100, maintainability 60. 82 findings (31 security). 67,768 lines analyzed.

Showing 9 of 92 actionable findings. 202 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety.

Review and fix per the pattern semantics. See CWE-476 / for context.

3 files, 3 locations

crates/tauri/mobile/android/src/main/java/app/tauri/AppPlugin.kt:32

crates/tauri/mobile/android/src/main/java/app/tauri/FsUtils.kt:141

crates/tauri/mobile/android/src/main/java/app/tauri/plugin/PluginManager.kt:68

high Security checks software dependencies conf 0.90 ✓ Repobility [MINED122] package.json dep `tauri-plugin-{{ plugin_name }}-api` pulled from URL/Git: `dependencies.tauri-plugin-{{ plugin_name }}-api` = `file:../../` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.

Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.

crates/tauri-cli/templates/plugin/__example-api/tauri-app/package.json:1

high Security checks software dependencies conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/napi-rs/napi-rs/nodejs-rust:lts-alpine` unpinned: `container/services image: ghcr.io/napi-rs/napi-rs/nodejs-rust:lts-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.

Replace with `ghcr.io/napi-rs/napi-rs/nodejs-rust:lts-alpine@sha256:<digest>`. Re-pin via Dependabot Docker scope.

.github/workflows/publish-cli-js.yml:285

high System graph cicd CI/CD security conf 1.00 GitHub Action tracks a moving branch

dtolnay/rust-toolchain@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/bench.yml:41 CI/CD securitySupply chainGithub actions

high System graph security security conf 1.00 Insecure pattern 'eval_used' in crates/tauri/src/ipc/channel.rs:158

Found a known-risky pattern (eval_used). Review and replace if possible.

crates/tauri/src/ipc/channel.rs:158 Eval used

high System graph security security conf 1.00 Insecure pattern 'eval_used' in crates/tauri/src/ipc/protocol.rs:334

Found a known-risky pattern (eval_used). Review and replace if possible.

crates/tauri/src/ipc/protocol.rs:334 Eval used

high System graph security security conf 1.00 Insecure pattern 'eval_used' in crates/tauri/src/manager/webview.rs:672

Found a known-risky pattern (eval_used). Review and replace if possible.

crates/tauri/src/manager/webview.rs:672 Eval used

high System graph security security conf 1.00 Insecure pattern 'exec_used' in crates/tauri-cli/src/mobile/init.rs:36

Found a known-risky pattern (exec_used). Review and replace if possible.

crates/tauri-cli/src/mobile/init.rs:36 Exec used

high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell

Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.

.github/workflows/publish-cli-js.yml:172

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/6a9bdf8b-9ece-4780-bdf2-3db6f0001b42/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/6a9bdf8b-9ece-4780-bdf2-3db6f0001b42/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.