
leyu-data-collection-platform/leyu-backend

https://github.com/leyu-data-collection-platform/leyu-backend.git · scanned 2026-05-16 17:59 UTC (3 weeks, 3 days ago) · 10 languages

350 raw signals (80 security + 270 graph) · 17th percentile · TypeScript · medium (20-100K LoC) · system graph score 68 (lower by 12)


Complete repo analysis

Last scanned 3 weeks, 3 days ago · v2 · 35 actionable findings from 1 signal source. 45 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Active filters: layer = security; test files excluded.
Scan summary: quality grade C (56/100). Dimensions: security 62, maintainability 85. 80 findings (33 security). 37,826 lines analyzed.

Showing 20 of 35 actionable findings, filtered to the security layer with test files excluded. 80 raw detector signals were grouped into reader-sized issues. Read each authorization finding below as exactly what it states: the detector found no authentication or authorization evidence near the route; it did not exercise the route. If the controllers are NestJS (the *.controller.ts layout and ':id' route parameters suggest so), a guard applied to the whole controller class with @UseGuards, or registered globally through APP_GUARD, protects a route without leaving any evidence on the handler itself, so confirm each route against the guards actually in force before filing it as BOLA/IDOR or missing role separation.

[AUC003] high · security/auth · confidence 0.70 · 6 occurrences · Object-level route lacks visible authorization: a route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /:id.
2 files, 6 locations
src/base_data/controller/DataSetAnnotation.controller.ts:104, 113, 146 (3 hits)
src/base_data/controller/RejectionType.controller.ts:90, 95, 130 (3 hits)
[AUC003] high · security/auth · confidence 0.70 · 2 occurrences · Object-level route lacks visible authorization: a route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /add-alternative-name/:id.
2 files, 2 locations
src/base_data/controller/RejectionType.controller.ts:108
src/base_data/controller/DataSetAnnotation.controller.ts:125
[AUC003] high · security/auth · confidence 0.70 · 2 occurrences · Object-level route lacks visible authorization: a route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /update-alternative-name/:id.
2 files, 2 locations
src/base_data/controller/RejectionType.controller.ts:121
src/base_data/controller/DataSetAnnotation.controller.ts:137
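The check these AUC003 findings ask a reviewer to look for, as an added example written for this page and not code from leyu-backend: the handler loads the record named by :id and then decides, for that caller and that record, whether the write is allowed. The vulnerable and hardened handlers sit side by side. It is written without NestJS so it runs stand-alone; the Annotation entity, its ownerId/orgId fields, the role names and the tenant model are assumptions.

```typescript
// Added example, not code from leyu-backend: the per-object check AUC003 asks a reviewer to
// look for on routes such as /update-alternative-name/:id. Written without NestJS so it runs
// stand-alone; entity, field and role names are assumptions, as is the tenant model.

export type Role = 'annotator' | 'org_admin' | 'super_admin';

export interface Caller { userId: string; orgId: string; role: Role }

export interface Annotation {
  id: string;
  ownerId: string;             // user who created the record (assumed field)
  orgId: string;               // tenant the record belongs to (assumed field)
  alternativeNames: string[];
}

export class HttpError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.status = status;
  }
}

// Constructed in-memory table standing in for the database: two records in two tenants.
export function makeStore(): Map<string, Annotation> {
  return new Map<string, Annotation>([
    ['a-1', { id: 'a-1', ownerId: 'u-alice', orgId: 'org-A', alternativeNames: [] }],
    ['a-2', { id: 'a-2', ownerId: 'u-bob', orgId: 'org-B', alternativeNames: [] }],
  ]);
}

// Vulnerable shape: the handler proves the caller is logged in, then trusts the id taken
// from the URL. Any authenticated user can change any record by iterating ids (BOLA / IDOR).
export function addAlternativeNameInsecure(
  store: Map<string, Annotation>, caller: Caller | null, id: string, alias: string,
): Annotation {
  if (!caller) throw new HttpError(401, 'authentication required');
  const row = store.get(id);
  if (!row) throw new HttpError(404, 'not found');
  row.alternativeNames.push(alias);
  return row;
}

// Object-level authorization: decided per record, after loading it, for THIS caller and
// THIS object. Tenant boundary first, then ownership or a tenant-admin role.
export function canModify(caller: Caller, row: Annotation): boolean {
  if (caller.role === 'super_admin') return true;   // platform operator, assumed to bypass
  if (caller.orgId !== row.orgId) return false;      // never across tenants
  return caller.role === 'org_admin' || caller.userId === row.ownerId;
}

// Hardened handler. A record the caller may not touch is reported as 404 rather than 403,
// so the endpoint does not confirm which ids exist in other tenants.
export function addAlternativeNameSecure(
  store: Map<string, Annotation>, caller: Caller | null, id: string, alias: string,
): Annotation {
  if (!caller) throw new HttpError(401, 'authentication required');
  const row = store.get(id);
  if (!row || !canModify(caller, row)) throw new HttpError(404, 'not found');
  row.alternativeNames.push(alias);
  return row;
}

// Runs a handler the way an IDOR probe would and reports the HTTP status it produces.
export function statusOf(fn: () => unknown): number {
  try {
    fn();
    return 200;
  } catch (e) {
    return e instanceof HttpError ? e.status : 500;
  }
}

// Cross-tenant probe: bob (org-B) targets alice's record a-1 (org-A) through both handlers.
export function crossTenantProbe(): { insecure: number; secure: number } {
  const store = makeStore();
  const bob: Caller = { userId: 'u-bob', orgId: 'org-B', role: 'annotator' };
  return {
    insecure: statusOf(() => addAlternativeNameInsecure(store, bob, 'a-1', 'probe')),
    secure: statusOf(() => addAlternativeNameSecure(store, bob, 'a-1', 'probe')),
  };
}
```

In a NestJS controller the canModify decision belongs inside the @Patch(':id') handler after the service has loaded the row, or in a guard that loads it; a class-level @UseGuards(AuthGuard) only proves authentication and supplies none of the per-object part, which is why a scan that sees the guard would still be right to ask about it.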
[AUC001] medium · security/auth · confidence 0.92 · No Repobility access matrix policy found: the repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
[AUC004] high · security/auth · confidence 0.66 · 10 findings, all in src/task_distribution/controllers/ReviewerTask.controller.ts · Admin route does not show super_admin separation: an administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access.
Endpoints (line): ANY /my-tasks/:task_id (56), ANY /approve/:id (88), ANY /reject/:id (143), ANY /pm/approve/:dataset_id (203), ANY /pm/reject/:dataset_id (249), ANY /qa/approve/:dataset_id (296), ANY /qa/reject/:dataset_id (342), ANY /qa/tasks (389), ANY /qa/microtasks/:task_id (397), ANY /detail/:id (408)
[AUC009] high · security/auth · confidence 0.68 · 8 occurrences · Sensitive function route lacks elevated authorization evidence: a route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /:id.
5 files, 8 locations
src/base_data/controller/Country.controller.ts:91, 102, 138 (3 hits)
src/base_data/controller/Dialect.controller.ts:101, 145 (2 hits)
src/base_data/controller/DataSetAnnotation.controller.ts:146
src/base_data/controller/Language.controller.ts:89
src/base_data/controller/Organization.controller.ts:131
[AUC009] high · security/auth · confidence 0.68 · Sensitive function route lacks elevated authorization evidence: a route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /add-alternative-name/:id.
src/base_data/controller/Dialect.controller.ts:108
[AUC009] high · security/auth · confidence 0.68 · Sensitive function route lacks elevated authorization evidence: a route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /hello.
src/app.controller.ts:13
Check this one before acting on it: app.controller.ts is the NestJS scaffold's default controller, and a /hello route is an unusual match for the rule's export/invite/role/token/billing/destructive categories. Confirm what the handler at line 13 actually does; if it is the scaffold greeting, treat this as a detector false positive rather than a finding.
[AUC005] low · security/auth · confidence 0.76 · No authorization-focused tests detected: no test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
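AUC001, AUC004, AUC009 and AUC005 point at the same gap from four angles: nothing in the repository states in one place which role may call which route, so the scanner cannot tell platform super_admin apart from tenant admins, cannot see an elevated role on the destructive /:id routes, and finds no test asserting 403s. The added example below, written for this page and not code from leyu-backend, shows one way to close all four at once: a deny-by-default policy table keyed by route, an authorize() that refuses tenant admins on platform-only routes and refuses the platform role on tenant routes, and a table-driven auditMatrix() that is the kind of 401/403 test the scan reports as absent. The paths are the ones listed in the findings; the HTTP methods, the role names (qa, pm, org_admin, super_admin) and the tenant model are assumptions.

```typescript
// Added example, not code from leyu-backend. A deny-by-default route policy that states the
// separation AUC004 and AUC009 look for in one readable place (which also answers AUC001), and
// a table-driven 401/403 audit of the kind AUC005 reports as missing. Paths come from the
// findings; HTTP methods, role names and the tenant model are assumptions.

export type Role = 'annotator' | 'qa' | 'pm' | 'org_admin' | 'super_admin';
export type Method = 'GET' | 'POST' | 'PATCH' | 'DELETE';

// A super_admin is a platform operator and deliberately has no tenant.
export interface Caller { userId: string; orgId: string | null; role: Role }

export interface RoutePolicy {
  method: Method;
  pattern: string;          // NestJS-style path with :params
  roles: Role[];            // tenant roles allowed, always within the caller's own tenant
  platformOnly?: boolean;   // true: super_admin only; tenant admins are refused
}

// The access matrix, kept in code next to the routes so reviewers and scanners can read it.
// The per-object check (does :dataset_id belong to the caller's tenant?) still lives in the handler.
export const POLICY: RoutePolicy[] = [
  { method: 'GET',    pattern: '/my-tasks/:task_id',      roles: ['annotator', 'qa', 'pm', 'org_admin'] },
  { method: 'GET',    pattern: '/qa/tasks',               roles: ['qa', 'pm', 'org_admin'] },
  { method: 'POST',   pattern: '/qa/approve/:dataset_id', roles: ['qa', 'org_admin'] },
  { method: 'POST',   pattern: '/pm/approve/:dataset_id', roles: ['pm', 'org_admin'] },
  { method: 'DELETE', pattern: '/:id',                    roles: [], platformOnly: true }, // shared reference data
];

// Matches a request path against a pattern; returns the bound params or null.
export function matchRoute(pattern: string, path: string): Record<string, string> | null {
  const want = pattern.split('/').filter(Boolean);
  const got = path.split('/').filter(Boolean);
  if (want.length !== got.length) return null;
  const params: Record<string, string> = {};
  for (let i = 0; i < want.length; i++) {
    if (want[i].startsWith(':')) params[want[i].slice(1)] = got[i];
    else if (want[i] !== got[i]) return null;
  }
  return params;
}

function literalSegments(pattern: string): number {
  return pattern.split('/').filter(s => s && !s.startsWith(':')).length;
}

export interface Decision { status: 200 | 401 | 403 | 404; reason: string }

export function authorize(caller: Caller | null, method: Method, path: string): Decision {
  const matches = POLICY.filter(r => r.method === method && matchRoute(r.pattern, path) !== null);
  if (matches.length === 0) return { status: 404, reason: 'no policy entry: denied by default' };
  // Prefer the most specific pattern so a literal route beats a catch-all like '/:id'.
  const rule = matches.sort((a, b) => literalSegments(b.pattern) - literalSegments(a.pattern))[0];
  if (!caller) return { status: 401, reason: 'authentication required' };
  if (rule.platformOnly) {
    return caller.role === 'super_admin' && caller.orgId === null
      ? { status: 200, reason: 'platform operator' }
      : { status: 403, reason: 'platform-only route; a tenant admin is not super_admin' };
  }
  // Tenant routes refuse the platform role outright: platform staff reach tenant data only
  // through explicit platform routes, which keeps the two privilege levels from blurring.
  if (caller.role === 'super_admin' || caller.orgId === null) {
    return { status: 403, reason: 'tenant route; use a platform route' };
  }
  return rule.roles.includes(caller.role)
    ? { status: 200, reason: 'role allowed' }
    : { status: 403, reason: `role ${caller.role} not in policy` };
}

// Table-driven authorization test: each (role, route) pair and the status it must receive.
export interface Expectation { role: Role | null; method: Method; path: string; expect: number }

function callerFor(role: Role): Caller {
  return role === 'super_admin'
    ? { userId: 'u-platform', orgId: null, role }
    : { userId: `u-${role}`, orgId: 'org-A', role };
}

// Returns the mismatches, so an empty array means the matrix holds.
export function auditMatrix(cases: Expectation[]): string[] {
  const failures: string[] = [];
  for (const c of cases) {
    const d = authorize(c.role === null ? null : callerFor(c.role), c.method, c.path);
    if (d.status !== c.expect) {
      failures.push(`${c.role ?? 'anonymous'} ${c.method} ${c.path}: expected ${c.expect}, got ${d.status} (${d.reason})`);
    }
  }
  return failures;
}

// Constructed expectations; the 403 rows are the assertions AUC005 says no test currently makes.
export const EXPECTED: Expectation[] = [
  { role: null,          method: 'POST',   path: '/qa/approve/ds-1', expect: 401 },
  { role: 'annotator',   method: 'POST',   path: '/qa/approve/ds-1', expect: 403 },
  { role: 'qa',          method: 'POST',   path: '/qa/approve/ds-1', expect: 200 },
  { role: 'qa',          method: 'POST',   path: '/pm/approve/ds-1', expect: 403 },
  { role: 'org_admin',   method: 'DELETE', path: '/country-7',       expect: 403 }, // tenant admin is not super_admin
  { role: 'super_admin', method: 'DELETE', path: '/country-7',       expect: 200 },
  { role: 'super_admin', method: 'POST',   path: '/qa/approve/ds-1', expect: 403 },
  { role: 'pm',          method: 'GET',    path: '/not/registered',  expect: 404 }, // no entry: denied
];
```

Keeping the table in code rather than only in documentation means a route that is added without a policy entry is refused (404) instead of silently open, and the EXPECTED rows are exactly the kind of ownership/403/super_admin assertions AUC005 looks for in the test tree; in NestJS the authorize() step would run from a guard registered with APP_GUARD so it cannot be left off a controller.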
API access

This page is publicly accessible at: https://repobility.com/scan/6c5a106f-90dc-4a48-8512-e9510a7801a0/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/6c5a106f-90dc-4a48-8512-e9510a7801a0/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.