
Scan timing: clone 13.3s · analysis 27.67s · 36.1 MB · GitHub API rate-limit (preflight)

facebook/react

https://github.com/facebook/react · scanned 2026-06-05 04:28 UTC (11 hours, 47 minutes ago) · 10 languages

2383 findings (123 legacy + 2260 scanner) · 11/13 scanners ran · 88th percentile · Javascript · large (100-500K LoC) · Scanner says 41 (higher by 50)


Complete repo analysis

Last scanned 11 hours, 47 minutes ago · v2 · 1253 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score            60.0     0.15           9.00
security_score            100.0     0.25          25.00
testing_score              95.0     0.20          19.00
documentation_score        99.0     0.15          14.85
practices_score           100.0     0.15          15.00
code_quality               80.0     0.10           8.00
Overall                             1.00           90.8
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: layer: security · excluding tests
Scan summary Repository scanned at 41.0/100 with 77.8% coverage. It contains 23739 nodes across 18 cross-layer flows, written primarily in mixed languages. Engine surfaced 1130 findings — concentrated in frontend (631), quality (302), cicd (67). Risk profile is high: 1 critical, 40 high, 88 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 35 of 1253 findings (after the active filters above).

critical · 9-layer security · secrets · conf 1.00 · Possible secret in compiler/packages/react-mcp-server/src/utils/algolia.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
compiler/packages/react-mcp-server/src/utils/algolia.ts:14 · secrets

high · 9-layer security · secrets · conf 1.00 · .env file present in repo: fixtures/fiber-debugger/.env
A raw .env file is in the working tree. Verify it isn't committed and that secrets are in a vault.
secrets · config

high · 9-layer security · secrets · conf 1.00 · .env file present in repo: fixtures/nesting/.env
A raw .env file is in the working tree. Verify it isn't committed and that secrets are in a vault.
secrets · config

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'eval_used' in compiler/packages/snap/src/sprout/evaluator.ts:255
Found a known-risky pattern (eval_used). Review and replace if possible.
compiler/packages/snap/src/sprout/evaluator.ts:255 · owasp · eval_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'eval_used' in fixtures/fiber-debugger/src/App.js:122
Found a known-risky pattern (eval_used). Review and replace if possible.
fixtures/fiber-debugger/src/App.js:122 · owasp · eval_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'eval_used' in packages/react-devtools-extensions/src/evalScripts.js:20
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/react-devtools-extensions/src/evalScripts.js:20 · owasp · eval_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in packages/react-devtools-extensions/deploy.js:43
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/react-devtools-extensions/deploy.js:43 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/bench/build.js:18
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/bench/build.js:18 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/ci/download_devtools_regression_build.js:40
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/ci/download_devtools_regression_build.js:40 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/devtools/prepare-release.js:85
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/devtools/prepare-release.js:85 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/devtools/publish-release.js:107
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/devtools/publish-release.js:107 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/devtools/utils.js:90
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/devtools/utils.js:90 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/release/build-release-locally-commands/build-artifacts.js:15
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/release/build-release-locally-commands/build-artifacts.js:15 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/release/build-release-locally-commands/copy-repo-to-temp-directory.js:19
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/release/build-release-locally-commands/copy-repo-to-temp-directory.js:19 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/release/build-release-locally-commands/npm-pack-and-unpack.js:13
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/release/build-release-locally-commands/npm-pack-and-unpack.js:13 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/release/shared-commands/download-build-artifacts.js:26
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/release/shared-commands/download-build-artifacts.js:26 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/release/utils.js:45
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/release/utils.js:45 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/rollup/utils.js:31
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/rollup/utils.js:31 · owasp · exec_used

high · 9-layer security · owasp · conf 1.00 · Insecure pattern 'exec_used' in scripts/shared/listChangedFiles.js:40
Found a known-risky pattern (exec_used). Review and replace if possible.
scripts/shared/listChangedFiles.js:40 · owasp · exec_used

low · Legacy security · security · conf 1.00 · [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a>. For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
packages/react-devtools-shared/src/devtools/views/UnsupportedBridgeProtocolDialog.js:137 · security · legacy

low · Legacy security · security · conf 1.00 · [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a>. For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
packages/react-devtools-shared/src/devtools/views/Editor/OpenInEditorButton.js:66 · security · legacy

low · Legacy security · security · conf 1.00 · [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a>. For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
packages/react-devtools-shared/src/devtools/views/Components/OpenInEditorButton.js:41 · security · legacy

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in fixtures/attribute-behavior/src/attributes.js:398
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
fixtures/attribute-behavior/src/attributes.js:398 · owasp · dangerous_innerhtml

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in fixtures/fizz/src/Html.js:21
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
fixtures/fizz/src/Html.js:21 · owasp · dangerous_innerhtml

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in fixtures/ssr/src/components/Chrome.js:24
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
fixtures/ssr/src/components/Chrome.js:24 · owasp · dangerous_innerhtml

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in fixtures/ssr2/src/Html.js:21
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
fixtures/ssr2/src/Html.js:21 · owasp · dangerous_innerhtml

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in fixtures/view-transition/src/components/Chrome.js:29
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
fixtures/view-transition/src/components/Chrome.js:29 · owasp · dangerous_innerhtml

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in packages/react-dom-bindings/src/client/ReactDOMComponent.js:637
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-dom-bindings/src/client/ReactDOMComponent.js:637 · owasp · dangerous_innerhtml

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in packages/react-dom-bindings/src/client/ReactDOMOption.js:44
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-dom-bindings/src/client/ReactDOMOption.js:44 · owasp · dangerous_innerhtml

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in packages/react-dom-bindings/src/client/ReactFiberConfigDOM.js:164
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-dom-bindings/src/client/ReactFiberConfigDOM.js:164 · owasp · dangerous_innerhtml

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in packages/react-dom-bindings/src/server/ReactFizzConfigDOM.js:1623
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-dom-bindings/src/server/ReactFizzConfigDOM.js:1623 · owasp · dangerous_innerhtml

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in packages/react-dom-bindings/src/shared/possibleStandardNames.js:49
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-dom-bindings/src/shared/possibleStandardNames.js:49 · owasp · dangerous_innerhtml

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in packages/react-dom-bindings/src/shared/ReactDOMUnknownPropertyHook.js:104
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/react-dom-bindings/src/shared/ReactDOMUnknownPropertyHook.js:104 · owasp · dangerous_innerhtml

medium · 9-layer security · owasp · conf 1.00 · Insecure pattern 'dangerous_innerhtml' in scripts/error-codes/codes.json:61
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
scripts/error-codes/codes.json:61 · owasp · dangerous_innerhtml

low · 9-layer security · owasp · conf 1.00 · Insecure pattern 'document_write' in packages/react-devtools-shell/src/app/Iframe/index.js:44
Found a known-risky pattern (document_write). Review and replace if possible.
packages/react-devtools-shell/src/app/Iframe/index.js:44 · owasp · document_write
API access

This page is publicly accessible at: https://repobility.com/scan/71490123-d37f-4659-ac2a-5b9a11374c25/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/71490123-d37f-4659-ac2a-5b9a11374c25/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.