Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
103 of your 143 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 51.98s for a 158.5 MB repo slow.
  • Repobility's analysis ran in 53.04s after the clone landed.

gradle/gradle

https://github.com/gradle/gradle · scanned 2026-06-05 22:43 UTC (4 days, 6 hours ago) · 10 languages

398 raw signals (124 security + 274 graph) 11/13 scanners ran 27th percentile · Java · huge (>500K LoC) System graph score 77 (lower by 7)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 6 hours ago · v2 · 126 actionable findings from 2 signal sources. 135 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
73.8
/100
Security checks
70
58 findings
System graph
77
100.0% cov · 68 findings
Critical
7
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 40.0 0.15 6.00
security_score 100.0 0.25 25.00
testing_score 34.0 0.20 6.80
documentation_score 78.0 0.15 11.70
practices_score 86.0 0.15 12.90
code_quality 80.0 0.10 8.00
Overall 1.00 70.4
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 7 High 34 Medium 19 Low 36 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 58 System graph 68 Crowd 0 Layer: Quality 49 Security 31 Software 31 Cicd 6 Api 1 Frontend 8
Scan summary Quality grade B (70/100). Dimensions: security 100, maintainability 40. 124 findings (54 security). 797,976 lines analyzed.

Showing 91 of 126 actionable findings. 261 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks security Deserialization conf 1.00 [SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Collections, etc.) leading to RCE.
Avoid native Java serialization entirely. Use JSON (Jackson with default-typing OFF) or a length-limited Protobuf. If you must, set up a SerialKiller / lookahead-deserializer with a class allowlist.
build-logic/documentation/src/main/groovy/gradlebuild/docs/model/SimpleClassMetaDataRepository.java:46
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
.github/workflows/contributor-pr.yml:18 CI/CD securityworkflow secretsGitHub Actions
critical System graph security Secrets conf 1.00 4 occurrences Possible secret in platforms/documentation/docs/src/snippets/reference/dependency-management/basics/defineRepository/groovy/build.gradle
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 119, 248, 268, 283
platforms/documentation/docs/src/snippets/reference/dependency-management/basics/defineRepository/groovy/build.gradle:119, 248, 268, 283 (4 hits)
critical System graph security Secrets conf 1.00 4 occurrences Possible secret in platforms/documentation/docs/src/snippets/reference/dependency-management/declaring-repositories/defineRepository/groovy/build.gradle
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 119, 248, 268, 283
platforms/documentation/docs/src/snippets/reference/dependency-management/declaring-repositories/defineRepository/groovy/build.gradle:119, 248, 268, 283 (4 hits)
critical System graph security Secrets conf 1.00 4 occurrences Possible secret in platforms/documentation/docs/src/snippets/reference/platforms/jvm/defineRepository/groovy/build.gradle
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 119, 248, 268, 283
platforms/documentation/docs/src/snippets/reference/platforms/jvm/defineRepository/groovy/build.gradle:119, 248, 268, 283 (4 hits)
critical System graph security Secrets conf 1.00 Possible secret in platforms/jvm/toolchains-jvm/src/main/java/org/gradle/jvm/toolchain/JvmToolchainManagement.java
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
platforms/jvm/toolchains-jvm/src/main/java/org/gradle/jvm/toolchain/JvmToolchainManagement.java:52
critical System graph security Secrets conf 1.00 Possible secret in subprojects/core-api/src/main/java/org/gradle/api/artifacts/repositories/AuthenticationSupported.java
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
subprojects/core-api/src/main/java/org/gradle/api/artifacts/repositories/AuthenticationSupported.java:64
high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic.
Review and fix per the pattern semantics. See CWE-78 / for context.
3 files, 3 locations
platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/inputs/process/ProcessInPluginIntegrationTest.groovy:114
platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/inputs/process/ProcessInTransformIntegrationTest.groovy:60
platforms/core-configuration/configuration-cache/src/integTest/groovy/org/gradle/internal/cc/impl/inputs/process/instrument/AbstractProcessInstrumentationIntegrationTest.groovy:200
high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety.
Review and fix per the pattern semantics. See CWE-476 / for context.
3 files, 3 locations
build-logic-commons/basics/src/main/kotlin/gradlebuild/basics/BuildEnvironment.kt:111
build-logic-commons/module-identity/src/main/kotlin/gradlebuild/identity/extension/ReleasedVersionsDetails.kt:62
build-logic-settings/architecture-docs/src/main/kotlin/gradlebuild/GeneratePackageInfoDataTask.kt:72
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `.teamcity/.mvn/wrapper/maven-wrapper.jar` committed in source repo: `.teamcity/.mvn/wrapper/maven-wrapper.jar` is a .jar binary (50,710 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
.teamcity/.mvn/wrapper/maven-wrapper.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
gradle/wrapper/gradle-wrapper.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal sourc
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal s
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-no
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwis
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherw
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/fundamentals/authoring-builds/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/reference/core-plugins/customized/groovy/additionalLibs/additional-1.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/reference/core-plugins/customized/groovy/additionalLibs/additional-1.0.jar` is a .jar binary (349 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/reference/core-plugins/customized/groovy/additionalLibs/additional-1.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/reference/core-plugins/customized/kotlin/additionalLibs/additional-1.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/reference/core-plugins/customized/kotlin/additionalLibs/additional-1.0.jar` is a .jar binary (349 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/reference/core-plugins/customized/kotlin/additionalLibs/additional-1.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences [MINED134] Binary file `platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project1/1.0/project1-1.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project1/1.0/project1-1.0.jar` is a .jar binary (261 bytes) committed to a rep
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
3 files, 3 locations
platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project1/1.0/project1-1.0.jar:1
platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project2/1.0/project2-1.0.jar:1
platforms/documentation/docs/src/snippets/reference/dependency-management/dependency-management/customizingResolution-conditionalSubstitutionRule/common/repo/org.example/project3/1.0/project3-1.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal source repos are a known supply-cha
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal source repos are a known supply
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/unused/plugins/consuming/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal source repos are a known
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/unused/plugins/multiproject/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal source repos are a kn
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/unused/plugins/pluginVersions/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal source repos are a know
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/ivy-repo/com.example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` committed in source repo: `platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar` is a .jar binary (4,098 bytes) committed to a repo that otherwise has 12989 source files. Trojan binaries inside otherwise-normal source repos are a
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
platforms/documentation/docs/src/snippets/unused/plugins/resolutionRules/common/maven-repo/com/example/sample-plugins/1.0.0/sample-plugins-1.0.0.jar:1
high Security checks software Xxe conf 1.00 3 occurrences [SEC024] XML External Entity (XXE) — Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack.
Disable DTDs and external entities before parsing: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities"…
3 files, 3 locations
build-logic/build-update-utils/src/main/kotlin/gradlebuild/buildutils/tasks/AbstractVersionsUpdateTask.kt:67
build-logic/documentation/src/main/groovy/gradlebuild/docs/XIncludeAwareXmlProvider.groovy:39
build-logic/documentation/src/main/groovy/gradlebuild/docs/dsl/docbook/ClassDocExtensionsBuilder.java:75
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 41 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `kentaro-m/auto-assign-action` pinned to mutable ref `@v2.0.2`: `uses: kentaro-m/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. …
12 files, 38 locations
.github/workflows/update-perf-test-buckets.yml:23, 28, 40, 45 (8 hits)
.github/workflows/update-test-buckets.yml:23, 28, 60 (6 hits)
.github/workflows/contributor-pr.yml:50, 82, 116, 145 (4 hits)
.github/workflows/update-jdks.yml:42, 57 (4 hits)
.github/workflows/validate-codeowners.yml:20, 30, 38 (3 hits)
.github/workflows/check-markdown-links.yml:22 (2 hits)
.github/workflows/cleanup-stale-performance-data.yml:23, 29 (2 hits)
.github/workflows/codeql-analysis.yml:57, 96 (2 hits)
CI/CD securitySupply chainGitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 33 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
11 files, 33 locations
.github/workflows/contributor-pr.yml:32, 36, 41, 71, 73, 88, 105, 107, +2 more (10 hits)
.github/workflows/update-perf-test-buckets.yml:21, 35 (4 hits)
.github/workflows/update-test-buckets.yml:21, 34 (4 hits)
.github/workflows/codeql-analysis.yml:30, 34, 50 (3 hits)
.github/workflows/check-markdown-links.yml:19 (2 hits)
.github/workflows/submit-github-dependency-graph.yml:16, 17 (2 hits)
.github/workflows/update-agp-versions.yml:21, 35 (2 hits)
.github/workflows/update-jdks.yml:21 (2 hits)
CI/CD securitySupply chainGitHub Actions
high Security checks cicd CI/CD security conf 0.90 ✓ Repobility GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `gradle/update-jdks-action` pinned to mutable ref `@main`: `uses: gradle/update-jdks-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 4…
.github/workflows/update-jdks.yml:26 CI/CD securitySupply chainGitHub Actions
high System graph cicd CI/CD security conf 1.00 GitHub Action tracks a moving branch
gradle/update-jdks-action@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-jdks.yml:26 CI/CD securitySupply chainGithub actions
high System graph security security conf 1.00 Insecure pattern 'exec_used' in platforms/core-configuration/model-core/src/main/java/org/gradle/api/internal/provider/DefaultProviderFactory.java:227
Found a known-risky pattern (exec_used). Review and replace if possible.
platforms/core-configuration/model-core/src/main/java/org/gradle/api/internal/provider/DefaultProviderFactory.java:227 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in platforms/core-runtime/classpath/src/main/java/org/gradle/internal/classpath/Instrumented.java:238
Found a known-risky pattern (exec_used). Review and replace if possible.
platforms/core-runtime/classpath/src/main/java/org/gradle/internal/classpath/Instrumented.java:238 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in platforms/core-runtime/process-services/src/main/java/org/gradle/api/internal/ProcessOperations.java:27
Found a known-risky pattern (exec_used). Review and replace if possible.
platforms/core-runtime/process-services/src/main/java/org/gradle/api/internal/ProcessOperations.java:27 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in platforms/core-runtime/process-services/src/main/java/org/gradle/process/internal/DefaultExecActionFactory.java:213
Found a known-risky pattern (exec_used). Review and replace if possible.
platforms/core-runtime/process-services/src/main/java/org/gradle/process/internal/DefaultExecActionFactory.java:213 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in platforms/core-runtime/process-services/src/main/java/org/gradle/process/internal/DefaultExecOperations.java:36
Found a known-risky pattern (exec_used). Review and replace if possible.
platforms/core-runtime/process-services/src/main/java/org/gradle/process/internal/DefaultExecOperations.java:36 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in platforms/jvm/language-java/src/main/java/org/gradle/api/tasks/JavaExec.java:155
Found a known-risky pattern (exec_used). Review and replace if possible.
platforms/jvm/language-java/src/main/java/org/gradle/api/tasks/JavaExec.java:155 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in subprojects/core-api/src/main/java/org/gradle/api/provider/ProviderFactory.java:280
Found a known-risky pattern (exec_used). Review and replace if possible.
subprojects/core-api/src/main/java/org/gradle/api/provider/ProviderFactory.java:280 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in subprojects/core-api/src/main/java/org/gradle/process/ExecOperations.java:40
Found a known-risky pattern (exec_used). Review and replace if possible.
subprojects/core-api/src/main/java/org/gradle/process/ExecOperations.java:40 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in subprojects/core/src/main/java/org/gradle/api/tasks/AbstractExecTask.java:65
Found a known-risky pattern (exec_used). Review and replace if possible.
subprojects/core/src/main/java/org/gradle/api/tasks/AbstractExecTask.java:65 Exec used
medium Security checks security path traversal conf 1.00 3 occurrences [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
3 files, 3 locations
build-logic-commons/basics/src/main/kotlin/gradlebuild/basics/tasks/PackageListGenerator.kt:138
build-logic/binary-compatibility/src/main/groovy/gradlebuild/binarycompatibility/transforms/ExplodeZipAndFindJars.groovy:50
platforms/core-configuration/file-operations/src/main/java/org/gradle/api/internal/file/archive/TarFileTree.java:217
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
platforms/documentation/docs/src/docs/userguide/js/theme.js:12
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — platforms/documentation/docs/src/docs/release/content/releaseIssues.js:33
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph cicd CI/CD security conf 1.00 8 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
8 files, 8 locations
.github/workflows/cleanup-stale-performance-data.yml
.github/workflows/submit-github-dependency-graph.yml
.github/workflows/update-agp-versions.yml
.github/workflows/update-jdks.yml
.github/workflows/update-perf-test-buckets.yml
.github/workflows/update-test-buckets.yml
.github/workflows/upgrade-to-latest-wrapper.yml
.github/workflows/validate-codeowners.yml
CI/CD securitySupply chainGithub actions
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/core-execution/hashing/src/main/java/org/gradle/internal/hash/DefaultFileHasher.java:38
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/core-execution/hashing/src/main/java/org/gradle/internal/hash/DefaultFileHasher.java:38 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/core-execution/hashing/src/main/java/org/gradle/internal/hash/Hashing.java:43
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/core-execution/hashing/src/main/java/org/gradle/internal/hash/Hashing.java:43 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/core-execution/persistent-cache/src/main/java/org/gradle/cache/internal/btree/KeyHasher.java:49
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/core-execution/persistent-cache/src/main/java/org/gradle/cache/internal/btree/KeyHasher.java:49 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/core-runtime/base-services/src/jmh/java/org/gradle/internal/reflect/HashingAlgorithmsBenchmark.java:24
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/core-runtime/base-services/src/jmh/java/org/gradle/internal/reflect/HashingAlgorithmsBenchmark.java:24 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/documentation/docs/src/snippets/unused/worker-api/md5ClassloaderIsolation/common/buildSrc/src/main/java/GenerateMD5.java:16
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/documentation/docs/src/snippets/unused/worker-api/md5ClassloaderIsolation/common/buildSrc/src/main/java/GenerateMD5.java:16 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/documentation/docs/src/snippets/unused/worker-api/md5CustomTask/common/buildSrc/src/main/java/CreateMD5.java:25
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/documentation/docs/src/snippets/unused/worker-api/md5CustomTask/common/buildSrc/src/main/java/CreateMD5.java:25 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/documentation/docs/src/snippets/unused/worker-api/md5NoIsolation/common/buildSrc/src/main/java/GenerateMD5.java:16
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/documentation/docs/src/snippets/unused/worker-api/md5NoIsolation/common/buildSrc/src/main/java/GenerateMD5.java:16 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/documentation/docs/src/snippets/unused/worker-api/md5ProcessIsolation/common/buildSrc/src/main/java/GenerateMD5.java:16
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/documentation/docs/src/snippets/unused/worker-api/md5ProcessIsolation/common/buildSrc/src/main/java/GenerateMD5.java:16 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/software/dependency-management/src/main/java/org/gradle/api/internal/artifacts/ivyservice/ivyresolve/verification/writer/WriteDependencyVerificationFile.java:97
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/software/dependency-management/src/main/java/org/gradle/api/internal/artifacts/ivyservice/ivyresolve/verification/writer/WriteDependencyVerificationFile.java:97 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/software/dependency-management/src/main/java/org/gradle/api/internal/artifacts/verification/model/ChecksumKind.java:23
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/software/dependency-management/src/main/java/org/gradle/api/internal/artifacts/verification/model/ChecksumKind.java:23 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/software/dependency-management/src/main/java/org/gradle/internal/resource/transfer/DefaultCacheAwareExternalResourceAccessor.java:164
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/software/dependency-management/src/main/java/org/gradle/internal/resource/transfer/DefaultCacheAwareExternalResourceAccessor.java:164 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/software/resources-s3/src/main/java/org/gradle/internal/resource/transport/aws/s3/S3Resource.java:66
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/software/resources-s3/src/main/java/org/gradle/internal/resource/transport/aws/s3/S3Resource.java:66 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in platforms/software/resources-s3/src/main/java/org/gradle/internal/resource/transport/aws/s3/S3ResourceConnector.java:77
Found a known-risky pattern (weak_hash). Review and replace if possible.
platforms/software/resources-s3/src/main/java/org/gradle/internal/resource/transport/aws/s3/S3ResourceConnector.java:77 Weak hash
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
.teamcity/src/main/kotlin/promotion/StartReleaseCycle.kt:11 duplicationquality
low System graph quality Maintenance conf 1.00 815 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: platforms/documentation/docs-asciidoctor-extensions-base/src/main/resources/clipboard.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: platforms/documentation/docs/src/docs/dsl/sidebar.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: platforms/documentation/docs/src/snippets/optimizing-builds/build-cache/cacheable-bundle-task/common/scripts/a.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: platforms/documentation/docs/src/snippets/optimizing-builds/build-cache/cacheable-bundle-task/common/scripts/b.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: platforms/documentation/docs/src/snippets/optimizing-builds/build-cache/cacheable-bundle/common/scripts/a.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: platforms/documentation/docs/src/snippets/optimizing-builds/build-cache/cacheable-bundle/common/scripts/b.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: testing/internal-performance-testing/src/main/resources/org/gradle/reporting/report.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: testing/smoke-test/src/smokeTest/resources/org/gradle/play/integtest/fixtures/external/shared/public/javascripts/hello.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: testing/smoke-test/src/smokeTest/resources/org/gradle/smoketests/play-example/public/javascripts/hello.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `__call_old` in platforms/software/software-diagnostics/src/main/resources/org/gradle/api/tasks/diagnostics/htmldependencyreport/jquery.jstree.js:243
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — platforms/documentation/docs/src/snippets/optimizing-builds/build-cache/cacheable-bundle-task/common/scripts/a.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — platforms/documentation/docs/src/snippets/optimizing-builds/build-cache/cacheable-bundle-task/common/scripts/b.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — platforms/documentation/docs/src/snippets/optimizing-builds/build-cache/cacheable-bundle/common/scripts/a.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — platforms/documentation/docs/src/snippets/optimizing-builds/build-cache/cacheable-bundle/common/scripts/b.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — testing/smoke-test/src/smokeTest/resources/org/gradle/play/integtest/fixtures/external/shared/public/javascripts/hello.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — testing/smoke-test/src/smokeTest/resources/org/gradle/smoketests/play-example/public/javascripts/hello.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Complexity conf 1.00 Very large file: platforms/core-configuration/model-core/src/main/java/org/gradle/internal/instantiation/generator/AbstractClassGenerator.java (1597 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: platforms/core-configuration/model-core/src/main/java/org/gradle/internal/instantiation/generator/AsmBackedClassGenerator.java (2093 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: platforms/core-configuration/model-core/src/main/java/org/gradle/model/internal/manage/schema/extract/ManagedProxyClassGenerator.java (1007 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: platforms/core-configuration/model-core/src/test/groovy/org/gradle/internal/instantiation/generator/AsmBackedClassGeneratorTest.java (2148 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: platforms/core-configuration/model-reflect/src/main/java/org/gradle/internal/reflect/annotations/impl/DefaultTypeAnnotationMetadataStore.java (1029 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: platforms/core-runtime/service-registry-impl/src/main/java/org/gradle/internal/service/DefaultServiceRegistry.java (1497 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: platforms/ide/tooling-api/src/main/java/org/gradle/tooling/internal/consumer/parameters/BuildProgressListenerAdapter.java (1427 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: platforms/software/build-init/src/main/java/org/gradle/buildinit/plugins/internal/BuildScriptBuilder.java (2468 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: platforms/software/dependency-management/src/main/java/org/gradle/api/internal/artifacts/configurations/DefaultConfiguration.java (1935 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: platforms/software/dependency-management/src/main/java/org/gradle/api/internal/artifacts/ivyservice/ivyresolve/parser/IvyXmlModuleDescriptorParser.java (1414 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: platforms/software/dependency-management/src/main/java/org/gradle/api/internal/artifacts/ivyservice/resolveengine/graph/builder/NodeState.java (1427 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: platforms/software/software-diagnostics/src/main/resources/org/gradle/api/tasks/diagnostics/htmldependencyreport/jquery.jstree.js (1354 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: subprojects/core-api/src/main/java/org/gradle/api/Project.java (1951 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: subprojects/core/src/main/java/org/gradle/api/internal/project/DefaultProject.java (1619 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: subprojects/core/src/main/java/org/gradle/groovy/scripts/internal/GradleResolveVisitor.java (1669 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: testing/internal-integ-testing/src/main/groovy/org/gradle/integtests/fixtures/executer/AbstractGradleExecuter.java (1735 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/72589fb3-5d28-4958-82db-c6e0f8c38110/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/72589fb3-5d28-4958-82db-c6e0f8c38110/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.