Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

Scan timing: clone 1.42s · analysis 0.53s · 2.4 MB · GitHub API rate-limit (preflight)

opengaming/osgameclones

https://github.com/opengaming/osgameclones · scanned 2026-05-31 01:24 UTC (1 week, 6 days ago) · 10 languages

99 raw signals (39 security + 60 graph) 36th percentile · Python · small (2-20K LoC) System graph score 81 (lower by 20)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 6 days ago · v2 · 46 actionable findings from 2 signal sources. 23 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
77.2
/100
Security checks
73
28 findings
System graph
81
100.0% cov · 18 findings
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 75.0 0.15 11.25
security_score 83.5 0.25 20.88
testing_score 0.0 0.20 0.00
documentation_score 71.1 0.15 10.66
practices_score 77.0 0.15 11.55
code_quality 66.0 0.10 6.60
Overall 1.00 60.9
Severity distribution — click a segment to filter
Active filters: source: scanner × excluding tests × Reset all
Severity: Critical 0 High 6 Medium 12 Low 14 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 28 System graph 18 Crowd 0 Layer: Quality 20 Cicd 10 Security 2 Software 5 Api 1 Frontend 4 Hardware 4
Scan summary Quality grade C+ (61/100). Dimensions: security 84, maintainability 75. 39 findings (17 security). 3,004 lines analyzed.

Showing 14 of 46 actionable findings. 69 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high System graph quality Integrity conf 1.00 Blocking `httpx.get(...)` inside `async def check_link` — scripts/check_links.py:13
Sync I/O inside an async function blocks the event loop. While `httpx.get(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_threa…
scripts/check_links.py:13 Sync io in asyncPerformance
high System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Action tracks a moving branch
actions/checkout@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
3 files, 4 locations
.github/workflows/main.yml:8, 21 (2 hits)
.github/workflows/pr_check.yml:9
.github/workflows/pr_comment.yml:15
CI/CD securitySupply chainGithub actions
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:1 containersPinned dependencies
medium System graph hardware Security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/main.yml CI/CD securitySupply chainGithub actions
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 15 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
Coverage
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: nginx:1.27.4-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:16 containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: .github/workflows/pr_comment.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 2 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: _ext.py:names, _ext.py:names This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
2 occurrences
repo-level (2 hits)
duplicatesduplication
low System graph software Dead code conf 1.00 Possibly dead Python function: parse_item
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
_ext.py:126
low System graph software Dead code conf 1.00 Possibly dead Python function: sort_key
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
_ext.py:269
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — static/main.js:345
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — templates/forms/static/main.js:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/72d19b5e-7f9c-4656-9ae4-1db71aafbad8/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/72d19b5e-7f9c-4656-9ae4-1db71aafbad8/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.