Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

snapotter-hq/SnapOtter

https://github.com/snapotter-hq/SnapOtter · scanned 2026-05-17 01:37 UTC (14 hours, 44 minutes ago) · 10 languages

708 findings (58 legacy + 650 scanner) 8/10 scanners ran 98th percentile · Typescript · large (100-500K LoC) Scanner says 53 (higher by 34)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 14 hours, 44 minutes ago · v2 · 383 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
67.6
/100
Repobility
82
58 legacy
9-layer
53
100.0% cov · 325 gaps
Critical
38
click to filter
Agents
6
0 votes
Crowd
0
reported
Severity distribution — click a segment to filter
Active filters: severity: high × excluding tests × Reset all
Severity: Critical 38 High 16 Medium 47 Low 219 Source: Legacy 58 9-layer 325 Crowd 0 Layer: Security 49 Cicd 13 Quality 149 Software 67 Frontend 43 Hardware 7 Api 55
Scan summary Repository scanned at 53.0/100 with 100.0% coverage. It contains 3614 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 325 findings — concentrated in quality (116), software (64), api (55). Risk profile is high: 35 critical, 7 high, 34 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 15 of 383 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
packages/ai/python/enhance_faces.py:247 path_traversallegacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
packages/ai/python/detect_faces.py:236 path_traversallegacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
packages/ai/python/colorize.py:177 path_traversallegacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
apps/web/src/components/common/dropzone.tsx:131 ssrflegacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
apps/api/src/routes/fetch-urls.ts:101 ssrflegacy
high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
apps/api/src/plugins/oidc.ts:30 ssrflegacy
high Legacy security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
apps/web/src/pages/login-page.tsx:212 authlegacy
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://api.github.com/repos/snapotter-hq/snapotter (apps/landing/src/components/navbar.tsx:28)
`apps/landing/src/components/navbar.tsx:28` calls `GET https://api.github.com/repos/snapotter-hq/snapotter` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.github.com/repos/snapotter-hq/snapotter` If this …
wiringdangling-fetchfetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://api.imgflip.com/get_memes (scripts/fetch-meme-templates.ts:21)
`scripts/fetch-meme-templates.ts:21` calls `GET https://api.imgflip.com/get_memes` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.imgflip.com/get_memes` If this points at an external API, prefix it with `…
wiringdangling-fetchfetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /api/v1/tools/convert (apps/web/src/components/editor/common/export-dialog.tsx:194)
`apps/web/src/components/editor/common/export-dialog.tsx:194` calls `POST /api/v1/tools/convert` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/tools/convert` If this points at an external API, prefix it with `ht…
wiringdangling-fetchfetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /api/v1/tools/convert (apps/web/src/components/editor/common/export-dialog.tsx:262)
`apps/web/src/components/editor/common/export-dialog.tsx:262` calls `POST /api/v1/tools/convert` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/tools/convert` If this points at an external API, prefix it with `ht…
wiringdangling-fetchfetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /api/v1/tools/convert (apps/web/src/pages/editor-page.tsx:107)
`apps/web/src/pages/editor-page.tsx:107` calls `POST /api/v1/tools/convert` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/v1/tools/convert` If this points at an external API, prefix it with `https://` so the matche…
wiringdangling-fetchfetch
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in packages/ai/python/noise_removal.py:328
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/ai/python/noise_removal.py:328 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in packages/ai/python/dispatcher.py:235
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/ai/python/dispatcher.py:235 owaspexec_used
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docker/docker-compose.yml:7 dockerlegacy
{# ── 2026-05-17 Round 14: AI-agent bridge footer ────────────────────── Discoverability: the /agents/voting/ guide + MCP manifest exist but aren't linked from anywhere users actually land. Small, opt-in footer. #}
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/74b4c143-ebfb-420c-bd4a-ca532718732c/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/74b4c143-ebfb-420c-bd4a-ca532718732c/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.