151 of your 325 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub was slow: 59.9s for a 140.1 MB repo.
  • Repobility's analysis ran in 44.0s after the clone landed.

n8n-io/n8n

https://github.com/n8n-io/n8n · scanned 2026-06-05 04:32 UTC (11 hours, 43 minutes ago) · 10 languages

2791 findings (269 legacy + 2522 scanner) · 11/13 scanners ran · 81st percentile · Typescript · huge (>500K LoC) · Scanner says 55 (higher by 35)


Complete repo analysis

Last scanned 11 hours, 42 minutes ago · v2 · 1530 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 60.0 | 0.15 | 9.00 |
| security_score | 100.0 | 0.25 | 25.00 |
| testing_score | 100.0 | 0.20 | 20.00 |
| documentation_score | 97.0 | 0.15 | 14.55 |
| practices_score | 91.0 | 0.15 | 13.65 |
| code_quality | 78.0 | 0.10 | 7.80 |
| Overall | | 1.00 | 90.0 |

security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: layer: software; excluding tests
Scan summary: Repository scanned at 55.0/100 with 100.0% coverage. It contains 50889 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 1261 findings — concentrated in quality (541), frontend (407), api (111). Risk profile is high: 33 critical, 76 high, 123 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 119 of 1530 findings.

critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci-pull-requests.yml:17 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.DOCKER_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/docker-build-smoke.yml:42 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.DOCKER_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/docker-build-smoke.yml:41 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.N8N_ASSISTANT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/util-backport-bundle.yml:33 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.N8N_ASSISTANT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/sec-publish-fix.yml:20 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.N8N_ASSISTANT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/docker-build-smoke.yml:55 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.N8N_ASSISTANT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/util-cleanup-abandoned-release-branches.yml:21 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.N8N_ASSISTANT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/sec-publish-fix.yml:21 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.N8N_ASSISTANT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/docker-build-smoke.yml:56 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.N8N_ASSISTANT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_ASSISTANT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/util-cleanup-abandoned-release-branches.yml:22 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.N8N_NOTIFY_PR_STATUS_CHANGED_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_NOTIFY_PR_STATUS_CHANGED_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/util-notify-pr-status.yml:28 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.N8N_NOTIFY_PR_STATUS_CHANGED_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_NOTIFY_PR_STATUS_CHANGED_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/util-notify-pr-status.yml:26 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.N8N_NOTIFY_PR_STATUS_CHANGED_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.N8N_NOTIFY_PR_STATUS_CHANGED_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/util-notify-pr-status.yml:18 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.QA_METRICS_WEBHOOK_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QA_METRICS_WEBHOOK_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci-pull-requests.yml:20 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.QA_METRICS_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QA_METRICS_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci-pull-requests.yml:18 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.QA_METRICS_WEBHOOK_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QA_METRICS_WEBHOOK_USER }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci-pull-requests.yml:19 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.QBOT_SLACK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QBOT_SLACK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/build-windows.yml:60 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.QBOT_SLACK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QBOT_SLACK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/sec-publish-fix.yml:57 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.QBOT_SLACK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QBOT_SLACK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/docker-build-smoke.yml:77 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.RELEASE_HELPER_SLACK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RELEASE_HELPER_SLACK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci-detect-new-packages.yml:34 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.RELEASE_HELPER_SLACK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RELEASE_HELPER_SLACK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/release-publish.yml:252 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/release-publish.yml:61 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/publish.yml:76 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/ci.yml:19 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/publish.yml:79 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/ci.yml:22 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml` pinned to mutable ref `@v2.1.0`: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@<40-char-sha> # v2.1.0` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-push.yml:356 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml` pinned to mutable ref `@v2.1.0`: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@<40-char-sha> # v2.1.0` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-push.yml:337 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml` pinned to mutable ref `@v2.1.0`: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@<40-char-sha> # v2.1.0` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-push.yml:318 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `alpine:3.22` not pinned by digest: `FROM alpine:3.22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM alpine:3.22@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/images/runners/Dockerfile:83 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM debian:bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/images/runners/Dockerfile.distroless:140 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM debian:bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/images/runners/Dockerfile.distroless:107 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `gcr.io/distroless/cc-debian12:latest` not pinned by digest: `FROM gcr.io/distroless/cc-debian12:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM gcr.io/distroless/cc-debian12:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/images/runners/Dockerfile.distroless:180 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `n8nio/base (no tag)` not pinned by digest: `FROM n8nio/base (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM n8nio/base (no tag)@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/images/n8n/Dockerfile:21 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:24.15.0` not pinned by digest: `FROM node:24.15.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:24.15.0@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
packages/@n8n/benchmark/Dockerfile:2 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED122] package.json dep `wa-sqlite` pulled from URL/Git: `dependencies.wa-sqlite` = `github:rhashimoto/wa-sqlite#779219540f66cecaa159da32b3b8936697ba10a7` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.
packages/frontend/editor-ui/package.json:1 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.
packages/@n8n/instance-ai/package.json:1 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.
packages/nodes-base/package.json:1 dependencylegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
.github/scripts/github-helpers.mjs:257 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
.github/scripts/determine-version-info.mjs:78 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
.github/scripts/claude-task/prepare-claude-prompt.mjs:49 xsslegacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `export interface RequirementsExtractor<TRequirement> {` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `export interface RequirementsExtractor<TRequirement> {` with `export interface RequirementsExtractor<TRequirement> {==<version>` and manage upgrades through PRs / Dependabot.
packages/cli/src/modules/n8n-packages/entities/requirements-extractor.ts:3 dependencylegacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `extract(workflow: WorkflowEntity): TRequirement[];` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `extract(workflow: WorkflowEntity): TRequirement[];` with `extract(workflow: WorkflowEntity): TRequirement[];==<version>` and manage upgrades through PRs / Dependabot.
packages/cli/src/modules/n8n-packages/entities/requirements-extractor.ts:4 dependencylegacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `}` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `}` with `}==<version>` and manage upgrades through PRs / Dependabot.
packages/cli/src/modules/n8n-packages/entities/requirements-extractor.ts:5 dependencylegacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/README.md:25 dependencylegacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: .prettierrc.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: jest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/public/static/base-path.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/defaults.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/factories/credential.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/factories/credentialType.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/factories/tag.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/factories/user.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/factories/variable.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/factories/workflow.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/fixtures/tags.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/fixtures/workflows.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/models/credential.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/models/credentialType.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/models/tag.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/models/user.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/models/variable.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/models/workflow.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/__tests__/server/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/init.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/polyfills.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/aiGateway.store.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/cloudPlan.store.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/history.store.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/logs.store.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/npsStore.store.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/rbac.store.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/roles.store.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/settings.store.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/ui.store.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/webhooks.store.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/workflows.store.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/stores/workflowsList.store.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/types/collection-parameter.types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/types/completions.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/types/expressions.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/types/externalHooks.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/types/nodeSettings.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/types/pushConnection.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/types/rbac.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/types/router.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/types/telemetry.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/app/types/utils.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/Interface.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/main.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/src/shims-global.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/frontend/editor-ui/vite/source-map-js-shim.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/block-npm-install.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: vitest.workspace.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code conf 1.00 Possibly dead Python function: custom_print
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_executor.py:415 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: edge_match
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/similarity.py:64 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: node_del_cost
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/similarity.py:56 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: node_ins_cost
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/similarity.py:59 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: node_sort_key
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/similarity.py:440 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: node_subst_cost
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/similarity.py:53 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: normalize_fromAI
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/cost_functions.py:36 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: safe_import
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_executor.py:583 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: start_auto_shutdown
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/shutdown.py:75 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_arg
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:223 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_AsyncFunctionDef
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:198 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_Attribute
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:84 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_Call
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:107 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_Call
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_executor.py:60 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_ClassDef
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:207 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_Constant
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:171 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_ExceptHandler
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:216 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_FunctionDef
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:189 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_Global
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:179 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_Import
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:46 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_ImportFrom
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:58 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_MatchClass
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:230 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_Name
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:78 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_Subscript
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
packages/@n8n/task-runner-python/src/task_analyzer.py:142 dead-code
API access

This page is publicly accessible at: https://repobility.com/scan/7b1f984f-8cdc-41d5-9e24-88be612a5d44/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/7b1f984f-8cdc-41d5-9e24-88be612a5d44/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.