Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
38 of your 74 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.4s · analysis 16.65s · 26.0 MB · GitHub API rate-limit (preflight)

ivov/lisette

https://github.com/ivov/lisette · scanned 2026-06-06 00:57 UTC (4 days ago) · 10 languages

260 raw signals (70 security + 190 graph) 11/13 scanners ran 76th percentile · Rust · large (100-500K LoC) System graph score 91 (lower by 12)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days ago · v2 · 104 actionable findings from 2 signal sources. 61 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
85.3
/100
Security checks
80
21 findings
System graph
91
100.0% cov · 83 findings
Critical
1
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 75.0 0.20 15.00
documentation_score 77.0 0.15 11.55
practices_score 77.0 0.15 11.55
code_quality 70.0 0.10 7.00
Overall 1.00 79.1
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 1 High 2 Medium 7 Low 79 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 21 System graph 83 Crowd 0 Layer: Software 53 Quality 44 Security 1 Cicd 3 Api 1 Frontend 2
Scan summary Quality grade B+ (79/100). Dimensions: security 100, maintainability 60. 70 findings (22 security). 213,819 lines analyzed.

Showing 89 of 104 actionable findings. 165 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED035] Js New Function: new Function(...) compiles strings to functions.
Review and fix per the pattern semantics. See CWE-95 / for context.
playground/src/runner/wasm-bridge.ts:214
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED134] Binary file `editors/intellij/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `editors/intellij/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,966 bytes) committed to a repo that otherwise has 604 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source.
editors/intellij/gradle/wrapper/gradle-wrapper.jar:1
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 29 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
lines 58, 68, 84, 122, 137, 151, 168, 185, +9 more
.github/workflows/release.yml:58, 68, 84, 122, 137, 151, 168, 185, +9 more (29 hits)
CI/CD securitySupply chainGitHub Actions
medium Security checks quality Quality conf 0.78 React interval is created without an explicit cleanup
Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant.
docs/play/monacoeditorwork/editor.worker.bundle.js:1145
high Security checks software dependencies conf 0.70 3 occurrences Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
3 files, 3 locations
docs/install.sh:2
docs/intro/quickstart.md:9
playground/README.md:82
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — docs/play/assets/index-BwChoxVW.js:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — docs/play/monacoeditorwork/editor.worker.bundle.js:3502
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — docs/play/wasm/lisette_wasm.js:379
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — playground/src/editor/textmate.ts:45
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-publish.yml CI/CD securitySupply chainGithub actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-prepare.yml CI/CD securitySupply chainGithub actions
low Security checks quality Error handling conf 1.00 3 occurrences [ERR003] Ignored Error (Go): Ignoring error return values.
Handle the error or use errcheck linter.
3 files, 3 locations
bindgen/internal/cli/cli.go:61
bindgen/internal/cli/generate_pkgs.go:57
bindgen/internal/convert/returns.go:313
low Security checks quality Quality conf 0.60 26 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 16 locations
crates/semantics/src/passes/lints/ast_walk/checks/helpers.rs:47, 135 (2 hits)
crates/semantics/src/passes/lints/ast_walk/checks/redundant_pattern_matching.rs:6, 8 (2 hits)
crates/semantics/src/passes/lints/ast_walk/checks/unnecessary_range_loop.rs:42, 47 (2 hits)
crates/semantics/src/passes/lints/ast_walk/checks/unsigned_comparison.rs:5, 11 (2 hits)
crates/cli/src/handlers/new.rs:112
crates/cli/src/handlers/run.rs:228
crates/diagnostics/src/diagnostic.rs:127
crates/emit/src/definitions/interfaces.rs:85
duplicationquality
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/abap-BrgZPUOV.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/apex-DyP6w7ZV.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/bat-CFOPXBzS.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/bicep-BfEKNvv3.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/cameligo-BFG1Mk7z.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/coffee-CDGzqUPQ.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/csharp-dUCx_-0o.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/csp-5Rap-vPy.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/css-D3h14YRZ.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/cypher-DrQuvNYM.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/dart-CFKIUWau.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/dockerfile-Zznr-cwX.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/ecl-Ce3n6wWz.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/elixir-deUWdS0T.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/fsharp-CzKuDChf.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/handlebars-CUy5QdJb.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/hcl-0cvrggvQ.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/html-C3fg5IRZ.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/java-B_fMsGYe.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/javascript-BZCtPaFQ.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/julia-Bqgm2twL.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/kotlin-BSkB5QuD.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/less-BsTHnhdd.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/lexon-YWi4-JPR.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/lua-nf6ki56Z.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/markdown-DSZPf7rp.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/mips-B_c3zf-v.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/mysql-DDwshQtU.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/php-CpIb_Oan.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/postiats-BKlk5iyT.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/powershell-Dd3NCNK9.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/pug-BaJupSGV.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/python-D-66HF36.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/redshift-25W9uPmb.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/restructuredtext-DfzH4Xui.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/ruby-Cp1zYvxS.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/scss-4Ik7cdeQ.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/solidity-Tw7wswEv.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/sophia-C5WLch3f.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/sparql-DHaeiCBh.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/swift-DwJ7jVG9.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/tcl-DnHyzjbg.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/twig-CPajHgWi.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/typespec-D-MeaMDU.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/vb-DgyLZaXg.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/xml-B17-ZEqm.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/assets/yaml-imBL_GtK.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/play/wasm/lisette_wasm_bg.wasm.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: editors/vscode/esbuild.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: playground/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Tests conf 1.00 Low test-to-source ratio
105 tests / 484 src (ratio 0.22).
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `pg_is_in_backup` in docs/play/assets/pgsql-tGk8EFnU.js:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `pg_is_in_backup` in docs/play/assets/redshift-25W9uPmb.js:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `reportsDeprecated` in docs/play/assets/tsMode-C-fsfhVS.js:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `showDeprecated` in docs/play/monacoeditorwork/editor.worker.bundle.js:7881
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/play/assets/index-BwChoxVW.js:23
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/play/monacoeditorwork/editor.worker.bundle.js:273
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Complexity conf 1.00 Very large file: crates/cli/src/handlers/doc.rs (1691 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/diagnostics/src/infer.rs (3013 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/emit/src/patterns/decision_tree.rs (1644 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/lsp/src/lib.rs (1387 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/lsp/tests/lsp.rs (11497 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/semantics/src/checker/infer/expressions/functions.rs (1491 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/syntax/src/ast.rs (1958 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/syntax/src/lex/mod.rs (1513 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/syntax/src/parse/expressions.rs (1648 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/syntax/src/types.rs (1629 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: docs/play/monacoeditorwork/editor.worker.bundle.js (13519 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/spec/emit/control_flow.rs (3407 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/spec/emit/expressions.rs (4511 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/spec/emit/types.rs (3368 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/spec/infer/equality.rs (3163 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/spec/infer/types.rs (5816 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/spec/parse/mod.rs (3624 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/ui/errors/mod.rs (8181 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/ui/lint/mod.rs (9472 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/8062a915-8e13-4d5c-8cd3-25745c390771/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/8062a915-8e13-4d5c-8cd3-25745c390771/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.