Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

payloadcms/payload

https://github.com/payloadcms/payload · scanned 2026-05-16 13:37 UTC (3 weeks, 3 days ago) · 10 languages

1367 raw signals (172 security + 1195 graph) 8/10 scanners ran 2nd percentile · Typescript · huge (>500K LoC)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 3 weeks, 5 days ago · v1 · 42 actionable findings from 1 signal source. 128 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
63.2
/100
Security checks
59
42 findings
System graph
67
100.0% cov · 0 findings
Critical
1
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-17-v4 calibration-aware
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 23.7 0.25 5.92
testing_score 95.0 0.20 19.00
documentation_score 74.0 0.15 11.10
practices_score 75.0 0.15 11.25
code_quality 80.0 0.10 8.00
Overall 1.00 68.0
Calibrated penalty buckets (security_score): web: 3.0 · authz: 10.6 · docker: 140.4 · threat: 12.8 · journey: 44.4
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 1 High 21 Medium 11 Low 5 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 42 System graph 0 Crowd 0 Layer: Quality 10 Security 13 Cicd 18 Software 1
Scan summary Quality grade B- (68/100). Dimensions: security 24, maintainability 85. 172 findings (12 security). 601,524 lines analyzed.

Showing 36 of 42 actionable findings. 170 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks cicd CI/CD security conf 0.90 3 occurrences Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
3 files, 3 locations
templates/with-postgres/docker-compose.yml:19
templates/with-vercel-website/docker-compose.yml:3
test/docker-compose.yml:116
CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.84 14 occurrences Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
11 files, 14 locations
test/docker-compose.yml:19, 52, 83, 145 (4 hits)
examples/astro/payload/docker-compose.yml:19
examples/localization/docker-compose.yml:17
examples/remix/payload/docker-compose.yml:19
templates/_template/docker-compose.yml:19
templates/blank/docker-compose.yml:19
templates/website/docker-compose.yml:17
templates/with-postgres/docker-compose.yml:19
CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.92 11 occurrences Dockerfile copies the entire context without .dockerignore
Create .dockerignore before using broad context copies, or copy only the required files and directories.
11 files, 11 locations
examples/astro/payload/Dockerfile:25
examples/localization/Dockerfile:8
examples/remix/payload/Dockerfile:25
examples/remix/website/Dockerfile:9
templates/_template/Dockerfile:26
templates/blank/Dockerfile:26
templates/website/Dockerfile:26
templates/with-postgres/Dockerfile:26
CI/CD securitycontainers
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 23.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(frontend)/(sitemaps)/pages-sitemap.xml.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
templates/with-vercel-website/src/app/(frontend)/(sitemaps)/pages-sitemap.xml/route.ts:64
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(frontend)/(sitemaps)/pages-sitemap.xml.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
templates/website/src/app/(frontend)/(sitemaps)/pages-sitemap.xml/route.ts:64
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(frontend)/(sitemaps)/posts-sitemap.xml.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
templates/with-vercel-website/src/app/(frontend)/(sitemaps)/posts-sitemap.xml/route.ts:51
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(frontend)/(sitemaps)/posts-sitemap.xml.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
templates/website/src/app/(frontend)/(sitemaps)/posts-sitemap.xml/route.ts:51
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(frontend)/next/exit-preview.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
templates/with-vercel-website/src/app/(frontend)/next/exit-preview/route.ts:3
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(frontend)/next/exit-preview.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
templates/website/src/app/(frontend)/next/exit-preview/route.ts:3
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(frontend)/next/preview.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
templates/with-vercel-website/src/app/(frontend)/next/preview/route.ts:15
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /(frontend)/next/preview.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
templates/website/src/app/(frontend)/next/preview/route.ts:15
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /(frontend)/next/seed.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
templates/with-vercel-website/src/app/(frontend)/next/seed/route.ts:8
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /(frontend)/next/seed.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
templates/website/src/app/(frontend)/next/seed/route.ts:8
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
templates/ecommerce/src/app/(app)/(account)/orders/page.tsx:38
medium Security checks cicd CI/CD security conf 0.94 15 occurrences Compose service `mongo` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
10 files, 15 locations
test/docker-compose.yml:19, 52, 116, 145, 184, 221 (6 hits)
examples/astro/payload/docker-compose.yml:19
examples/localization/docker-compose.yml:17
examples/remix/payload/docker-compose.yml:19
templates/_template/docker-compose.yml:19
templates/blank/docker-compose.yml:19
templates/website/docker-compose.yml:17
templates/with-postgres/docker-compose.yml:19
CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.86 Database dump or local database file is included in Docker build context
Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow.
.dockerignore CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.88 10 occurrences Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
10 files, 10 locations
examples/astro/payload/docker-compose.yml:19
examples/localization/docker-compose.yml:17
examples/remix/payload/docker-compose.yml:19
templates/_template/docker-compose.yml:19
templates/blank/docker-compose.yml:19
templates/website/docker-compose.yml:17
templates/with-postgres/docker-compose.yml:19
templates/with-vercel-mongodb/docker-compose.yml:19
CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases.
.dockerignore CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
examples/remix/website/Dockerfile:20 CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
examples/localization/Dockerfile:12 CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.90 Dockerfile installs dependencies after copying the full source tree
Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree.
examples/remix/website/Dockerfile:17 CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.90 Dockerfile installs dependencies after copying the full source tree
Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree.
examples/localization/Dockerfile:9 CI/CD securitycontainers
high Security checks quality Quality conf 0.74 15 occurrences Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
9 files, 15 locations
packages/plugin-ecommerce/src/types/index.ts:137, 159, 161, 197 (4 hits)
packages/plugin-ecommerce/src/collections/carts/endpoints/updateItem.ts:28, 34, 40 (3 hits)
packages/plugin-mcp/src/index.ts:92, 93 (2 hits)
packages/payload/src/config/types.ts:239
templates/ecommerce/src/endpoints/seed/index.ts:87
templates/website/src/endpoints/seed/index.ts:43
templates/website/src/utilities/getMediaUrl.ts:7
templates/with-vercel-website/src/endpoints/seed/index.ts:43
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt
low Security checks cicd CI/CD security conf 0.68 9 occurrences App service does not wait for database health
Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`.
9 files, 9 locations
examples/astro/payload/docker-compose.yml:3
examples/localization/docker-compose.yml:3
examples/remix/payload/docker-compose.yml:3
templates/_template/docker-compose.yml:3
templates/blank/docker-compose.yml:3
templates/website/docker-compose.yml:3
templates/with-postgres/docker-compose.yml:3
templates/with-vercel-mongodb/docker-compose.yml:3
CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.56 13 occurrences Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
10 files, 13 locations
test/docker-compose.yml:167, 184, 198, 221 (4 hits)
examples/astro/payload/docker-compose.yml:3
examples/localization/docker-compose.yml:3
examples/remix/payload/docker-compose.yml:3
templates/_template/docker-compose.yml:3
templates/blank/docker-compose.yml:3
templates/website/docker-compose.yml:3
templates/with-postgres/docker-compose.yml:3
CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.62 13 occurrences Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
10 files, 13 locations
test/docker-compose.yml:167, 184, 198, 221 (4 hits)
examples/astro/payload/docker-compose.yml:3
examples/localization/docker-compose.yml:3
examples/remix/payload/docker-compose.yml:3
templates/_template/docker-compose.yml:3
templates/blank/docker-compose.yml:3
templates/website/docker-compose.yml:3
templates/with-postgres/docker-compose.yml:3
CI/CD securitycontainers
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 18 locations
packages/db-vercel-postgres/src/index.ts:3, 11, 159 (3 hits)
packages/db-mongodb/src/findVersions.ts:50, 75 (2 hits)
packages/db-mongodb/src/updateOne.ts:35, 66 (2 hits)
packages/db-sqlite/src/index.ts:1, 10 (2 hits)
packages/db-vercel-postgres/src/connect.ts:47, 81 (2 hits)
.github/actions/activity/src/popular-issues.ts:18
packages/codemod/src/transforms/migrate-import-export-hooks/non-matching.output.ts:1
packages/db-mongodb/src/countGlobalVersions.ts:21
duplicationquality
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date.
humans.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt.
sitemap.xml
low Security checks quality Quality conf 0.74 robots.txt does not advertise a sitemap
Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt.
.github/actions/activity/pnpm-lock.yaml
high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
packages/db-mongodb/src/predefinedMigrations/migrateVersionsV1_V2.ts:1
high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
packages/db-mongodb/src/predefinedMigrations/migrateRelationshipsV2_V3.ts:1
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/836245fa-286f-4238-953c-95e0eac60349/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/836245fa-286f-4238-953c-95e0eac60349/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.