File as GitHub Issue repo: hiyouga/LlamaFactory

Push this scan report to hiyouga/LlamaFactory

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

Workflow uses `secrets.QUAY_ASCEND_TOKEN` on a `pull_request` trigger

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)

| Severity | Rule | Title | File:line |
|---|---|---|---|
| CRIT | generic-api-key | Detected a Generic API Key, potentially exposing access to various services and sensitive… | data/glaive_toolcall_en_demo.json:7236 |
| CRIT | generic-api-key | Detected a Generic API Key, potentially exposing access to various services and sensitive… | data/glaive_toolcall_en_demo.json:5293 |
| CRIT | MINED116 | Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger | .github/workflows/tests.yml:52 |
| CRIT | MINED116 | Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger | .github/workflows/tests_npu.yml:44 |
| CRIT | MINED116 | Workflow uses `secrets.QUAY_ASCEND_TOKEN` on a `pull_request` trigger | .github/workflows/docker.yml:80 |
| CRIT | MINED116 | Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger | .github/workflows/docker.yml:72 |
| CRIT | MINED116 | Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger | .github/workflows/tests_cuda.yml:41 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | src/llamafactory/model/model_utils/quan…:148 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | src/llamafactory/extras/logging.py:49 |
| HIGH | MINED001 | [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… | src/llamafactory/extras/env.py:64 |
| HIGH | SEC078 | [SEC078] Python: requests without timeout: requests.get/post without a timeout will hang … | src/llamafactory/train/ppo/ppo_utils.py:38 |
| HIGH | SEC078 | [SEC078] Python: requests without timeout: requests.get/post without a timeout will hang … | src/llamafactory/api/chat.py:131 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | src/llamafactory/api/protocol.py:72 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | src/llamafactory/api/common.py:70 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | src/llamafactory/api/chat.py:131 |
| HIGH | MINED021 | [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can co… | scripts/convert_ckpt/llamafy_qwen.py:42 |
| HIGH | MINED021 | [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can co… | scripts/convert_ckpt/llamafy_baichuan2.…:34 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | src/llamafactory/chat/vllm_engine.py:97 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | scripts/vllm_infer.py:122 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | scripts/convert_ckpt/llamafy_baichuan2.…:36 |
| HIGH | SEC114 | [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… | scripts/convert_ckpt/llamafy_qwen.py:42 |
| HIGH | SEC114 | [SEC114] path.join / Path() on user-controlled segment without containment check: filepat… | scripts/convert_ckpt/llamafy_baichuan2.…:34 |
| HIGH | MINED110 | Blocking call `requests.post` inside async function `_generate` | src/llamafactory/chat/sglang_engine.py:217 |
| HIGH | MINED108 | `self.use_rslora` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:608 |
| HIGH | MINED108 | `self.pissa_init` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:601 |
| HIGH | MINED108 | `self.reward_model_quantization_bit` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:578 |
| HIGH | MINED108 | `self.ref_model_quantization_bit` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:577 |
| HIGH | MINED108 | `self.use_ref_model` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:574 |
| HIGH | MINED108 | `self.apollo_target` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:573 |
| HIGH | MINED108 | `self.galore_target` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:572 |
| HIGH | MINED108 | `self.additional_target` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:571 |
| HIGH | MINED108 | `self.oft_target` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:570 |
| HIGH | MINED108 | `self.lora_target` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:569 |
| HIGH | MINED108 | `self.lora_alpha` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:568 |
| HIGH | MINED108 | `self.freeze_extra_modules` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:567 |
| HIGH | MINED108 | `self.freeze_trainable_modules` used but never assigned in `__init__` | src/llamafactory/hparams/finetuning_arg…:566 |
| HIGH | MINED108 | `self.use_ray` used but never assigned in `__init__` | src/llamafactory/hparams/training_args.…:61 |
| HIGH | MINED108 | `self.get_rope_func` used but never assigned in `__init__` | scripts/bench_qwen.py:111 |
| HIGH | MINED108 | `self.get_rope_func` used but never assigned in `__init__` | scripts/bench_qwen.py:104 |
| HIGH | MINED108 | `self.model` used but never assigned in `__init__` | scripts/bench_qwen.py:87 |
| HIGH | MINED108 | `self.model` used but never assigned in `__init__` | scripts/bench_qwen.py:86 |
| HIGH | MINED108 | `self.get_rope_func` used but never assigned in `__init__` | scripts/bench_qwen.py:89 |
| HIGH | MINED108 | `self.get_rope_func` used but never assigned in `__init__` | scripts/bench_qwen.py:87 |
| HIGH | MINED108 | `self.model` used but never assigned in `__init__` | scripts/bench_qwen.py:85 |
| HIGH | MINED108 | `self.model` used but never assigned in `__init__` | scripts/bench_qwen.py:84 |
| HIGH | MINED108 | `self.get_rope_func` used but never assigned in `__init__` | scripts/bench_qwen.py:85 |
| HIGH | MINED108 | `self.model` used but never assigned in `__init__` | scripts/bench_qwen.py:82 |
| HIGH | MINED108 | `self.model` used but never assigned in `__init__` | scripts/bench_qwen.py:81 |
| HIGH | COMP001 | [COMP001] High cognitive complexity: Function `block_expansion` has cognitive complexity … | scripts/llama_pro.py:40 |
| HIGH | COMP001 | [COMP001] High cognitive complexity: Function `save_weight` has cognitive complexity 48 (… | scripts/convert_ckpt/llamafy_qwen.py:39 |
| HIGH | DKC004 | Compose service joins the host IPC namespace | docker/docker-rocm/docker-compose.yml:1 |
| HIGH | DKC009 | Compose service bind-mounts a sensitive host path | docker/docker-npu/docker-compose.yml:29 |
| HIGH | DKC004 | Compose service joins the host IPC namespace | docker/docker-npu/docker-compose.yml:29 |
| HIGH | DKC009 | Compose service bind-mounts a sensitive host path | docker/docker-npu/docker-compose.yml:1 |
| HIGH | DKC004 | Compose service joins the host IPC namespace | docker/docker-npu/docker-compose.yml:1 |
| HIGH | DKC004 | Compose service joins the host IPC namespace | docker/docker-cuda/docker-compose.yml:1 |
| HIGH | MINED115 | Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1` | .github/workflows/publish.yml:37 |
| HIGH | MINED115 | Action `astral-sh/setup-uv` pinned to mutable ref `@v7` | .github/workflows/publish.yml:27 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/publish.yml:24 |
| HIGH | MINED115 | Action `actions/cache` pinned to mutable ref `@v5` | .github/workflows/tests.yml:81 |
| HIGH | MINED115 | Action `astral-sh/setup-uv` pinned to mutable ref `@v7` | .github/workflows/tests.yml:61 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/tests.yml:58 |
| HIGH | MINED115 | Action `actions/deploy-pages` pinned to mutable ref `@v4` | .github/workflows/docs.yml:77 |
| HIGH | MINED115 | Action `actions/upload-pages-artifact` pinned to mutable ref `@v3` | .github/workflows/docs.yml:64 |
| HIGH | MINED115 | Action `actions/configure-pages` pinned to mutable ref `@v5` | .github/workflows/docs.yml:61 |
| HIGH | MINED115 | Action `actions/setup-python` pinned to mutable ref `@v5` | .github/workflows/docs.yml:30 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v4` | .github/workflows/docs.yml:27 |
| HIGH | MINED126 | Workflow container/services image `ascendai/cann:9.0.0-910b-ubuntu22.04-py3.11` unpinned | .github/workflows/tests_npu.yml:41 |
| HIGH | MINED115 | Action `astral-sh/setup-uv` pinned to mutable ref `@v7` | .github/workflows/tests_npu.yml:59 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/tests_npu.yml:50 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/docker.yml:53 |
| HIGH | MINED115 | Action `jlumbroso/free-disk-space` pinned to mutable ref `@v1.3.1` | .github/workflows/docker.yml:47 |
| HIGH | MINED115 | Action `astral-sh/setup-uv` pinned to mutable ref `@v7` | .github/workflows/tests_cuda.yml:50 |
| HIGH | MINED115 | Action `actions/checkout` pinned to mutable ref `@v6` | .github/workflows/tests_cuda.yml:47 |
| HIGH | MINED118 | Dockerfile FROM `pytorch/pytorch:2.6.0-cuda12.4-cudnn9-devel` not pinned by digest | docker/docker-cuda/Dockerfile.base:3 |
| HIGH | MINED118 | Dockerfile FROM `nvcr.io/nvidia/pytorch:25.06-py3` not pinned by digest | docker/docker-cuda/Dockerfile.megatron:3 |
| HIGH | MINED131 | pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.… | .pre-commit-config.yaml:22 |
| HIGH | MINED131 | pre-commit hook `https://github.com/asottile/pyupgrade` pinned to mutable rev `v3.20.0` | .pre-commit-config.yaml:16 |
| HIGH | MINED131 | pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v… | .pre-commit-config.yaml:2 |
| HIGH | SEC013 | [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file pat… | scripts/convert_ckpt/llamafy_qwen.py:42 |
| HIGH | SEC013 | [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file pat… | scripts/convert_ckpt/llamafy_baichuan2.…:34 |
| HIGH | MINED112 | FastAPI POST /v1/score/evaluation has no auth | src/llamafactory/api/app.py:118 |
| HIGH | MINED112 | FastAPI POST /v1/chat/completions has no auth | src/llamafactory/api/app.py:102 |
| MED | SEC136 | [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… | src/llamafactory/webui/common.py:146 |
| MED | ERR001 | [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… | src/llamafactory/webui/common.py:55 |
| MED | ERR001 | [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… | src/llamafactory/extras/env.py:64 |
| MED | SEC045 | [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even … | src/llamafactory/eval/evaluator.py:79 |
| MED | SEC127 | [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as T… | src/llamafactory/chat/vllm_engine.py:263 |
| MED | SEC046 | [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning win… | docs/_static/js/switcher.js:34 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/model/model_utils/valu…:53 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/model/model_utils/valu…:47 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/train/mca/workflow.py:156 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/v1/utils/packages.py:44 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/webui/components/data.…:47 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/webui/components/chatb…:45 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/webui/common.py:159 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/webui/common.py:79 |
| MED | MINED109 | Mutable default argument in `_get_scores` (dict) | src/llamafactory/chat/hf_engine.py:314 |
| MED | MINED109 | Mutable default argument in `_stream_chat` (dict) | src/llamafactory/chat/hf_engine.py:267 |
| MED | MINED109 | Mutable default argument in `_chat` (dict) | src/llamafactory/chat/hf_engine.py:212 |
| MED | MINED109 | Mutable default argument in `_process_args` (dict) | src/llamafactory/chat/hf_engine.py:73 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/extras/packages.py:38 |
| MED | MINED109 | Mutable default argument in `plot_loss` (list) | src/llamafactory/extras/ploting.py:69 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/extras/misc.py:44 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/train/trainer_utils.py:876 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/data/data_utils.py:194 |
| MED | MINED111 | Bare except continues silently | src/llamafactory/data/parser.py:111 |
| MED | MINED111 | Bare except continues silently | scripts/qwen_omni_merge.py:135 |
| MED | MINED111 | Bare except continues silently | scripts/qwen_omni_merge.py:86 |
| MED | COMP001 | [COMP001] High cognitive complexity: Function `save_weight` has cognitive complexity 18 (… | scripts/convert_ckpt/llamafy_baichuan2.…:31 |
| MED | AUC001 | [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks… | |
| MED | DKR017 | Dockerfile installs dependencies after copying the full source tree | docker/docker-rocm/Dockerfile:36 |
| MED | DKR017 | Dockerfile installs dependencies after copying the full source tree | docker/docker-npu/Dockerfile:38 |
| MED | DKR017 | Dockerfile installs dependencies after copying the full source tree | docker/docker-cuda/Dockerfile:35 |
| MED | DKR001 | Docker final stage has no non-root USER | docker/docker-rocm/Dockerfile:4 |
| MED | DKR001 | Docker final stage has no non-root USER | docker/docker-npu/Dockerfile:4 |
| MED | DKR001 | Docker final stage has no non-root USER | docker/docker-cuda/Dockerfile.megatron:3 |
| MED | DKR001 | Docker final stage has no non-root USER | docker/docker-cuda/Dockerfile.base:3 |
| MED | DKR001 | Docker final stage has no non-root USER | docker/docker-cuda/Dockerfile:3 |
| MED | WEB003 | Public web service has no security.txt | .well-known/security.txt |
| MED | DKR014 | Dockerfile copies broad context with incomplete .dockerignore | docker/docker-rocm/Dockerfile:33 |
| MED | DKR014 | Dockerfile copies broad context with incomplete .dockerignore | docker/docker-npu/Dockerfile:33 |
| MED | DKR014 | Dockerfile copies broad context with incomplete .dockerignore | docker/docker-cuda/Dockerfile:32 |
| MED | AUC012 | [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /… | |
| MED | AGT015 | Remote install command pipes network code directly to a shell | .github/workflows/tests_npu.yml:76 |
| LOW | AIC003 | Duplicated implementation block across source files | tests_v1/conftest.py:14 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/v1/utils/logging.py:33 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/v1/samplers/cli_sample…:64 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/v1/launcher.py:22 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/train/sft/workflow.py:84 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/train/sft/workflow.py:50 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/train/sft/trainer.py:82 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/train/sft/trainer.py:80 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/train/rm/trainer.py:35 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/train/rm/trainer.py:29 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/train/pt/workflow.py:26 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/train/pt/trainer.py:38 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/train/mca/workflow.py:258 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/train/kto/workflow.py:37 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/train/kto/trainer.py:20 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/data/processor/unsuper…:39 |
| LOW | AIC003 | Duplicated implementation block across source files | src/llamafactory/chat/vllm_engine.py:31 |
| LOW | AIC003 | Duplicated implementation block across source files | scripts/llama_pro.py:70 |
| LOW | AIC003 | Duplicated implementation block across source files | scripts/convert_ckpt/llamafy_qwen.py:62 |
| LOW | DKR010 | Dockerfile leaves apt package indexes in the image layer | docker/docker-cuda/Dockerfile.megatron:48 |
| LOW | DKR010 | Dockerfile leaves apt package indexes in the image layer | docker/docker-cuda/Dockerfile.base:36 |
| LOW | DKR010 | Dockerfile leaves apt package indexes in the image layer | docker/docker-cuda/Dockerfile.base:31 |
| LOW | DKR010 | Dockerfile leaves apt package indexes in the image layer | docker/docker-cuda/Dockerfile.base:26 |
| LOW | DKR012 | Dockerfile keeps pip download cache | docker/docker-rocm/Dockerfile:65 |
| LOW | DKR012 | Dockerfile keeps pip download cache | docker/docker-cuda/Dockerfile.megatron:65 |
| LOW | DKR011 | Dockerfile installs recommended OS packages | docker/docker-cuda/Dockerfile.megatron:50 |
| LOW | DKR011 | Dockerfile installs recommended OS packages | docker/docker-cuda/Dockerfile.megatron:48 |
| LOW | DKR012 | Dockerfile keeps pip download cache | docker/docker-cuda/Dockerfile.megatron:35 |
| LOW | DKR012 | Dockerfile keeps pip download cache | docker/docker-cuda/Dockerfile.megatron:24 |
| LOW | DKR012 | Dockerfile keeps pip download cache | docker/docker-cuda/Dockerfile.megatron:20 |
| LOW | DKR012 | Dockerfile keeps pip download cache | docker/docker-cuda/Dockerfile.megatron:18 |
| LOW | DKR012 | Dockerfile keeps pip download cache | docker/docker-cuda/Dockerfile.megatron:12 |
| LOW | DKR011 | Dockerfile installs recommended OS packages | docker/docker-cuda/Dockerfile.base:36 |
| LOW | DKR011 | Dockerfile installs recommended OS packages | docker/docker-cuda/Dockerfile.base:31 |
| LOW | DKR011 | Dockerfile installs recommended OS packages | docker/docker-cuda/Dockerfile.base:26 |
| LOW | DKR008 | .dockerignore misses sensitive defaults | .dockerignore |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | docker/docker-rocm/docker-compose.yml:1 |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | docker/docker-npu/docker-compose.yml:29 |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | docker/docker-npu/docker-compose.yml:1 |
| LOW | DKC010 | Compose service lacks no-new-privileges hardening | docker/docker-cuda/docker-compose.yml:1 |
| LOW | DKC006 | Compose service does not declare a runtime user | docker/docker-rocm/docker-compose.yml:1 |
| LOW | DKC006 | Compose service does not declare a runtime user | docker/docker-npu/docker-compose.yml:29 |
| LOW | DKC006 | Compose service does not declare a runtime user | docker/docker-npu/docker-compose.yml:1 |
| LOW | DKC006 | Compose service does not declare a runtime user | docker/docker-cuda/docker-compose.yml:1 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | src/webui.py:25 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | src/llamafactory/webui/interface.py:95 |
| INFO | MINED072 | [MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in. | src/llamafactory/v1/plugins/trainer_plu…:18 |
| INFO | MINED072 | [MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in. | src/llamafactory/v1/plugins/trainer_plu…:18 |
| INFO | MINED062 | [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | src/llamafactory/v1/utils/callbacks/tra…:25 |
| INFO | MINED062 | [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. | src/llamafactory/v1/accelerator/interfa…:54 |
| INFO | MINED076 | [MINED076] Catch And Reraise Noop: except X: raise X — adds no value, hides traceback if … | src/llamafactory/v1/samplers/cli_sample…:101 |
| INFO | MINED076 | [MINED076] Catch And Reraise Noop: except X: raise X — adds no value, hides traceback if … | src/llamafactory/chat/chat_model.py:180 |
| INFO | MINED064 | [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services. | src/llamafactory/webui/components/chatb…:93 |
| INFO | MINED064 | [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services. | src/llamafactory/v1/samplers/cli_sample…:97 |
| INFO | MINED064 | [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services. | src/llamafactory/chat/chat_model.py:176 |
| INFO | MINED077 | [MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles. | src/llamafactory/api/chat.py:128 |
| INFO | MINED067 | [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | src/llamafactory/train/ppo/ppo_utils.py:38 |
| INFO | MINED067 | [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… | src/llamafactory/api/chat.py:131 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | scripts/stat_utils/cal_ppl.py:104 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | scripts/stat_utils/cal_mfu.py:98 |
| INFO | MINED050 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… | scripts/stat_utils/cal_lr.py:79 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | src/llamafactory/data/processor/pairwis…:106 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | src/llamafactory/data/processor/feedbac…:127 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | scripts/stat_utils/cal_lr.py:91 |

189 findings available (after auto-suppression of test files + won't-fix).

Issue body (markdown)

## Code-quality scan: `hiyouga/LlamaFactory`

**Score: 72/100 (B-)**  ·  216 findings  ·  scanned 2026-06-05 08:17 UTC  ·  51,672 LOC

| Severity | Count |
|---|---|
| CRITICAL | 7 |
| HIGH | 76 |
| MEDIUM | 42 |
| LOW | 44 |

📊 [Full filterable report](https://repobility.com/scan/8370691f-4f2c-4b46-ba68-f1d31066d05f/)  ·  ![scorecard](https://repobility.com/scan/8370691f-4f2c-4b46-ba68-f1d31066d05f/report.png?v=1780647446-s2)

### Top findings

1. **CRITICAL** `generic-api-key` — Detected a Generic API Key, potentially exposing access to various services and sensitive 
   `data/glaive_toolcall_en_demo.json:7236`
2. **CRITICAL** `generic-api-key` — Detected a Generic API Key, potentially exposing access to various services and sensitive 
   `data/glaive_toolcall_en_demo.json:5293`
3. **CRITICAL** `MINED116` — Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger
   `.github/workflows/tests.yml:52` · ✓ Repobility
4. **CRITICAL** `MINED116` — Workflow uses `secrets.HF_TOKEN` on a `pull_request` trigger
   `.github/workflows/tests_npu.yml:44` · ✓ Repobility
5. **CRITICAL** `MINED116` — Workflow uses `secrets.QUAY_ASCEND_TOKEN` on a `pull_request` trigger
   `.github/workflows/docker.yml:80` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/8370691f-4f2c-4b46-ba68-f1d31066d05f/_
Already filed

This repo publishes a SECURITY.md policy and the scan contains 12 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.

Megaproject: high spam risk

Could not determine 'hiyouga/LlamaFactory' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub's new-issue page in a new tab. You will see the title + body pre-filled; review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.