Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
33 of your 57 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.33s · analysis 8.48s · 0.3 MB · GitHub API rate-limit (preflight)

public-apis

https://github.com/public-apis/public-apis.git · scanned 2026-06-04 04:12 UTC (1 day, 4 hours ago) · 10 languages

104 findings (56 legacy + 48 scanner) 66th percentile · Python · tiny (<2K LoC) Scanner says 88 (lower by 18)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 day, 4 hours ago · v6 · 64 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
73.9
/100
Repobility
60
56 legacy
9-layer
88
55.6% cov · 8 gaps
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 55.0 0.15 8.25
security_score 55.0 0.25 13.75
testing_score 85.0 0.20 17.00
documentation_score 85.0 0.15 12.75
practices_score 70.0 0.15 10.50
code_quality 80.0 0.10 8.00
Overall 1.00 70.2
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 43 Medium 8 Low 9 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 56 9-layer 8 Crowd 0 Layer: Software 27 Quality 29 Api 1 Frontend 1 Cicd 6
Scan summary Repository scanned at 87.8/100 with 55.6% coverage. It contains 87 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 8 findings — concentrated in cicd (6), api (1), frontend (1). Risk profile is low: 0 critical, 0 high, 0 medium. Recommended next step: open the cicd layer findings first — that's where the highest-impact wins live.

Showing 26 of 64 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v2`
`uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/validate_links.yml:17 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-python` pinned to mutable ref `@v2`
`uses: actions/setup-python@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/validate_links.yml:20 dependencylegacy
high Legacy software dependency conf 0.88 certifi: PYSEC-2022-42986
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust sto…
scripts/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 certifi: PYSEC-2023-135
Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems.
scripts/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 certifi: PYSEC-2024-230
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates …
scripts/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 idna: PYSEC-2024-60
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulne…
scripts/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 requests: PYSEC-2023-74
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent …
scripts/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 urllib3: GHSA-2xpw-w6gg-jr37
urllib3 streaming API improperly handles highly compressed data
scripts/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 urllib3: GHSA-38jv-5279-wg99
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
scripts/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 urllib3: GHSA-gm62-xv2j-4w53
urllib3 allows an unbounded number of links in the decompression chain
scripts/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 urllib3: PYSEC-2023-192
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak infor…
scripts/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 urllib3: PYSEC-2023-212
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required b…
scripts/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 urllib3: PYSEC-2026-141
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
scripts/requirements.txt dependencylegacy
medium Legacy software dependency conf 0.90 Python package `certifi` is 5 major version(s) behind (2021.10.8 -> 2026.5.20)
`certifi==2021.10.8` is 5 major version(s) behind the latest stable release on PyPI (2026.5.20). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
scripts/requirements.txt:1 dependencylegacy
medium Legacy software dependency conf 0.90 Python package `charset-normalizer` is 1 major version(s) behind (2.0.10 -> 3.4.7)
`charset-normalizer==2.0.10` is 1 major version(s) behind the latest stable release on PyPI (3.4.7). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
scripts/requirements.txt:2 dependencylegacy
medium Legacy software dependency conf 0.90 Python package `urllib3` is 1 major version(s) behind (1.26.8 -> 2.7.0)
`urllib3==1.26.8` is 1 major version(s) behind the latest stable release on PyPI (2.7.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
scripts/requirements.txt:5 dependencylegacy
medium Legacy software dependency conf 0.88 requests: GHSA-9hjg-9r4m-mvj7
Requests vulnerable to .netrc credentials leak via malicious URLs
scripts/requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 requests: GHSA-9wx4-h78v-vm56
Requests `Session` object does not verify requests after making first request with verify=False
scripts/requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 requests: GHSA-gc5v-m9x4-r6x2
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
scripts/requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 urllib3: GHSA-34jh-p97f-mpxf
urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
scripts/requirements.txt dependencylegacy
medium Legacy software dependency conf 0.88 urllib3: GHSA-pq67-6m6q-mj2v
urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
scripts/requirements.txt dependencylegacy
low Legacy software dependency conf 0.90 Python package `idna` is minor version(s) behind (3.3 -> 3.18)
`idna==3.3` is minor version(s) behind the latest stable release on PyPI (3.18). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
scripts/requirements.txt:3 dependencylegacy
low Legacy software dependency conf 0.90 Python package `requests` is minor version(s) behind (2.27.1 -> 2.34.2)
`requests==2.27.1` is minor version(s) behind the latest stable release on PyPI (2.34.2). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
scripts/requirements.txt:4 dependencylegacy
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/validate_links.yml:17 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/validate_links.yml:20 supply-chaingithub-actionspinned-dependencies
low Legacy quality quality conf 1.00 ✓ Repobility [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
Review and fix per the pattern semantics. See CWE-400 / for context.
scripts/validate/links.py:167 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/8a53490f-106d-43fc-b5b7-d6909ad84ab7/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/8a53490f-106d-43fc-b5b7-d6909ad84ab7/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.