10 of your 63 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.27s · analysis 2.72s · 2.5 MB · GitHub API rate-limit (preflight)

avelino/awesome-go

https://github.com/avelino/awesome-go · scanned 2026-06-05 04:37 UTC (5 hours, 41 minutes ago) · 10 languages

74 findings (64 legacy + 10 scanner) 20th percentile · Go · small (2-20K LoC) Scanner says 96 (lower by 21)


Complete repo analysis

Last scanned 5 hours, 41 minutes ago · v2 · 69 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component             Sub-score  Weight  Contribution
structure_score           100.0    0.15         15.00
security_score             55.0    0.25         13.75
testing_score              80.0    0.20         16.00
documentation_score        82.0    0.15         12.30
practices_score            72.0    0.15         10.80
code_quality               69.4    0.10          6.94
Overall                       -    1.00         74.8
Scan summary Repository scanned at 95.6/100 with 55.6% coverage. It contains 72 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 5 findings — concentrated in cicd (3), api (1), frontend (1). Risk profile is low: 0 critical, 0 high, 1 medium. Recommended next step: open the cicd layer findings first — that's where the highest-impact wins live.

Showing 65 of 69 findings.

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/cache` pinned to mutable ref `@v4`
`uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA and lock with Dependabot or Renovate.
.github/workflows/site-deploy.yaml:22 · dependency · legacy
high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA and lock with Dependabot or Renovate.
.github/workflows/run-check.yaml:16 · dependency · legacy
high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA and lock with Dependabot or Renovate.
.github/workflows/site-deploy.yaml:18 · dependency · legacy
high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA and lock with Dependabot or Renovate.
.github/workflows/pr-quality-check.yaml:49 · dependency · legacy
high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/setup-node` pinned to mutable ref `@v6`
`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA and lock with Dependabot or Renovate.
.github/workflows/site-deploy.yaml:32 · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · golang.org/x/net: GO-2026-4440
Quadratic parsing complexity in golang.org/x/net/html
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · golang.org/x/net: GO-2026-4441
Infinite parsing loop in golang.org/x/net
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · golang.org/x/net: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · golang.org/x/net: GO-2026-5025
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · golang.org/x/net: GO-2026-5026
Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · golang.org/x/net: GO-2026-5027
Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · golang.org/x/net: GO-2026-5028
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · golang.org/x/net: GO-2026-5029
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · golang.org/x/net: GO-2026-5030
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · golang.org/x/sys: GO-2026-5024
Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-3563
Request smuggling due to acceptance of invalid chunked data in net/http
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-3749
Usage of ExtKeyUsageAny disables policy validation in crypto/x509
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-3750
Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-3751
Sensitive headers not cleared on cross-origin redirect in net/http
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-3849
Incorrect results returned from Rows.Scan in database/sql
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-3956
Unexpected paths returned from LookPath in os/exec
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4006
Excessive CPU consumption in ParseAddress in net/mail
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4007
Quadratic complexity when checking name constraints in crypto/x509
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4008
ALPN negotiation error contains attacker controlled information in crypto/tls
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4009
Quadratic complexity when parsing some invalid inputs in encoding/pem
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4010
Insufficient validation of bracketed IPv6 hostnames in net/url
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4011
Parsing DER payload can cause memory exhaustion in encoding/asn1
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4012
Lack of limit when parsing cookies can cause memory exhaustion in net/http
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4013
Panic when validating certificates with DSA public keys in crypto/x509
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4014
Unbounded allocation when parsing GNU sparse map in archive/tar
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4015
Excessive CPU consumption in Reader.ReadResponse in net/textproto
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4155
Excessive resource consumption when printing error string for host certificate validation in crypto/x509
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2025-4175
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4337
Unexpected session resumption in crypto/tls
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in crypto/tls
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4403
Improper access to parent directory of root in os
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4601
Incorrect parsing of IPv6 host literals in net/url
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4602
FileInfo can escape from a Root in os
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4603
URLs in meta content attribute actions are not escaped in html/template
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4864
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4869
Unbounded allocation for old GNU sparse in archive/tar
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4946
Inefficient policy validation in crypto/x509
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4947
Unexpected work during chain building in crypto/x509
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4971
Panic in Dial and LookupPort when handling NUL byte on Windows in net
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4976
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4977
Quadratic string concatenation in consumePhrase in net/mail
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4980
Escaper bypass leads to XSS in html/template
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4981
Crash when handling long CNAME response in net
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4982
Bypass of meta content URL escaping causes XSS in html/template
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-4986
Quadratic string concatenation in consumeComment in net/mail
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-5037
Inefficient candidate hostname parsing in crypto/x509
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-5038
Quadratic complexity in WordDecoder.DecodeHeader in mime
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.88 · stdlib: GO-2026-5039
Arbitrary inputs are included in errors without any escaping in net/textproto
go.mod · dependency · legacy
high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Workflow container/services image `golang:latest` unpinned
`container/services image: golang:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
.github/workflows/run-check.yaml:14 · dependency · legacy
high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Workflow container/services image `golang:latest` unpinned
`container/services image: golang:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
.github/workflows/site-deploy.yaml:16 · dependency · legacy
high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Workflow container/services image `golang:latest` unpinned
`container/services image: golang:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
.github/workflows/pr-quality-check.yaml:38 · dependency · legacy
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/pr-quality-check.yaml · supply-chain · github-actions · least-privilege
high · Legacy · quality · quality · conf 0.86 · Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
.github/scripts/check-quality/main.go:188 · quality · legacy
low · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/site-deploy.yaml:22 · supply-chain · github-actions · pinned-dependencies
low · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/site-deploy.yaml:32 · supply-chain · github-actions · pinned-dependencies
API access

This page is publicly accessible at: https://repobility.com/scan/8a9786a9-f820-4353-a30d-bf4f5c088a14/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/8a9786a9-f820-4353-a30d-bf4f5c088a14/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.