91 of your 132 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 6.3s · analysis 48.59s · 15.3 MB · GitHub API rate-limit (preflight)

claude-howto

https://github.com/luongnv89/claude-howto.git · scanned 2026-06-03 04:06 UTC (2 days, 4 hours ago) · 10 languages

675 findings (157 legacy + 518 scanner) · 43rd percentile · Python · small (2-20K LoC) · Scanner says 92 (lower by 26)


Complete repo analysis

Last scanned 2 days, 4 hours ago · v7 · 231 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score            40.0     0.15           6.00
security_score             55.0     0.25          13.75
testing_score              72.0     0.20          14.40
documentation_score       100.0     0.15          15.00
practices_score            82.0     0.15          12.30
code_quality               36.5     0.10           3.65
Overall                       -     1.00           65.1
Active filters: excluding tests
Scan summary Repository scanned at 91.6/100 with 100.0% coverage. It contains 1232 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 74 findings — concentrated in cicd (34), quality (22), frontend (10). Risk profile is low: 0 critical, 0 high, 12 medium. Recommended next step: open the cicd layer findings first — that's where the highest-impact wins live.

Showing 157 of 231 findings.

critical · Legacy · security · credential_exposure · conf 0.95 · Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
zh/SECURITY.md:243 · credential_exposure · legacy

critical · Legacy · security · credential_exposure · conf 0.95 · Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
uk/SECURITY.md:247 · credential_exposure · legacy

critical · Legacy · security · credential_exposure · conf 0.95 · Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
SECURITY.md:243 · credential_exposure · legacy

critical · Legacy · security · credential_exposure · conf 0.95 · Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
ja/SECURITY.md:247 · credential_exposure · legacy

critical · Legacy · security · credential_exposure · conf 0.95 · Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
Gitleaks detected a committed secret or credential pattern.
uk/claude_concepts_guide.md:2041 · credential_exposure · legacy

critical · Legacy · security · credential_exposure · conf 0.95 · Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
Gitleaks detected a committed secret or credential pattern.
ja/claude_concepts_guide.md:2046 · credential_exposure · legacy

critical · Legacy · security · credential_exposure · conf 0.95 · Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
Gitleaks detected a committed secret or credential pattern.
claude_concepts_guide.md:2041 · credential_exposure · legacy

critical · Legacy · security · credential_exposure · conf 0.95 · Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
Gitleaks detected a committed secret or credential pattern.
ja/07-plugins/documentation/templates/api-endpoint.md:72 · credential_exposure · legacy

critical · Legacy · security · credential_exposure · conf 0.95 · Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
Gitleaks detected a committed secret or credential pattern.
03-skills/doc-generator/SKILL.md:57 · credential_exposure · legacy

critical · Legacy · security · credential_exposure · conf 0.95 · Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
Gitleaks detected a committed secret or credential pattern.
07-plugins/documentation/templates/api-endpoint.md:68 · credential_exposure · legacy

low · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
uk/06-hooks/context-tracker-tiktoken.py:117 · quality · legacy

low · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
06-hooks/context-tracker.py:95 · quality · legacy

low · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
06-hooks/context-tracker-tiktoken.py:117 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks.
Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group.
uk/06-hooks/pre-tool-check.sh:75 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks.
Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group.
ja/06-hooks/pre-tool-check.sh:101 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · [MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks.
Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group.
06-hooks/pre-tool-check.sh:103 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._collect_folder` used but never assigned in __init__
Method `collect_all_chapters` of class `ChapterCollector` reads `self._collect_folder`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scripts/build_epub.py:468 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._extract_return_type` used but never assigned in __init__
Method `visit_FunctionDef` of class `APIDocExtractor` reads `self._extract_return_type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
uk/03-skills/doc-generator/generate-docs.py:19 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._render_one` used but never assigned in __init__
Method `render_all` of class `MermaidRenderer` reads `self._render_one`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scripts/build_epub.py:345 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self._resolve_mmdc` used but never assigned in __init__
Method `render_all` of class `MermaidRenderer` reads `self._resolve_mmdc`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scripts/build_epub.py:338 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · `self.generic_visit` used but never assigned in __init__
Method `visit_FunctionDef` of class `APIDocExtractor` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
uk/03-skills/doc-generator/generate-docs.py:22 · quality · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/checkout` pinned to mutable ref `@v4`
`uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/release.yml:20 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/checkout` pinned to mutable ref `@v4`
`uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/docs-check.yml:93 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/checkout` pinned to mutable ref `@v4`
`uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/docs-check.yml:68 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/checkout` pinned to mutable ref `@v4`
`uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/docs-check.yml:51 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/checkout` pinned to mutable ref `@v4`
`uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/docs-check.yml:33 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/setup-node` pinned to mutable ref `@v4`
`uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/docs-check.yml:71 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/setup-node` pinned to mutable ref `@v4`
`uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/docs-check.yml:36 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/setup-python` pinned to mutable ref `@v4`
`uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/docs-check.yml:96 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/setup-python` pinned to mutable ref `@v4`
`uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/docs-check.yml:79 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · Action `actions/setup-python` pinned to mutable ref `@v4`
`uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/docs-check.yml:54 · dependency · legacy

high · Legacy · software · dependency · conf 0.88 · markdown: PYSEC-2026-89
Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown m…
scripts/requirements.txt · dependency · legacy

high · Legacy · software · dependency · conf 0.88 · markdown: PYSEC-2026-89
Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown m…
scripts/requirements-dev.txt · dependency · legacy

high · Legacy · software · dependency · conf 0.88 · pillow: GHSA-cfh3-3jmp-rvhc
Pillow affected by out-of-bounds write when loading PSD images
scripts/requirements.txt · dependency · legacy

high · Legacy · software · dependency · conf 0.88 · pillow: GHSA-cfh3-3jmp-rvhc
Pillow affected by out-of-bounds write when loading PSD images
scripts/requirements-dev.txt · dependency · legacy

high · Legacy · software · dependency · conf 0.88 · pillow: GHSA-pwv6-vv43-88gr
Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)
scripts/requirements.txt · dependency · legacy

high · Legacy · software · dependency · conf 0.88 · pillow: GHSA-pwv6-vv43-88gr
Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)
scripts/requirements-dev.txt · dependency · legacy

high · Legacy · software · dependency · conf 0.88 · pillow: GHSA-whj4-6x5x-4v2j
FITS GZIP decompression bomb in Pillow
scripts/requirements.txt · dependency · legacy

high · Legacy · software · dependency · conf 0.88 · pillow: GHSA-whj4-6x5x-4v2j
FITS GZIP decompression bomb in Pillow
scripts/requirements-dev.txt · dependency · legacy

high · Legacy · software · dependency · conf 0.88 · pillow: PYSEC-2026-165
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
scripts/requirements.txt · dependency · legacy

high · Legacy · software · dependency · conf 0.88 · pillow: PYSEC-2026-165
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
scripts/requirements-dev.txt · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.8.2`
`.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.8.2`. If `v0.8.2` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:10 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · pre-commit hook `https://github.com/pre-commit/mirrors-mypy` pinned to mutable rev `v1.13.0`
`.pre-commit-config.yaml` references `https://github.com/pre-commit/mirrors-mypy` at `rev: v1.13.0`. If `v1.13.0` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:55 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v5.0.0`
`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v5.0.0`. If `v5.0.0` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:36 · dependency · legacy

high · Legacy · software · dependency · conf 0.90 · ✓ Repobility · pre-commit hook `https://github.com/PyCQA/bandit` pinned to mutable rev `1.7.10`
`.pre-commit-config.yaml` references `https://github.com/PyCQA/bandit` at `rev: 1.7.10`. If `1.7.10` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:24 · dependency · legacy

medium · Legacy · software · redos · conf 1.00 · [SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more.
Three options, pick one:
1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is functionally equivalent to `a+` for matching purposes.
2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in replacement for `re` for most use cases.
3. Set a hard timeout: `s…
scripts/check_markdown_rendering.py:46 · redos · legacy

high · Legacy · quality · quality · conf 0.68 · Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
zh/QUICK_REFERENCE.md:100 · quality · legacy

high · Legacy · quality · quality · conf 0.68 · Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
zh/INDEX.md:396 · quality · legacy

high · Legacy · quality · quality · conf 0.68 · Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
ja/QUICK_REFERENCE.md:104 · quality · legacy

high · Legacy · quality · quality · conf 0.68 · Agent auto-approve or skip-permissions mode is easy to enable
Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits.
ja/INDEX.md:404 · quality · legacy

high · Legacy · quality · quality · conf 0.72 · Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
scripts/vendor_assets.py:1 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
03-skills/refactor/scripts/detect-smells.py:646 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
03-skills/refactor/scripts/analyze-complexity.py:479 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
uk/03-skills/refactor/scripts/detect-smells.py:646 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
uk/03-skills/refactor/scripts/analyze-complexity.py:479 · quality · legacy

high · Legacy · quality · quality · conf 1.00 · ✓ Repobility · Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
scripts/check_links.py:80 · quality · legacy

medium · Legacy · software · dependency · conf 0.88 · filelock: GHSA-qmgc-5h2g-mvrw
filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
scripts/requirements-dev.txt · dependency · legacy

medium · Legacy · software · dependency · conf 0.88 · filelock: GHSA-w853-jp5j-5j7f
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation
scripts/requirements-dev.txt · dependency · legacy

medium · Legacy · software · dependency · conf 0.88 · idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
scripts/requirements.txt · dependency · legacy

medium · Legacy · software · dependency · conf 0.88 · idna: GHSA-65pc-fj4g-8rjx
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
scripts/requirements-dev.txt · dependency · legacy

medium · Legacy · software · dependency · conf 0.88 · jinja2: GHSA-cpwx-vrp4-4pq7
Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
scripts/requirements.txt · dependency · legacy

medium · Legacy · software · dependency · conf 0.88 · jinja2: GHSA-cpwx-vrp4-4pq7
Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
scripts/requirements-dev.txt · dependency · legacy

medium · Legacy · software · dependency · conf 0.88 · jinja2: GHSA-gmj6-6f8f-6699
Jinja has a sandbox breakout through malicious filenames
scripts/requirements.txt · dependency · legacy

medium · Legacy · software · dependency · conf 0.88 · jinja2: GHSA-gmj6-6f8f-6699
Jinja has a sandbox breakout through malicious filenames
scripts/requirements-dev.txt · dependency · legacy

medium · Legacy · software · dependency · conf 0.88 · jinja2: GHSA-q2x7-8rv6-6q7h
Jinja has a sandbox breakout through indirect reference to format method
scripts/requirements.txt · dependency · legacy

medium · Legacy · software · dependency · conf 0.88 · jinja2: GHSA-q2x7-8rv6-6q7h
Jinja has a sandbox breakout through indirect reference to format method
scripts/requirements-dev.txt · dependency · legacy

medium · Legacy · software · dependency · conf 0.88 · pillow: GHSA-r73j-pqj5-w3x7
Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
scripts/requirements.txt · dependency · legacy

medium · Legacy · software · dependency · conf 0.88 · pillow: GHSA-r73j-pqj5-w3x7
Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
scripts/requirements-dev.txt · dependency · legacy

high · Legacy · software · dependency · conf 0.70 · Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
vi/09-advanced-features/README.md:393 · dependency · legacy

high · Legacy · software · dependency · conf 0.70 · Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
uk/09-advanced-features/README.md:399 · dependency · legacy

high · Legacy · software · dependency · conf 0.70 · Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
ja/09-advanced-features/README.md:461 · dependency · legacy

medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:23 · supply-chain · github-actions · pinned-dependencies

medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
softprops/action-gh-release@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:76 · supply-chain · github-actions · pinned-dependencies

medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
astral-sh/setup-uv@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pages.yml:32 · supply-chain · github-actions · pinned-dependencies

medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml · supply-chain · github-actions · least-privilege

medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/pages.yml · supply-chain · github-actions · least-privilege

medium · 9-layer · quality · integrity · conf 1.00 · Network/subprocess call without timeout or try/except — scripts/vendor_assets.py:73
`urllib.request.urlopen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
scripts/vendor_assets.py:73 · integrity · fragile-runtime · robustness
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
vi/09-advanced-features/setup-auto-mode-permissions.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
vi/07-plugins/pr-review/hooks/pre-review.js:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
vi/07-plugins/devops-automation/hooks/pre-deploy.js:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
vi/07-plugins/devops-automation/hooks/post-deploy.js:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
vi/06-hooks/context-tracker.py:26 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
vi/06-hooks/context-tracker.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
vi/06-hooks/context-tracker-tiktoken.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
uk/09-advanced-features/setup-auto-mode-permissions.py:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
scripts/build_website.py:83 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
uk/07-plugins/pr-review/hooks/pre-review.js:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
uk/07-plugins/devops-automation/hooks/pre-deploy.js:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
uk/07-plugins/devops-automation/hooks/post-deploy.js:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
uk/06-hooks/context-tracker.py:26 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
uk/06-hooks/context-tracker.py:1 quality, legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
uk/06-hooks/context-tracker-tiktoken.py:1 quality, legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
uk/03-skills/refactor/scripts/detect-smells.py:1 quality, legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
uk/03-skills/refactor/scripts/analyze-complexity.py:1 quality, legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
uk/03-skills/doc-generator/generate-docs.py:1 quality, legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
06-hooks/context-tracker.py:26 quality, legacy
low Legacy software dependency conf 0.90 Python package `beautifulsoup4` is minor version(s) behind (4.12.3 -> 4.14.3)
`beautifulsoup4==4.12.3` is minor version(s) behind the latest stable release on PyPI (4.14.3). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
scripts/requirements.txt:4 dependency, legacy
low Legacy software dependency conf 0.90 Python package `ebooklib` is minor version(s) behind (0.18 -> 0.20)
`ebooklib==0.18` is minor version(s) behind the latest stable release on PyPI (0.20). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
scripts/requirements.txt:2 dependency, legacy
low Legacy software dependency conf 0.90 Python package `markdown` is minor version(s) behind (3.7 -> 3.10.2)
`markdown==3.7` is minor version(s) behind the latest stable release on PyPI (3.10.2). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
scripts/requirements.txt:3 dependency, legacy
low Legacy software dependency conf 0.90 Python package `tenacity` is minor version(s) behind (9.0.0 -> 9.1.4)
`tenacity==9.0.0` is minor version(s) behind the latest stable release on PyPI (9.1.4). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.
scripts/requirements.txt:7 dependency, legacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scripts/website_templates/tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs-check.yml:33 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs-check.yml:36 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs-check.yml:51 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs-check.yml:54 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs-check.yml:68 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs-check.yml:71 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs-check.yml:79 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs-check.yml:93 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docs-check.yml:96 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:26 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:46 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/download-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:66 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-pages-artifact@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pages.yml:38 supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/deploy-pages@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pages.yml:52 supply-chain, github-actions, pinned-dependencies
low 9-layer quality tests conf 1.00 Low test-to-source ratio
6 tests / 37 src (ratio 0.16).
tests
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/code-review-specialist/scripts/compare-complexity.py:calculate_cyclomatic_complexity, 03-skills/code-review-specialist/scripts/compare-complexity.py:calculate_cyclomatic_complexity This is *the* AI-coder failure mode (4× more duplication…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/code-review-specialist/scripts/compare-complexity.py:calculate_cognitive_complexity, 03-skills/code-review-specialist/scripts/compare-complexity.py:calculate_cognitive_complexity This is *the* AI-coder failure mode (4× more duplication i…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/code-review-specialist/scripts/compare-complexity.py:calculate_maintainability_index, 03-skills/code-review-specialist/scripts/compare-complexity.py:calculate_maintainability_index This is *the* AI-coder failure mode (4× more duplication…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/code-review-specialist/scripts/compare-complexity.py:get_complexity_report, 03-skills/code-review-specialist/scripts/compare-complexity.py:get_complexity_report This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/code-review-specialist/scripts/compare-complexity.py:compare_files, 03-skills/code-review-specialist/scripts/compare-complexity.py:compare_files This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://j…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/code-review-specialist/scripts/analyze-metrics.py:analyze_code_metrics, 03-skills/code-review-specialist/scripts/analyze-metrics.py:analyze_code_metrics This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see h…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/doc-generator/generate-docs.py:visit_FunctionDef, 03-skills/doc-generator/generate-docs.py:visit_FunctionDef This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate o…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/doc-generator/generate-docs.py:generate_markdown_docs, 03-skills/doc-generator/generate-docs.py:generate_markdown_docs This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Con…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/refactor/scripts/analyze-complexity.py:calculate_cyclomatic_complexity, 03-skills/refactor/scripts/analyze-complexity.py:calculate_cyclomatic_complexity This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see h…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/refactor/scripts/analyze-complexity.py:calculate_cognitive_complexity, 03-skills/refactor/scripts/analyze-complexity.py:calculate_cognitive_complexity This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see htt…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/refactor/scripts/analyze-complexity.py:calculate_maintainability_index, 03-skills/refactor/scripts/analyze-complexity.py:calculate_maintainability_index This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see h…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/refactor/scripts/analyze-complexity.py:count_lines, 03-skills/refactor/scripts/analyze-complexity.py:count_lines This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolida…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/refactor/scripts/analyze-complexity.py:find_functions, 03-skills/refactor/scripts/analyze-complexity.py:find_functions This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Con…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: uk/03-skills/refactor/scripts/analyze-complexity.py:analyze, 03-skills/refactor/scripts/analyze-complexity.py:analyze This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or do…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: 09-advanced-features/setup-auto-mode-permissions.py:parse_args, uk/09-advanced-features/setup-auto-mode-permissions.py:parse_args, vi/09-advanced-features/setup-auto-mode-permissions.py:parse_args This is *the* AI-coder failure mode (4× more duplicat…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: 09-advanced-features/setup-auto-mode-permissions.py:load_settings, uk/09-advanced-features/setup-auto-mode-permissions.py:load_settings, vi/09-advanced-features/setup-auto-mode-permissions.py:load_settings This is *the* AI-coder failure mode (4× more…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: 09-advanced-features/setup-auto-mode-permissions.py:build_permissions, uk/09-advanced-features/setup-auto-mode-permissions.py:build_permissions, vi/09-advanced-features/setup-auto-mode-permissions.py:build_permissions This is *the* AI-coder failure m…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: 09-advanced-features/setup-auto-mode-permissions.py:append_unique, uk/09-advanced-features/setup-auto-mode-permissions.py:append_unique, vi/09-advanced-features/setup-auto-mode-permissions.py:append_unique This is *the* AI-coder failure mode (4× more…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: 09-advanced-features/setup-auto-mode-permissions.py:atomic_write_json, uk/09-advanced-features/setup-auto-mode-permissions.py:atomic_write_json, vi/09-advanced-features/setup-auto-mode-permissions.py:atomic_write_json This is *the* AI-coder failure m…
integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: 09-advanced-features/setup-auto-mode-permissions.py:main, uk/09-advanced-features/setup-auto-mode-permissions.py:main, vi/09-advanced-features/setup-auto-mode-permissions.py:main This is *the* AI-coder failure mode (4× more duplication in vibe-coded …
integrity, duplicate, dry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: check_url
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/check_links.py:66 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: create_epub
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/build_epub.py:1020 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: replace_mermaid
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/build_epub.py:727 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: update_translation_queue
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/sync_translations.py:154 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_FunctionDef
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
uk/03-skills/doc-generator/generate-docs.py:11 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: visit_FunctionDef
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
03-skills/doc-generator/generate-docs.py:11 dead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — 07-plugins/devops-automation/hooks/post-deploy.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality, fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — 07-plugins/devops-automation/hooks/pre-deploy.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality, fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — 07-plugins/pr-review/hooks/pre-review.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality, fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — uk/07-plugins/devops-automation/hooks/post-deploy.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality, fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — uk/07-plugins/devops-automation/hooks/pre-deploy.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality, fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — uk/07-plugins/pr-review/hooks/pre-review.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality, fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — vi/07-plugins/devops-automation/hooks/post-deploy.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality, fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — vi/07-plugins/devops-automation/hooks/pre-deploy.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality, fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — vi/07-plugins/pr-review/hooks/pre-review.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality, fq.console-leak
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
07-plugins/devops-automation/scripts/rollback.sh:23 quality, legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
07-plugins/devops-automation/scripts/health-check.sh:10 quality, legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
07-plugins/devops-automation/scripts/deploy.sh:26 quality, legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
uk/06-hooks/context-tracker-tiktoken.py:29 quality, legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
06-hooks/context-tracker.py:110 quality, legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
06-hooks/context-tracker-tiktoken.py:29 quality, legacy

This page is publicly accessible at: https://repobility.com/scan/8b67872a-a5da-4289-a507-147fcb4d2911/
