Push this scan report to curl/curl

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Issue title

Hi @curl, an automated scan of this repository surfaced **11 code-quality findings** that may be worth a look. 
Full details, severity filters, and per-file context are at the link below — feel free to close this issue if it isn't useful to you.

## Full interactive report

**https://repobility.com/scan/8f98161c-b05e-4334-8527-5acaa3d0da82/**

![Live scan page](https://repobility.com/scan/8f98161c-b05e-4334-8527-5acaa3d0da82/report.png?v=1778938248)

## At a glance

- **Score**: `87/100`  •  **Grade**: `C`
- **Scanned**: `2026-05-16 13:30 UTC`
- **Lines of code**: 82,972
- **Total findings**: 11
- **Security-tagged**: 0
- **Credential / secret patterns**: 0

## Top issues, with file & line

_These are deterministic rule-based findings — the file paths and line numbers below are real and can be verified in your tree._

1. **[high]** No test files found
   _Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business lo…_
2. **[high]** [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. — `docs/examples/threaded.c:61`
   _Validate the URL against an allowlist BEFORE fetching:   ALLOWED = {'images.example.com', 'cdn.example.com'}   host = urlparse(url).hostname   if host not in ALLOWED: abort(400)…_
3. **[high]** [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. — `docs/examples/smooth-gtk-thread.c:91`
   _Validate the URL against an allowlist BEFORE fetching:   ALLOWED = {'images.example.com', 'cdn.example.com'}   host = urlparse(url).hostname   if host not in ALLOWED: abort(400)…_
4. **[high]** [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. — `include/curl/urlapi.h:113`
   _Validate the URL against an allowlist BEFORE fetching:   ALLOWED = {'images.example.com', 'cdn.example.com'}   host = urlparse(url).hostname   if host not in ALLOWED: abort(400)…_
5. **[low]** No LICENSE file
   _Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)._

See all 11 findings, with severity filters and AI fix prompts: **https://repobility.com/scan/8f98161c-b05e-4334-8527-5acaa3d0da82/**

---

**What is this?** [Repobility](https://repobility.com) is a research project that scans public repositories with a multi-layer static analyzer (rule-based, no AI hallucinations) and learns code-quality patterns across a broad cross-repo corpus. This is **not a sales pitch** — there's no paywall, no signup required to view the report, and no payment ask. If the findings aren't useful, please close this issue and we won't post again.

**To re-run after fixes land:** paste your repo URL at [repobility.com](https://repobility.com) — fresh scan, free.

_Issue filed via the public Repobility report at https://repobility.com/scan/8f98161c-b05e-4334-8527-5acaa3d0da82/._