36 of your 258 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.99s · analysis 13.03s · 10.1 MB · GitHub API rate-limit (preflight)

chef/supermarket

https://github.com/chef/supermarket · scanned 2026-06-05 18:26 UTC (4 days, 18 hours ago) · 10 languages

319 raw signals (219 security + 100 graph) System graph score 76 (lower by 25)


Complete repo analysis

Last scanned 4 days, 18 hours ago · v2 · 206 actionable findings from 2 signal sources. 63 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score            65.0     0.15           9.75
security_score             22.9     0.25           5.72
testing_score              15.0     0.20           3.00
documentation_score        85.0     0.15          12.75
practices_score            80.0     0.15          12.00
code_quality               72.9     0.10           7.29
Overall                             1.00           50.5
Active filters: excluding tests
Scan summary Quality grade C- (50/100). Dimensions: security 23, maintainability 65. 219 findings (158 security). 40,548 lines analyzed.

Showing 189 of 206 actionable findings. 269 raw detector signals were grouped into reader-sized issues.

critical Security checks security secrets conf 0.95 7 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern. Triage by location before rotating: a hit inside documentation (install_supermarket.md) or a bundled license file (licenses.json) is usually sample text that merely has the shape of a key; `config/secrets.yml` holds a real credential only where the value is a literal rather than an `<%= ENV[...] %>` lookup; a dummy app under spec/ is a test fixture. Any value that was ever live must be rotated, because removing it from HEAD does not remove it from the repository history.
4 files, 7 locations
docs-chef-io/content/supermarket/install_supermarket.md:75, 330, 331 (3 hits)
src/supermarket/config/secrets.yml:16, 21 (2 hits)
src/supermarket/app/assets/data/licenses.json:4395
src/supermarket/engines/fieri/spec/dummy/config/secrets.yml:14
critical Security checks software dependencies conf 0.88 rack-session: GHSA-33qg-7wpp-89cq
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
src/supermarket/engines/fieri/Gemfile.lock
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in postgresql/default.toml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
postgresql/default.toml:24, 29 (2 hits)
critical System graph security Secrets conf 1.00 Possible secret in src/supermarket/habitat-sidekiq/default.toml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
src/supermarket/habitat-sidekiq/default.toml:26
critical System graph security Secrets conf 1.00 Possible secret in src/supermarket/habitat-web/default.toml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
src/supermarket/habitat-web/default.toml:82
high Security checks security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /cookbooks/:id/transfer_ownership. In Rails, routes.rb declares paths and carries no permissions, so the evidence to look for is in the controller action behind this route: it must load the cookbook by `:id` and then authorize the current user against that specific record (the owner, not merely any signed-in user) before changing ownership.
src/supermarket/config/routes.rb:56
high Security checks quality Quality conf 1.00 [SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path traversal (CVE-2007-4559, fixed via PEP 706 in Python 3.12). Ported from bandit B202 (Apache-2.0).
Add `filter='data'` (Python ≥ 3.12) or validate each member's resolved path against `os.path.abspath` of the destination before extracting. Caveat: the flagged file is Ruby, not Python, so the `tarfile` remediation does not apply literally; the review point carries over unchanged: whatever reader extracts cookbook artifacts must reject members whose resolved path (via `..`, an absolute name, or a symlink target) lands outside the destination directory.
src/supermarket/engines/fieri/app/models/cookbook_artifact.rb:43
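The rule text is Python-specific but the flagged file is Ruby, so here is the same guard in Ruby as an added example (not the project's cookbook_artifact.rb, whose extraction code this page does not show): a tar stream built in memory with two hostile member names is extracted only where the resolved path stays inside the destination. It uses only Ruby's bundled `rubygems/package` tar reader and writer; the member names and contents are constructed.

```ruby
require 'rubygems/package'
require 'stringio'
require 'fileutils'
require 'tmpdir'

# Resolves a tar member name against dest_dir and returns the absolute target
# path, or nil when extracting it would write outside dest_dir.
# Rejected: NUL bytes, absolute names, "~" (File.expand_path expands it), and
# any "../" hop that leaves the root, including the sibling-prefix trick
# ("../out2/x" against "/srv/out", which a plain string-prefix test would pass).
def safe_member_path(dest_dir, member_name)
  root = File.expand_path(dest_dir)
  return nil if member_name.empty? || member_name.include?("\0")
  return nil if member_name.start_with?('/', '~')
  target = File.expand_path(member_name, root)
  return nil unless target == root || target.start_with?(root + File::SEPARATOR)
  target
end

# Extracts regular files and directories, refusing everything else (symlinks,
# hard links, devices) because those can redirect later writes out of the root.
# Returns [extracted_names, skipped_names].
def extract_tar(io, dest_dir)
  extracted, skipped = [], []
  Gem::Package::TarReader.new(io) do |tar|
    tar.each do |entry|
      name = entry.full_name
      target = safe_member_path(dest_dir, name)
      if target.nil?
        skipped << name
      elsif entry.directory?
        FileUtils.mkdir_p(target)
        extracted << name
      elsif entry.file?
        FileUtils.mkdir_p(File.dirname(target))
        File.binwrite(target, entry.read)
        extracted << name
      else
        skipped << name
      end
    end
  end
  [extracted, skipped]
end

# Builds an in-memory tarball from { name => body }; constructed test data only.
def build_tarball(members)
  io = StringIO.new(''.b)
  Gem::Package::TarWriter.new(io) do |tar|
    members.each do |name, body|
      tar.add_file(name, 0o644) { |f| f.write(body.b) }
    end
  end
  io.rewind
  io
end

# One legitimate member and two that try to escape the destination.
HOSTILE_TARBALL = {
  'cookbook/metadata.rb' => "name 'example'\n",
  '../../escaped.txt'    => "should never be written\n",
  '/etc/escaped.txt'     => "should never be written\n",
}.freeze

# Runs the extraction in a scratch directory and reports what happened.
def demo
  Dir.mktmpdir('untar-') do |dir|
    extracted, skipped = extract_tar(build_tarball(HOSTILE_TARBALL), dir)
    { extracted: extracted, skipped: skipped,
      parent_clean: !File.exist?(File.join(dir, '..', 'escaped.txt')) }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The check is done on the resolved path rather than by searching the name for `..`, so encoded or repeated separators are handled by the same rule that handles the plain case. Symlinks are refused outright here; an extractor that must support them has to resolve the link target with the same boundary test before creating it.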
high Security checks quality Quality conf 1.00 3 occurrences [SEC097] Rails: force_ssl disabled / protect_from_forgery missing: Rails app disables SSL or CSRF protection. Concept from Brakeman check_force_ssl / check_forgery_setting, re-authored from OWASP A07.
Set `config.force_ssl = true` in config/environments/production.rb and use `protect_from_forgery with: :exception` in ApplicationController. The three locations below are controller files, so only the CSRF half of this rule applies to them (the same three lines are reported again as [SEC109] next); check production.rb separately for the force_ssl setting.
3 files, 3 locations
src/supermarket/app/controllers/api/v1_controller.rb:3
src/supermarket/app/controllers/collaborators_controller.rb:6
src/supermarket/app/controllers/sessions_controller.rb:2
high Security checks software Csrf conf 1.00 3 occurrences [SEC109] Rails skip_forgery_protection / protect_from_forgery disabled: Rails CSRF protection turned off at controller level. Any state-changing endpoint becomes a CSRF target.
Remove the skip wherever the controller serves browser sessions. For pure-API controllers, inherit from ActionController::API, which does not include forgery protection at all. For Bearer-token APIs that still inherit from ActionController::Base, use `protect_from_forgery with: :null_session` only on those controllers, so a forged cookie-bearing request runs against an empty session instead of the victim's. A sessions controller with forgery protection disabled is a login-CSRF target unless the exemption is limited to an external identity-provider callback action that carries its own state check; confirm the scope of the skip at each location.
3 files, 3 locations
src/supermarket/app/controllers/api/v1_controller.rb:3
src/supermarket/app/controllers/collaborators_controller.rb:6
src/supermarket/app/controllers/sessions_controller.rb:2
high Security checks security Crypto conf 1.00 [SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`.
The flagged location is a shell script, so the OpenSSH form applies: do not pass `-o StrictHostKeyChecking=no`; distribute the expected host key in a known_hosts file and connect with `-o UserKnownHostsFile=<file> -o StrictHostKeyChecking=yes` (`accept-new` only where trust-on-first-use is acceptable). Library equivalents: Python, load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`; Go, implement an `ssh.HostKeyCallback` that compares against a known fingerprint; Java JSch, load known_hosts via `jsch.setKnownHosts(...)`.
src/supermarket/exec/shared.sh:31
high Security checks software dependencies conf 0.88 activestorage: GHSA-9xrj-h377-fr87
Rails Active Storage has possible Path Traversal in DiskService
src/supermarket/Gemfile.lock
high Security checks software dependencies conf 0.88 addressable: GHSA-h27x-rffw-24p4
Addressable has a Regular Expression Denial of Service in Addressable templates
src/supermarket/Gemfile.lock
high Security checks cicd CI/CD security conf 0.90 Database service has no persistent data volume
Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. Recreating the container loses that state. This is a durability finding rather than a security weakness; for a compose file used only for local development it is often intentional, but any environment expected to survive `docker compose down` needs a named volume on the database data directory.
src/supermarket/docker-compose.yml:2 · Tags: CI/CD security, containers
high Security checks software dependencies conf 0.88 erb: GHSA-q339-8rmv-2mhv
ERB has an @_init deserialization guard bypass via def_module / def_method / def_class
src/supermarket/Gemfile.lock
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
src/supermarket/package-lock.json
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
src/supermarket/package-lock.json
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 19 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `ruby/setup-ruby` is referenced by the mutable ref `@v1`, a tag or branch that the action's maintainers can move. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive, keeping the version as a trailing comment so update tooling can still track it.
6 files, 19 locations
.github/workflows/docs-lint.yml:26, 31, 36, 41, 55 (5 hits)
.github/workflows/brakeman-analysis.yml:27, 45 (4 hits)
.github/workflows/unit.yml:31, 73 (4 hits)
.github/workflows/ci-main-pull-request-stub.yml:52 (2 hits)
.github/workflows/ctl-cookbook-testing.yml:17, 30 (2 hits)
.github/workflows/lint.yml:18, 31 (2 hits)
Tags: CI/CD security, Supply chain, GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 13 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is referenced by the mutable ref `@v3`, a tag or branch that the action's maintainers can move. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive; `@v3` is also behind the action's current major, so bump and SHA-pin in the same change.
7 files, 13 locations
.github/workflows/brakeman-analysis.yml:23 (2 hits)
.github/workflows/ci-main-pull-request-stub.yml:38 (2 hits)
.github/workflows/ctl-cookbook-testing.yml:16, 29 (2 hits)
.github/workflows/docs-lint.yml:23, 52 (2 hits)
.github/workflows/lint.yml:17, 30 (2 hits)
.github/workflows/unit.yml:29, 71 (2 hits)
.github/workflows/labeler.yml:12
Tags: CI/CD security, Supply chain, GitHub Actions
high Security checks software dependencies conf 0.88 jwt: GHSA-c32j-vqhx-rx3x
ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351
src/supermarket/Gemfile.lock
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
src/supermarket/package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
src/supermarket/package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
src/supermarket/package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
src/supermarket/package-lock.json
high Security checks software dependencies conf 0.88 net-imap: GHSA-vcgp-9326-pqcp
net-imap vulnerable to STARTTLS stripping via invalid response timing
src/supermarket/Gemfile.lock
high Security checks software dependencies conf 0.88 nokogiri: GHSA-c4rq-3m3g-8wgx
Nokogiri CSS selector tokenizer has regular expression backtracking
src/supermarket/Gemfile.lock
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
src/supermarket/package-lock.json
high Security checks software dependencies conf 0.88 rack: GHSA-8vqr-qjwx-82mw
Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads
src/supermarket/Gemfile.lock
high Security checks software dependencies conf 0.88 rack: GHSA-h2jq-g4cq-5ppq
Rack::Static prefix matching can expose unintended files under the static root
src/supermarket/Gemfile.lock
high Security checks software dependencies conf 0.88 rack: GHSA-mxw3-3hh2-x2mh
Rack has a Directory Traversal via Rack:Directory
src/supermarket/Gemfile.lock
high Security checks software dependencies conf 0.88 rack: GHSA-v569-hp3g-36wr
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
src/supermarket/Gemfile.lock
high Security checks software dependencies conf 0.88 rack: GHSA-v6x5-cg8r-vv6x
Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
src/supermarket/engines/fieri/Gemfile.lock
high Security checks software dependencies conf 0.88 ruby-lsp: GHSA-c4r5-fxqw-vh93
Ruby LSP has arbitrary code execution through branch setting
src/supermarket/Gemfile.lock
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
src/supermarket/package-lock.json
high Security checks software dependencies conf 0.88 socket.io-parser: GHSA-677m-j7p3-52f9
socket.io allows an unbounded number of binary attachments
src/supermarket/package-lock.json
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3503
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net. This and the stdlib / x/net findings that follow all attach to docs-chef-io/go.mod, the Go module of the documentation build, so they are resolved together by raising the `go` / `toolchain` directives (and golang.org/x/net) there and rebuilding; they do not change the attack surface of the Rails application under src/supermarket.
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3563
Request smuggling due to acceptance of invalid chunked data in net/http
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3750
Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3751
Sensitive headers not cleared on cross-origin redirect in net/http
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3849
Incorrect results returned from Rows.Scan in database/sql
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3956
Unexpected paths returned from LookPath in os/exec
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4006
Excessive CPU consumption in ParseAddress in net/mail
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4007
Quadratic complexity when checking name constraints in crypto/x509
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4008
ALPN negotiation error contains attacker controlled information in crypto/tls
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4009
Quadratic complexity when parsing some invalid inputs in encoding/pem
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4010
Insufficient validation of bracketed IPv6 hostnames in net/url
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4011
Parsing DER payload can cause memory exhaustion in encoding/asn1
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4012
Lack of limit when parsing cookies can cause memory exhaustion in net/http
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4013
Panic when validating certificates with DSA public keys in crypto/x509
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4014
Unbounded allocation when parsing GNU sparse map in archive/tar
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4015
Excessive CPU consumption in Reader.ReadResponse in net/textproto
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4155
Excessive resource consumption when printing error string for host certificate validation in crypto/x509
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4175
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4337
Unexpected session resumption in crypto/tls
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in crypto/tls
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4403
Improper access to parent directory of root in os
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4601
Incorrect parsing of IPv6 host literals in net/url
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4602
FileInfo can escape from a Root in os
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4603
URLs in meta content attribute actions are not escaped in html/template
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4864
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4869
Unbounded allocation for old GNU sparse in archive/tar
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4946
Inefficient policy validation in crypto/x509
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4947
Unexpected work during chain building in crypto/x509
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4971
Panic in Dial and LookupPort when handling NUL byte on Windows in net
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4976
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4977
Quadratic string concatenation in consumePhrase in net/mail
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4980
Escaper bypass leads to XSS in html/template
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4981
Crash when handling long CNAME response in net
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4982
Bypass of meta content URL escaping causes XSS in html/template
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4986
Quadratic string concatenation in consumeComment in net/mail
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5037
Inefficient candidate hostname parsing in crypto/x509
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5038
Quadratic complexity in WordDecoder.DecodeHeader in mime
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5039
Arbitrary inputs are included in errors without any escaping in net/textproto
docs-chef-io/go.mod
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
src/supermarket/package-lock.json
high Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences Workflow container/services image `postgres:13` unpinned
`container/services image: postgres:13` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
.github/workflows/unit.yml:18, 25, 60, 67 (4 hits)
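The tag-pinned-action findings above (`ruby/setup-ruby@v1`, `actions/checkout@v3`) and this unpinned-image finding reduce to one audit: walk every job, classify each `uses:` and `image:` reference, and report anything not pinned to a commit SHA or image digest. The Ruby below is an added example, not Repobility's detector and not a file from the scanned repository; the workflow it reads is a constructed sample modelled on the shapes reported above (a job container, services, and steps), and the SHA and digest in it are placeholder hex.

```ruby
require 'yaml'

FULL_SHA     = /\A[0-9a-f]{40}\z/
IMAGE_DIGEST = /@sha256:[0-9a-f]{64}\z/

# Classifies a step's `uses:` reference.
#   :local    -> ./path inside this repo, nothing to pin
#   :sha      -> owner/repo@<40-hex commit>, immutable
#   :digest   -> docker://image@sha256:<64-hex>, immutable
#   :unpinned -> no @ref at all (resolves to the default branch)
#   :mutable  -> tag or branch ref, movable by the action's owner
def action_pin_status(uses)
  return :local if uses.start_with?('./')
  return (uses.match?(IMAGE_DIGEST) ? :digest : :mutable) if uses.start_with?('docker://')
  _, ref = uses.split('@', 2)
  return :unpinned if ref.nil? || ref.empty?
  ref.match?(FULL_SHA) ? :sha : :mutable
end

# `container:` and `services.<name>.image:` follow image rules: only a digest is immutable.
def image_pin_status(image)
  image.match?(IMAGE_DIGEST) ? :digest : :mutable
end

# Accepts both the `container: <image>` shorthand and the mapping form.
def container_image(spec)
  spec.is_a?(Hash) ? spec['image'] : spec
end

# Returns one finding per mutable reference in the workflow:
#   { job:, kind: 'action' | 'image', ref:, where: }
def audit_workflow(yaml_text)
  doc = YAML.safe_load(yaml_text)
  findings = []
  (doc['jobs'] || {}).each do |job_name, job|
    if (img = container_image(job['container'])) && image_pin_status(img) == :mutable
      findings << { job: job_name, kind: 'image', ref: img, where: 'container' }
    end
    (job['services'] || {}).each do |svc, spec|
      img = container_image(spec)
      next unless img && image_pin_status(img) == :mutable
      findings << { job: job_name, kind: 'image', ref: img, where: "services.#{svc}" }
    end
    (job['steps'] || []).each_with_index do |step, i|
      uses = step['uses']
      next unless uses
      next if %i[local sha digest].include?(action_pin_status(uses))
      findings << { job: job_name, kind: 'action', ref: uses, where: "steps[#{i}]" }
    end
  end
  findings
end

# Constructed sample workflow, not one of the scanned repository's files;
# the SHA and digest are placeholder hex of the right length.
SAMPLE_WORKFLOW = <<~YAML
  name: unit
  jobs:
    test:
      runs-on: ubuntu-latest
      container:
        image: ruby:3.3
      services:
        postgres:
          image: postgres:13
        redis:
          image: redis@sha256:#{'a' * 64}
      steps:
        - uses: actions/checkout@v3
        - uses: ruby/setup-ruby@#{'b' * 40}
        - uses: ./.github/actions/lint
        - run: bundle exec rspec
YAML

if __FILE__ == $PROGRAM_NAME
  audit_workflow(SAMPLE_WORKFLOW).each do |f|
    puts "#{f[:job]} #{f[:where]}: #{f[:kind]} #{f[:ref]} is not pinned to an immutable reference"
  end
end
```

On the sample this reports the `ruby:3.3` container, the `postgres:13` service and `actions/checkout@v3`; the digest-pinned redis image, the SHA-pinned setup-ruby step and the local action pass. When you apply the fix, keep the human-readable version as a comment after the SHA (`uses: owner/repo@<sha> # v4.1.0`) so version-update tooling can still propose bumps.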
high System graph security Secrets conf 1.00 .env file present in repo: src/supermarket/.env
A raw .env file is in the working tree. Verify it isn't committed: `git ls-files --error-unmatch src/supermarket/.env` exits 0 only when the file is tracked, and `git log --all --oneline -- src/supermarket/.env` shows whether it ever was; a .gitignore entry does not untrack a file that was committed earlier. Keep real values in a vault and commit only an example file with placeholders.
Config
high System graph security Secrets conf 1.00 .env file present in repo: src/supermarket/engines/fieri/.env
A raw .env file is in the working tree. Verify it isn't committed: `git ls-files --error-unmatch src/supermarket/engines/fieri/.env` exits 0 only when the file is tracked, and `git log --all --oneline -- src/supermarket/engines/fieri/.env` shows whether it ever was; a .gitignore entry does not untrack a file that was committed earlier. Keep real values in a vault and commit only an example file with placeholders.
Config
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation. This is a missing-input finding for the tool rather than a weakness in the application; without a declared access matrix the route checks that follow rely on proximity heuristics alone.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 44.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence. The remaining routes are not necessarily unprotected: the rule looks for evidence near the route declaration, and Rails applications typically enforce authentication in ApplicationController before_action filters that are nowhere near routes.rb. Treat this as a prompt to map each route to the filter or policy that covers it, not as a count of open endpoints.
high Security checks security auth conf 0.66 5 occurrences [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoints: ANY /accounts, ANY /group_members, ANY /groups, ANY /tools, ANY /users.
These are route-inventory heuristics (confidence 0.66): routes.rb declares paths, not permissions, so the evidence to look for is in the controllers behind them, a before_action or policy that requires a platform-level admin role distinct from any per-cookbook or per-group role. Also confirm each path is actually administrative; /users and /groups can equally be ordinary member-facing resources flagged by name.
src/supermarket/config/routes.rb:83, 93, 96, 98, 104 (5 hits)
high Security checks security auth conf 0.68 10 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoints: ANY /cookbook-versions/cookstyle_evaluation, ANY /cookbooks, ANY /cookbooks/:cookbook, ANY /cookbooks/:cookbook/contingent, ANY /cookbooks/:cookbook/versions/:version, ANY /cookbooks/:cookbook/versions/:version/download, ANY /search, ANY /users/:user.
The rule records the HTTP verb as ANY, so it could not separate read-only GETs (search, show, download) from state-changing POST/PUT/DELETE handlers on the same paths; work from the verbs in routes.rb and review the state-changing actions (create, update, destroy on cookbooks and versions) first, checking that each loads the record by its route parameter and authorizes the current user against that record.
src/supermarket/config/routes.rb:15, 16, 17, 18, 19, 20, 21, 22, 23, 27 (10 hits)
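The AUC003 finding on `/cookbooks/:id/transfer_ownership` and the AUC004 admin-route findings ask for two different checks: authorizing the current user against the specific record loaded from the route parameter, and gating admin routes on a platform-level role rather than an object-level one. The Ruby below is an added example of both in plain objects (no Rails), not Supermarket's controllers or policies, which this page does not show; the `User` and `Cookbook` structs, the `:super_admin` role and the owner/collaborator rules are assumptions made for the example.

```ruby
# Added example of object-level and admin-level authorization.
# Not Supermarket code; the structs, roles and rules are assumptions.
User     = Struct.new(:id, :roles, keyword_init: true)
Cookbook = Struct.new(:id, :owner_id, :collaborator_ids, keyword_init: true)

class NotAuthorized < StandardError; end

# Object-level policy: every rule is evaluated for ONE user against ONE record.
# That binding is what a BOLA/IDOR-prone route lacks when it only asks
# "is someone logged in?" before acting on the id in the URL.
class CookbookPolicy
  def initialize(user, cookbook)
    @user = user              # nil for anonymous requests
    @cookbook = cookbook
  end

  def show?
    true                      # public read
  end

  def update?
    owner? || collaborator?
  end

  # Changing ownership is owner-only; being a collaborator on the record is not enough.
  def transfer_ownership?
    owner?
  end

  private

  def owner?
    !@user.nil? && @cookbook.owner_id == @user.id
  end

  def collaborator?
    !@user.nil? && @cookbook.collaborator_ids.include?(@user.id)
  end
end

# Admin separation: platform super_admin is a role on the user, independent of
# any ownership or collaborator relation on individual records.
class AdminPolicy
  def initialize(user)
    @user = user
  end

  def manage_users?
    !@user.nil? && @user.roles.include?(:super_admin)
  end
end

# Controller-shaped handler for the transfer_ownership route: load the record by
# the route parameter first, then authorize the current user against that record,
# then mutate. Returns [status, body].
def transfer_ownership(current_user, cookbooks, params)
  cookbook = cookbooks.find { |c| c.id == params[:id] }
  return [404, 'not found'] unless cookbook
  raise NotAuthorized unless CookbookPolicy.new(current_user, cookbook).transfer_ownership?
  cookbook.owner_id = params[:new_owner_id]
  [200, "owner is now #{cookbook.owner_id}"]
rescue NotAuthorized
  [403, 'forbidden']
end

if __FILE__ == $PROGRAM_NAME
  owner = User.new(id: 1, roles: [])
  other = User.new(id: 2, roles: [])
  book  = Cookbook.new(id: 10, owner_id: 1, collaborator_ids: [2])
  p transfer_ownership(other, [book], { id: 10, new_owner_id: 2 })   # collaborator: 403
  p transfer_ownership(owner, [book], { id: 10, new_owner_id: 2 })   # owner: 200
end
```

The handler answers 404 for a missing id and 403 for an unauthorized one to make the two cases visible; a deployment that wants to avoid confirming which ids exist can return 404 for both, as long as the policy check itself stays in place.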
medium Security checks quality Quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables and framework internals, and sometimes triggers RCE (Django debug page with arbitrary template eval).
For Rails the setting that matters is `config.consider_all_requests_local = false` in config/environments/production.rb, with a generic 500 page for clients and full traces only in the server log (the DEBUG=False / APP_DEBUG=false advice is the Django / Laravel equivalent). The flagged file configures only the development environment, where local error pages are expected; verify production.rb rather than changing development.rb.
src/supermarket/config/environments/development.rb:62
medium Security checks software dependencies conf 0.88 activestorage: GHSA-73f9-jhhh-hr5m
Rails Active Storage has possible glob injection in its DiskService
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 activestorage: GHSA-qcfx-2mfw-w4cg
Rails Active Storage has possible content type bypass via metadata in direct uploads
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 activestorage: GHSA-r46p-8f7g-vvvg
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 activesupport: GHSA-2j26-frm8-cmj9
Rails Active Support has a possible DoS vulnerability in its number helpers
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 activesupport: GHSA-89vf-4333-qx8v
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 activesupport: GHSA-cg4j-q9v8-6v38
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 aws-sdk-s3: GHSA-2xgq-q749-89fq
AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
src/supermarket/package-lock.json
medium Security checks software dependencies conf 0.88 css_parser: GHSA-ff6c-w6qf-7xqc
CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content
src/supermarket/Gemfile.lock
medium Security checks cicd CI/CD security conf 0.88 Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
src/supermarket/docker-compose.yml:2 · Tags: CI/CD security, containers
medium Security checks cicd CI/CD security conf 0.74 Database service has no persistent data volume
Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. Recreating the container can lose state.
src/supermarket/docker-compose.yml:8 · Tags: CI/CD security, containers
medium Security checks software dependencies conf 0.88 faraday: GHSA-33mh-2634-fwr2
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
src/supermarket/package-lock.json
medium Security checks software dependencies conf 0.88 fugit: GHSA-2m96-52r3-2f3g
fugit parse and parse_nat stall on lengthy input
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
src/supermarket/package-lock.json
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
src/supermarket/package-lock.json
medium Security checks software dependencies conf 0.88 lodash: GHSA-xxjr-mmjv-4gpg
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
src/supermarket/package-lock.json
medium Security checks software dependencies conf 0.88 nanoid: GHSA-mwcw-c2x4-8c55
Predictable results in nanoid generation when given non-integer values
src/supermarket/package-lock.json
medium Security checks software dependencies conf 0.88 net-imap: GHSA-75xq-5h9v-w6px
net-imap vulnerable to command Injection via unvalidated Symbol inputs
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 net-imap: GHSA-87pf-fpwv-p7m7
net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 net-imap: GHSA-hm49-wcqc-g2xg
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 nokogiri: GHSA-v2fc-qm4h-8hqv
Nokogiri XSLT transform has a memory leak
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 nokogiri: GHSA-wx95-c6cv-8532
Nokogiri does not check the return value from xmlC14NExecute
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.90 npm package `body-parser` is 1 major version(s) behind (1.20.3 -> 2.2.2)
`body-parser` is pinned/resolved at 1.20.3 but the latest stable release on the npm registry is 2.2.2 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
src/supermarket/package.json
medium Security checks software dependencies conf 0.90 npm package `chai` is 5 major version(s) behind (1.8.1 -> 6.2.2)
`chai` is pinned/resolved at 1.8.1 but the latest stable release on the npm registry is 6.2.2 (5 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
src/supermarket/package.json
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
src/supermarket/package-lock.json
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 puma: GHSA-9hf4-67fc-4vf4
Puma's header normalization allows for client to clobber proxy set headers
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
src/supermarket/package-lock.json
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
src/supermarket/package-lock.json
medium Security checks software dependencies conf 0.88 rack: GHSA-7mqq-6cf9-v2qp
Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 rack: GHSA-g2pf-xv49-m2h5
Rack::Request accepts invalid Host characters, enabling host allowlist bypass
src/supermarket/engines/fieri/Gemfile.lock
medium Security checks software dependencies conf 0.88 rack: GHSA-q2ww-5357-x388
Rack has Content-Length mismatch in Rack::Files error responses
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 rack: GHSA-q4qf-9j86-f5mh
Rack::Static header_rules bypass via URL-encoded paths
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 rack: GHSA-qfgr-crr9-7r49
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
src/supermarket/engines/fieri/Gemfile.lock
medium Security checks software dependencies conf 0.88 rack: GHSA-qv7j-4883-hwh7
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 rack: GHSA-rx22-g9mx-qrhv
Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values
src/supermarket/engines/fieri/Gemfile.lock
medium Security checks software dependencies conf 0.88 rack: GHSA-vgpv-f759-9wx3
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 rack: GHSA-whrj-4476-wvmp
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 rack: GHSA-x8cg-fq8g-mxfx
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-76p7-773f-r4q5
Cross-site Scripting (XSS) in serialize-javascript
src/supermarket/package-lock.json
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
src/supermarket/package-lock.json
medium Security checks software dependencies conf 0.88 sidekiq-cron: GHSA-xv9c-mjw8-79gf
Sidekiq-cron is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 sidekiq: GHSA-3qc2-v3hp-6cv8
sidekiq Denial of Service vulnerability
src/supermarket/Gemfile.lock
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
src/supermarket/package-lock.json
medium Security checks software dependencies conf 0.88 yard: GHSA-3jfp-46x4-xgfj
yard: Possible arbitrary path traversal and file access via yard server
src/supermarket/Gemfile.lock
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/ci-main-pull-request-stub.yml CI/CD security · Supply chain · GitHub Actions
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in nginx/default.toml:55
Found a known-risky pattern (weak_hash). Review and replace if possible.
nginx/default.toml:55 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in src/supermarket/app/helpers/users_helper.rb:43
Found a known-risky pattern (weak_hash). Review and replace if possible.
src/supermarket/app/helpers/users_helper.rb:43 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in src/supermarket/app/lib/supermarket/fips.rb:10
Found a known-risky pattern (weak_hash). Review and replace if possible.
src/supermarket/app/lib/supermarket/fips.rb:10 Weak hash
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in src/supermarket/app/models/user.rb:240
Found a known-risky pattern (weak_hash). Review and replace if possible.
src/supermarket/app/models/user.rb:240 Weak hash
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 27 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low Security checks software dependencies conf 0.88 actionview: GHSA-v55j-83pf-r9cq
Rails has a possible XSS vulnerability in its Action View tag helpers
src/supermarket/Gemfile.lock
low Security checks software dependencies conf 0.88 activestorage: GHSA-p9fm-f462-ggrg
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
src/supermarket/Gemfile.lock
low Security checks software dependencies conf 0.88 brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
src/supermarket/package-lock.json
low Security checks software dependencies conf 0.88 cookie: GHSA-pxg6-pf52-xh8x
cookie accepts cookie name, path, and domain with out of bounds characters
src/supermarket/package-lock.json
low Security checks cicd CI/CD security conf 0.72 Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
src/supermarket/docker-compose.yml:8 CI/CD security · containers
low Security checks cicd CI/CD security conf 0.58 2 occurrences Database service publishes a loopback host port
Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports.
lines 2, 8
src/supermarket/docker-compose.yml:2, 8 (2 hits)
CI/CD security · containers
low Security checks software dependencies conf 0.88 diff: GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
src/supermarket/package-lock.json
low Security checks quality Quality conf 0.60 11 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
11 files, 11 locations
omnibus/cookbooks/omnibus-supermarket/recipes/postgresql.rb:1
src/supermarket/app/assets/javascripts/cookbookDeprecate.js:4
src/supermarket/app/assets/javascripts/group_members.js:4
src/supermarket/app/assets/javascripts/groups.js:4
src/supermarket/engines/fieri/spec/dummy/config/environments/development.rb:1
src/supermarket/engines/fieri/spec/models/no_binaries_worker_spec.rb:12
src/supermarket/spec/api/cookbook_show_spec.rb:34
src/supermarket/spec/extractors/github_extractor_spec.rb:4
duplication · quality
low Security checks software dependencies conf 0.88 faraday: GHSA-5rv5-xj5j-3484
Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping
src/supermarket/engines/fieri/Gemfile.lock
low Security checks software dependencies conf 0.88 net-imap: GHSA-q2mw-fvj9-vvcw
net-imap has quadratic complexity when reading response literals
src/supermarket/Gemfile.lock
low Security checks software dependencies conf 0.88 qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
src/supermarket/package-lock.json
low Security checks software dependencies conf 0.88 rexml: GHSA-c2f4-jgmc-q2r5
REXML has DoS condition when parsing malformed XML file
src/supermarket/Gemfile.lock
low Security checks software dependencies conf 0.88 tmp: GHSA-52f5-9888-hmc6
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
src/supermarket/package-lock.json
low Security checks software dependencies conf 0.88 uri: GHSA-j4pr-3wm6-xx2r
URI Credential Leakage Bypass over CVE-2025-27221
src/supermarket/engines/fieri/Gemfile.lock
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/config/manifest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/advancedSearch.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/announcementBanner.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/application.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/checkbox.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/collaborators.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/cookbookDeprecate.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/cookbookInstallTabs.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/cookbookShow.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/flash.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/group_members.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/groups.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/organizationRoles.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/organizations.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/searchToggle.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/app/assets/javascripts/tools.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/engines/fieri/app/assets/javascripts/fieri/application.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/engines/fieri/app/assets/javascripts/fieri/jobs.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/engines/fieri/spec/dummy/app/assets/config/manifest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/engines/fieri/spec/dummy/app/assets/javascripts/application.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/spec/javascripts/application/flashSpec.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/spec/javascripts/config/karma.conf.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/spec/javascripts/config/specHelper.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/supermarket/spec/javascripts/config/sprockets.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
API access

This page is publicly accessible at: https://repobility.com/scan/8fa01497-35dc-4e5f-a82a-98da800f40c7/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/8fa01497-35dc-4e5f-a82a-98da800f40c7/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.