spring-projects/spring-boot

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

54 of your 109 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 4.84s · analysis 28.49s · 37.8 MB · GitHub API rate-limit (preflight)

https://github.com/spring-projects/spring-boot · scanned 2026-06-05 07:23 UTC (1 week, 1 day ago) · 10 languages

234 raw signals (100 security + 134 graph) 11/13 scanners ran 36th percentile · Java · huge (>500K LoC) System graph score 63 (higher by 14)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 1 day ago · v2 · 85 actionable findings from 2 signal sources. 82 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

100.0% cov · 45 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	40.0	0.15	6.00
`security_score`	100.0	0.25	25.00
`testing_score`	80.0	0.20	16.00
`documentation_score`	68.0	0.15	10.20
`practices_score`	81.0	0.15	12.15
`code_quality`	80.0	0.10	8.00
Overall		1.00	77.3

security_score may be inflated — optional security scanners were skipped on this fast scan

Severity distribution — click a segment to filter

Active filters: severity: low × excluding tests × Reset all

Severity: Critical 9 High 23 Medium 14 Low 21 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 40 System graph 45 Crowd 0 Layer: Security 17 Cicd 4 Software 17 Quality 30 Frontend 5 Network 9 Hardware 3

Exclude dismissed / FP Exclude test files

Scan summary Quality grade B+ (77/100). Dimensions: security 100, maintainability 40. 100 findings (46 security). 1,058,820 lines analyzed.

Showing 20 of 85 actionable findings. 167 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 40 occurrences GitHub Action is tag-pinned rather than SHA-pinned

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…

8 files, 40 locations

.github/workflows/release.yml:17, 74, 108, 125, 141, 172 (12 hits)

.github/workflows/release-milestone.yml:18, 63, 93, 124 (8 hits)

.github/workflows/verify.yml:41, 47, 52, 83 (8 hits)

.github/workflows/build-pull-request.yml:12, 21 (4 hits)

.github/workflows/build-and-deploy-snapshot.yml:18 (2 hits)

.github/workflows/ci.yml:45 (2 hits)

.github/workflows/run-system-tests.yml:27 (2 hits)

.github/workflows/trigger-docs-build.yml:29 (2 hits)

CI/CD securitySupply chainGitHub Actions

low Security checks quality Quality conf 0.60 23 occurrences Duplicated implementation block across source files

Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.

12 files, 15 locations

configuration-metadata/spring-boot-configuration-metadata/src/json-shade/java/org/springframework/boot/configurationmetadata/json/JSONObject.java:2, 264

(2 hits)

configuration-metadata/spring-boot-configuration-processor/src/json-shade/java/org/springframework/boot/configurationprocessor/json/JSONObject.java:2, 264

(2 hits)

configuration-metadata/spring-boot-configuration-processor/src/main/java/org/springframework/boot/configurationprocessor/metadata/ItemMetadata.java:45, 119

(2 hits)

build-plugin/spring-boot-gradle-plugin/src/main/java/org/springframework/boot/gradle/tasks/bundling/BootWar.java:50

build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/TestRunMojo.java:38

build-plugin/spring-boot-maven-plugin/src/main/java/org/springframework/boot/maven/VersionExtractor.java:14

buildpack/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/PushImageUpdateEvent.java:12

buildpack/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/type/ManifestList.java:20

duplicationquality

low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found

Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.

Deployment

low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — module/spring-boot-devtools/src/main/resources/org/springframework/boot/devtools/livereload/livereload.js:626

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

Fq console leak

low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — smoke-test/spring-boot-smoke-test-web-groovy-templates/src/main/resources/static/js/jquery.validate.js:553

Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak

Fq console leak

low System graph quality Complexity conf 1.00 Very large file: core/spring-boot/src/main/java/org/springframework/boot/SpringApplication.java (1876 lines)