yassineaourarh/phishguard-ai

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

Scan timing: clone 1.23s · analysis 0.28s · 0.4 MB · GitHub API rate-limit (preflight)

https://github.com/yassineaourarh/phishguard-ai.git · scanned 2026-05-26 07:42 UTC (2 weeks, 4 days ago) · 10 languages

103 raw signals (45 security + 58 graph) 53rd percentile · Python · small (2-20K LoC) System graph score 86 (lower by 16)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 weeks, 4 days ago · v2 · 41 actionable findings from 2 signal sources. 33 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

88.9% cov · 29 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	40.0	0.15	6.00
`security_score`	94.2	0.25	23.55
`testing_score`	82.0	0.20	16.40
`documentation_score`	86.0	0.15	12.90
`practices_score`	42.0	0.15	6.30
`code_quality`	48.0	0.10	4.80
Overall		1.00	70.0

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 0 High 5 Medium 7 Low 24 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 12 System graph 29 Crowd 0 Layer: Cicd 4 Quality 12 Software 19 Api 1 Hardware 3 Frontend 1 Security 1

Exclude dismissed / FP Exclude test files

Scan summary Quality grade B (70/100). Dimensions: security 94, maintainability 40. 45 findings (1 security). 5,105 lines analyzed.

Showing 36 of 41 actionable findings. 74 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `email` used but not imported

The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes.

email_sender.py:234

high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self._load_allowlist` used but never assigned in __init__

Method `add_to_allowlist` of class `EmailSecurityValidator` reads `self._load_allowlist`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.

2 files, 25 locations

tracking_server.py:376, 389, 390, 391, 392, 393, 397, 398, +10 more (18 hits)

email_sender.py:150, 171, 234, 239, 496, 524, 531 (7 hits)

high Security checks cicd CI/CD security conf 0.92 Dockerfile copies the entire context without .dockerignore

COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.

Dockerfile:16 CI/CD securitycontainers

high Security checks software dependencies conf 0.90 ✓ Repobility Dockerfile FROM `python:3.11-slim` not pinned by digest

`FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.

Dockerfile:2

medium Security checks quality Practices conf 1.00 [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.

Add a .gitignore appropriate for your language/framework.

medium Security checks quality Quality Average file size is 638 lines (recommend <300)

Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle — each module should have one clear purpose.

low Security checks quality Error handling conf 0.55 ✓ Repobility 10 occurrences Broad exception handler needs review

This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.

4 files, 10 locations

agent.py:159, 434, 617 (3 hits)

email_sender.py:337, 398, 452 (3 hits)

setup_colab.py:144, 155, 319 (3 hits)

tracking_server.py:145

Error handlingquality

medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore

Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.

.dockerignore CI/CD securitycontainers

high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER

Docker images run as root unless the image or Dockerfile switches to a non-root user.

Dockerfile:2 CI/CD securitycontainers

medium System graph hardware Security conf 1.00 Dockerfile runs as root: Dockerfile

No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.

Container

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — setup_colab.py:34

`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

runtime safetyRobustness

medium System graph security Coverage conf 1.00 No auth library detected

The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.

auth

medium System graph cicd CI/CD security conf 1.00 No CI/CD pipelines detected

No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.

CI/CD securityCoverage

low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found

Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.

Deployment

low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.11-slim

Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.

Dockerfile:2 containersPinned dependencies

low System graph software Dead code candidate conf 1.00 File has no detected symbols: config.py

Source file with no class/function declarations — possible config, dead code, or scratch file.

low System graph software Dead code candidate conf 1.00 File has no detected symbols: streamlit_app.py

Source file with no class/function declarations — possible config, dead code, or scratch file.

low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: agent.py:to_dict, agent.py:to_dict This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.

duplicatesduplication

low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `col_v1` in streamlit_app.py:2389

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

old markerDead code

low System graph software Dead code conf 1.00 Possibly dead Python function: add_to_allowlist