Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
161 of your 234 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 361.59s for a 1527.7 MB repo slow.
  • Repobility's analysis ran in 1347.93s after the clone landed.

kernel-patches/bpf

https://github.com/kernel-patches/bpf · scanned 2026-06-05 23:45 UTC (4 days, 5 hours ago) · 10 languages

232 findings 11/13 scanners ran 62nd percentile · C · huge (>500K LoC)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

59 actionable findings from 1 signal source. 148 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Combined
78.3
/100
Security checks
78
59 findings
System graph
—% cov · 0 findings
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 65.0 0.15 9.75
security_score 100.0 0.25 25.00
testing_score 20.0 0.20 4.00
documentation_score 80.0 0.15 12.00
practices_score 85.0 0.15 12.75
code_quality 65.0 0.10 6.50
Overall 1.00 70.0
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 6 Medium 5 Low 5 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 59 System graph 0 Crowd 0 Layer: Software 2 Quality 52 Cicd 4 Security 1

Showing 15 of 59 actionable findings. 207 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 1.00 ✓ Repobility 12 occurrences [MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes.
Add `import array` at the top of the file.
10 files, 12 locations
tools/net/ynl/pyynl/lib/ynl.py:783, 1246 (2 hits)
tools/net/ynl/pyynl/ynl_gen_c.py:2003, 2071 (2 hits)
drivers/gpu/drm/msm/registers/gen_header.py:401
scripts/clang-tools/run-clang-tools.py:94
scripts/gdb/vmlinux-gdb.py:16
tools/lib/python/kdoc/kdoc_files.py:310
tools/lib/python/kdoc/kdoc_yaml_file.py:34
tools/net/sunrpc/xdrgen/xdr_ast.py:782
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 10 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
3 files, 10 locations
.github/workflows/ai-agent.yml:157, 158, 163, 219, 220 (5 hits)
.github/workflows/ai-code-review.yml:71, 72, 77 (3 hits)
.github/workflows/test.yml:43, 78 (2 hits)
CI/CD securityworkflow secretsGitHub Actions
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED106] Phantom test coverage: test_bit: Test function `test_bit` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
Add an explicit assertion that captures the test's intent, or remove the test.
scripts/gdb/linux/mm.py:16
low Security checks security Injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
Documentation/sphinx/maintainers_include.py:99
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 10 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `libbpf/ci/get-linux-source` pinned to mutable ref `@v4`: `uses: libbpf/ci/get-linux-source@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-…
4 files, 10 locations
.github/workflows/ai-code-review.yml:27, 75, 87, 138 (4 hits)
.github/workflows/test-progs-asan.yml:59, 64, 71, 87 (4 hits)
.github/workflows/lint.yml:33
.github/workflows/veristat-cilium.yml:62
CI/CD securitySupply chainGitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 14 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
6 files, 14 locations
.github/workflows/ai-code-review.yml:61, 69, 127, 177 (4 hits)
.github/workflows/lint.yml:18, 31, 51, 62 (4 hits)
.github/workflows/test-progs-asan.yml:51, 76 (2 hits)
.github/workflows/veristat-cilium.yml:39, 47 (2 hits)
.github/workflows/linux-next-sync.yml:74
.github/workflows/test.yml:24
CI/CD securitySupply chainGitHub Actions
high Security checks cicd CI/CD security conf 0.90 ✓ Repobility GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `ludeeus/action-shellcheck` pinned to mutable ref `@master`: `uses: ludeeus/action-shellcheck@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to…
.github/workflows/lint.yml:20 CI/CD securitySupply chainGitHub Actions
medium Security checks quality Quality conf 1.00 ✓ Repobility 5 occurrences [MINED109] Mutable default argument in `__init__` (dict): `def __init__(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def __init__(x=None): x = x or []`
4 files, 5 locations
tools/verification/rvgen/rvgen/generator.py:15, 227 (2 hits)
tools/verification/rvgen/rvgen/container.py:14
tools/verification/rvgen/rvgen/dot2k.py:20
tools/verification/rvgen/rvgen/ltl2k.py:64
medium Security checks quality Quality conf 1.00 ✓ Repobility 9 occurrences [MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def __init__(x=None): x = x or []`
4 files, 9 locations
tools/testing/selftests/damon/_damon_sysfs.py:307, 354, 412, 609, 674, 818 (6 hits)
scripts/bpf_doc.py:61
scripts/checkkconfigsymbols.py:270
tools/testing/selftests/net/bpf_offload.py:219
medium Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences [MINED124] requirements.txt: `alabaster` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `alabaster` with `alabaster==<version>` and manage upgrades through PRs / Dependabot.
lines 2, 3, 4
Documentation/sphinx/requirements.txt:2, 3, 4 (3 hits)
low Security checks quality Error handling conf 0.55 ✓ Repobility 24 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
12 files, 21 locations
tools/mm/show_page_info.py:49, 74, 139, 165 (4 hits)
scripts/bpf_doc.py:458, 463, 475 (3 hits)
scripts/spdxcheck.py:368, 378, 453 (3 hits)
drivers/tty/vt/gen_ucs_fallback_table.py:23, 271 (2 hits)
scripts/gdb/linux/stackdepot.py:52, 65 (2 hits)
drivers/tty/vt/gen_ucs_width_table.py:229
scripts/checkkconfigsymbols.py:112
scripts/gdb/linux/mm.py:78
Error handlingquality
high Security checks quality Quality conf 0.82 8 occurrences Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
8 files, 8 locations
arch/arm/boot/compressed/fdt_wip.c:1
arch/sh/mm/ioremap_fixed.c:1
drivers/clk/tegra/clk-periph-fixed.c:1
drivers/gpu/drm/amd/display/dc/dce/dce_scl_filters_old.c:1
drivers/iio/imu/inv_icm42600/inv_icm42600_temp.h:1
drivers/infiniband/hw/hfi1/pio_copy.c:1
drivers/media/rc/keymaps/rc-pixelview-new.c:1
drivers/net/ethernet/ti/cpsw_new.c:1
medium Security checks quality Quality conf 0.78 20 occurrences Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
12 files, 12 locations
drivers/ata/pata_pdc202xx_old.c:1
drivers/clk/tegra/clk-periph-fixed.c:1
drivers/clk/tegra/clk-tegra-fixed.c:1
drivers/crypto/intel/iaa/iaa_crypto_comp_fixed.c:1
drivers/fpga/intel-m10-bmc-sec-update.c:1
drivers/gpu/drm/amd/display/dc/dce/dce_scl_filters_old.c:1
drivers/hwmon/i5500_temp.c:1
drivers/hwmon/sbtsi_temp.c:1
low Security checks quality Quality conf 0.60 16 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 15 locations
arch/alpha/kernel/core_titan.c:43, 291 (2 hits)
arch/alpha/kernel/core_tsunami.c:7, 26 (2 hits)
arch/alpha/kernel/core_wildfire.c:212, 232 (2 hits)
arch/alpha/boot/bootpz.c:41
arch/alpha/boot/main.c:4
arch/alpha/kernel/core_marvel.c:306
arch/alpha/kernel/core_polaris.c:14
arch/alpha/kernel/sys_miata.c:98
duplicationquality
high Security checks quality Quality conf 0.62 22 occurrences Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
12 files, 12 locations
arch/alpha/lib/csum_partial_copy.c:1
arch/mips/lib/iomap_copy.c:1
drivers/acpi/pfr_update.c:1
drivers/ata/pata_pdc202xx_old.c:1
drivers/clk/tegra/clk-tegra-fixed.c:1
drivers/crypto/intel/iaa/iaa_crypto_comp_fixed.c:1
drivers/firmware/microchip/mpfs-auto-update.c:1
drivers/fpga/intel-m10-bmc-sec-update.c:1
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/983b7a8a-3ae9-4725-aa7f-f810cac52a77/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/983b7a8a-3ae9-4725-aa7f-f810cac52a77/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.