32 of your 92 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

huggingface/accelerate

https://github.com/huggingface/accelerate.git · scanned 2026-05-18 14:47 UTC (2 weeks, 3 days ago) · 10 languages

644 findings (92 legacy + 552 scanner) · 66th percentile · Python · medium (20-100K LoC) · Scanner says 77 (lower by 10)

Complete repo analysis

Last scanned 2 weeks, 3 days ago · v3 · 248 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown — 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 34.0 0.25 8.50
testing_score 90.0 0.20 18.00
documentation_score 90.0 0.15 13.50
practices_score 72.0 0.15 10.80
code_quality 36.0 0.10 3.60
Overall 1.00 67.1
Scan summary
Repository scanned at 77.0/100 with 88.9% coverage. It contains 2561 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 156 findings — concentrated in quality (70), software (43), cicd (16). Risk profile is high: 0 critical, 7 high, 28 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 186 of 248 findings.

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.
Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context.
src/accelerate/utils/operations.py:484 quality legacy
critical Legacy quality quality conf 1.00 ✓ Repobility [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
Review and fix per the pattern semantics. See CWE-502 for context.
src/accelerate/utils/operations.py:484 quality legacy
critical Legacy quality quality conf 1.00 [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
src/accelerate/utils/operations.py:484 quality legacy 1 TP · 0 FP
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
src/accelerate/utils/environment.py:223 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 for context.
src/accelerate/commands/menu/selection_menu.py:32 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
examples/inference/distributed/florence2.py:88 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED020] Logging Credential Via Fstring: logger.error(f"failed for {api_key}") — secrets end up in log aggregators / sentry.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
examples/by_feature/megatron_lm_gpt_pretraining.py:418 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED020] Logging Credential Via Fstring: logger.error(f"failed for {api_key}") — secrets end up in log aggregators / sentry.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
examples/by_feature/deepspeed_with_config_support.py:430 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.
src/accelerate/utils/fsdp_utils.py:194 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.
src/accelerate/commands/config/config_args.py:30 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.
src/accelerate/accelerator.py:3787 quality legacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
src/accelerate/utils/fsdp_utils.py:194 path_traversal legacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
src/accelerate/tracking.py:237 path_traversal legacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
src/accelerate/accelerator.py:3787 path_traversal legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
src/accelerate/utils/modeling.py:174 injection legacy
high Legacy security path_traversal conf 1.00 [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly.
After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`.
src/accelerate/utils/fsdp_utils.py:194 path_traversal legacy
high Legacy security path_traversal conf 1.00 [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly.
After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`.
src/accelerate/tracking.py:237 path_traversal legacy
high Legacy security path_traversal conf 1.00 [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly.
After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`.
src/accelerate/accelerator.py:3787 path_traversal legacy
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in benchmarks/fp8/ms_amp/fp8_utils.py:106
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmarks/fp8/ms_amp/fp8_utils.py:106 owasp eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in benchmarks/fp8/torchao/ddp.py:39
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmarks/fp8/torchao/ddp.py:39 owasp eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in benchmarks/fp8/torchao/fp8_utils.py:106
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmarks/fp8/torchao/fp8_utils.py:106 owasp eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in benchmarks/fp8/torchao/fsdp.py:56
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmarks/fp8/torchao/fsdp.py:56 owasp eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in benchmarks/fp8/torchao/non_distributed.py:38
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmarks/fp8/torchao/non_distributed.py:38 owasp eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in benchmarks/fp8/transformer_engine/fp8_utils.py:106
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmarks/fp8/transformer_engine/fp8_utils.py:106 owasp eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in benchmarks/torch.compile/regional_compilation.py:49
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmarks/torch.compile/regional_compilation.py:49 owasp eval_used
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
src/accelerate/utils/environment.py:223 error_handling legacy
low Legacy security deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
src/accelerate/utils/operations.py:484 deserialization legacy
medium Legacy quality quality conf 1.00 [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page with arbitrary template eval).
Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients.
src/accelerate/launchers.py:308 quality legacy
medium Legacy quality quality conf 1.00 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident.
Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly.
src/accelerate/utils/dataclasses.py:1565 quality legacy
medium Legacy cicd docker conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore docker legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
docker/accelerate-gpu-deepspeed/Dockerfile:32 docker legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
docker/accelerate-gpu/Dockerfile:32 docker legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
benchmarks/fp8/transformer_engine/Dockerfile:4 docker legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
benchmarks/fp8/torchao/Dockerfile:1 docker legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
benchmarks/fp8/ms_amp/Dockerfile:1 docker legacy
medium Legacy cicd docker conf 0.94 Dockerfile base image uses the latest tag
The latest tag is mutable and can change without a code review, producing different images from the same source.
docker/accelerate-gpu-deepspeed/Dockerfile:5 docker legacy
medium Legacy cicd docker conf 0.94 Dockerfile base image uses the latest tag
The latest tag is mutable and can change without a code review, producing different images from the same source.
docker/accelerate-gpu/Dockerfile:5 docker legacy
medium Legacy cicd docker conf 0.86 Dockerfile separates apt update from install
Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable.
docker/accelerate-cpu/Dockerfile:8 docker legacy
medium 9-layer hardware supply-chain conf 1.00 Docker base image uses a mutable or implicit tag: continuumio/miniconda3:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/accelerate-gpu-deepspeed/Dockerfile:5 supply-chain docker pinned-dependencies
medium 9-layer hardware supply-chain conf 1.00 Docker base image uses a mutable or implicit tag: continuumio/miniconda3:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/accelerate-gpu/Dockerfile:5 supply-chain docker pinned-dependencies
medium 9-layer hardware supply-chain conf 1.00 Docker base image uses a mutable or implicit tag: ghcr.io/azure/msamp
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
benchmarks/fp8/ms_amp/Dockerfile:1 supply-chain docker pinned-dependencies
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: benchmarks/fp8/ms_amp/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: benchmarks/fp8/torchao/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: benchmarks/fp8/transformer_engine/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: docker/accelerate-gpu-deepspeed/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: docker/accelerate-gpu/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:20 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:22 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:31 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:45 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:47 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:56 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:70 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:72 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:81 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:95 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:97 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build_docker_images.yml:109 supply-chain github-actions pinned-dependencies
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/accelerate/commands/env.py:93
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/accelerate/commands/launch.py:989
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/accelerate/commands/tpu.py:149
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/accelerate/utils/environment.py:176
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/accelerate/utils/launch.py:73
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — src/accelerate/utils/torch_xla.py:43
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverage auth
medium 9-layer network security conf 1.00 Privileged port 59 in use
Port 59 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
examples/slurm/submit_multigpu.sh security ports
low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
docker/accelerate-gpu-deepspeed/Dockerfile:37 docker legacy
low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
docker/accelerate-gpu-deepspeed/Dockerfile:9 docker legacy
low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
docker/accelerate-gpu/Dockerfile:37 docker legacy
low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
docker/accelerate-gpu/Dockerfile:9 docker legacy
high Legacy cicd docker conf 0.72 Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts.
benchmarks/fp8/transformer_engine/Dockerfile:9 docker legacy
high Legacy cicd docker conf 0.72 Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts.
benchmarks/fp8/transformer_engine/Dockerfile:6 docker legacy
high Legacy cicd docker conf 0.72 Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts.
benchmarks/fp8/torchao/Dockerfile:6 docker legacy
high Legacy cicd docker conf 0.72 Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts.
benchmarks/fp8/torchao/Dockerfile:3 docker legacy
high Legacy cicd docker conf 0.72 Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts.
benchmarks/fp8/ms_amp/Dockerfile:6 docker legacy
high Legacy cicd docker conf 0.72 Dockerfile keeps pip download cache
Pip's package cache increases image size and can preserve unnecessary artifacts.
benchmarks/fp8/ms_amp/Dockerfile:3 docker legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
src/accelerate/commands/config/sagemaker.py:140 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/dataloaders/stage_7.py:120 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/dataloaders/stage_7.py:6 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/dataloaders/stage_6.py:17 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/dataloaders/stage_6.py:3 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/dataloaders/stage_5.py:17 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/dataloaders/stage_1.py:3 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/big_model_inference/stage_5.py:17 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/big_model_inference/stage_5.py:7 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/big_model_inference/stage_5.py:3 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/big_model_inference/stage_4.py:28 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/big_model_inference/stage_4.py:7 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/big_model_inference/stage_3.py:6 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
manim_animations/big_model_inference/stage_2.py:3 quality legacy
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coverage deployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: nvcr.io/nvidia/pytorch:${BASE_YEAR}.${BASE_MONTH}-py3
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
benchmarks/fp8/transformer_engine/Dockerfile:3 supply-chain docker pinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: nvcr.io/nvidia/pytorch:24.07-py3
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
benchmarks/fp8/torchao/Dockerfile:1 supply-chain docker pinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: nvidia/cuda:12.6.3-cudnn-devel-ubuntu22.04
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/accelerate-gpu-deepspeed/Dockerfile:32 supply-chain docker pinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: nvidia/cuda:12.6.3-cudnn-devel-ubuntu22.04
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/accelerate-gpu/Dockerfile:32 supply-chain docker pinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.10-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/accelerate-cpu/Dockerfile:4 supply-chain docker pinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.10-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/accelerate-cpu/Dockerfile:28 supply-chain docker pinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: benchmarks/torch.compile/regional_compilation.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: examples/config_yaml_templates/run_me.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: examples/inference/distributed/phi2.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: examples/inference/distributed/stable_diffusion.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: examples/inference/pippy/bert.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: examples/inference/pippy/gpt2.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: examples/inference/pippy/llama.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: examples/inference/pippy/t5.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: setup.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/accelerate/memory_utils.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/accelerate/utils/constants.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: src/accelerate/utils/rich.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: utils/log_reports.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/quality.yml:11 supply-chain github-actions pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/stale.yml:22 supply-chain github-actions pinned-dependencies
low 9-layer security owasp conf 1.00 Insecure pattern 'debug_true' in src/accelerate/launchers.py:308
Found a known-risky pattern (debug_true). Review and replace if possible.
src/accelerate/launchers.py:308 owasp debug_true
low 9-layer quality integrity conf 1.00 Legacy-named symbol `data_copy` in src/accelerate/test_utils/scripts/test_script.py:711
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_dispatch_model_copy` in tests/test_big_modeling.py:663
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `xla_fsdp_v2` in examples/finetune_lm_tpu.py:102
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 12 places
Functions with the same first-5-line body hash: examples/nlp_example.py:get_dataloaders, examples/by_feature/multi_process_metrics.py:get_dataloaders, examples/by_feature/local_sgd.py:get_dataloaders, examples/by_feature/gradient_accumulation.py:get_dataloaders This is *the* AI-coder failure mode …
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 12 places
Functions with the same first-5-line body hash: examples/complete_nlp_example.py:collate_fn, examples/by_feature/multi_process_metrics.py:collate_fn, examples/by_feature/local_sgd.py:collate_fn, examples/by_feature/fsdp_with_peak_mem_tracking.py:collate_fn This is *the* AI-coder failure mode (4× m…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 16 places
Functions with the same first-5-line body hash: examples/nlp_example.py:main, examples/complete_nlp_example.py:main, examples/by_feature/multi_process_metrics.py:main, examples/by_feature/local_sgd.py:main This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://j…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 18 places
Functions with the same first-5-line body hash: benchmarks/fp8/torchao/fp8_utils.py:tokenize_function, benchmarks/fp8/transformer_engine/fp8_utils.py:tokenize_function, benchmarks/fp8/ms_amp/fp8_utils.py:tokenize_function, examples/nlp_example.py:tokenize_function This is *the* AI-coder failure mo…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: benchmarks/fp8/transformer_engine/fsdp.py:train_baseline, benchmarks/fp8/transformer_engine/ddp.py:train_baseline This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or docume…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: benchmarks/fp8/transformer_engine/ddp.py:train_integration, benchmarks/fp8/transformer_engine/non_distributed.py:train_integration This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Cons…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: benchmarks/fp8/ms_amp/ddp.py:train_integration, benchmarks/fp8/ms_amp/non_distributed.py:train_integration This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why …
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: examples/cv_example.py:extract_label, examples/complete_cv_example.py:extract_label This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: examples/nlp_example.py:collate_fn, examples/by_feature/schedule_free.py:collate_fn This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: examples/complete_cv_example.py:training_function, examples/complete_nlp_example.py:training_function This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they'…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: examples/by_feature/megatron_lm_gpt_pretraining.py:parse_args, examples/by_feature/deepspeed_with_config_support.py:parse_args This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolid…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: examples/by_feature/megatron_lm_gpt_pretraining.py:tokenize_function, examples/by_feature/deepspeed_with_config_support.py:tokenize_function This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygi…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: benchmarks/fp8/torchao/fp8_utils.py:get_dataloaders, benchmarks/fp8/transformer_engine/fp8_utils.py:get_dataloaders, benchmarks/fp8/ms_amp/fp8_utils.py:get_dataloaders This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: benchmarks/fp8/torchao/fp8_utils.py:collate_fn, benchmarks/fp8/transformer_engine/fp8_utils.py:collate_fn, benchmarks/fp8/ms_amp/fp8_utils.py:collate_fn This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: benchmarks/fp8/torchao/fp8_utils.py:get_training_utilities, benchmarks/fp8/transformer_engine/fp8_utils.py:get_training_utilities, benchmarks/fp8/ms_amp/fp8_utils.py:get_training_utilities This is *the* AI-coder failure mode (4× more duplication in v…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: benchmarks/fp8/torchao/fp8_utils.py:get_named_parameters, benchmarks/fp8/transformer_engine/fp8_utils.py:get_named_parameters, benchmarks/fp8/ms_amp/fp8_utils.py:get_named_parameters This is *the* AI-coder failure mode (4× more duplication in vibe-co…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: benchmarks/fp8/torchao/fsdp.py:train_baseline, benchmarks/fp8/torchao/ddp.py:train_baseline, benchmarks/fp8/torchao/non_distributed.py:train_baseline This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: examples/nlp_example.py:training_function, examples/by_feature/schedule_free.py:training_function, examples/by_feature/early_stopping.py:training_function This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.h…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: benchmarks/fp8/torchao/fsdp.py:filter_linear_layers, benchmarks/fp8/torchao/ddp.py:filter_linear_layers, benchmarks/fp8/torchao/non_distributed.py:filter_linear_layers, benchmarks/fp8/torchao/distrib_deepspeed.py:filter_linear_layers This is *the* AI…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 5 places
Functions with the same first-5-line body hash: benchmarks/fp8/torchao/fp8_utils.py:evaluate_model, benchmarks/fp8/torchao/fsdp.py:evaluate_model, benchmarks/fp8/torchao/ddp.py:evaluate_model, benchmarks/fp8/torchao/non_distributed.py:evaluate_model This is *the* AI-coder failure mode (4× more dup…
integrity duplicate dry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: group_texts
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/fsdp2/utils.py:159 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: group_texts
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/megatron_lm_gpt_pretraining.py:432 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: group_texts
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/deepspeed_with_config_support.py:444 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: launch_train
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/multigpu_remote_launcher.py:23 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: peak_monitor
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/big_model_inference/measures_util.py:33 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: peak_monitor_func
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/fsdp_with_peak_mem_tracking.py:96 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: prepare_accelerate
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/fsdp2/utils.py:262 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: prepare_torch
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/fsdp2/utils.py:204 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/fp8/torchao/fp8_utils.py:25 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/fp8/transformer_engine/fp8_utils.py:25 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/fp8/ms_amp/fp8_utils.py:25 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/fsdp2/utils.py:146 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/nlp_example.py:61 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/complete_nlp_example.py:92 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/megatron_lm_gpt_pretraining.py:402 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/multi_process_metrics.py:70 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/local_sgd.py:66 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/fsdp_with_peak_mem_tracking.py:191 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/gradient_accumulation.py:63 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/automatic_gradient_accumulation.py:68 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/profiler.py:64 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/gradient_accumulation_for_autoregressive_models.py:66 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/memory.py:69 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/ddp_comm_hook.py:64 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/schedule_free.py:71 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/early_stopping.py:63 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/checkpointing.py:69 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/cross_validation.py:87 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/deepspeed_with_config_support.py:414 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: tokenize_function
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
examples/by_feature/tracking.py:68 dead-code
low 9-layer quality integrity conf 1.00 Stub function `do_nothing` (body is just `pass`/`return`) — src/accelerate/state.py:87
Likely an AI scaffold that was never filled in. Remove or implement.
integrity empty-handler dead-code
low 9-layer quality integrity conf 1.00 Stub function `get_batch_func` (body is just `pass`/`return`) — src/accelerate/utils/megatron_lm.py:422
Likely an AI scaffold that was never filled in. Remove or implement.
integrity empty-handler dead-code
low 9-layer quality complexity conf 1.00 Very large file: src/accelerate/accelerator.py (4354 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/accelerate/commands/launch.py (1417 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/accelerate/data_loader.py (1461 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/accelerate/state.py (1374 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/accelerate/tracking.py (1317 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/accelerate/utils/dataclasses.py (3214 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/accelerate/utils/megatron_lm.py (1248 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: src/accelerate/utils/modeling.py (2190 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: tests/deepspeed/test_deepspeed.py (1131 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
src/accelerate/commands/config/sagemaker.py:108 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
examples/inference/pippy/llama.py:56 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
benchmarks/big_model_inference/big_model_inference.py:129 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
src/accelerate/utils/environment.py:250 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
src/accelerate/utils/dataclasses.py:113 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
src/accelerate/parallelism_config.py:33 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
Review and fix per the pattern semantics.
src/accelerate/commands/menu/selection_menu.py:134 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
Review and fix per the pattern semantics.
src/accelerate/commands/config/config_utils.py:50 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
Review and fix per the pattern semantics.
src/accelerate/accelerator.py:3074 quality legacy
API access

This page is publicly accessible at: https://repobility.com/scan/997bbbe3-2683-4e32-a73e-484d75ceba8d/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/997bbbe3-2683-4e32-a73e-484d75ceba8d/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.