Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
47 of your 134 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 36.29s for a 125.9 MB repo slow.
  • Repobility's analysis ran in 33.63s after the clone landed.

golang/go

https://github.com/golang/go · scanned 2026-06-05 04:52 UTC (11 hours, 26 minutes ago) · 10 languages

651 findings (117 legacy + 534 scanner) 11/13 scanners ran 29th percentile · Go · huge (>500K LoC) Scanner says 72 (higher by 7)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 11 hours, 26 minutes ago · v2 · 384 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
76.6
/100
Repobility
81
117 legacy
9-layer
72
88.9% cov · 267 gaps
Critical
6
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 65.0 0.15 9.75
security_score 100.0 0.25 25.00
testing_score 85.0 0.20 17.00
documentation_score 93.0 0.15 13.95
practices_score 40.0 0.15 6.00
code_quality 70.0 0.10 7.00
Overall 1.00 78.7
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: severity: high × excluding tests × Reset all
Severity: Critical 6 High 68 Medium 40 Low 240 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 117 9-layer 267 Crowd 0 Layer: Quality 302 Cicd 5 Software 26 Security 41 Api 1 Frontend 5 Hardware 4
Scan summary Repository scanned at 71.9/100 with 88.9% coverage. It contains 12379 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 267 findings — concentrated in quality (211), security (36), software (9). Risk profile is high: 6 critical, 7 high, 27 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 33 of 384 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy quality quality conf 1.00 ✓ Repobility [MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
Review and fix per the pattern semantics. See CWE-755 / for context.
src/cmd/distpack/pack.go:329 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
Review and fix per the pattern semantics. See CWE-755 / for context.
src/cmd/compile/internal/syntax/syntax.go:68 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
Review and fix per the pattern semantics. See CWE-755 / for context.
src/cmd/compile/internal/syntax/dumper.go:28 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.invoke_per_goid` used but never assigned in __init__: Method `invoke` of class `GoroutineCmd` reads `self.invoke_per_goid`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.invoke_per_goid = <default>` in __init__, or add a class-level default.
src/runtime/runtime-gdb.py:635 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.len` used but never assigned in __init__: Method `__getitem__` of class `SliceValue` reads `self.len`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.len = <default>` in __init__, or add a class-level default.
src/runtime/runtime-gdb.py:96 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.val` used but never assigned in __init__: Method `invoke` of class `GoLenFunc` reads `self.val`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.val = <default>` in __init__, or add a class-level default.
src/runtime/runtime-gdb.py:483 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `coqorg/coq:8.13.2` not pinned by digest: `FROM coqorg/coq:8.13.2` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM coqorg/coq:8.13.2@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
src/crypto/internal/fips140/nistec/fiat/Dockerfile:4 dependencylegacy
high Legacy security injection conf 0.80 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
src/cmd/link/internal/ld/execarchive.go:33 injectionlegacy
high Legacy quality quality conf 1.00 [SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification — MITM risk. Ported from gosec G402 (Apache-2.0).
Remove the option. If self-signed certs are required, pin via RootCAs.
src/cmd/pprof/pprof.go:87 qualitylegacy
high Legacy quality quality conf 1.00 [SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification — MITM risk. Ported from gosec G402 (Apache-2.0).
Remove the option. If self-signed certs are required, pin via RootCAs.
src/cmd/go/internal/web/http.go:45 qualitylegacy
high Legacy quality quality conf 1.00 [SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/keys. Ported from gosec G404 (Apache-2.0).
import `crypto/rand` and use `rand.Read(buf)`.
src/cmd/internal/par/work.go:10 qualitylegacy
high Legacy quality quality conf 1.00 [SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/keys. Ported from gosec G404 (Apache-2.0).
import `crypto/rand` and use `rand.Read(buf)`.
src/cmd/go/internal/lockedfile/lockedfile_plan9.go:11 qualitylegacy
high Legacy quality quality conf 1.00 [SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/keys. Ported from gosec G404 (Apache-2.0).
import `crypto/rand` and use `rand.Read(buf)`.
src/cmd/compile/internal/gc/compile.go:10 qualitylegacy
high Legacy quality quality conf 1.00 [SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
Use a constant command name and validate args via a whitelist.
src/cmd/go/internal/cache/prog.go:87 qualitylegacy
high Legacy quality quality conf 1.00 [SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
Use a constant command name and validate args via a whitelist.
src/cmd/go/internal/bug/bug.go:164 qualitylegacy
high Legacy quality quality conf 1.00 [SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
Use a constant command name and validate args via a whitelist.
src/cmd/cover/func.go:203 qualitylegacy
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in src/cmd/go/internal/imports/build.go:88
Found a known-risky pattern (eval_used). Review and replace if possible.
src/cmd/go/internal/imports/build.go:88 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in src/cmd/go/internal/modindex/build.go:652
Found a known-risky pattern (eval_used). Review and replace if possible.
src/cmd/go/internal/modindex/build.go:652 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in src/cmd/go/internal/modindex/read.go:511
Found a known-risky pattern (eval_used). Review and replace if possible.
src/cmd/go/internal/modindex/read.go:511 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in src/cmd/internal/script/conds.go:81
Found a known-risky pattern (eval_used). Review and replace if possible.
src/cmd/internal/script/conds.go:81 owaspeval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in src/runtime/os3_solaris.go:622
Found a known-risky pattern (exec_used). Review and replace if possible.
src/runtime/os3_solaris.go:622 owaspexec_used
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/runtime/runtime-gdb.py:673 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/runtime/runtime-gdb.py:445 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
src/runtime/runtime-gdb.py:36 qualitylegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/crypto/internal/fips140/nistec/fiat/Dockerfile:5 dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
src/crypto/internal/boring/Dockerfile:8 dockerlegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/cmd/compile/internal/ssa/_gen/ARM64Ops.go:75 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/cmd/compile/internal/pgoir/irgraph.go:254 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/cmd/compile/internal/noder/html.go:71 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/cmd/compile/internal/mips64/ssa.go:2 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/cmd/compile/internal/liveness/mergelocals.go:664 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/cmd/compile/internal/ir/reassign_consistency_check.go:20 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
src/cmd/asm/internal/arch/arm64.go:14 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/9a893486-8823-4472-92e2-5fded52d41d6/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/9a893486-8823-4472-92e2-5fded52d41d6/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.