
hyperswitch

https://github.com/juspay/hyperswitch.git · scanned 2026-05-17 02:58 UTC (13 hours, 24 minutes ago) · 10 languages

2613 findings (201 legacy + 2412 scanner) · 8/10 scanners ran · Scanner says 59 (higher by 20)


Complete repo analysis

Last scanned 13 hours, 24 minutes ago · v2 · 2613 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Scan summary: Repository scanned at 59.3/100 with 100.0% coverage. It contains 17886 nodes across 19 cross-layer flows, written primarily in mixed languages. Engine surfaced 2412 findings, concentrated in frontend (2040), quality (159), cicd (111). Risk profile is high: 21 critical, 26 high, 43 medium. Recommended next step: open the frontend layer findings first; that is where the highest-impact wins live.

Showing 100 of 2613 findings (filtered to severity: medium, excluding tests).

medium · Legacy · quality · quality · conf 0.72 · Agent control bridge may listen on a network interface without visible auth
Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model.
config/development.toml:150 · quality · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `create-default-user` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:250 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `grafana` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:333 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `grafana` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
monitoring/docker-compose.yaml:73 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `hyperswitch-control-center` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:231 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `hyperswitch-demo` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:522 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `hyperswitch-web` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:212 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `kafka-ui` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:447 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `loki` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:350 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `loki` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
monitoring/docker-compose.yaml:25 · docker · legacy
medium · Legacy · cicd · docker · conf 0.90 · Compose service `mailhog` image has no explicit tag
Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:...
docker-compose.yml:110 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `otel-collector` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:362 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `otel-collector` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
monitoring/docker-compose.yaml:36 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `pg` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:26 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `poststart-hook` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:272 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `prestart-hook` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:10 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `prometheus` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:376 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `prometheus` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
monitoring/docker-compose.yaml:49 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `promtail` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
monitoring/docker-compose.yaml:15 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `redis-insight` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:402 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `superposition-init` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:92 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `tempo` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker-compose.yml:388 · docker · legacy
medium · Legacy · cicd · docker · conf 0.94 · Compose service `tempo` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
monitoring/docker-compose.yaml:59 · docker · legacy
medium · Legacy · cicd · docker · conf 0.88 · Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
docker-compose.yml:495 · docker · legacy
medium · Legacy · cicd · docker · conf 0.88 · Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
docker-compose.yml:480 · docker · legacy
medium · Legacy · cicd · docker · conf 0.88 · Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
docker-compose.yml:462 · docker · legacy
medium · Legacy · cicd · docker · conf 0.74 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker-compose.yml:447 · docker · legacy
medium · Legacy · cicd · docker · conf 0.74 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker-compose.yml:413 · docker · legacy
medium · Legacy · cicd · docker · conf 0.74 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker-compose.yml:402 · docker · legacy
medium · Legacy · cicd · docker · conf 0.74 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker-compose.yml:307 · docker · legacy
medium · Legacy · cicd · docker · conf 0.74 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker-compose.yml:292 · docker · legacy
medium · Legacy · cicd · docker · conf 0.74 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker-compose.yml:45 · docker · legacy
medium · Legacy · cicd · docker · conf 0.90 · Dockerfile installs dependencies after copying the full source tree
Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree.
Dockerfile:34 · docker · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/types/api/refunds_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/types/api/payouts_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/types/api/payments_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/types/api/merchant_connector_webhook_management_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/types/api/fraud_check_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/types/api/files_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/types/api/disputes_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/types/api/authentication_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/core/webhooks/outgoing_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/core/webhooks/incoming_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/core/payments/operations/payment_capture_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/core/payments/operations/payment_cancel_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/router/src/core/refunds_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/openapi/src/openapi_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_interfaces/src/api/vault_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_interfaces/src/api/subscriptions_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_interfaces/src/api/revenue_recovery_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_interfaces/src/api/refunds_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_interfaces/src/api/payouts_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_interfaces/src/api/payments_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_interfaces/src/api/merchant_connector_webhook_management_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_interfaces/src/api/fraud_check_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_interfaces/src/api/files_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_interfaces/src/api/disputes_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_interfaces/src/api/authentication_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_domain_models/src/router_data_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/hyperswitch_connectors/src/default_implementations_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.82 · Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
crates/diesel_models/src/schema_v2.rs:1 · quality · legacy
medium · Legacy · software · dependency · conf 0.70 · Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
docker-compose.yml:65 · dependency · legacy
medium · Legacy · software · dependency · conf 0.70 · Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
docker-compose-development.yml:54 · dependency · legacy
medium · Legacy · quality · quality · conf 0.78 · Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
crates/router/src/core/payments/operations/payment_cancel_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.78 · Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
crates/openapi/src/openapi_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.78 · Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
crates/hyperswitch_interfaces/src/connector_integration_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.78 · Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
crates/hyperswitch_interfaces/src/api/merchant_connector_webhook_management_v2.rs:1 · quality · legacy
medium · Legacy · quality · quality · conf 0.78 · Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
crates/hyperswitch_connectors/src/default_implementations_v2.rs:1 · quality · legacy
medium · 9-layer · quality · integrity · conf 1.00 · `fetch()` without try/.catch or AbortSignal — cypress-tests-v2/cypress/support/redirectionHandler.js:411
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
cypress-tests-v2/cypress/support/redirectionHandler.js:411 · integrity · fragile-runtime · robustness
medium · 9-layer · hardware · security · conf 1.00 · Dockerfile runs as root: docker/fluentd/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
docker/fluentd/Dockerfile · security · container
medium · 9-layer · hardware · security · conf 1.00 · Dockerfile runs as root: loadtest/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
loadtest/Dockerfile · security · container
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/postman-collection-runner.yml:94 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
arduino/setup-protoc@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/postman-collection-runner.yml:100 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
baptiste0928/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/postman-collection-runner.yml:106 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-stable-version.yml:101 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-stable-version.yml:107 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
rui314/setup-mold@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-pr.yml:106 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
arduino/setup-protoc@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-pr.yml:123 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-pr.yml:128 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
rui314/setup-mold@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-pr.yml:174 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
arduino/setup-protoc@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-pr.yml:186 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-pr.yml:191 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-pr.yml:196 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-nightly-version-reusable.yml:64 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
rui314/setup-mold@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-push.yml:75 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
arduino/setup-protoc@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-push.yml:92 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-push.yml:107 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-push.yml:113 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
rui314/setup-mold@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-push.yml:174 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
arduino/setup-protoc@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-push.yml:186 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-push.yml:197 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-push.yml:203 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
crate-ci/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-push.yml:258 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
rui314/setup-mold@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CI-push.yml:281 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/wasm-bulild-check.yml:27 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · cicd · supply-chain · conf 1.00 · GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/create-hotfix-tag.yml:25 · supply-chain · github-actions · pinned-dependencies
medium · 9-layer · security · owasp · conf 1.00 · Insecure pattern 'weak_hash' in crates/hyperswitch_connectors/src/connectors/trustly/transformers.rs:350
Found a known-risky pattern (weak_hash). Review and replace if possible.
crates/hyperswitch_connectors/src/connectors/trustly/transformers.rs:350 · owasp · weak_hash
medium · 9-layer · security · owasp · conf 1.00 · Insecure pattern 'weak_hash' in crates/hyperswitch_connectors/src/connectors/zsl/transformers.rs:129
Found a known-risky pattern (weak_hash). Review and replace if possible.
crates/hyperswitch_connectors/src/connectors/zsl/transformers.rs:129 · owasp · weak_hash
medium · 9-layer · security · owasp · conf 1.00 · Insecure pattern 'weak_hash' in crates/router/src/utils/user/two_factor_auth.rs:24
Found a known-risky pattern (weak_hash). Review and replace if possible.
crates/router/src/utils/user/two_factor_auth.rs:24 · owasp · weak_hash
medium · 9-layer · network · security · conf 1.00 · Privileged port 30 in use
Port 30 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/release-nightly-version.yml · security · ports
API access

This page is publicly accessible at: https://repobility.com/scan/9c39f054-10cb-4584-aa89-251222603de5/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/9c39f054-10cb-4584-aa89-251222603de5/
