
Scan timing: clone 3.1s · analysis 1.05s · 4.5 MB · GitHub API rate-limit (preflight)

DoD-Platform-One/bigbang

https://github.com/DoD-Platform-One/bigbang · scanned 2026-06-05 18:33 UTC (4 days, 17 hours ago) · 10 languages

36 raw signals (12 security + 24 graph) 10th percentile · Unknown · System graph score 85 (lower by 24)


Complete repo analysis

Last scanned 4 days, 17 hours ago · v2 · 18 actionable findings from 2 signal sources. 6 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component              Sub-score   Weight   Contribution
structure_score             30.0     0.15           4.50
security_score              45.0     0.25          11.25
testing_score               70.0     0.20          14.00
documentation_score         85.0     0.15          12.75
practices_score             70.0     0.15          10.50
code_quality                77.8     0.10           7.78
Overall                              1.00          60.8
Scan summary: quality grade C+ (61/100). Dimensions: security 45, maintainability 30. 12 findings (1 security).

Showing 16 of 18 actionable findings. 24 raw detector signals were grouped into reader-sized issues.

[critical] Security checks · security / secrets · confidence 0.95 · 3 occurrences
Detected a Generic API Key, potentially exposing access to various services and sensitive operations. Gitleaks detected a committed secret or credential pattern.
2 files, 3 locations:
docs/community/development/package-integration/storage.md:48, 136 (2 hits)
chart/templates/backstage/values.yaml:114
[critical] Security checks · security / secrets · confidence 0.95
Discovered a potential basic authorization token provided in a curl command, which could compromise the curl-accessed resource. Gitleaks detected a committed secret or credential pattern.
docs/packages/core/twistlock.md:101
[critical] Security checks · security / secrets · confidence 0.95 · 5 occurrences
Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. Gitleaks detected a committed secret or credential pattern.
5 files, 5 locations:
chart/ingress-certs.yaml:9
docs/configuration/gateways.md:171
docs/configuration/sample-prod-config.md:162
docs/installation/environments/airgap.md:426
docs/reference/configs/example/vault-production-values.yaml:9
[critical] System graph · security / security · confidence 1.00
Insecure pattern 'private_key_in_repo' in chart/ingress-certs.yaml:9. Found a known-risky pattern (private_key_in_repo). Review and replace if possible.
chart/ingress-certs.yaml:9 (private key in repo)
This is the same location as the first Gitleaks private-key hit above, reported by a second detector. A key under chart/ ships with the chart, so even a sample certificate is deployed wherever the default is left in place; replace it with a key generated at install time or supplied from an external secret, and treat the committed one as public.
[critical] System graph · security / Secrets · confidence 1.00
Possible secret in chart/values.yaml: detected pattern matching password_literal. Rotate the credential and move to a secret manager.
chart/values.yaml:2360
[critical] System graph · security / Secrets · confidence 1.00
Possible secret in docs/reference/scripts/airgap-dev/package-repos.sh: detected pattern matching password_literal. Rotate the credential and move to a secret manager.
docs/reference/scripts/airgap-dev/package-repos.sh:10
[critical] System graph · security / Secrets · confidence 1.00
Possible secret in docs/reference/scripts/developer/k3d-dev.sh: detected pattern matching password_literal. Rotate the credential and move to a secret manager.
docs/reference/scripts/developer/k3d-dev.sh:843
[critical] System graph · security / Secrets · confidence 1.00
Possible secret in scripts/install_flux.sh: detected pattern matching password_literal. Rotate the credential and move to a secret manager.
scripts/install_flux.sh:50
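Triage of the secret hits above (the Gitleaks private-key and basic-auth findings and the four password_literal findings), as an added example that is not Big Bang project code: a shell pass that classifies each hit as a value to rotate, a documentation placeholder, or a variable reference, which is the first question a reviewer asks of every one of these locations. The file names, file contents, placeholder token list and regexes are constructed assumptions; Gitleaks' entropy-based generic-API-key rule is not reproduced.

```shell
#!/usr/bin/env bash
# Added example (not code from the Big Bang repository): first-pass triage of
# scanner hits of the kinds listed above (private key, password literal,
# basic auth in curl). A scanner cannot tell a real credential from a
# documentation placeholder or a shell/Helm variable reference, so each hit is
# classed "rotate", "placeholder" or "variable" for the reviewer. All file
# names and file contents below are constructed, not taken from the repository.

Q="[\"']"   # one optional quote character
PRIVKEY_RE='-----BEGIN( [A-Z ]+)? PRIVATE KEY-----'
BASICAUTH_RE="(-u|--user)[[:space:]]+${Q}?[^:\"'[:space:]]+:[^\"'[:space:]]+"
PASSWORD_RE="(password|passwd|pwd)${Q}?[[:space:]]*[:=][[:space:]]*${Q}?[^\"'[:space:]]+"
VARIABLE_RE='^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$'          # $VAR or ${VAR}
PLACEHOLDER_RE='^(changeme|change-?me|replace[-_]?me|example|placeholder|dummy|x{3,}|<[^>]+>)'

# Extract the secret part of a matched fragment: after the first ":" for
# user:pass, after the first ":" or "=" (and an optional quote) for key=value.
secret_value() {
  case $1 in
    basic_auth)       printf '%s\n' "$2" | sed -E 's/^[^:]*://' ;;
    password_literal) printf '%s\n' "$2" | sed -E "s/^[^:=]*[:=][[:space:]]*${Q}?//" ;;
  esac
}

# Class a value as a variable reference, a known placeholder token, or a
# real-looking literal that must be rotated.
classify() {
  if printf '%s\n' "$1" | grep -Eq -e "$VARIABLE_RE"; then echo variable
  elif printf '%s\n' "$1" | grep -Eiq -e "$PLACEHOLDER_RE"; then echo placeholder
  else echo rotate
  fi
}

# Print one tab-separated line per hit: <class> <file>:<line> <kind>.
# A PEM private key is always "rotate": a sample key in docs and a leaked key
# look identical to a scanner, so a human has to decide, and a key shipped
# under chart/ is deployed with the chart whatever its origin.
triage_secrets() {
  local f line n kind frag
  for f in "$@"; do
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
      n=$((n + 1))
      kind=
      if printf '%s\n' "$line" | grep -Eq -e "$PRIVKEY_RE"; then
        printf 'rotate\t%s:%d\tprivate_key\n' "$f" "$n"
        continue
      elif printf '%s\n' "$line" | grep -Eq -e "$BASICAUTH_RE"; then
        kind=basic_auth
        frag=$(printf '%s\n' "$line" | grep -Eo -e "$BASICAUTH_RE" | head -n1)
      elif printf '%s\n' "$line" | grep -Eiq -e "$PASSWORD_RE"; then
        kind=password_literal
        frag=$(printf '%s\n' "$line" | grep -Eio -e "$PASSWORD_RE" | head -n1)
      fi
      [ -n "$kind" ] || continue
      printf '%s\t%s:%d\t%s\n' "$(classify "$(secret_value "$kind" "$frag")")" "$f" "$n" "$kind"
    done <"$f"
  done
}

# Constructed inputs standing in for a values file, a dev script and a cert
# manifest; prints the directory that holds them.
make_samples() {
  local d
  d=$(mktemp -d)
  printf '%s\n' 'gitlab:' '  rootPassword: changeme' '  dbPassword: "Xk9#pq2Lm!7vRt"' >"$d/values.yaml"
  printf '%s\n' '#!/usr/bin/env bash' 'set -x' 'REGISTRY_PASSWORD="$REGISTRY1_PASSWORD"' \
    'curl -u "user:$REGISTRY_PASSWORD" https://registry1.example/v2/' >"$d/package-repos.sh"
  printf '%s\n' 'key: |' '  -----BEGIN RSA PRIVATE KEY-----' '  MIIEpAIBAAKCAQEAconstructed' \
    '  -----END RSA PRIVATE KEY-----' >"$d/ingress-certs.yaml"
  printf '%s\n' "$d"
}

# Demo: run the triage over the constructed files.
demo_dir=$(make_samples)
triage_secrets "$demo_dir/values.yaml" "$demo_dir/package-repos.sh" "$demo_dir/ingress-certs.yaml"
rm -rf "$demo_dir"
```

Only the "rotate" class needs the full response (rotate the credential, move it to a secret manager, rewrite history if the repository policy requires it); "placeholder" hits are worth replacing with an obviously non-credential token such as `<replace-me>` so future scans stay quiet, and "variable" hits are usually clean unless the referenced variable is itself set from a literal elsewhere in the script.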
[high] Security checks · security / secrets · confidence 1.00 · SEC021
Shell trace around secret handling: shell xtrace is enabled near secret handling. CI and deployment logs echo every command with its expanded arguments, turning a safe secret-store lookup into a credential leak.
Disable xtrace (`set +x`) before reading secrets, keep it off until the last command that expands the secret has run, re-enable it only afterwards, and rotate any secret already exposed in logs. The same file carries the password_literal hit at line 10; if tracing is still on at that point, that value is echoed into the log as well.
docs/reference/scripts/airgap-dev/package-repos.sh:3
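The leak SEC021 describes and the hardened pattern, as an added example that is not code from the repository's scripts: a login function that reads a token from a secret store with tracing on, beside one that suppresses xtrace for the whole window in which the token is read and used and then restores the caller's setting. The `registry_call` stand-in, the secret-store file and the token value are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the Big Bang repository: shows how `set -x`
# turns a secret-store lookup into a log leak, and the hardened pattern that
# keeps xtrace off for the whole window in which the secret is read and used.
# registry_call and the secret-store file below are constructed stand-ins.

# Stand-in for the real network call (e.g. curl to a registry); does nothing.
registry_call() { :; }

# Vulnerable: tracing is on while the secret is read and used, so the
# expanded value lands on stderr, which is where CI and deployment logs come from.
leaky_login() {
  local store=$1 token
  set -x
  token=$(cat "$store")
  registry_call -H "Authorization: Bearer $token" https://registry.example/v2/
  set +x
}

# Hardened: turn xtrace off before touching the secret, keep it off until the
# last command that expands the secret has run, then restore the caller's
# original setting (read from $-) instead of unconditionally re-enabling it.
safe_login() {
  local store=$1 saved=$- token
  set +x
  token=$(cat "$store")
  registry_call -H "Authorization: Bearer $token" https://registry.example/v2/
  case $saved in *x*) set -x ;; esac
}

# Run a login function the way a CI job would (xtrace already on for the
# whole job) and print the captured trace, i.e. what would reach the job log.
trace_of() {
  local fn=$1 store=$2 tmp
  tmp=$(mktemp)
  ( set -x; "$fn" "$store" ) 2>"$tmp"
  cat "$tmp"
  rm -f "$tmp"
}

# Returns 0 if the secret value appears anywhere in the trace of $fn.
secret_in_trace() {
  local fn=$1 store=$2 secret=$3
  trace_of "$fn" "$store" | grep -Fq -- "$secret"
}

# Constructed secret store: a file holding a made-up token.
make_store() {
  local f
  f=$(mktemp)
  printf '%s\n' "$1" >"$f"
  printf '%s\n' "$f"
}

# Demo: show the leaked trace line, then confirm the hardened variant is clean.
store=$(make_store tok-constructed-9f3a)
echo "leaky_login trace lines containing the token:"
trace_of leaky_login "$store" | grep -F -- tok-constructed-9f3a
if secret_in_trace safe_login "$store" tok-constructed-9f3a; then
  echo "safe_login: token leaked"
else
  echo "safe_login: trace is clean"
fi
rm -f "$store"
```

Restoring from `$-` matters in scripts that are sourced or called from a CI wrapper that set `-x` itself: an unconditional `set -x` at the end would switch tracing on for callers that never asked for it, and an unconditional `set +x` would silently drop the trace the operator wanted for everything else.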
[high] Security checks · security / Crypto · confidence 1.00 · SEC113
SSH host-key verification disabled (MITM): accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`.
Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement an `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`. Shell (`ssh`/`scp`, which is what the flagged file is): do not pass `-o StrictHostKeyChecking=no`; pin the host key in a known_hosts file provisioned out of band and connect with `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<file>`.
docs/reference/scripts/airgap-zarf/zarf-dev.sh:27
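A shell counterpart to the remediation above, as an added example that is not the repository's code: the insecure invocation beside one that refuses to connect unless the host already has a pinned entry in a known_hosts file the script controls. Host names, key strings, the `deploy` user and the file layout are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not code from the Big Bang repository): the ssh invocation
# SEC113 warns about beside a pinned-host-key version. The host names and
# key material below are constructed placeholders, not real keys.

# Vulnerable: whatever key the peer presents on first contact is accepted and
# (with /dev/null as the known_hosts file) never remembered, so every
# connection is a fresh "first" one and an active MITM is trusted each time.
ssh_insecure_cmd() {
  printf '%s\n' "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $1"
}

# Does $file hold a plaintext known_hosts entry for $host? Entry format:
#   <host[,host...]> <keytype> <base64 key> [comment]
# Hashed entries (|1|...) and @marker lines are skipped here; use
# `ssh-keygen -F <host> -f <file>` when the file contains those.
known_hosts_has() {
  local file=$1 host=$2 hosts keytype rest
  [ -r "$file" ] || return 1
  while read -r hosts keytype rest; do
    case $hosts in ''|\#*|@*|'|'*) continue ;; esac
    case ",$hosts," in
      *",$host,"*)
        case $keytype in ssh-ed25519|ssh-rsa|ecdsa-sha2-*|sk-*) return 0 ;; esac ;;
    esac
  done <"$file"
  return 1
}

# Hardened: refuse to connect unless the host is already pinned in a
# known_hosts file provisioned out of band, then make ssh enforce that file.
ssh_pinned_cmd() {
  local target=$1 known=$2 host=${1#*@}
  known_hosts_has "$known" "$host" || { echo "refusing: $host is not pinned in $known" >&2; return 1; }
  printf '%s\n' "ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$known $target"
}

# Constructed known_hosts file with placeholder (non-functional) key strings.
make_known_hosts() {
  local f
  f=$(mktemp)
  printf '%s\n' \
    '# constructed placeholder entries, not real keys' \
    'git.example.mil ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOL constructed' \
    'registry1.example.mil,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER constructed' \
    >"$f"
  printf '%s\n' "$f"
}

# Demo: print both command lines, then show the refusal for an unpinned host.
kh=$(make_known_hosts)
ssh_insecure_cmd deploy@git.example.mil
ssh_pinned_cmd deploy@git.example.mil "$kh"
ssh_pinned_cmd deploy@unknown.example.mil "$kh" || echo "(refused by policy, as intended)"
rm -f "$kh"
```

Provision the pinned file out of band, for example `ssh-keyscan -t ed25519 git.example.mil >> known_hosts` run over a path you trust, and compare `ssh-keygen -lf known_hosts` against the fingerprint the host's operator publishes before the file is committed to the deployment tooling; the point of `StrictHostKeyChecking=yes` is that ssh then fails closed on any host the file does not name.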
[high] Security checks · quality / Quality · confidence 0.72
Agent control bridge may listen on a network interface without visible auth. Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
chart/templates/gatekeeper/values.yaml:65
This hit is in a Helm values file, so the listener it configures runs inside the cluster; whether it is reachable from a LAN depends on the Service type and NetworkPolicy the chart applies, not on the bind address alone. Confirm what line 65 actually configures and which authorization the chart enables for it before treating this as an exposure; the 0.72 confidence reflects that the detector did not see an auth guard, not that none exists.
[medium] System graph · security / security · confidence 1.00
Insecure pattern 'weak_hash' in base/flux/gotk-components.yaml:4828. Found a known-risky pattern (weak_hash). Review and replace if possible.
base/flux/gotk-components.yaml:4828 (weak hash)
[medium] System graph · security / security · confidence 1.00
Insecure pattern 'weak_hash' in docs/reference/configs/zarf/metallb/metallb-native-0.13.9.yaml:638. Found a known-risky pattern (weak_hash). Review and replace if possible.
docs/reference/configs/zarf/metallb/metallb-native-0.13.9.yaml:638 (weak hash)
Both hits are in vendored upstream manifests (Flux components, MetalLB 0.13.9). In a rendered Kubernetes manifest a weak-hash match is frequently an algorithm name in a CRD field description or a checksum annotation rather than a cryptographic use; confirm the hash actually protects integrity or authentication before changing it, and if it does, the fix belongs upstream rather than in this repository's copy.
[medium] System graph · cicd / CI/CD security · confidence 1.00
No CI/CD pipelines detected: no GitHub Actions, GitLab CI, or CircleCI configs found in the scanned tree. Without CI you can't gate deploys on tests/lints. The detector only looks for those three config layouts, so a repository mirrored from another forge or driven by an external pipeline can show this finding while still being tested; confirm before acting on it.
Tags: CI/CD security, Coverage
[medium] System graph · network / Security · confidence 1.00
Privileged port 1000 in use. Port 1000 is privileged (below 1024), so binding it requires root or CAP_NET_BIND_SERVICE; make sure the service runs with that capability only, or front it with a non-privileged port via a load balancer.
docs/reference/scripts/developer/k3d-dev.sh (Ports)
[low] System graph · quality / Complexity · confidence 1.00
Very large file: docs/reference/scripts/developer/k3d-dev.sh (1596 lines). Files with more than 800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/9cd71d44-cae5-42c5-8ec6-b380cbe0bd7b/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/9cd71d44-cae5-42c5-8ec6-b380cbe0bd7b/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.