
Scan timing: clone 16.72s · analysis 11.16s · 44.6 MB · GitHub API rate-limit (preflight)

prisma/prisma

https://github.com/prisma/prisma · scanned 2026-05-31 01:26 UTC (5 days, 7 hours ago) · 10 languages

1059 findings (189 legacy + 870 scanner) · 11/13 scanners ran · 88th percentile · TypeScript · large (100-500K LoC) · Scanner says 59 (higher by 26)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 7 hours ago · v2 · 624 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5

Component            Sub-score  Weight  Contribution
structure_score           60.0    0.15          9.00
security_score           100.0    0.25         25.00
testing_score             95.0    0.20         19.00
documentation_score       80.0    0.15         12.00
practices_score           76.0    0.15         11.40
code_quality              80.0    0.10          8.00
Overall                             1.00          84.4
security_score may be inflated — optional security scanners were skipped on this fast scan
Scan summary Repository scanned at 58.9/100 with 100.0% coverage. It contains 8369 nodes across 4 cross-layer flows, written primarily in mixed languages. Engine surfaced 435 findings — concentrated in frontend (241), quality (71), cicd (54). Risk profile is high: 2 critical, 8 high, 69 medium. Recommended next step: open the frontend layer findings first — that's where the highest-impact wins live.

Showing 339 of 624 findings.

critical · Legacy · quality / quality · conf 1.00 · ✓ Repobility · [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
.github/workflows/scripts/setup-postgres.sh:24 · quality · legacy
critical · Legacy · quality / quality · conf 1.00 · ✓ Repobility · [MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
Review and fix per the pattern semantics. See CWE-95 for context.
packages/internals/src/get-generators/utils/getBinaryPathsByVersion.ts:84 · quality · legacy
critical · Legacy · quality / quality · conf 1.00 · ✓ Repobility · [MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
Review and fix per the pattern semantics. See CWE-95 for context.
packages/cli/src/bin.ts:207 · quality · legacy
critical · Legacy · quality / quality · conf 1.00 · ✓ Repobility · [MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
Review and fix per the pattern semantics. See CWE-95 for context.
packages/cli/src/Generate.ts:36 · quality · legacy
critical · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED116] Workflow uses `secrets.CODSPEED_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODSPEED_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/benchmark.yml:88 · dependency · legacy
critical · Legacy · cicd / docker · conf 0.96 · Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
docker/docker-compose.yml:149 · docker · legacy
critical · Legacy · cicd / docker · conf 0.96 · Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
docker/docker-compose.yml:133 · docker · legacy
critical · Legacy · cicd / docker · conf 0.96 · Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
docker/docker-compose.yml:116 · docker · legacy
critical · Legacy · cicd / docker · conf 0.96 · Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
docker/docker-compose.yml:99 · docker · legacy
critical · Legacy · cicd / docker · conf 0.96 · Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
docker/docker-compose.yml:51 · docker · legacy
critical · Legacy · cicd / docker · conf 0.96 · Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
docker/docker-compose.yml:28 · docker · legacy
critical · Legacy · cicd / docker · conf 0.96 · Compose service contains a literal secret environment value
Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file.
docker/docker-compose.yml:5 · docker · legacy
high · Legacy · quality / quality · conf 1.00 · ✓ Repobility · [MINED032] Ts Nocheck Comment: // @ts-nocheck silences all type checking for entire file.
Review and fix per the pattern semantics. See CWE-704 for context.
packages/client-generator-ts/src/utils/addPreamble.ts:9 · quality · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/update-engines-version.yml:29 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/auto-close-github-discussions.yml:18 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/codeql-analysis.yml:34 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/bundle-size.yml:30 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/github-script@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.
.github/workflows/update-engines-version.yml:102 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/update-engines-version.yml:33 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/auto-close-github-discussions.yml:26 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `andresz1/size-limit-action` pinned to mutable ref `@v1`: `uses: andresz1/size-limit-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: andresz1/size-limit-action@<40-char-sha> # v1` and let Dependabot bump it on a scheduled cadence.
.github/workflows/bundle-size.yml:38 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v3`: `uses: github/codeql-action/analyze@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: github/codeql-action/analyze@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/codeql-analysis.yml:47 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v3`: `uses: github/codeql-action/init@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: github/codeql-action/init@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/codeql-analysis.yml:38 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `juliangruber/approve-pull-request-action` pinned to mutable ref `@v2`: `uses: juliangruber/approve-pull-request-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: juliangruber/approve-pull-request-action@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
.github/workflows/update-engines-version.yml:149 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: nick-fields/retry@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/update-engines-version.yml:92 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: nick-fields/retry@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/update-engines-version.yml:83 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: nick-fields/retry@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/update-engines-version.yml:74 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: nick-fields/retry@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/update-engines-version.yml:65 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: peter-evans/create-pull-request@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.
.github/workflows/update-engines-version.yml:163 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: peter-evans/create-pull-request@<40-char-sha> # v8` and let Dependabot bump it on a scheduled cadence.
.github/workflows/update-engines-version.yml:115 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4.0.0`: `uses: pnpm/action-setup@v4.0.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pnpm/action-setup@<40-char-sha> # v4.0.0` and let Dependabot bump it on a scheduled cadence.
.github/workflows/update-engines-version.yml:31 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pnpm/action-setup@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
.github/workflows/auto-close-github-discussions.yml:21 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM alpine:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/planetscale_proxy/Dockerfile:5 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED118] Dockerfile FROM `ghcr.io/mattrobenolt/ps-http-sim:v0.0.11` not pinned by digest: `FROM ghcr.io/mattrobenolt/ps-http-sim:v0.0.11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ghcr.io/mattrobenolt/ps-http-sim:v0.0.11@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/planetscale_proxy/Dockerfile:1 · dependency · legacy
high · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED122] package.json dep `db` pulled from URL/Git: `dependencies.db` = `link:./node_modules/.prisma/client` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.
sandbox/d1/package.json:1 · dependency · legacy
high · Legacy · security / path_traversal · conf 0.80 · [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
packages/client/src/runtime/highlight/languages/sql.ts:22 · path_traversal · legacy
low · Legacy · software / xss · conf 1.00 · [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
packages/cli/src/platform/_lib/help.ts:12 · xss · legacy
low · Legacy · software / xss · conf 1.00 · [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
packages/cli/scripts/preinstall.ts:39 · xss · legacy
low · Legacy · software / xss · conf 1.00 · [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
eslint-local-rules/valid-exported-types-index.ts:24 · xss · legacy
low · Legacy · quality / quality · conf 1.00 · [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
packages/client/src/runtime/utils/createErrorMessageWithContext.ts:132 · quality · legacy
low · Legacy · quality / quality · conf 1.00 · [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
packages/cli/src/utils/prompt/utils/deepExtend.ts:42 · quality · legacy
low · Legacy · quality / quality · conf 1.00 · [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
packages/adapter-d1/src/d1-worker.ts:172 · quality · legacy
low · Legacy · quality / quality · conf 1.00 · [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
packages/adapter-better-sqlite3/src/better-sqlite3.ts:186 · quality · legacy
low · Legacy · quality / quality · conf 1.00 · [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
helpers/compile/plugins/replaceWithPlugin.ts:31 · quality · legacy
high · Legacy · cicd / docker · conf 0.90 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker/docker-compose.yml:163 · docker · legacy
high · Legacy · cicd / docker · conf 0.90 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker/docker-compose.yml:149 · docker · legacy
high · Legacy · cicd / docker · conf 0.90 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker/docker-compose.yml:133 · docker · legacy
high · Legacy · cicd / docker · conf 0.90 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker/docker-compose.yml:116 · docker · legacy
high · Legacy · cicd / docker · conf 0.90 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker/docker-compose.yml:99 · docker · legacy
high · Legacy · cicd / docker · conf 0.90 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker/docker-compose.yml:80 · docker · legacy
high · Legacy · cicd / docker · conf 0.90 · Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker/docker-compose.yml:51 · docker · legacy
high · Legacy · cicd / docker · conf 0.84 · Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
docker/docker-compose.yml:163 · docker · legacy
high · Legacy · cicd / docker · conf 0.84 · Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
docker/docker-compose.yml:149 · docker · legacy
high · Legacy · cicd / docker · conf 0.84 · Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
docker/docker-compose.yml:133 · docker · legacy
high · Legacy · cicd / docker · conf 0.84 · Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
docker/docker-compose.yml:116 · docker · legacy
high · Legacy · cicd / docker · conf 0.84 · Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
docker/docker-compose.yml:99 · docker · legacy
high · Legacy · cicd / docker · conf 0.84 · Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
docker/docker-compose.yml:80 · docker · legacy
high · Legacy · cicd / docker · conf 0.84 · Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
docker/docker-compose.yml:51 · docker · legacy
high · 9-layer · security / secrets · conf 1.00 · .env file present in repo: packages/client/src/__tests__/integration/happy/browser/prisma/.env
A raw .env file is in the working tree. Verify it isn't committed and that secrets are in a vault.
secrets · config
high · 9-layer · security / secrets · conf 1.00 · .env file present in repo: packages/internals/src/__tests__/__fixtures__/dotenv/.env
A raw .env file is in the working tree. Verify it isn't committed and that secrets are in a vault.
secrets · config
high · 9-layer · cicd / supply-chain · conf 1.00 · GitHub Action tracks a moving branch
prisma/.github/.github/workflows/secret_detection.yml@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pr-code-security.yml:10 · supply-chain · github-actions · pinned-dependencies
high · 9-layer · cicd / supply-chain · conf 1.00 · GitHub Action tracks a moving branch
prisma/.github/.github/workflows/code_scanning.yml@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pr-code-security.yml:14 · supply-chain · github-actions · pinned-dependencies
high · 9-layer · security / owasp · conf 1.00 · Insecure pattern 'eval_used' in packages/cli/src/bin.ts:207
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/cli/src/bin.ts:207 · owasp · eval_used
high · 9-layer · security / owasp · conf 1.00 · Insecure pattern 'eval_used' in packages/cli/src/Generate.ts:36
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/cli/src/Generate.ts:36 · owasp · eval_used
high · 9-layer · security / owasp · conf 1.00 · Insecure pattern 'eval_used' in packages/internals/src/get-generators/utils/getBinaryPathsByVersion.ts:84
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/internals/src/get-generators/utils/getBinaryPathsByVersion.ts:84 · owasp · eval_used
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
authlegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
packages/cli/src/utils/printUpdateMessage.ts:33 error_handlinglegacy
medium Legacy quality quality conf 1.00 [SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pulling from env. These get committed verbatim — production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand
Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder.
packages/cli/src/postgres/link/Link.ts:155 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pulling from env. These get committed verbatim — production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand
Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder.
packages/cli/src/postgres/PostgresCommand.ts:29 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
packages/fetch-engine/src/utils.ts:27 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
packages/client/src/runtime/utils/SourceFileSlice.ts:23 quality legacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
packages/cli/src/Generate.ts:363 quality legacy
medium Legacy cicd docker conf 0.86 App service does not wait for database health
Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`.
docker/docker-compose.yml:244 docker legacy
medium Legacy cicd docker conf 0.94 Compose service `neon_wsproxy` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker/docker-compose.yml:226 docker legacy
medium Legacy cicd docker conf 0.86 Database dump or local database file is included in Docker build context
Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow.
.dockerignore docker legacy
medium Legacy cicd docker conf 0.74 Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker/docker-compose.yml:183 docker legacy
medium Legacy cicd docker conf 0.74 Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
docker/docker-compose.yml:5 docker legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
docker/postgres_ext/Dockerfile:2 docker legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
docker/planetscale_proxy/Dockerfile:5 docker legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
docker/mongodb_replica/Dockerfile:3 docker legacy
medium Legacy cicd docker conf 0.94 Dockerfile base image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker/planetscale_proxy/Dockerfile:5 docker legacy
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
CONTRIBUTING.md:35 dependency legacy
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/bundle-size/da-workers-d1/index.js:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/bundle-size/da-workers-libsql-web/index.js:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/bundle-size/da-workers-libsql/index.js:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/bundle-size/da-workers-mariadb/index.js:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/bundle-size/da-workers-mssql/index.js:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/bundle-size/da-workers-neon/index.js:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/bundle-size/da-workers-pg/index.js:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/bundle-size/da-workers-planetscale/index.js:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/__tests__/studio-server.vitest.ts:19
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/Init.ts:467
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/utils/nps/capture.ts:41
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/utils/nps/status.ts:18
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/client/src/runtime/core/engines/client/RemoteExecutor.ts:310
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/fetch-engine/src/downloadZip.ts:83
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/internals/src/errorReporting.ts:32
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/query-plan-executor/src/server/server.ts:43
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — sandbox/d1/src/index.ts:25
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/ci/publish.ts:882
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer hardware supply-chain conf 1.00 Docker base image uses a mutable or implicit tag: alpine:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/planetscale_proxy/Dockerfile:5 supply-chain docker pinned-dependencies
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: docker/mongodb_replica/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: docker/planetscale_proxy/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: docker/postgres_ext/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/init@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql-analysis.yml:38 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/analyze@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql-analysis.yml:47 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/auto-close-github-discussions.yml:21 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
nick-fields/retry@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-engines-version.yml:65 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
nick-fields/retry@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-engines-version.yml:74 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
nick-fields/retry@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-engines-version.yml:83 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
nick-fields/retry@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-engines-version.yml:92 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/create-pull-request@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-engines-version.yml:115 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
juliangruber/approve-pull-request-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-engines-version.yml:149 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/create-pull-request@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-engines-version.yml:163 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/create-pull-request@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-engines-version.yml:207 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
peter-evans/create-pull-request@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-studio-version.yml:41 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
juliangruber/approve-pull-request-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-studio-version.yml:72 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
rtCamp/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:164 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
rtCamp/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release.yml:182 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
jaxxstorm/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-engine-branch.yml:123 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
rhysd/github-action-benchmark@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/benchmark.yml:69 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
CodSpeedHQ/action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/benchmark.yml:84 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml supply-chain github-actions least-privilege
medium 9-layer network security conf 1.00 Privileged port 16 in use
Port 16 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
docker/docker-compose.yml security ports
medium 9-layer network security conf 1.00 Privileged port 256 in use
Port 256 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
docker/docker-compose.yml security ports
medium 9-layer network security conf 1.00 Privileged port 43 in use
Port 43 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/codeql-analysis.yml security ports
low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore docker legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
docker/docker-compose.yml:244 docker legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
docker/docker-compose.yml:226 docker legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
docker/docker-compose.yml:206 docker legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
docker/docker-compose.yml:183 docker legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
docker/docker-compose.yml:149 docker legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
docker/docker-compose.yml:66 docker legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
docker/docker-compose.yml:28 docker legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
docker/docker-compose.yml:5 docker legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docker/docker-compose.yml:244 docker legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docker/docker-compose.yml:226 docker legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docker/docker-compose.yml:206 docker legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docker/docker-compose.yml:149 docker legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docker/docker-compose.yml:66 docker legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docker/docker-compose.yml:28 docker legacy
low Legacy cicd docker conf 0.72 Dockerfile installs recommended OS packages
Add `--no-install-recommends` and explicitly list only packages the image needs.
docker/postgres_ext/Dockerfile:8 docker legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/client-generator-ts/src/TSClient/PrismaClient.ts:20 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/client-generator-ts/src/TSClient/Payload.ts:2 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/client-generator-ts/src/TSClient/Output.ts:13 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/client-generator-ts/src/TSClient/Model.ts:18 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/client-generator-ts/src/TSClient/Input.ts:11 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/client-generator-ts/src/TSClient/Count.ts:11 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/client-generator-ts/src/TSClient/Args.ts:9 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/client-generator-ts/src/GenericsArgsInfo.ts:1 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/client-engine-runtime/bench/sample-query-plans.ts:53 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/cli/src/Validate.ts:50 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/bundle-size/da-workers-libsql/index.js:2 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-ppg/src/errors.ts:3 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-ppg/src/conversion.ts:121 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-planetscale/src/planetscale.ts:2 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-planetscale/src/errors.ts:92 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-planetscale/src/conversion.ts:129 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-planetscale/src/conversion.ts:127 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-pg/src/pg.ts:30 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-pg/src/errors.ts:44 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-pg/src/conversion.ts:341 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-pg/src/conversion.ts:10 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-neon/src/conversion.ts:333 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-mssql/src/mssql.ts:1 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-mssql/src/conversion.ts:99 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-libsql/src/libsql.ts:7 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-libsql/src/errors.ts:53 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-libsql/src/conversion.ts:119 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-libsql/src/conversion.ts:6 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-d1/src/d1-worker.ts:77 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
packages/adapter-d1/src/conversion.ts:54 quality legacy
low Legacy quality quality conf 0.68 Multiple AI-agent scaffold marker files are present
Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior.
AGENTS.md:1 quality legacy
low 9-layer quality integrity conf 1.00 102 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `APPDATA`, `AWS_LAMBDA_FUNCTION_VERSION`, `AWS_LAMBDA_JS_RUNTIME`, `BINARY_DOWNLOAD_VERSION`, `BINARY_TARGETS_ENV_VAR_TEST`, `BROWSER`, `CHECKPOINT_DISABLE`, `CI` + 94 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn'…
integrity config-drift
low 9-layer quality maintenance conf 1.00 283 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coverage deployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ghcr.io/mattrobenolt/ps-http-sim:v0.0.11
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/planetscale_proxy/Dockerfile:1 supply-chain docker pinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: mongo:${MONGO_VERSION}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/mongodb_replica/Dockerfile:2 supply-chain docker pinned-dependencies
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: postgres:${POSTGRES_VERSION}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/postgres_ext/Dockerfile:2 supply-chain docker pinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: eslint-local-rules/all-types-are-exported.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: eslint-local-rules/valid-exported-types-index.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/blaze/_.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/blaze/utils/types/Strict.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/compile/plugins/esmSplitCodeToCjs.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/compile/plugins/externalPlugin.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/compile/plugins/fill-plugin/fillers/buffer.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/compile/plugins/fill-plugin/fillers/perf_hooks.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/compile/plugins/fill-plugin/fillers/process.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/compile/plugins/fixImportsPlugin.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/compile/plugins/nodeProtocolPlugin.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/compile/plugins/onErrorPlugin.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/test/presets/default.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: helpers/test/presets/withSnapshotSerializer.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/adapter-d1/helpers/build.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/adapter-d1/src/constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/adapter-d1/src/d1.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/adapter-d1/src/index-node.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/adapter-d1/src/index-workerd.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/default.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/default.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/edge.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/edge.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/extension.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/extension.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/index-browser.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/index.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/jest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/sql.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/sql.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/tests/functional/batching-bigint/_matrix.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/tests/functional/batching-bigint/prisma/_schema.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/tests/functional/batching-bigint/tests.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/tests/functional/find-unique-or-throw-batching/_matrix.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/tests/functional/find-unique-or-throw-batching/prisma/_schema.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/tests/functional/find-unique-or-throw-batching/tests.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/tests/functional/jest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/tests/functional/json-list-push/_matrix.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/tests/functional/json-list-push/prisma/_schema.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/client/tests/functional/json-list-push/tests.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/dmmf/helpers/build.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/dmmf/src/convert.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/dmmf/src/dmmf.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/dmmf/src/util.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/engines/helpers/build.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/engines/jest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/engines/scripts/postinstall.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/engines/src/__tests__/ensureNeededBinariesExist.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/sqlcommenter-query-tags/helpers/build.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/codeql-analysis.yml:34 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/auto-close-github-discussions.yml:18 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/auto-close-github-discussions.yml:26 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-engines-version.yml:102 supply-chain · github-actions · pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/update-engines-version.yml:197 supply-chain · github-actions · pinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `generateClientLegacy` in packages/client/tests/functional/_utils/setupTestSuiteClient.ts:3
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
package.json supply-chain · npm · install-scripts
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
packages/engines/package.json supply-chain · npm · install-scripts
low 9-layer cicd supply-chain conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
packages/cli/package.json supply-chain · npm · install-scripts
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — .github/workflows/scripts/auto-close-github-discussions.js:53
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — .github/workflows/scripts/detect-jobs-to-run.js:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — helpers/compile/build.ts:149
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/helpers/resolve.js:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/bin.ts:187
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/bootstrap/Bootstrap.ts:194
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/Init.ts:421
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/postgres/link/Link.ts:55
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/Studio.ts:318
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/cli/src/SubCommand.ts:163
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client-engine-runtime/bench/bench-utils.ts:139
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/fixtures/blog/main.ts:26
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/fixtures/enums/main.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/fixtures/generate.ts:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/fixtures/mongo/main.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/benchmarks/huge-schema/builder.ts:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/benchmarks/huge-schema/compile.ts:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/benchmarks/huge-schema/huge-schema.bench.ts:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/benchmarks/lots-of-relations/lots-of-relations.bench.ts:27
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/benchmarks/query-performance/caching.bench.ts:192
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/benchmarks/query-performance/query-performance.bench.ts:21
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/benchmarks/query-performance/seed-data.ts:654
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/integration/errors/int-errors/test.ts:32
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/integration/errors/source-map-support/test.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/integration/happy/insensitive-postgresql-feature-flag/test.ts:220
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/integration/happy/insensitive-postgresql/test.ts:220
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/integration/happy/signals/__helpers__/client.ts:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/types/pick/test.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/src/__tests__/types/record/test.ts:8
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/_utils/run.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/enum-import-in-edge/_steps.ts:35
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/env-var-security/tests/index.ts:29
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/example/src/index.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/issues/16418-slow-compilation-big-schema/_steps.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/issues/28221-multiple-provider-clients/src/index.ts:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/large-schema-generation/src/generate-schema.ts:69
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/nextjs-schema-not-found/_shared/test.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/prisma-client-generator/enums-tsoa/src/app.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/prisma-client-generator/node-tsup-esm/src/test.ts:18
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/prisma-client-generator/node-tsx-cjs/src/test.ts:19
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/prisma-client-generator/node-tsx-esm/src/test.ts:19
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/require-in-the-middle/_steps.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/require-in-the-middle/src/index.ts:5
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/schema-folder-sqlite/src/index.ts:12
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/sqlcommenter-query-insights/src/index.ts:107
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/sqlcommenter-query-tags/src/index.ts:94
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/sqlcommenter-trace-context/src/index.ts:20
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/sqlcommenter/src/index.ts:75
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/typed-sql-query-compiler-adapter-libsql/src/index.ts:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/e2e/typed-sql/src/index.ts:17
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/functional/interactive-transactions/tests.ts:34
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality · fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/functional/issues/10000/prisma/_schema.ts:43
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/functional/issues/12557/prisma/_schema.ts:37
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/functional/issues/29331-query-plan-cache-bloat/tests.ts:61
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/functional/relationMode-17255-mixed-actions/_matrix.ts:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/client/tests/functional/relationMode-17255-same-actions/_matrix.ts:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/engines/src/scripts/localinstall.ts:70
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/fetch-engine/src/download.ts:125
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/get-platform/bench/get-platform.bench.ts:16
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/get-platform/src/logger.ts:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/internals/src/get-generators/getGenerators.ts:385
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — packages/internals/src/logger.ts:13
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak


This page is publicly accessible at: https://repobility.com/scan/a0302965-5ed4-4eba-a4e9-ef700afaebd1/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/a0302965-5ed4-4eba-a4e9-ef700afaebd1/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.