100 of your 179 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 16.4s · analysis 24.93s · 80.2 MB · GitHub API rate-limit (preflight)

zed-industries/zed

https://github.com/zed-industries/zed · scanned 2026-06-05 07:19 UTC (1 week, 1 day ago) · 10 languages

718 raw signals (164 security + 554 graph) · 11/13 scanners ran · 0th percentile · Rust · huge (>500K LoC) · System graph score 72 (lower by 5)


Complete repo analysis

Last scanned 1 week, 1 day ago · v2 · 324 actionable findings from 2 signal sources. 90 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown (2026-05-18-v5)

Component             Sub-score   Weight   Contribution
structure_score            60.0     0.15           9.00
security_score            100.0     0.25          25.00
testing_score              22.0     0.20           4.40
documentation_score        91.0     0.15          13.65
practices_score            76.0     0.15          11.40
code_quality               44.0     0.10           4.40
Overall                              1.00          67.9
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: severity = medium, excluding tests.
Scan summary: quality grade B- (68/100). Dimensions: security 100, maintainability 60. 164 findings (45 security). 1,389,458 lines analyzed.

Showing 19 of 324 actionable findings. 414 raw detector signals were grouped into reader-sized issues.

[medium] Security checks · cicd · CI/CD security · conf 0.90 · ✓ Repobility · 8 occurrences
GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `digitalocean/action-doctl` is pinned to the mutable ref `@v2`: `uses: digitalocean/action-doctl@v2` is resolved at workflow-run time. Tags and branches can be re-pushed by the action owner; that is what let the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-ch…
2 files, 8 locations
.github/workflows/deploy_collab.yml:90, 120 (4 hits)
.github/workflows/run_tests.yml:797, 802 (4 hits)
Tags: CI/CD security, Supply chain, GitHub Actions
[medium] Security checks · quality · Quality
Average file size is 751 lines (recommend <300)
Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Apply the Single Responsibility Principle: each module should have one clear purpose.
[medium] Security checks · cicd · CI/CD security · conf 0.84
Database data bind mount is inside the Docker build context
Prefer a named volume or a host path outside the build context. If a repo-local path is required, add it to .dockerignore and .gitignore and verify backups separately.
compose.yml:1
Tags: CI/CD security, containers
[medium] Security checks · cicd · CI/CD security · conf 0.90
Docker build context has no .dockerignore
Add a .dockerignore that excludes at least .git, .env, private keys, dependency folders, build outputs, and local databases.
.dockerignore
Tags: CI/CD security, containers
[medium] System graph · quality · Integrity · conf 1.00 · 2 occurrences
`fetch()` without try/catch, `.catch()`, or AbortSignal
A bare `fetch(...)` produces an unhandled promise rejection on network failure. Wrap it in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
2 files, 2 locations
docs/theme/[email protected]:1
docs/theme/plugins.js:165
Tags: runtime safety, Robustness
[medium] System graph · hardware · Security · conf 1.00
Dockerfile runs as root: crates/eval_cli/Dockerfile
No non-root USER is set. Containers running as root expand the blast radius of any vulnerability inside the image.
Tags: Container
[medium] System graph · cicd · CI/CD security · conf 1.00 · 3 occurrences
GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase the blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
3 files, 3 locations
.github/workflows/background_agent_mvp.yml
.github/workflows/docs_suggestions.yml
.github/workflows/extension_auto_bump.yml
Tags: CI/CD security, Supply chain, GitHub Actions
[medium] System graph · quality · Integrity · conf 1.00 · 9 occurrences
Network/subprocess call without timeout or try/except
The `requests.get(...)` or `requests.post(...)` call at each location lacks both a `timeout=` argument and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap the call in try/except, or use a wrapper that retries.
9 files, 9 locations
script/flatpak/convert-release-notes.py:58 (`requests.get`)
script/github-assign-contributor-issue.py:75 (`requests.get`)
script/github-check-new-issue-for-duplicates.py:101 (`requests.post`)
script/github-clean-issue-types.py:49 (`requests.get`)
script/github-community-pr-board.py:142 (`requests.post`)
script/github-find-top-duplicated-bugs.py:112 (`requests.post`)
script/github-label-issues-to-triage.py:48 (`requests.get`)
script/github-track-duplicate-bot-effectiveness.py:152 (`requests.post`)
script/update_top_ranking_issues/main.py:107 (`requests.get`)
Tags: runtime safety, Robustness
[medium] System graph · network · Security · conf 1.00
Privileged port 16 in use
Port 16 is privileged (<1024). Make sure the service runs with the right capabilities, or front it with a non-privileged port via a load balancer.
.github/workflows/bump_collab_staging.yml
Tags: Ports
[medium] System graph · quality · Tests · conf 1.00
Very low test-to-source ratio
133 test file(s) for 1718 source file(s) (ratio 0.08). Consider adding integration or unit tests for critical paths.
Tags: Coverage
API access

This page is publicly accessible at: https://repobility.com/scan/a119af50-ee8c-43d5-8bbf-b3fa8f6264d6/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/a119af50-ee8c-43d5-8bbf-b3fa8f6264d6/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.