Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

Scan timing: clone 28.3s · analysis 28.44s · 54.0 MB · GitHub API rate-limit (preflight)

trpc-group/trpc-agent-go

https://github.com/trpc-group/trpc-agent-go · scanned 2026-05-31 01:26 UTC (1 week, 6 days ago) · 10 languages

462 raw signals (187 security + 275 graph) 11/13 scanners ran 90th percentile · Go · huge (>500K LoC) System graph score 66 (higher by 23)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 6 days ago · v2 · last Δ -0.4 (diff) · 174 actionable findings from 2 signal sources. 155 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
79.0
/100
Security checks
92
49 findings
System graph
67
100.0% cov · 125 findings
Critical
1
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 100.0 0.25 25.00
testing_score 85.0 0.20 17.00
documentation_score 95.0 0.15 14.25
practices_score 95.0 0.15 14.25
code_quality 64.0 0.10 6.40
Overall 1.00 89.7
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: severity: high × excluding tests × Reset all
Severity: Critical 1 High 9 Medium 10 Low 122 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 49 System graph 125 Crowd 0 Layer: Software 21 Quality 132 Security 7 Cicd 7 Frontend 5 Hardware 1 Api 1
Scan summary Quality grade A- (90/100). Dimensions: security 100, maintainability 85. 187 findings (60 security). 999,832 lines analyzed.

Showing 9 of 174 actionable findings. 329 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /rerank has no auth: Handler `rerank` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
examples/knowledge/reranker/infinity/deploy_infinity.py:68
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
openclaw/skills/model-usage/scripts/model_usage.py:83
high Security checks software Resource exhaustion conf 1.00 [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants.
Cap user-controlled sizes BEFORE allocation: size = min(int(request.args.get('n', 100)), MAX_SIZE) Set framework-level limits: Flask: app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 FastAPI: use middleware to enforce request size Django: DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py …
internal/toolretry/runner.go:156
high System graph cicd CI/CD security conf 1.00 GitHub Action tracks a moving branch
crate-ci/typos@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/prc.yml:366 CI/CD securitySupply chainGithub actions
high System graph security security conf 1.00 Insecure pattern 'eval_used' in evaluation/service/local/local.go:655
Found a known-risky pattern (eval_used). Review and replace if possible.
evaluation/service/local/local.go:655 Eval used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in tool/hostexec/manager.go:78
Found a known-risky pattern (exec_used). Review and replace if possible.
tool/hostexec/manager.go:78 Exec used
high Security checks quality Quality conf 0.80 localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
examples/agui/client/tdesign-chat/src/App.tsx:149
high Security checks cicd CI/CD security conf 0.56 6 occurrences Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
2 files, 6 locations
examples/callbacks/timer/docker-compose.yaml:1, 9, 16 (3 hits)
examples/telemetry/jaeger-prometheus/docker-compose.yaml:1, 10, 17 (3 hits)
CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.62 6 occurrences Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
2 files, 6 locations
examples/callbacks/timer/docker-compose.yaml:1, 9, 16 (3 hits)
examples/telemetry/jaeger-prometheus/docker-compose.yaml:1, 10, 17 (3 hits)
CI/CD securitycontainers
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/a403e5be-55bf-4133-b7a5-6bc687c43c3b/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/a403e5be-55bf-4133-b7a5-6bc687c43c3b/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.