
Scan timing: clone 1.59s · analysis 51.53s · 4.1 MB · GitHub API rate-limit (preflight)

D4Vinci/Scrapling

https://github.com/D4Vinci/Scrapling · scanned 2026-06-04 04:11 UTC (1 day, 4 hours ago) · 10 languages

265 findings (131 legacy + 134 scanner) 75th percentile · Python · medium (20-100K LoC) Scanner says 85 (lower by 8)


Complete repo analysis

Last scanned 1 day, 4 hours ago · v2 · 198 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown — 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 75.0 0.15 11.25
security_score 49.7 0.25 12.43
testing_score 97.0 0.20 19.40
documentation_score 96.0 0.15 14.40
practices_score 99.0 0.15 14.85
code_quality 46.9 0.10 4.69
Overall 1.00 77.0
Scan summary: Repository scanned at 85.3/100 with 100.0% coverage. It contains 1802 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 67 findings — concentrated in quality (29), cicd (18), software (13). Risk profile is low: 0 critical, 0 high, 13 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 143 of 198 findings.

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
scrapling/engines/toolbelt/proxy_rotation.py:60 qualitylegacy
critical Legacy quality quality conf 1.00 ✓ Repobility [MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.
Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context.
scrapling/spiders/checkpoint.py:74 qualitylegacy
critical Legacy quality quality conf 1.00 ✓ Repobility [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
Review and fix per the pattern semantics. See CWE-502 for context.
scrapling/spiders/checkpoint.py:74 qualitylegacy
critical Legacy quality quality conf 1.00 [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
scrapling/spiders/checkpoint.py:74 qualitylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility GHA script injection via github.event.pull_request.title in run-step
`run:` step interpolates ${{ github.event.pull_request.title }} directly into shell. PR title/body/branch/comment fields are attacker-controllable.
.github/workflows/release-and-publish.yml:27 dependencylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `string` used but not imported
The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
scrapling/core/utils/_utils.py:119 qualitylegacy
critical Legacy software dependency conf 0.88 pillow: GHSA-3f63-hfp8-52jq
Arbitrary Code Execution in Pillow
docs/requirements.txt dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.CONTAINER_TOKEN` on a `pull_request` trigger
This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CONTAINER_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted co…
.github/workflows/docker-build.yml:47 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.DOCKER_PASSWORD` on a `pull_request` trigger
This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKER_PASSWORD }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted co…
.github/workflows/docker-build.yml:40 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.DOCKER_USERNAME` on a `pull_request` trigger
This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKER_USERNAME }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted co…
.github/workflows/docker-build.yml:39 dependencylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
scrapling/spiders/request.py:122 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.__element_convertor` used but never assigned in __init__
Method `iterancestors` of class `Selector` reads `self.__element_convertor`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:422 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.__element_convertor` used but never assigned in __init__
Method `children` of class `Selector` reads `self.__element_convertor`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:405 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.__element_convertor` used but never assigned in __init__
Method `parent` of class `Selector` reads `self.__element_convertor`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:389 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.__elements_convertor` used but never assigned in __init__
Method `below_elements` of class `Selector` reads `self.__elements_convertor`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:397 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.__elements_convertor` used but never assigned in __init__
Method `__handle_elements` of class `Selector` reads `self.__elements_convertor`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:248 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `next` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:443 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `iterancestors` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:419 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `children` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:402 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `below_elements` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:394 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `has_class` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:381 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `prettify` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:363 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `body` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:357 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `html_content` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:347 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `attrib` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:338 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `get_all_text` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:298 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `text` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:271 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `tag` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:262 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `__contains__` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:189 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._is_text_node` used but never assigned in __init__
Method `__getitem__` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:184 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.attrib` used but never assigned in __init__
Method `__contains__` of class `Selector` reads `self.attrib`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:191 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.attrib` used but never assigned in __init__
Method `__getitem__` of class `Selector` reads `self.attrib`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:186 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.iterancestors` used but never assigned in __init__
Method `path` of class `Selector` reads `self.iterancestors`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:437 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.iterancestors` used but never assigned in __init__
Method `find_ancestor` of class `Selector` reads `self.iterancestors`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:429 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.parent` used but never assigned in __init__
Method `siblings` of class `Selector` reads `self.parent`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:414 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.parent` used but never assigned in __init__
Method `siblings` of class `Selector` reads `self.parent`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
scrapling/parser.py:413 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/docker-build.yml:28 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/code-quality.yml:46 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/release-and-publish.yml:21 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/github-script` pinned to mutable ref `@v8`
`uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/release-and-publish.yml:30 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-python` pinned to mutable ref `@v6`
`uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/code-quality.yml:51 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/setup-python` pinned to mutable ref `@v6`
`uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/release-and-publish.yml:60 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/upload-artifact` pinned to mutable ref `@v6`
`uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/code-quality.yml:186 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`
`uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/release-and-publish.yml:74 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `softprops/action-gh-release` pinned to mutable ref `@v2`
`uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/release-and-publish.yml:49 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Dockerfile FROM `python:3.12-slim-trixie` not pinned by digest
`FROM python:3.12-slim-trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Dockerfile:1 dependencylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_autoscraper
Test function `test_autoscraper` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
benchmarks.py:116 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_bs4_html5lib
Test function `test_bs4_html5lib` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
benchmarks.py:64 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_bs4_lxml
Test function `test_bs4_lxml` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
benchmarks.py:59 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_lxml
Test function `test_lxml` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
benchmarks.py:47 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_mechanicalsoup
Test function `test_mechanicalsoup` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
benchmarks.py:87 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_parsel
Test function `test_parsel` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
benchmarks.py:82 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_pyquery
Test function `test_pyquery` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
benchmarks.py:69 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_scrapling
Test function `test_scrapling` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
benchmarks.py:74 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_scrapling_text
Test function `test_scrapling_text` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
benchmarks.py:111 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Phantom test coverage: test_selectolax
Test function `test_selectolax` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying anything.
benchmarks.py:94 qualitylegacy
high Legacy software dependency conf 0.88 pillow: GHSA-44wm-f244-xhp3
Pillow buffer overflow vulnerability
docs/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 pillow: PYSEC-2023-175
Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.
docs/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 pillow: PYSEC-2023-227
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on …
docs/requirements.txt dependencylegacy
high Legacy software dependency conf 0.88 pillow: PYSEC-2026-165
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
docs/requirements.txt dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility pre-commit hook `https://github.com/netromdk/vermin` pinned to mutable rev `v1.7.0`
`.pre-commit-config.yaml` references `https://github.com/netromdk/vermin` at `rev: v1.7.0`. Because `v1.7.0` is a version tag rather than a commit SHA, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:16 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility pre-commit hook `https://github.com/PyCQA/bandit` pinned to mutable rev `1.9.0`
`.pre-commit-config.yaml` references `https://github.com/PyCQA/bandit` at `rev: 1.9.0`. Because `1.9.0` is a version tag rather than a commit SHA, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:2 dependencylegacy
low Legacy security deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
scrapling/spiders/checkpoint.py:74 deserializationlegacy
high Legacy quality quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
scrapling/cli.py:153 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
scrapling/spiders/engine.py:210 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
scrapling/core/ai.py:307 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
scrapling/core/shell.py:363 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
cleanup.py:29 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
cleanup.py:37 qualitylegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
Dockerfile:1 dockerlegacy
medium Legacy cicd docker conf 0.76 Dockerfile copies broad context with incomplete .dockerignore
COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts.
Dockerfile:21 dockerlegacy
medium Legacy cicd docker conf 0.86 Dockerfile separates apt update from install
Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable.
Dockerfile:24 dockerlegacy
medium Legacy software dependency conf 0.88 pillow: GHSA-r73j-pqj5-w3x7
Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
docs/requirements.txt dependencylegacy
medium Legacy software dependency conf 0.90 ✓ Repobility requirements.txt: `pngquant` has no version pin
Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
docs/requirements.txt:8 dependencylegacy
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
softprops/action-gh-release@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-and-publish.yml:49 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
pypa/gh-action-pypi-publish@release/v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-and-publish.yml:74 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:31 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:36 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:43 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/metadata-action@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:51 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:73 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-and-publish.yml supply-chaingithub-actionsleast-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/docker-build.yml supply-chaingithub-actionsleast-privilege
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in .bandit.yml:7
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
.bandit.yml:7 owaspsubprocess_shell_true
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — benchmarks.py:138
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrityfragile-runtimerobustness
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverageauth
low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore dockerlegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
scrapling/fetchers/stealth_chrome.py:22 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
scrapling/fetchers/stealth_chrome.py:20 · tags: quality, legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.
scrapling/engines/_browsers/_stealth.py:19 · tags: quality, legacy
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
tags: coverage, deployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.12-slim-trixie
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:1 · tags: supply-chain, docker, pinned-dependencies
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: agent-skill/Scrapling-Skill/examples/01_fetcher_session.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: agent-skill/Scrapling-Skill/examples/02_dynamic_session.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: agent-skill/Scrapling-Skill/examples/03_stealthy_session.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scrapling/core/_shell_signatures.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scrapling/engines/_browsers/_config_tools.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scrapling/engines/constants.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: scrapling/engines/toolbelt/ad_domains.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-and-publish.yml:30 · tags: supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-and-publish.yml:60 · tags: supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/code-quality.yml:46 · tags: supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/code-quality.yml:51 · tags: supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/code-quality.yml:186 · tags: supply-chain, github-actions, pinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-build.yml:28 · tags: supply-chain, github-actions, pinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_proxies_property_returns_copy` in tests/fetchers/test_proxy_rotation.py:197
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
tags: integrity, legacy-marker, dead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/parser.py:find_ancestor, scrapling/parser.py:find This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/parser.py:getall, scrapling/parser.py:getall This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/parser.py:re_first, scrapling/parser.py:re_first This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/cli.py:get, scrapling/cli.py:delete This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/cli.py:post, scrapling/cli.py:put This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/cli.py:fetch, scrapling/cli.py:stealthy_fetch This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/engines/static.py:get, scrapling/engines/static.py:get This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/engines/static.py:post, scrapling/engines/static.py:post This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/engines/static.py:put, scrapling/engines/static.py:put This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/engines/static.py:delete, scrapling/engines/static.py:delete This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/engines/_browsers/_base.py:start, scrapling/engines/_browsers/_base.py:start This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scrapling/engines/_browsers/_base.py:close, scrapling/engines/_browsers/_base.py:close This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: scrapling/parser.py:retrieve, scrapling/core/storage.py:retrieve, scrapling/core/storage.py:retrieve This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they'r…
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: scrapling/parser.py:find_by_text, scrapling/parser.py:find_by_text, scrapling/parser.py:find_by_text This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they'r…
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: scrapling/parser.py:find_by_regex, scrapling/parser.py:find_by_regex, scrapling/parser.py:find_by_regex This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why the…
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: scrapling/parser.py:css, scrapling/parser.py:xpath, scrapling/parser.py:xpath, scrapling/parser.py:css This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they…
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: scrapling/engines/_browsers/_controllers.py:start, scrapling/engines/_browsers/_controllers.py:start, scrapling/engines/_browsers/_stealth.py:start, scrapling/engines/_browsers/_stealth.py:start This is *the* AI-coder failure mode (4× more duplicatio…
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: scrapling/engines/_browsers/_controllers.py:fetch, scrapling/engines/_browsers/_controllers.py:fetch, scrapling/engines/_browsers/_stealth.py:fetch, scrapling/engines/_browsers/_stealth.py:fetch This is *the* AI-coder failure mode (4× more duplicatio…
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 5 places
Functions with the same first-5-line body hash: scrapling/parser.py:get_all_text, scrapling/parser.py:get, scrapling/parser.py:get, scrapling/parser.py:get This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why…
tags: integrity, duplicate, dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 5 places
Functions with the same first-5-line body hash: scrapling/parser.py:relocate, scrapling/parser.py:relocate, scrapling/parser.py:relocate, scrapling/parser.py:re This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or documen…
tags: integrity, duplicate, dry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: handle_response
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scrapling/engines/_browsers/_base.py:352 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: show_help
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scrapling/core/shell.py:543 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: show_page_in_browser
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scrapling/core/shell.py:367 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: stream
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scrapling/spiders/spider.py:297 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: validate_fetch
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scrapling/engines/_browsers/_validators.py:178 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: xpath_pseudo_element
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scrapling/core/translator.py:91 dead-code
low 9-layer quality integrity conf 1.00 Stub function `main` (body is just `pass`/`return`) — scrapling/cli.py:653
Likely an AI scaffold that was never filled in. Remove or implement.
tags: integrity, empty-handler, dead-code
low 9-layer quality integrity conf 1.00 Stub function `start` (body is just `pass`/`return`) — scrapling/engines/_browsers/_base.py:63
Likely an AI scaffold that was never filled in. Remove or implement.
tags: integrity, empty-handler, dead-code
low 9-layer quality complexity conf 1.00 Very large file: scrapling/core/ai.py (907 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: scrapling/engines/toolbelt/ad_domains.py (3537 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: scrapling/parser.py (1381 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
scrapling/engines/toolbelt/proxy_rotation.py:60 · tags: quality, legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
scrapling/spiders/checkpoint.py:15 · tags: quality, legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
scrapling/engines/_browsers/_validators.py:158 · tags: quality, legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
Review and fix per the pattern semantics.
scrapling/engines/_browsers/_page.py:13 · tags: quality, legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
Review and fix per the pattern semantics. See CWE-400 / for context.
benchmarks.py:138 · tags: quality, legacy
API access

This page is publicly accessible at: https://repobility.com/scan/a5c84e5c-c138-49af-9b50-4766d4aaf498/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/a5c84e5c-c138-49af-9b50-4766d4aaf498/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.