30 of your 108 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.02s · analysis 14.51s · 3.3 MB · GitHub API rate-limit (preflight)

bancolombia/scaffold-clean-architecture

https://github.com/bancolombia/scaffold-clean-architecture · scanned 2026-06-05 13:24 UTC (5 days, 6 hours ago) · 10 languages

171 raw signals (101 security + 70 graph) · 27th percentile · Java · medium (20-100K LoC) · System graph score 83 (lower by 21)


Complete repo analysis

Last scanned 5 days, 6 hours ago · v2 · 77 actionable findings from 2 signal sources. 59 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 65.0 0.15 9.75
security_score 28.0 0.25 7.00
testing_score 80.0 0.20 16.00
documentation_score 70.0 0.15 10.50
practices_score 74.0 0.15 11.10
code_quality 74.2 0.10 7.42
Overall 1.00 61.8
Active filters: excluding tests
Scan summary: Quality grade C+ (62/100). Dimensions: security 28, maintainability 65. 101 findings (55 security). 20,393 lines analyzed.

Showing 66 of 77 actionable findings. 136 raw detector signals were grouped into reader-sized issues.

critical Security checks cicd CI/CD security conf 0.96 Compose service contains a literal secret environment value
Literal secrets in Compose files are committed to source and exposed through container inspection.
examples-ca/example-r2dbc/deployment/docker-compose.yml:1 · CI/CD security · containers
critical Security checks cicd CI/CD security conf 0.98 Compose service mounts the Docker socket
The Docker socket gives the container control over the Docker host and is commonly equivalent to host root access.
examples-ca/s3-example/deployment/docker-compose.yml:1 · CI/CD security · containers
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 5 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
.github/workflows/gradle.yml:30, 31, 73, 110, 124 (5 hits)
CI/CD security · workflow secrets · GitHub Actions
high Security checks software dependencies conf 0.88 @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
docs/package-lock.json
high Security checks software dependencies conf 0.90 ✓ Repobility Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo
`gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,966 bytes) committed to a repo that otherwise has 343 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
gradle/wrapper/gradle-wrapper.jar:1
high Security checks cicd CI/CD security conf 0.90 Database service has no persistent data volume
Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. Recreating the container can lose state.
examples-ca/example-r2dbc/deployment/docker-compose.yml:1 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.84 Database service publishes a host port
Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports.
examples-ca/example-redis/deployment/docker-compose.yml:1 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.84 Database service publishes a host port
Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports.
examples-ca/example-r2dbc/deployment/docker-compose.yml:1 · CI/CD security · containers
high Security checks software dependencies conf 0.90 ✓ Repobility 12 occurrences Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest
`FROM eclipse-temurin:25-jdk-alpine` resolves the tag at build time. The registry can re-push a different image under the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity.
10 files, 12 locations
src/main/resources/structure/deployment/dockerfile.mustache:2, 5, 8 (3 hits)
examples-ca/channel-operations/deployment/Dockerfile:1
examples-ca/example-article/deployment/Dockerfile:1
examples-ca/example-dynamo/deployment/Dockerfile:1
examples-ca/example-mongo/deployment/Dockerfile:1
examples-ca/example-r2dbc/deployment/Dockerfile:1
examples-ca/example-redis/deployment/Dockerfile:1
examples-ca/example-rest-consumer/rest-consumer-client/deployment/Dockerfile:1
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
docs/package-lock.json
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
docs/package-lock.json
high Security checks cicd CI/CD security conf 0.90 ✓ Repobility GitHub Action is tag-pinned rather than SHA-pinned
Action `trufflesecurity/trufflehog` is pinned to `@main`, a mutable branch ref. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
.github/workflows/secret-scanner.yml:24 · CI/CD security · Supply chain · GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 8 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is pinned to `@v6.0.3`, a mutable tag ref. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
.github/workflows/docs.yml:25, 39, 52, 58 (8 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
docs/package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
docs/package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
docs/package-lock.json
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
docs/package-lock.json
high Security checks software dependencies conf 0.88 node-forge: GHSA-2328-f5f3-gj25
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
docs/package-lock.json
high Security checks software dependencies conf 0.88 node-forge: GHSA-5m6q-g25r-mvwx
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
docs/package-lock.json
high Security checks software dependencies conf 0.88 node-forge: GHSA-ppp5-5v6c-4jwp
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
docs/package-lock.json
high Security checks software dependencies conf 0.88 node-forge: GHSA-q67f-28xg-22rw
Forge has signature forgery in Ed25519 due to missing S > L check
docs/package-lock.json
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
docs/package-lock.json
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
docs/package-lock.json
high Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences pre-commit hook `https://github.com/gherynos/pre-commit-java` pinned to mutable rev `v0.6.31`
`.pre-commit-config.yaml` references `https://github.com/gherynos/pre-commit-java` at `rev: v0.6.31`. If that rev is a branch or a movable version tag rather than a commit SHA, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:2, 6, 10, 14 (4 hits)
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
docs/package-lock.json
high Security checks software dependencies conf 0.88 svgo: GHSA-xpqw-6gx7-v673
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
docs/package-lock.json
high System graph cicd CI/CD security conf 1.00 GitHub Action tracks a moving branch
trufflesecurity/trufflehog@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/secret-scanner.yml:24 · CI/CD security · Supply chain · GitHub Actions
medium Security checks security path traversal conf 1.00 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate each extracted path by canonicalizing it (the detector's suggested `os.path.realpath()` is the Python idiom; in Java, `File.getCanonicalPath()`) and ensure it stays within the target directory before writing.
src/main/java/co/com/bancolombia/utils/FileUtils.java:209
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
docs/package-lock.json
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
docs/package-lock.json
medium Security checks cicd CI/CD security conf 0.88 Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
examples-ca/example-r2dbc/deployment/docker-compose.yml:1 · CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.74 Database service has no persistent data volume
Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. Recreating the container can lose state.
examples-ca/example-redis/deployment/docker-compose.yml:1 · CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 9 occurrences Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
9 files, 9 locations
examples-ca/channel-operations/deployment/Dockerfile:1
examples-ca/example-article/deployment/Dockerfile:1
examples-ca/example-dynamo/deployment/Dockerfile:1
examples-ca/example-mongo/deployment/Dockerfile:1
examples-ca/example-r2dbc/deployment/Dockerfile:1
examples-ca/example-redis/deployment/Dockerfile:1
examples-ca/example-rest-consumer/rest-consumer-client/deployment/Dockerfile:1
examples-ca/example-rest-consumer/rest-consumer-server/deployment/Dockerfile:1
CI/CD security · containers
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
docs/package-lock.json
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
docs/package-lock.json
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
docs/package-lock.json
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
docs/package-lock.json
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
docs/package-lock.json
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
docs/package-lock.json
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
docs/package-lock.json
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-79cf-xcqc-c78w
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
docs/package-lock.json
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
docs/package-lock.json
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples-ca/channel-operations/deployment/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples-ca/example-article/deployment/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples-ca/example-dynamo/deployment/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples-ca/example-mongo/deployment/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples-ca/example-r2dbc/deployment/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples-ca/example-redis/deployment/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples-ca/example-rest-consumer/rest-consumer-client/deployment/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples-ca/example-rest-consumer/rest-consumer-server/deployment/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: examples-ca/s3-example/deployment/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 3 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
3 files, 3 locations
.github/workflows/docs.yml
.github/workflows/gradle.yml
.github/workflows/release.yml
CI/CD security · Supply chain · GitHub Actions
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 6 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks software dependencies conf 0.88 @ai-sdk/provider-utils: GHSA-866g-f22w-33x8
@ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue
docs/package-lock.json
high Security checks cicd CI/CD security conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
examples-ca/s3-example/deployment/docker-compose.yml:1 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
examples-ca/s3-example/deployment/docker-compose.yml:1 · CI/CD security · containers
low Security checks cicd CI/CD security conf 0.72 Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy.
examples-ca/example-redis/deployment/docker-compose.yml:1 · CI/CD security · containers
low Security checks quality Quality conf 0.60 9 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
9 files, 9 locations
examples-ca/example-r2dbc/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java:1
examples-ca/example-redis/applications/app-service/src/main/java/co/com/bancolombia/config/ObjectMapperConfig.java:1
examples-ca/example-redis/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java:1
examples-ca/example-redis/infrastructure/driven-adapters/redis/src/main/java/co/com/bancolombia/redis/repository/helper/RepositoryAdapterOperations.java:17
examples-ca/example-rest-consumer/rest-consumer-client/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java:1
examples-ca/example-rest-consumer/rest-consumer-server/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java:1
examples-ca/s3-example/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java:1
src/main/java/co/com/bancolombia/factory/upgrades/actions/UpgradeY2026M03D11PitestReportAggregate.java:10
duplication · quality
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 9 occurrences Docker base image is tag-pinned but not digest-pinned: eclipse-temurin:25-jdk-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
9 files, 9 locations
examples-ca/channel-operations/deployment/Dockerfile:1
examples-ca/example-article/deployment/Dockerfile:1
examples-ca/example-dynamo/deployment/Dockerfile:1
examples-ca/example-mongo/deployment/Dockerfile:1
examples-ca/example-r2dbc/deployment/Dockerfile:1
examples-ca/example-redis/deployment/Dockerfile:1
examples-ca/example-rest-consumer/rest-consumer-client/deployment/Dockerfile:1
examples-ca/example-rest-consumer/rest-consumer-server/deployment/Dockerfile:1
containers · Pinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/babel.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/docusaurus.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/sidebars.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/version.js:46
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Complexity conf 1.00 Very large file: src/functionalTest/java/co/com/bancolombia/PluginCleanFunctionalTest.java (1301 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/a9463ab3-85e9-45d6-ac77-9e9a7087fc3e/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/a9463ab3-85e9-45d6-ac77-9e9a7087fc3e/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.