Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
14 of your 82 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 31.22s for a 65.4 MB repo slow.
  • Repobility's analysis ran in 147.39s after the clone landed.

drupal/drupal

https://github.com/drupal/drupal · scanned 2026-05-20 15:21 UTC (2 weeks, 1 day ago) · 10 languages

251 findings (75 legacy + 176 scanner) 11/13 scanners ran Scanner says 90 (lower by 15)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 weeks, 1 day ago · v2 · 163 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
80.9
/100
Repobility
72
75 legacy
9-layer
90
100.0% cov · 88 gaps
Critical
2
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 40.0 0.15 6.00
security_score 100.0 0.25 25.00
testing_score 80.0 0.20 16.00
documentation_score 40.0 0.15 6.00
practices_score 95.0 0.15 14.25
code_quality 80.0 0.10 8.00
Overall 1.00 75.2
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 2 High 23 Medium 25 Low 75 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 75 9-layer 88 Crowd 0 Layer: Quality 89 Security 7 Software 56 Api 1 Frontend 10
Scan summary Repository scanned at 90.1/100 with 100.0% coverage. It contains 20475 nodes across 11 cross-layer flows, written primarily in mixed languages. Engine surfaced 88 findings — concentrated in software (50), quality (26), frontend (10). Risk profile is low: 0 critical, 0 high, 4 medium. Recommended next step: open the software layer findings first — that's where the highest-impact wins live.

Showing 125 of 163 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context.
core/modules/ckeditor5/js/ckeditor5_plugins/drupalMedia/src/mediaimagetextalternative/ui/textalternativeformview.js:90 qualitylegacy
critical Legacy quality quality conf 1.00 ✓ Repobility [MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context.
core/modules/ckeditor5/js/ckeditor5_plugins/drupalImage/src/imagealternativetext/ui/imagealternativetextformview.js:134 qualitylegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
core/misc/progress.js:85 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
core/misc/message.js:263 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
core/misc/active-link.js:43 xsslegacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
core/misc/machine-name.js:45 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
core/misc/tableresponsive.js:175 qualitylegacy
medium Legacy quality practices conf 1.00 [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
Add a .gitignore appropriate for your language/framework.
practiceslegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
core/modules/system/src/Controller/SystemInfoController.php:87 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
core/modules/file/js/file.js:292 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
core/modules/datetime/src/Plugin/Field/FieldFormatter/DateTimeCustomFormatter.php:72 securitylegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
core/modules/system/src/PathBasedBreadcrumbBuilder.php:147 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
core/modules/navigation/src/Menu/NavigationMenuLinkTreeManipulators.php:110 qualitylegacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
core/modules/layout_builder/src/SectionStorage/SectionStorageManager.php:78 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/workspaces/workspaces.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/views/views.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/update/update.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/taxonomy/taxonomy.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/system/system.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/node/node.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/media_library/media_library.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/media/media.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/locale/locale.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/layout_builder/layout_builder.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/help/help.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/field/field.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/content_moderation/content_moderation.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/ckeditor5/js/ckeditor5.dialog.fix.js:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/ckeditor5/ckeditor5.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/block_content/block_content.post_update.php:1 qualitylegacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
core/modules/block/block.post_update.php:1 qualitylegacy
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — core/modules/ckeditor5/js/ckeditor5_plugins/drupalMedia/src/drupalmediaediting.js:189
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — core/modules/ckeditor5/js/ckeditor5_plugins/drupalMedia/src/drupalmediametadatarepository.js:21
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — core/modules/contextual/js/contextual.js:195
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverageauth
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
core/lib/Drupal/Component/PhpStorage/FileStorage.php:76 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
core/lib/Drupal/Component/FileSecurity/FileSecurity.php:3 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
core/lib/Drupal/Component/DependencyInjection/PhpArrayContainer.php:24 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
core/assets/scaffold/files/ht.router.php:1 qualitylegacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
composer/Generator/Builder/DrupalPinnedDevDependenciesBuilder.php:27 qualitylegacy
low Legacy quality documentation No LICENSE file
Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft).
documentationlegacy
low Legacy quality quality conf 0.74 robots.txt does not advertise a sitemap
Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt.
robots.txt qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/scripts/js/vendor-update.js:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/workspaces/workspaces.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/views/views.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/update/update.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/taxonomy/taxonomy.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/system/system.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/node/node.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/media_library/media_library.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/media/media.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/locale/locale.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/layout_builder/layout_builder.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/help/help.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/field/field.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/content_moderation/content_moderation.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/ckeditor5/js/ckeditor5.dialog.fix.js:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/ckeditor5/ckeditor5.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/block_content/block_content.post_update.php:1 qualitylegacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
core/modules/block/block.post_update.php:1 qualitylegacy
low 9-layer quality maintenance conf 1.00 40 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/scripts/css/log.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/scripts/js/assets/ckeditor5Files.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/scripts/js/assets/process/jqueryui.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/scripts/js/assets/process/map.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/scripts/js/log.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Assertions/deprecationErrorExists.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Assertions/elementCount.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Assertions/noDeprecationErrors.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/nightwatch.conf.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/a11yTestAdmin.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/a11yTestDefault.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/ajaxExecutionOrderTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Claro/claroDrupalMessageTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Claro/claroPrimaryTabsTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/claroAutocompleteTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/htmx/htmxTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/installProfileTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/jsDisplace.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/jsOnceTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/langcodeTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/loginTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Olivero/oliveroColorTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Olivero/oliveroCommentTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Olivero/oliveroDesktopMenuTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Olivero/oliveroDrupalMessageTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Olivero/oliveroMiscTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Olivero/oliveroPreprocessFieldMultipleValueFormTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Olivero/oliveroPreprocessInputTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Olivero/oliveroPrimaryTabsTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Olivero/oliveroRemoveBlockConsoleTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/Olivero/oliveroStickyHeaderToggleTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/statesTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Nightwatch/Tests/tabbingManagerTest.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/latin_9.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/latin_9.js.optimized.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/source_mapping_url.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/source_mapping_url.min.js.optimized.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/source_mapping_url_old.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/source_mapping_url_old.min.js.optimized.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/source_url.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/source_url.min.js.optimized.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/source_url_old.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/source_url_old.min.js.optimized.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/syntax_error.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/to_be_minified.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/to_be_minified.js.optimized.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/utf16_bom.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/utf16_bom.js.optimized.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/utf8_bom.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: core/tests/Drupal/Tests/Core/Asset/js_test_files/utf8_bom.js.optimized.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer quality integrity conf 1.00 Legacy-named symbol `checkLegacy` in core/themes/default_admin/migration/js/init.js:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — core/misc/jquery.form.js:1529
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — core/modules/ckeditor5/tests/src/Nightwatch/Tests/drupalHtmlBuilderTest.js:83
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — core/modules/system/tests/modules/sdc_test/components/my-cta/my-cta.js:6
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — core/scripts/css/log.js:3
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — core/scripts/js/log.js:3
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — core/scripts/js/vendor-update.js:265
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer quality complexity conf 1.00 Very large file: core/misc/ajax.js (1914 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: core/misc/tabledrag.js (1779 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: core/tests/Drupal/Nightwatch/Tests/jQueryUIPositionShimTest.js (2388 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: core/themes/default_admin/migration/js/tabledrag.js (1847 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
core/modules/breakpoint/src/Hook/BreakpointHooks.php:33 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
core/modules/basic_auth/src/Hook/BasicAuthHooks.php:26 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
core/install.php:42 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/ab12e53b-f3c5-4aa8-b379-78d9cade414d/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/ab12e53b-f3c5-4aa8-b379-78d9cade414d/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.