Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

Scan timing: clone 10.23s · analysis 39.56s · 31.8 MB · GitHub API rate-limit (preflight)

PaddlePaddle/FastDeploy

https://github.com/PaddlePaddle/FastDeploy · scanned 2026-05-31 01:23 UTC (1 week, 6 days ago) · 10 languages

1206 raw signals (392 security + 814 graph) 11/13 scanners ran 78th percentile · Python · large (100-500K LoC) System graph score 69 (higher by 16)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 6 days ago · v2 · 519 actionable findings from 2 signal sources. 289 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
75.5
/100
Security checks
82
144 findings
System graph
69
100.0% cov · 375 findings
Critical
3
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 60.0 0.15 9.00
security_score 100.0 0.25 25.00
testing_score 100.0 0.20 20.00
documentation_score 83.0 0.15 12.45
practices_score 92.0 0.15 13.80
code_quality 45.0 0.10 4.50
Overall 1.00 84.8
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 3 High 74 Medium 35 Low 262 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 144 System graph 375 Crowd 0 Layer: Software 60 Quality 357 Security 60 Cicd 15 Hardware 1 Frontend 1 Api 25
Scan summary Quality grade A- (85/100). Dimensions: security 100, maintainability 60. 392 findings (89 security). 460,329 lines analyzed.

Showing 373 of 519 actionable findings. 808 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
Review and fix per the pattern semantics. See CWE-502 / for context.
fastdeploy/cache_manager/multimodal_cache_manager.py:149
high Security checks quality Quality conf 1.00 ✓ Repobility 10 occurrences [MINED107] Missing import: `string` used but not imported: The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
Add `import string` at the top of the file.
10 files, 10 locations
fastdeploy/collect_env.py:716
fastdeploy/engine/common_engine.py:1836
fastdeploy/entrypoints/openai/tool_parsers/utils.py:107
fastdeploy/entrypoints/openai/utils.py:249
fastdeploy/input/multimodal_processor.py:522
fastdeploy/inter_communicator/fmq.py:60
fastdeploy/inter_communicator/ipc_signal.py:98
fastdeploy/rl/dynamic_weight_manager.py:486
critical Security checks quality Quality conf 1.00 [SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC.
fastdeploy/cache_manager/multimodal_cache_manager.py:149
critical System graph security Secrets conf 1.00 Possible secret in fastdeploy/scheduler/config.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
fastdeploy/scheduler/config.py:242
low Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
3 files, 3 locations
.claude/skills/nsys-capture/nsys_default_client.py:48
fastdeploy/entrypoints/openai/multi_api_server.py:187
fastdeploy/golang_router/launch.py:96
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic.
Review and fix per the pattern semantics. See CWE-78 / for context.
fastdeploy/cache_manager/transfer_factory/kvcache_transfer/include/kvcache_rdma.h:121
high Security checks quality Quality conf 1.00 ✓ Repobility 3 occurrences [MINED020] Logging Credential Via Fstring: logger.error(f"failed for {api_key}") — secrets end up in log aggregators / sentry.
Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context.
3 files, 3 locations
fastdeploy/cache_manager/cache_metrics.py:103
fastdeploy/cache_manager/transfer_factory/mooncake_store/attention_store.py:146
fastdeploy/logger/deterministic_logger.py:299
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.
scripts/extract_mtp_weight_from_safetensor.py:77
high Security checks quality Quality conf 1.00 ✓ Repobility [MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context.
benchmarks/paddleocr_vl/benchmark.py:130
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences [MINED108] `self.is_unified_ckpt` used but never assigned in __init__: Method `_post_init` of class `ModelConfig` reads `self.is_unified_ckpt`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.is_unified_ckpt = <default>` in __init__, or add a class-level default.
2 files, 25 locations
fastdeploy/config.py:304, 305, 306, 307, 311, 313, 339, 341, +2 more (14 hits)
setup.py:144, 145, 146, 147, 148, 182, 199, 213, +3 more (11 hits)
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /check_redundant has no auth: Handler `check_redundant` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:729
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /generate has no auth: Handler `generate` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/api_server.py:65
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /get_per_expert_tokens_stats has no auth: Handler `get_per_expert_tokens_stats` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:718
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /rearrange_experts has no auth: Handler `rearrange_experts` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:707
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /register has no auth: Handler `register` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/router/router.py:535
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/abort_requests has no auth: Handler `abort_requests` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:490
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/abort_requests has no auth: Handler `abort_requests` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/router/router.py:586
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/chat/completions has no auth: Handler `create_chat_completion` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:548
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/chat/completions has no auth: Handler `create_chat_completion` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/router/router.py:557
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/completions has no auth: Handler `create_completion` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:589
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/completions has no auth: Handler `create_completion` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/router/router.py:562
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/embeddings has no auth: Handler `create_embedding` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:654
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/pause has no auth: Handler `pause` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:397
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/resume has no auth: Handler `resume` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:406
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/reward has no auth: Handler `create_reward` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:640
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/sleep has no auth: Handler `sleep` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:422
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/update_weights has no auth: Handler `update_weights` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:460
high Security checks quality Quality conf 0.80 ✓ Repobility [MINED112] FastAPI POST /v1/wakeup has no auth: Handler `wakeup` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional.
fastdeploy/entrypoints/openai/api_server.py:441
high Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences [MINED118] Dockerfile FROM `ccr-2vdh3abv-pub.cnc.bj.baidubce.com/paddlepaddle/fastdeploy-cuda-12.6:tag-base` not pinned by digest: `FROM ccr-2vdh3abv-pub.cnc.bj.baidubce.com/paddlepaddle/fastdeploy-cuda-12.6:tag-base` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ccr-2vdh3abv-pub.cnc.bj.baidubce.com/paddlepaddle/fastdeploy-cuda-12.6:tag-base@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
3 files, 3 locations
dockerfiles/Dockerfile.gpu:1
dockerfiles/Dockerfile.xpu:1
tools/dockerfile/Dockerfile.ci:1
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED121] requirements.txt installs from `flashinfer-python-paddle @ https://xly-devops.bj.b...` (git/URL): Pip requirement points to a VCS URL or direct download. Bypasses PyPI's integrity check + scanning. If the host or branch tip changes, the next `pip install` pulls a different package — no diff visible to reviewers.
Publish to PyPI (private if needed) and reference by version. If that's not feasible, lock to a commit SHA via `package @ git+https://...@<sha>` and verify in CI.
requirements.txt:49
high Security checks software dependencies conf 0.90 ✓ Repobility 12 occurrences [MINED131] pre-commit hook `https://github.com/psf/black.git` pinned to mutable rev `25.1.0`: `.pre-commit-config.yaml` references `https://github.com/psf/black.git` at `rev: 25.1.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
2 files, 12 locations
.pre-commit-config.yaml:14, 21, 25, 30, 53, 58 (6 hits)
tests/input/.pre-commit-config.yaml:13, 20, 24, 29, 52, 57 (6 hits)
high Security checks security path traversal conf 0.80 3 occurrences [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
3 files, 3 locations
benchmarks/paddleocr_vl/benchmark.py:130
fastdeploy/logger/setup_logging.py:109
fastdeploy/multimodal/image.py:116
high Security checks cicd CI/CD security conf 1.00 [SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level rule: skip if file contains `^\s*USER\s+\S+` other than `root`.
Add `RUN adduser -D app && USER app` before the CMD/ENTRYPOINT.
tools/dockerfile/docker_build.sh:1 CI/CD securitycontainers
high Security checks quality Quality conf 1.00 [SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0).
Add `filter='data'` (Python ≥ 3.12) or manually validate member paths against `os.path.abspath`.
custom_ops/xpu_ops/setup_ops.py:59
high Security checks quality Quality conf 1.00 [SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0).
Add `filter='data'` (Python ≥ 3.12) or manually validate member paths against `os.path.abspath`.
custom_ops/setup_ops_cpu.py:56
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 44 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
12 files, 39 locations
.github/workflows/publish_job.yml:140, 147, 264, 324, 360, 396 (8 hits)
.github/workflows/CheckPRTemplate.yml:26, 37 (4 hits)
.github/workflows/Codestyle-Check.yml:25, 36 (4 hits)
.github/workflows/remove-skip-ci-labels.yml:21, 41 (4 hits)
.github/workflows/_clone_linux.yml:36, 54 (3 hits)
.github/workflows/_unit_test_coverage.yml:429, 432 (3 hits)
.github/workflows/ci_image_update.yml:28, 35 (3 hits)
.github/workflows/_xpu_4cards_case_test.yml:234 (2 hits)
CI/CD securitySupply chainGitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 7 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v6`: `uses: codecov/codecov-action@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char com…
4 files, 7 locations
.github/workflows/_unit_test_coverage.yml:448 (2 hits)
.github/workflows/check-bypass.yml:37 (2 hits)
.github/workflows/ci_metax.yml:27 (2 hits)
.github/workflows/_xpu_coverage_report.yml:300
CI/CD securitySupply chainGitHub Actions
high System graph security auth conf 1.00 FastAPI POST `abort_requests` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:489
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:489 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `abort_requests` without auth dependency — fastdeploy/router/router.py:585
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/router/router.py:585 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `check_redundant` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:727
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:727 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_chat_completion` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:546
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:546 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_chat_completion` without auth dependency — fastdeploy/router/router.py:556
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/router/router.py:556 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_completion` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:587
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:587 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_completion` without auth dependency — fastdeploy/router/router.py:561
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/router/router.py:561 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_embedding` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:653
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:653 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `create_reward` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:639
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:639 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `generate` without auth dependency — fastdeploy/entrypoints/api_server.py:64
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/api_server.py:64 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `get_per_expert_tokens_stats` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:716
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:716 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `pause` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:396
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:396 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `rearrange_experts` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:705
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:705 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `resume` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:405
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:405 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `sleep` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:421
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:421 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `update_weights` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:459
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:459 securityAuth fastapi unauth mutation
high System graph security auth conf 1.00 FastAPI POST `wakeup` without auth dependency — fastdeploy/entrypoints/openai/api_server.py:440
`@router.post` decorator with no `Depends(get_current_user)` or auth-shaped dependency in its signature. Mutating endpoints should require authentication unless explicitly public.
fastdeploy/entrypoints/openai/api_server.py:440 securityAuth fastapi unauth mutation
high System graph security security conf 1.00 Insecure pattern 'eval_used' in benchmarks/benchmark_serving.py:935
Found a known-risky pattern (eval_used). Review and replace if possible.
benchmarks/benchmark_serving.py:935 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/config.py:397
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/config.py:397 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/engine/common_engine.py:2712
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/engine/common_engine.py:2712 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/engine/engine.py:920
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/engine/engine.py:920 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/entrypoints/cli/tokenizer.py:222
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/entrypoints/cli/tokenizer.py:222 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/model_executor/layers/moe/routing_indices_cache.py:569
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/model_executor/layers/moe/routing_indices_cache.py:569 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/model_executor/model_loader/default_loader.py:89
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/model_executor/model_loader/default_loader.py:89 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/model_executor/model_loader/default_loader_v1.py:101
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/model_executor/model_loader/default_loader_v1.py:101 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/model_executor/model_loader/dummy_loader.py:102
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/model_executor/model_loader/dummy_loader.py:102 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/model_executor/models/ernie4_5_vl/ernie4_5_vl_moe.py:620
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/model_executor/models/ernie4_5_vl/ernie4_5_vl_moe.py:620 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/model_executor/models/paddleformers/base.py:467
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/model_executor/models/paddleformers/base.py:467 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/model_executor/models/qwen2_5_vl/qwen2_5_vl.py:180
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/model_executor/models/qwen2_5_vl/qwen2_5_vl.py:180 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/model_executor/models/qwen3_vl/qwen3_vl.py:184
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/model_executor/models/qwen3_vl/qwen3_vl.py:184 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in fastdeploy/rl/rollout_model.py:108
Found a known-risky pattern (eval_used). Review and replace if possible.
fastdeploy/rl/rollout_model.py:108 Eval used
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 20.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /clear_load_weight.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
fastdeploy/entrypoints/openai/api_server.py:686
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /check_redundant.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
fastdeploy/entrypoints/openai/api_server.py:727
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /get_per_expert_tokens_stats.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
fastdeploy/entrypoints/openai/api_server.py:716
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /rearrange_experts.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
fastdeploy/entrypoints/openai/api_server.py:705
medium Security checks security auth conf 0.72 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
Set docs_url=None, redoc_url=None, and openapi_url=None for production apps unless the docs are intentionally public and protected by routing, ingress, or an authenticated docs handler.
low Security checks quality Error handling conf 1.00 3 occurrences [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
3 files, 3 locations
.claude/skills/benchmark-compare/scripts/extract_metrics.py:107
benchmarks/paddleocr_vl/benchmark.py:91
fastdeploy/cache_manager/v1/transfer/ipc/connector.py:61
medium Security checks quality Quality conf 1.00 ✓ Repobility 11 occurrences [MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def __init__(x=None): x = x or []`
9 files, 11 locations
fastdeploy/model_executor/ops/triton_ops/triton_utils.py:588, 828 (2 hits)
fastdeploy/model_executor/ops/triton_ops/triton_utils_v2.py:85, 340 (2 hits)
fastdeploy/cache_manager/cache_data.py:43
fastdeploy/cache_manager/transfer_factory/rdma_cache_transfer.py:30
fastdeploy/cache_manager/v1/radix_tree.py:625
fastdeploy/model_executor/layers/utils.py:253
fastdeploy/model_executor/models/qwen2_5_vl/dfnrope/configuration.py:67
fastdeploy/scheduler/splitwise_scheduler.py:140
medium Security checks quality Quality conf 1.00 ✓ Repobility 6 occurrences [MINED109] Mutable default argument in `paddle_use_triton` (dict): `def paddle_use_triton(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
Use None as the default and create the collection inside the function: `def paddle_use_triton(x=None): x = x or []`
5 files, 6 locations
tests/model_loader/utils.py:58, 81 (2 hits)
fastdeploy/model_executor/ops/triton_ops/triton_utils.py:828
fastdeploy/model_executor/ops/triton_ops/triton_utils_v2.py:340
fastdeploy/rl/rollout_config.py:24
fastdeploy/spec_decode/mtp.py:478
medium Security checks software dependencies conf 0.90 ✓ Repobility 25 occurrences [MINED124] requirements.txt: `setuptools` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `setuptools` with `setuptools==<version>` and manage upgrades through PRs / Dependabot.
lines 1, 2, 3, 4, 5, 6, 7, 9, +17 more
requirements.txt:1, 2, 3, 4, 5, 6, 7, 9, +17 more (25 hits)
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
fastdeploy/cache_manager/multimodal_cache_manager.py:149
medium Security checks security path traversal conf 1.00 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
custom_ops/xpu_ops/setup_ops.py:59
medium Security checks security path traversal conf 1.00 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
custom_ops/setup_ops_cpu.py:56
medium Security checks quality Quality conf 1.00 [SEC094] Go: world-writable file permissions: File or directory created with world-writable mode (e.g. 0666, 0777). Ported from gosec G301 / G302 / G306 (Apache-2.0).
Use 0600 for files, 0700 for dirs that should be private.
fastdeploy/golang_router/pkg/logger/logger.go:40
medium Security checks security Security conf 1.00 [SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.
Use 0600 (owner rw only) for secrets, 0644 for general files, 0700 for directories with secrets. Java: `setReadable(true, true)` (owner-only).
fastdeploy/golang_router/launch.py:38
medium Security checks security Security conf 1.00 [SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.
Use 0600 (owner rw only) for secrets, 0644 for general files, 0700 for directories with secrets. Java: `setReadable(true, true)` (owner-only).
custom_ops/xpu_ops/setup_ops.py:109
high Security checks quality Quality conf 0.72 6 occurrences Agent control bridge may listen on a network interface without visible auth
Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model.
6 files, 6 locations
.github/workflows/_unit_test_coverage.yml:13
fastdeploy/cache_manager/cache_messager.py:12
fastdeploy/cache_manager/cache_transfer_manager.py:12
fastdeploy/config.py:12
fastdeploy/engine/args_utils.py:12
fastdeploy/engine/common_engine.py:12
low Security checks quality Error handling conf 0.55 ✓ Repobility 25 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
9 files, 25 locations
benchmarks/backend_request_func_swe.py:275, 531, 567, 633, 1041, 1120, 1185, 1233, +2 more (10 hits)
benchmarks/backend_request_func.py:567, 633, 1035, 1114, 1179, 1227, 1318 (7 hits)
fastdeploy/utils.py:1038, 1113 (2 hits)
benchmarks/quick_benchmark.py:681
custom_ops/setup_ops.py:125
custom_ops/setup_ops_cpu.py:62
fastdeploy/collect_env.py:529
scripts/CheckPRTemplate.py:133
Error handlingquality
medium Security checks cicd CI/CD security conf 0.94 2 occurrences Compose service `prometheus` image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
lines 2, 13
examples/observability/docker-compose.yaml:2, 13 (2 hits)
CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases.
.dockerignore CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.82 3 occurrences Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
3 files, 3 locations
dockerfiles/Dockerfile.gpu:1
dockerfiles/Dockerfile.xpu:1
tools/dockerfile/Dockerfile.ci:1
CI/CD securitycontainers
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/gh-pages.yml CI/CD securitySupply chainGithub actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/cherry-pick.yml CI/CD securitySupply chainGithub actions
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in custom_ops/setup_ops.py:60
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
custom_ops/setup_ops.py:60 Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in fastdeploy/cache_manager/prefix_cache_manager.py:338
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
fastdeploy/cache_manager/prefix_cache_manager.py:338 Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in fastdeploy/collect_env.py:116
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
fastdeploy/collect_env.py:116 Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in fastdeploy/engine/common_engine.py:2597
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
fastdeploy/engine/common_engine.py:2597 Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in fastdeploy/engine/engine.py:725
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
fastdeploy/engine/engine.py:725 Subprocess shell true
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in fastdeploy/logger/deterministic_logger.py:193
Found a known-risky pattern (weak_hash). Review and replace if possible.
fastdeploy/logger/deterministic_logger.py:193 Weak hash
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — custom_ops/setup_ops.py:58
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — examples/intel_hpu/bench_gsm8k.py:58
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — fastdeploy/cache_manager/transfer_factory/rdma_cache_transfer.py:53
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — fastdeploy/cache_manager/transfer_factory/utils.py:33
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — fastdeploy/engine/common_engine.py:2594
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — fastdeploy/engine/engine.py:722
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — fastdeploy/engine/sched/resource_manager_v1.py:1692
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — fastdeploy/entrypoints/cli/serve.py:47
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — fastdeploy/entrypoints/openai/multi_api_server.py:135
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — fastdeploy/golang_router/launch.py:94
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — fastdeploy/multimodal/image.py:116
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — setup.py:229
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks cicd CI/CD security conf 1.00 [SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive — orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\s*HEALTHCHECK\b`.
Add `HEALTHCHECK CMD curl -f http://localhost:PORT/health || exit 1`.
tools/dockerfile/docker_build.sh:1 CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.56 4 occurrences Compose service does not declare a runtime user
Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive.
lines 2, 13, 31, 40
examples/observability/docker-compose.yaml:2, 13, 31, 40 (4 hits)
CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.62 4 occurrences Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
lines 2, 13, 31, 40
examples/observability/docker-compose.yaml:2, 13, 31, 40 (4 hits)
CI/CD securitycontainers
low Security checks cicd CI/CD security conf 0.72 4 occurrences Dockerfile installs recommended OS packages
Add `--no-install-recommends` and explicitly list only packages the image needs.
2 files, 4 locations
tools/dockerfile/Dockerfile.ci:2, 16, 23 (3 hits)
dockerfiles/Dockerfile.xpu:11
CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.72 2 occurrences Dockerfile keeps pip download cache
Use `pip install --no-cache-dir ...` in container builds.
lines 15, 35
dockerfiles/Dockerfile.xpu:15, 35 (2 hits)
CI/CD securitycontainers
low Security checks cicd CI/CD security conf 0.74 3 occurrences Dockerfile leaves apt package indexes in the image layer
End the apt install layer with `rm -rf /var/lib/apt/lists/*`.
2 files, 3 locations
tools/dockerfile/Dockerfile.ci:2, 16 (2 hits)
dockerfiles/Dockerfile.xpu:11
CI/CD securitycontainers
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 22 locations
custom_ops/gpu_ops/cutlass_extensions/gemm/threadblock/dq_mma_pipelined_percol.h:1, 7, 80, 109 (4 hits)
custom_ops/gpu_ops/cutlass_kernels/fp8_gemm_fused/dual_gemm/threadblock/dual_mma_multistage.h:98, 106, 202 (3 hits)
custom_ops/gpu_ops/cutlass_extensions/epilogue/broadcast_load_epilogue_c3x.hpp:18, 20 (2 hits)
custom_ops/gpu_ops/cutlass_extensions/gemm/collective/sm90_mma_tma_gmma_ss_warpspecialized_fp8_blockwise_scaling.hpp:7, 113 (2 hits)
custom_ops/gpu_ops/cutlass_extensions/gemm/threadblock/dq_mma_multistage_percol.h:1, 10 (2 hits)
custom_ops/gpu_ops/cutlass_extensions/gemm/threadblock/dq_mma_pipelined_finegrained.h:1, 111 (2 hits)
custom_ops/gpu_ops/cutlass_extensions/gemm/threadblock/wint2x_mma_multistage.h:1, 179 (2 hits)
custom_ops/gpu_ops/append_attn/multiquery_attention_c4_kernel.h:20
duplicationquality
high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
custom_ops/xpu_ops/src/plugin/src/wrapper/mtp_wrapper/draft_model_update.cpp:1
low System graph quality Maintenance conf 1.00 93 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/conftest.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/test_block_attn_prefix_cache.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/test_get_infer_param.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/test_get_token_penalty_multi_scores.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/test_read_data_ipc.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/test_set_data_ipc.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/test_set_get_data_ipc.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/test_set_value_by_flags_and_idx.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/test_step.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/test_stop_generation_multi_ends.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/test_token_repetition_penalty.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: custom_ops/xpu_ops/test/test_update_inputs.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: examples/intel_hpu/offline_demo.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: fastdeploy/demo/offline_demo.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: fastdeploy/demo/offline_prefix_caching_demo.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: fastdeploy/demo/openai_demo.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: fastdeploy/demo/openai_vl_demo.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: fastdeploy/engine/tasks.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: fastdeploy/model_executor/models/ernie4_5_vl/image_op.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/merge_cache_scale.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/vit_model_split.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/ci_use/DCU/run_ernie.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/ci_use/GCU/run_ernie.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/ci_validation/server/core/request_template.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/ci_validation/server/test_DDoS.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/metax_ci/run_ernie_vl_28B.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: tests/plugins/setup.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Integrity conf 1.00 9 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: setup.py:run, setup.py:run This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
9 occurrences
repo-level (9 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 9 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: benchmarks/backend_request_func_swe.py:async_request_tgi, benchmarks/backend_request_func.py:async_request_tgi, fastdeploy/benchmarks/lib/endpoint_request_func.py:async_request_tgi This is *the* AI-coder failure mode (4× more duplication in vibe-code…
9 occurrences
repo-level (9 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: benchmarks/backend_request_func_swe.py:async_request_eb_openai_completions, benchmarks/backend_request_func.py:async_request_eb_openai_completions, fastdeploy/benchmarks/lib/endpoint_request_func.py:async_request_eb_openai_chat_completions, fastdeploy…
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 8 places
Functions with the same first-5-line body hash: benchmarks/quick_benchmark.py:process_one_metric, benchmarks/quick_benchmark.py:process_one_length, benchmarks/benchmark_serving.py:process_one_metric, benchmarks/benchmark_serving.py:process_one_length This is *the* AI-coder failure mode (4× more du…
duplicatesduplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_pending_backup` in fastdeploy/cache_manager/v1/cache_manager.py:106
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_schedule_request_to_worker_v1` in tests/engine/test_common_engine.py:596
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `_time_cpu_copy` in tests/spec_decode/test_benchmark_ngram_kernel.py:188
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `check_and_add_pending_backup` in tests/cache_manager/v1/test_cache_manager.py:823
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_parameter_and_copy` in fastdeploy/model_executor/layers/quantization/nvfp4.py:30
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `create_parameter_and_copy` in fastdeploy/model_executor/utils.py:298
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_loader_v1` in fastdeploy/model_executor/model_loader/__init__.py:20
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/config.py:1430
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/engine/args_utils.py:511
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/backends/iluvatar/moe/fuse_moe_cutlass_iluvatar_backend.py:311
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/backends/iluvatar/quantization/weight_only.py:55
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/backends/metax/moe/fused_moe_cutlass_metax_backend.py:333
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/backends/metax/moe/fused_moe_triton_metax_backend.py:73
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/backends/xpu/moe/fused_moe.py:140
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/backends/xpu/quantization/weight_only.py:51
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/moe/fused_moe_blackwell_backend.py:328
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/moe/fused_moe_cutlass_backend.py:1036
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/moe/fused_moe_triton_backend.py:94
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/quantization/block_wise_fp8.py:200
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/quantization/weight_only.py:256
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/layers/quantization/wfp8afp8.py:110
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/model_executor/models/gpt_oss.py:347
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/rl/rollout_config.py:70
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in fastdeploy/worker/worker_process.py:973
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/e2e/4cards_cases/test_GLM_45_AIR_mtp_tp4.py:86
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/e2e/4cards_cases/test_GLM_45_AIR_tp4.py:85
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/e2e/test_Qwen2_5_VL_torch_serving.py:75
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/layers/test_deepgemm_fused_moe.py:102
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/layers/test_fp8_ue8m0.py:77
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/layers/test_fused_moe_cutlass_backend.py:58
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/layers/test_fused_moe_triton_backend.py:53
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/metax_ci/run_ernie_vl_28B.py:24
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/metax_ci/test_ernie_21b.py:33
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/metax_ci/test_ernie_28b_vl.py:45
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/model_executor/test_gpt_oss.py:158
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/model_loader/test_load_ernie_vl.py:92
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/model_loader/test_offline_model.py:100
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `default_v1` in tests/model_loader/test_torch_model.py:139
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `enable_cache_manager_v1` in fastdeploy/engine/resource_manager.py:56
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `enable_cache_manager_v1` in fastdeploy/engine/sched/resource_manager_v1.py:1028
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `enable_cache_manager_v1` in fastdeploy/spec_decode/mtp.py:454
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `enable_cache_manager_v1` in tests/distributed/chunked_moe.py:154
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `fa4_old` in tests/layers/test_flash_attn_func.py:268
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `fd_outputs_v1` in tests/model_loader/test_model_cache.py:92
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `fd_v1` in tests/utils/test_config.py:311
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `get_candidates_for_backup` in fastdeploy/cache_manager/v1/radix_tree.py:625
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `get_candidates_for_backup` in tests/cache_manager/v1/test_radix_tree.py:1220
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `h2d_copy` in fastdeploy/model_executor/layers/embeddings.py:28
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `h2d_copy` in fastdeploy/model_executor/layers/linear.py:34
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `h2d_copy` in fastdeploy/model_executor/layers/moe/moe.py:34
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `h2d_copy` in fastdeploy/model_executor/models/ernie4_5_vl/dfnrope/modeling.py:32
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `h2d_copy` in fastdeploy/model_executor/models/paddleocr_vl/projector.py:23
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `h2d_copy` in fastdeploy/model_executor/models/paddleocr_vl/siglip.py:26
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `h2h_copy` in fastdeploy/cache_manager/transfer_factory/mooncake_store/attention_store.py:209
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `infer_to_train_mapping_copy` in fastdeploy/rl/rollout_model.py:813
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `insert_tasks_v1` in fastdeploy/worker/gpu_worker.py:218
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `insert_tasks_v1` in fastdeploy/worker/hpu_model_runner.py:534
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `insert_tasks_v1` in fastdeploy/worker/hpu_worker.py:191
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `insert_tasks_v1` in fastdeploy/worker/metax_worker.py:213
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `insert_tasks_v1` in fastdeploy/worker/xpu_worker.py:175
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `is_copy` in fastdeploy/metrics/trace.py:131
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `is_copy` in tests/metrics/test_trace.py:334
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `layer_v1` in tests/model_executor/test_linear.py:412
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `loader_v1` in fastdeploy/model_executor/models/glm4_moe.py:544
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `lookup_table_v2` in fastdeploy/worker/gpu_model_runner.py:189
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `lookup_table_v2` in fastdeploy/worker/metax_model_runner.py:145
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `lookup_table_v2` in fastdeploy/worker/xpu_model_runner.py:125
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `maybe_unused` in custom_ops/gpu_ops/machete/generate.py:63
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `mock_legacy` in tests/logger/test_logger.py:207
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `paddle_use_triton_v2` in fastdeploy/model_executor/ops/triton_ops/triton_utils_v2.py:340
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `q_legacy` in tests/model_executor/test_paddleformers_base.py:934
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `qkv_copy` in tests/layers/test_append_attention.py:671
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `qkv_copy` in tests/operators/attention/test_decode_unified_attention_c16.py:320
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `resource_manager_v1` in fastdeploy/engine/common_engine.py:55
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `resource_manager_v1` in tests/engine/test_resource_manager_v1.py:22
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `resource_manager_v1` in tests/scheduler/test_chunked_prefill_determinism.py:32
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `resource_manager_v1` in tests/v1/test_resource_manager_v1.py:43
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `resource_manager_v1` in tests/v1/test_schedule_output.py:23
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `set_value_by_flags_and_idx_v2` in fastdeploy/model_executor/ops/npu/__init__.py:22
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `split_or_merge_func_v1` in fastdeploy/model_executor/models/ernie4_5_moe.py:856
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `split_or_merge_func_v1` in fastdeploy/model_executor/models/ernie4_5_vl/ernie4_5_vl_moe.py:985
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `split_or_merge_func_v1` in fastdeploy/model_executor/models/glm4_mtp.py:59
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `split_or_merge_func_v1` in fastdeploy/model_executor/models/qwen2_5_vl/qwen2_5_vl.py:388
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `split_or_merge_func_v1` in fastdeploy/model_executor/models/qwen3_vl/qwen3_vl.py:444
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `split_or_merge_func_v1` in fastdeploy/model_executor/models/tp_utils.py:421
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `split_or_merge_func_v1` in tests/model_executor/test_glm4_mtp.py:51
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `split_or_merge_func_v1` in tests/model_executor/test_tp_utils.py:455
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `sublayer1_copy` in tests/graph_optimization/test_cuda_graph_recapture.py:65
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `sublayer1_copy` in tests/graph_optimization/test_cuda_graph_spec_decode.py:64
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_copy` in tests/model_executor/guided_decoding/test_guided_decoding_xgrammar_backend.py:195
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_create_weights_bf16_checkpoint_default_v1` in tests/quantization/test_wfp8afp8.py:151
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_get_all_layer_times_returns_copy` in tests/cache_manager/v1/test_cache_utils.py:580
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_get_captured_graph_log_returns_copy` in tests/graph_optimization/test_cuda_graph_op_unit.py:46
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_identical_positions_copy` in tests/worker/test_gpu_model_runner.py:187
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_insert_tasks_v1` in tests/spec_decode/test_mtp_proposer.py:223
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `tmem_tiled_copy` in tests/operators/test_deepgemm_precision.py:344
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `tokens_list_part_v1` in benchmarks/ernie_tokenizer.py:723
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `triton_utils_v2` in fastdeploy/model_executor/ops/triton_ops/wint2_fused_moe_kernel.py:19
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `triton_utils_v2` in tests/model_executor/ops/triton_ops/test_triton_utils_v2.py:26
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `update_inputs_v1` in custom_ops/setup_ops.py:306
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `update_inputs_v1` in fastdeploy/model_executor/pre_and_post_process.py:41
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `update_inputs_v1` in fastdeploy/model_executor/xpu_pre_and_post_process.py:46
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `update_inputs_v1` in tests/operators/test_update_inputs_v1.py:20
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `w4afp8_default_v1` in tests/ci_use/w4afp8/test_moe_w4afp8_online_quant.py:41
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `zero_copy` in fastdeploy/eplb/async_expert_loader.py:178
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `zero_copy` in fastdeploy/model_executor/layers/attention/attention.py:177
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `zero_copy` in fastdeploy/model_executor/load_weight_utils.py:266
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `zero_copy` in tests/distributed/test_hopper_ll_precision.py:82
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `zero_copy` in tests/model_executor/test_load_weight_utils.py:439
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph software Dead code conf 1.00 Possibly dead Python function: adjust_size
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
fastdeploy/input/image_processors/paddleocr_processor.py:64
low System graph software Dead code conf 1.00 Possibly dead Python function: async_request_eb_openai_chat_completions_multi_turn
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/backend_request_func_swe.py:638
low System graph software Dead code conf 1.00 Possibly dead Python function: async_request_eb_openai_chat_completions_multi_turn
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/backend_request_func.py:638
low System graph software Dead code conf 1.00 Possibly dead Python function: benchmark_metrics
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/benchmark_serving.py:919
low System graph software Dead code conf 1.00 Possibly dead Python function: build_extension
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
setup.py:175
low System graph software Dead code conf 1.00 Possibly dead Python function: consumer_process
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/benchmark_fmq.py:99
low System graph software Dead code conf 1.00 Possibly dead Python function: create_and_submit_new_task
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/paddleocr_vl/benchmark.py:105
low System graph software Dead code conf 1.00 Possibly dead Python function: decode_audio
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
fastdeploy/input/tokenizer_client.py:102
low System graph software Dead code conf 1.00 Possibly dead Python function: do_nothing
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
fastdeploy/utils.py:1256
low System graph software Dead code conf 1.00 Possibly dead Python function: encode_audio
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
fastdeploy/input/tokenizer_client.py:96
low System graph software Dead code conf 1.00 Possibly dead Python function: encode_str_and_encode_str
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/ernie_tokenizer.py:903
low System graph software Dead code conf 1.00 Possibly dead Python function: fused_attention_forward
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
fastdeploy/worker/hpu_model_runner.py:257
low System graph software Dead code conf 1.00 Possibly dead Python function: fused_mlp_forward
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
fastdeploy/worker/hpu_model_runner.py:303
low System graph software Dead code conf 1.00 Possibly dead Python function: fused_self_atten_forward
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
fastdeploy/worker/hpu_model_runner.py:285
low System graph software Dead code conf 1.00 Possibly dead Python function: log_response
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
fastdeploy/input/tokenizer_client.py:111
low System graph software Dead code conf 1.00 Possibly dead Python function: monitor_device
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/paddleocr_vl/benchmark.py:60
low System graph software Dead code conf 1.00 Possibly dead Python function: nvtx_range
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
fastdeploy/usage/nvtx.py:25
low System graph software Dead code conf 1.00 Possibly dead Python function: producer_process
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/benchmark_fmq.py:54
low System graph software Dead code conf 1.00 Possibly dead Python function: set_oov_utf_16_be
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
benchmarks/ernie_tokenizer.py:999
low System graph software Dead code conf 1.00 Possibly dead Python function: singleton
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
fastdeploy/utils.py:653
low System graph software Dead code conf 1.00 Possibly dead Python function: tune_blockwise_fp8_gemm_fused
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/tune_cutlass_fp8_gemm.py:151
low System graph software Dead code conf 1.00 Possibly dead Python function: tune_cublaslt_int8_gemm
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/tune_cublaslt_int8_gemm.py:20
low System graph software Dead code conf 1.00 Possibly dead Python function: tune_cutlass_fp8_fp8_fp8_dual_gemm_fused
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/tune_cutlass_fp8_gemm.py:60
low System graph software Dead code conf 1.00 Possibly dead Python function: tune_cutlass_fp8_fp8_half_gemm_fused
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/tune_cutlass_fp8_gemm.py:20
low System graph software Dead code conf 1.00 Possibly dead Python function: tune_per_channel_fp8_gemm_fused
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/tune_cutlass_fp8_gemm.py:106
low System graph software Dead code conf 1.00 Possibly dead Python function: tune_scaled_gemm_f8_i4_f16
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/tune_scaled_gemm_f8_i4_f16.py:24
low System graph quality Integrity conf 1.00 Stub function `_build_stream_response` (body is just `pass`/`return`) — fastdeploy/entrypoints/openai/v1/serving_base.py:176
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `_init_weight` (body is just `pass`/`return`) — fastdeploy/model_executor/models/qwen3_vl/qwen3_vl.py:395
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `_init_weights` (body is just `pass`/`return`) — fastdeploy/model_executor/models/glm4_mtp.py:48
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `apply` (body is just `pass`/`return`) — fastdeploy/model_executor/layers/quantization/w8a8.py:176
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `close` (body is just `pass`/`return`) — benchmarks/paddleocr_vl/benchmark.py:41
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `close` (body is just `pass`/`return`) — fastdeploy/inter_communicator/zmq_client.py:147
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `close` (body is just `pass`/`return`) — fastdeploy/inter_communicator/zmq_server.py:403
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `disable_record` (body is just `pass`/`return`) — fastdeploy/worker/iluvatar_model_runner.py:32
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `download_model` (body is just `pass`/`return`) — fastdeploy/model_executor/model_loader/default_loader_v1.py:47
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `for_classify` (body is just `pass`/`return`) — fastdeploy/model_executor/layers/pooler.py:132
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `forward` (body is just `pass`/`return`) — fastdeploy/model_executor/models/interfaces_base.py:50
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code
low System graph quality Integrity conf 1.00 Stub function `postprocess` (body is just `pass`/`return`) — fastdeploy/output/token_processor.py:1299
Likely an AI scaffold that was never filled in. Remove or implement.
Empty handlerDead code

Showing first 300 of 373. Refine filters or use the findings page for deep search.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/ab654ff4-2d45-41c2-a338-f39e691f30b3/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/ab654ff4-2d45-41c2-a338-f39e691f30b3/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.