nocodb/nocodb

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

48 of your 156 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Upstream (GitHub) caused delay on this scan — not Repobility.

GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
Clone from GitHub took 64.96s for a 138.0 MB repo slow.
Repobility's analysis ran in 25.19s after the clone landed.

https://github.com/nocodb/nocodb · scanned 2026-06-05 09:04 UTC (5 days, 19 hours ago) · 10 languages

1640 raw signals (130 security + 1510 graph) 10/13 scanners ran 5th percentile · Typescript · huge (>500K LoC) System graph score 55 (higher by 15)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 19 hours ago · v2 · 800 actionable findings from 2 signal sources. 85 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

100.0% cov · 733 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	60.0	0.15	9.00
`security_score`	100.0	0.25	25.00
`testing_score`	37.0	0.20	7.40
`documentation_score`	64.0	0.15	9.60
`practices_score`	74.0	0.15	11.10
`code_quality`	80.0	0.10	8.00
Overall		1.00	70.1

security_score may be inflated — optional security scanners were skipped on this fast scan

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 13 High 36 Medium 17 Low 312 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 67 System graph 733 Crowd 0 Layer: Quality 242 Security 31 Cicd 17 Software 59 Frontend 386 Hardware 1 Api 64

Exclude dismissed / FP Exclude test files

Bug-class explainers. Each card groups findings of the same shape — these are the patterns most likely to ship to prod and reappear in future scans unless you systematically fix the cause, not just the instance.

Commented-out code 148 findings

What it is: Lines of source that were intentionally disabled but never deleted.

Why it matters: Git already remembers history — commented code rots, becomes wrong, and adds noise to diffs.

How AI causes it: AI sometimes comments out broken code instead of fixing it. Reviewers approve out of inertia.

Fix approach: Delete. Trust `git log`. If you really need to remember, save it in a notes file under `docs/`.

12 matching findings on this repo

info Commented-code block (8 lines) in packages/nocodb/jest.config.js:25
info Commented-code block (7 lines) in packages/nocodb/src/dbQueryClient/mysql.ts:47
info Commented-code block (5 lines) in packages/nocodb/src/dbQueryClient/aggregation…
info Commented-code block (5 lines) in packages/nocodb/src/dbQueryClient/cross-db-ut…
info Commented-code block (6 lines) in packages/nocodb/src/models/Filter.ts:611
info Commented-code block (7 lines) in packages/nocodb/src/models/View.ts:568
info Commented-code block (9 lines) in packages/nocodb/src/models/HookFilter.ts:245
info Commented-code block (5 lines) in packages/nocodb/src/models/Column.ts:2068
info Commented-code block (5 lines) in packages/nocodb/src/models/Source.ts:228
info Commented-code block (5 lines) in packages/nocodb/src/models/Model.ts:881
info Commented-code block (18 lines) in packages/nocodb/src/version-upgrader/upgrade…
info Commented-code block (10 lines) in packages/nocodb/src/version-upgrader/upgrade…

View all commented-out code findings →

Config drift 16 findings

What it is: Settings duplicated across env files, Docker compose, K8s, and code defaults, all with slightly different values.

Why it matters: Production behaviour depends on whichever copy your loader reads first. Subtle bugs in staging that don't reproduce in dev.

How AI causes it: AI writes new config from memory rather than reading the existing source.

Fix approach: Pick one source of truth (env vars + a settings module). Have every other place import from there. Lint for duplicates in CI.

12 matching findings on this repo

high [SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers c… packages/nc-gui/utils/fileUtils.ts:164
low File has no detected symbols: packages/nocodb-sdk-v2/rslib.config.ts
low File has no detected symbols: packages/nocodb/jest.config.js
low File has no detected symbols: packages/nocodb/rspack.config.js
low File has no detected symbols: packages/nocodb/rspack.timely.config.js
low File has no detected symbols: packages/nocodb/rspack.dev.config.js
low File has no detected symbols: packages/nocodb/src/app.config.ts
low File has no detected symbols: packages/nocodb/src/types/nc-plugin/lib/XcPluginC…
low File has no detected symbols: packages/nocodb/src/version-upgrader/upgraders/01…
info TODO/FIXME marker in shipping code — packages/nocodb/src/utils/nc-config/helper…
low Stray `console.log` in TS/JS — packages/nocodb/src/meta/migrations/v0/nc_202604…
info TODO/FIXME marker in shipping code — packages/nc-gui/nuxt.config.ts:52

View all config drift findings →

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/ac9bfbed-85b8-40b6-bc96-88903626f9c2/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/ac9bfbed-85b8-40b6-bc96-88903626f9c2/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.