Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
100 of your 173 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 4.24s · analysis 17.32s · 7.4 MB · GitHub preflight 417ms

sharkdp/bat

https://github.com/sharkdp/bat · scanned 2026-06-04 22:46 UTC (9 hours, 3 minutes ago) · 10 languages

242 findings (170 legacy + 72 scanner) 80th percentile · Rust · medium (20-100K LoC) Scanner says 78 (lower by 3)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 9 hours ago · v2 · 206 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
74.5
/100
Repobility
71
170 legacy
9-layer
79
100.0% cov · 36 gaps
Critical
3
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 50.8 0.25 12.70
testing_score 85.0 0.20 17.00
documentation_score 98.0 0.15 14.70
practices_score 81.0 0.15 12.15
code_quality 64.5 0.10 6.45
Overall 1.00 75.7
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 3 High 130 Medium 32 Low 27 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 170 9-layer 36 Crowd 0 Layer: Software 113 Cicd 15 Quality 69 Api 1 Frontend 4 Hardware 3 Security 1
Scan summary Repository scanned at 78.5/100 with 100.0% coverage. It contains 1264 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 36 findings — concentrated in cicd (13), quality (9), software (5). Risk profile is high: 0 critical, 3 high, 8 medium. Recommended next step: open the cicd layer findings first — that's where the highest-impact wins live.

Showing 57 of 206 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy software dependency conf 0.90 ✓ Repobility Workflow uses `secrets.WINGET_TOKEN` on a `pull_request` trigger
This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WINGET_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted conte…
.github/workflows/CICD.yml:464 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:181 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:153 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:138 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:122 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:93 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:83 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:71 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:61 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:38 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/checkout` pinned to mutable ref `@v6`
`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/require-changelog-for-PRs.yml:16 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/upload-artifact` pinned to mutable ref `@master`
`uses: actions/upload-artifact@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:431 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `actions/upload-artifact` pinned to mutable ref `@master`
`uses: actions/upload-artifact@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:425 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `dtolnay/rust-toolchain` pinned to mutable ref `@master`
`uses: dtolnay/rust-toolchain@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:73 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`
`uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:192 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`
`uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:140 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`
`uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:127 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`
`uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:97 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`
`uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:58 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility Action `softprops/action-gh-release` pinned to mutable ref `@v2`
`uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
.github/workflows/CICD.yml:445 dependencylegacy
high Legacy software dependency conf 0.88 bincode: RUSTSEC-2025-0141
Bincode is unmaintained
Cargo.lock dependencylegacy
high Legacy software dependency conf 0.88 yaml-rust: RUSTSEC-2024-0320
yaml-rust is unmaintained.
Cargo.lock dependencylegacy
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
dtolnay/rust-toolchain@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:73 supply-chaingithub-actionspinned-dependencies
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
actions/upload-artifact@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:425 supply-chaingithub-actionspinned-dependencies
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
actions/upload-artifact@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:431 supply-chaingithub-actionspinned-dependencies
medium Legacy cicd docker conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore dockerlegacy
medium Legacy software dependency conf 0.90 GitHub Action `softprops/action-gh-release@v2` is 1 major version(s) behind (latest v3.0.0)
`uses: softprops/action-gh-release@v2` is 1 major version(s) behind the latest published release v3.0.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no covera…
.github/workflows/CICD.yml:445 dependencylegacy
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: tests/syntax-tests/highlighted/Dockerfile/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: tests/syntax-tests/source/Dockerfile/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/rust-toolchain@stable can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:97 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/rust-toolchain@stable can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:127 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/rust-toolchain@stable can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:140 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/rust-toolchain@stable can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:192 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
softprops/action-gh-release@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:445 supply-chaingithub-actionspinned-dependencies
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverageauth
low Legacy quality quality conf 0.70 Generated build artifact directory is present at repository root
Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate.
build:1 qualitylegacy
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coveragedeployment
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/examples/regression_tests/issue_985.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/syntax-tests/highlighted/JavaScript/test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/syntax-tests/highlighted/Python/battest.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/syntax-tests/highlighted/TypeScript/example.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: tests/syntax-tests/highlighted/TypeScriptReact/app.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:71 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:93 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:122 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:138 supply-chaingithub-actionspinned-dependencies
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/CICD.yml:181 supply-chaingithub-actionspinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `pdataOld` in tests/benchmarks/highlighting-speed-src/jquery.js:5636
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `root_old` in tests/syntax-tests/compare_highlighted_versions.py:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_copy` in tests/benchmarks/highlighting-speed-src/numpy_test_multiarray.py:1941
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integritylegacy-markerdead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/syntax-tests/source/JavaScript/test.js:79
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — tests/syntax-tests/source/TypeScript/example.ts:10
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-qualityfq.console-leak
low 9-layer quality complexity conf 1.00 Very large file: tests/benchmarks/highlighting-speed-src/jquery.js (10364 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: tests/benchmarks/highlighting-speed-src/numpy_test_multiarray.py (8471 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: tests/integration_tests.rs (4237 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
src/less.rs:48 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
src/assets/build_assets/acknowledgements.rs:96 qualitylegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/b504f98d-17fc-4f9d-a9ba-35a8204074a9/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/b504f98d-17fc-4f9d-a9ba-35a8204074a9/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.