35 of the 82 findings came from Repobility's proprietary detections; the ✓ Repobility tag below marks them.

Scan timing: clone 15.79s · analysis 8.77s · 24.0 MB · GitHub API rate-limit (preflight)

kptdev/kpt

https://github.com/kptdev/kpt · scanned 2026-06-05 13:20 UTC (5 days, 6 hours ago) · 10 languages

148 raw signals (78 security + 70 graph) · 69th percentile · Go · medium (20-100K LoC) · System graph score 88 (lower by 15)


Complete repo analysis

Last scanned 5 days, 6 hours ago · v2 · 51 actionable findings from 2 signal sources. 62 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component             Sub-score  Weight  Contribution
structure_score            85.0    0.15         12.75
security_score             50.8    0.25         12.70
testing_score              80.0    0.20         16.00
documentation_score        81.0    0.15         12.15
practices_score            88.0    0.15         13.20
code_quality               65.5    0.10          6.55
Overall                       -    1.00         73.3
Scan summary Quality grade B (73/100). Dimensions: security 51, maintainability 85. 78 findings (44 security). 52,416 lines analyzed.

Showing 34 of 51 actionable findings. 113 raw detector signals were grouped into reader-sized issues.

high · Security checks · software / File upload · conf 1.00 · [SEC032] Unrestricted File Upload — no extension/MIME validation
File upload accepts the user's filename without validating extension, content-type, or magic bytes. Attackers upload `.php`, `.jsp`, or executable files to a web-served directory, then visit the URL to trigger RCE. CWE-434. Examples: Apache Struts (CVE-2017-9805), countless WordPress plugin RCEs.
Validate THREE things server-side:
1. Extension allowlist:
   ALLOWED = {'.png', '.jpg', '.pdf'}
   ext = Path(file.filename).suffix.lower()
   if ext not in ALLOWED: abort(400)
2. Magic-byte check (don't trust the extension):
   import magic
   mime = magic.from_buffer(file…
pkg/fn/runtime/wasm.go:159
high · Security checks · software dependencies · conf 0.90 · ✓ Repobility · Dockerfile FROM `alpine:3.18` not pinned by digest
`FROM alpine:3.18` resolves the tag at build time. The registry can re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity.
release/images/Dockerfile:14
medium · Security checks · cicd / CI/CD security · conf 0.90 · ✓ Repobility · 9 occurrences · GitHub Action is tag-pinned rather than SHA-pinned
Action `engineerd/setup-kind` is pinned to the mutable ref `@v0.6.2` (a tag or branch) rather than a commit. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 9 locations
.github/workflows/release.yml:48, 59, 83 (5 hits)
.github/workflows/e2eEnvironment.yml:50 (2 hits)
.github/workflows/live-e2e.yml:50 (2 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
low · Security checks · cicd / CI/CD security · conf 0.90 · ✓ Repobility · 29 occurrences · GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is pinned to the mutable ref `@v5` (a tag or branch) rather than a commit. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
6 files, 29 locations
.github/workflows/go.yml:53, 57, 75, 79 (8 hits)
.github/workflows/live-e2e.yml:38, 42, 46 (5 hits)
.github/workflows/e2eEnvironment.yml:39, 43 (4 hits)
.github/workflows/release.yml:31, 36 (4 hits)
.github/workflows/verifyContent.yml:34, 38 (4 hits)
.github/workflows/verifyDocumentation.yml:32, 35 (4 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
high · Security checks · software dependencies · conf 0.88 · 2 occurrences · golang.org/x/net: GO-2026-5025
Incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
2 files, 2 locations
go.mod
healthcheck/go.mod
high · Security checks · software dependencies · conf 0.88 · 2 occurrences · golang.org/x/net: GO-2026-5026
Failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
2 files, 2 locations
go.mod
healthcheck/go.mod
high · Security checks · software dependencies · conf 0.88 · 2 occurrences · golang.org/x/net: GO-2026-5027
Incorrect handling of HTML elements in foreign content in golang.org/x/net/html
2 files, 2 locations
go.mod
healthcheck/go.mod
high · Security checks · software dependencies · conf 0.88 · 2 occurrences · golang.org/x/net: GO-2026-5028
Denial of service when parsing arbitrary HTML in golang.org/x/net/html
2 files, 2 locations
go.mod
healthcheck/go.mod
high · Security checks · software dependencies · conf 0.88 · 2 occurrences · golang.org/x/net: GO-2026-5029
Incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
2 files, 2 locations
go.mod
healthcheck/go.mod
high · Security checks · software dependencies · conf 0.88 · 2 occurrences · golang.org/x/net: GO-2026-5030
Duplicate attributes can cause XSS in golang.org/x/net/html
2 files, 2 locations
go.mod
healthcheck/go.mod
high · Security checks · software dependencies · conf 0.88 · 3 occurrences · stdlib: GO-2026-5037
Inefficient candidate hostname parsing in crypto/x509
3 files, 3 locations
documentation/go.mod
go.mod
healthcheck/go.mod
high · Security checks · software dependencies · conf 0.88 · 3 occurrences · stdlib: GO-2026-5038
Quadratic complexity in WordDecoder.DecodeHeader in mime
3 files, 3 locations
documentation/go.mod
go.mod
healthcheck/go.mod
high · Security checks · software dependencies · conf 0.88 · 3 occurrences · stdlib: GO-2026-5039
Arbitrary inputs are included in errors without any escaping in net/textproto
3 files, 3 locations
documentation/go.mod
go.mod
healthcheck/go.mod
medium · Security checks · quality / Quality · conf 1.00 · [SEC094] Go: world-writable file permissions
File or directory created with world-writable mode (e.g. 0666, 0777). Ported from gosec G301 / G302 / G306 (Apache-2.0).
Use 0600 for files and 0700 for directories that should be private.
commands/alpha/wasm/pull/command.go:89
medium · Security checks · cicd / CI/CD security · conf 0.90 · Docker build context has no .dockerignore
Without a .dockerignore, the build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore
Tags: CI/CD security · containers
high · Security checks · cicd / CI/CD security · conf 0.82 · Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
release/images/Dockerfile:15
Tags: CI/CD security · containers
medium · Security checks · software dependencies · conf 0.90 · npm package `firebase-admin` is 4 major version(s) behind (^9.8.0 -> 13.10.0)
`firebase-admin` is pinned/resolved at ^9.8.0 but the latest stable release on the npm registry is 13.10.0 (4 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
firebase/functions/package.json
medium · Security checks · software dependencies · conf 0.90 · npm package `firebase-functions-test` is 3 major version(s) behind (^0.2.0 -> 3.5.0)
`firebase-functions-test` is pinned/resolved at ^0.2.0 but the latest stable release on the npm registry is 3.5.0 (3 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs …
firebase/functions/package.json
medium · Security checks · software dependencies · conf 0.90 · npm package `firebase-functions` is 4 major version(s) behind (^3.14.1 -> 7.2.5)
`firebase-functions` is pinned/resolved at ^3.14.1 but the latest stable release on the npm registry is 7.2.5 (4 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs rais…
firebase/functions/package.json
medium · System graph · hardware / Security · conf 1.00 · Dockerfile runs as root: release/images/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Tags: Container
medium · System graph · cicd / CI/CD security · conf 1.00 · GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase the blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml
Tags: CI/CD security · Supply chain · GitHub Actions
low · Security checks · quality / Error handling · conf 1.00 · 3 occurrences · [ERR003] Ignored Error (Go): error return values are ignored.
Handle the error or use the errcheck linter.
3 files, 3 locations
commands/fn/render/cmdrender.go:56
commands/pkg/get/cmdget.go:59
commands/pkg/update/cmdupdate.go:57
low · Security checks · quality / Quality · conf 0.60 · 7 occurrences · Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
6 files, 7 locations
commands/live/destroy/cmddestroy.go:85, 89 (2 hits)
commands/alpha/wasm/push/command.go:24
commands/live/apply/cmdapply.go:132
pkg/lib/runneroptions/imagepullpolicy.go:2
pkg/lib/util/addmergecomment/addmergecomment.go:53
thirdparty/cmdconfig/commands/runner/runner.go:56
Tags: duplication · quality
low · Security checks · software dependencies · conf 0.90 · npm package `autoprefixer` is minor version(s) behind (^10.4.21 -> 10.5.0)
`autoprefixer` is pinned/resolved at ^10.4.21 but the latest stable release on the npm registry is 10.5.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
documentation/package.json
low · Security checks · software dependencies · conf 0.90 · npm package `hugo-extended` is minor version(s) behind (^0.161.1 -> 0.162.1)
`hugo-extended` is pinned/resolved at ^0.161.1 but the latest stable release on the npm registry is 0.162.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
documentation/package.json
low · System graph · quality / Maintenance · conf 1.00 · 42 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low · System graph · hardware / Supply chain · conf 1.00 · Docker base image is tag-pinned but not digest-pinned: alpine:3.18
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
release/images/Dockerfile:14
Tags: containers · Pinned dependencies
low · System graph · software / Dead code candidate · conf 1.00 · File has no detected symbols: documentation/assets/js/search.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low · System graph · software / Dead code candidate · conf 1.00 · File has no detected symbols: documentation/postcss.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low · System graph · software / Dead code candidate · conf 1.00 · File has no detected symbols: firebase/functions/.eslintrc.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low · System graph · software / Dead code candidate · conf 1.00 · File has no detected symbols: internal/testutil/testdata/dataset5/somefunction.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low · System graph · software / Dead code candidate · conf 1.00 · File has no detected symbols: internal/testutil/testdata/dataset6/somefunction.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low · System graph · cicd / CI/CD security · conf 1.00 · package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access.
documentation/package.json
Tags: CI/CD security · Supply chain · npm
low · System graph · quality / Complexity · conf 1.00 · Very large file: pkg/lib/update/update_test.go (3873 lines)
Files with more than 800 lines often hide complexity hotspots and discourage tests.

This page is publicly accessible at: https://repobility.com/scan/b7f85d24-e1ab-4fe3-ae8e-1bebaec5b884/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/b7f85d24-e1ab-4fe3-ae8e-1bebaec5b884/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.