Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
34 of your 148 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 9.69s · analysis 12.79s · 14.7 MB · GitHub API rate-limit (preflight)

etcd-io/etcd

https://github.com/etcd-io/etcd · scanned 2026-06-05 11:32 UTC (5 days, 11 hours ago) · 10 languages

176 raw signals (122 security + 54 graph) 36th percentile · Go · large (100-500K LoC) System graph score 74 (lower by 2)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 11 hours ago · v2 · 62 actionable findings from 2 signal sources. 87 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
68.0
/100
Security checks
62
35 findings
System graph
74
100.0% cov · 27 findings
Critical
6
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 31.1 0.25 7.78
testing_score 85.0 0.20 17.00
documentation_score 90.0 0.15 13.50
practices_score 83.0 0.15 12.45
code_quality 78.1 0.10 7.81
Overall 1.00 71.3
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 6 High 16 Medium 9 Low 18 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 35 System graph 27 Crowd 0 Layer: Cicd 6 Software 14 Quality 24 Security 7 Hardware 10 Frontend 1
Scan summary Quality grade B (71/100). Dimensions: security 31, maintainability 85. 122 findings (80 security). 198,508 lines analyzed.

Showing 41 of 62 actionable findings. 149 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks security secrets conf 0.95 3 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
3 files, 3 locations
codecov.yml:4
scripts/genproto.sh:96
tests/e2e/discovery_v3_test.go:69
critical Security checks software dependencies conf 0.90 ✓ Repobility GHA script injection via github.event.pull_request.head.ref in run-step
Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.ref }} into shell. PR title/body/branch/comment fields are attacker-controllable.
.github/workflows/bump-devcontainer-version.yml:45
critical Security checks security secrets conf 0.95 Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
Gitleaks detected a committed secret or credential pattern.
pkg/proxy/fixtures/server.key.insecure:1
critical System graph security Secrets conf 1.00 Possible secret in etcdctl/ctlv3/command/global.go
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
etcdctl/ctlv3/command/global.go:314
critical System graph security Secrets conf 1.00 Possible secret in etcdctl/ctlv3/command/make_mirror_command.go
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
etcdctl/ctlv3/command/make_mirror_command.go:90
critical System graph security Secrets conf 1.00 Possible secret in tools/benchmark/cmd/util.go
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
tools/benchmark/cmd/util.go:44
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
tools/rw-heatmaps/pkg/dataset/dataset.go:68
high Security checks quality Quality conf 1.00 [SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/keys. Ported from gosec G404 (Apache-2.0).
import `crypto/rand` and use `rand.Read(buf)`.
server/proxy/tcpproxy/userspace.go:20
high Security checks quality Quality conf 1.00 [SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/keys. Ported from gosec G404 (Apache-2.0).
import `crypto/rand` and use `rand.Read(buf)`.
client/v3/utils.go:18
high Security checks software dependencies conf 0.88 golang.org/x/image: GO-2026-5031
Panic when reading out of bound palette index in golang.org/x/image/bmp
tools/rw-heatmaps/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/image: GO-2026-5032
Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff
tools/rw-heatmaps/go.mod
high Security checks software dependencies conf 0.88 11 occurrences golang.org/x/net: GO-2026-5025
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
11 files, 11 locations
api/go.mod
cache/go.mod
client/v3/go.mod
etcdctl/go.mod
etcdutl/go.mod
go.mod
pkg/go.mod
server/go.mod
high Security checks software dependencies conf 0.88 11 occurrences golang.org/x/net: GO-2026-5026
Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
11 files, 11 locations
api/go.mod
cache/go.mod
client/v3/go.mod
etcdctl/go.mod
etcdutl/go.mod
go.mod
pkg/go.mod
server/go.mod
high Security checks software dependencies conf 0.88 11 occurrences golang.org/x/net: GO-2026-5027
Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
11 files, 11 locations
api/go.mod
cache/go.mod
client/v3/go.mod
etcdctl/go.mod
etcdutl/go.mod
go.mod
pkg/go.mod
server/go.mod
high Security checks software dependencies conf 0.88 11 occurrences golang.org/x/net: GO-2026-5028
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
11 files, 11 locations
api/go.mod
cache/go.mod
client/v3/go.mod
etcdctl/go.mod
etcdutl/go.mod
go.mod
pkg/go.mod
server/go.mod
high Security checks software dependencies conf 0.88 11 occurrences golang.org/x/net: GO-2026-5029
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
11 files, 11 locations
api/go.mod
cache/go.mod
client/v3/go.mod
etcdctl/go.mod
etcdutl/go.mod
go.mod
pkg/go.mod
server/go.mod
high Security checks software dependencies conf 0.88 11 occurrences golang.org/x/net: GO-2026-5030
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
11 files, 11 locations
api/go.mod
cache/go.mod
client/v3/go.mod
etcdctl/go.mod
etcdutl/go.mod
go.mod
pkg/go.mod
server/go.mod
high System graph security security conf 1.00 Insecure pattern 'eval_used' in client/v3/leasing/txn.go:53
Found a known-risky pattern (eval_used). Review and replace if possible.
client/v3/leasing/txn.go:53 Eval used
medium Security checks cicd CI/CD security conf 0.86 Database dump or local database file is included in Docker build context
Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions.
.dockerignore CI/CD securitycontainers
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore CI/CD securitycontainers
high Security checks cicd CI/CD security conf 0.82 3 occurrences Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
3 files, 3 locations
tests/antithesis/server/Dockerfile:68
tests/antithesis/test-template/Dockerfile:13
tools/container-images/devcontainer/Dockerfile:1
CI/CD securitycontainers
medium System graph hardware Security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: tests/antithesis/config/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: tests/antithesis/server/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: tests/antithesis/test-template/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: tools/container-images/devcontainer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/bump-devcontainer-version.yml CI/CD securitySupply chainGithub actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/scorecards.yml CI/CD securitySupply chainGithub actions
low Security checks quality Error handling conf 1.00 [ERR003] Ignored Error (Go): Ignoring error return values.
Handle the error or use errcheck linter.
server/storage/backend.go:105
low Security checks quality Error handling conf 1.00 [ERR003] Ignored Error (Go): Ignoring error return values.
Handle the error or use errcheck linter.
server/etcdserver/api/v3lock/v3lockpb/gw/v3lock.pb.gw.go:48
low Security checks quality Quality conf 0.60 3 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
3 files, 3 locations
client/v3/experimental/recipes/queue.go:21
etcdutl/etcdutl/completion_commmand.go:24
server/etcdserver/api/v3lock/v3lockpb/gw/v3lock.pb.gw.go:8
duplicationquality
low System graph quality Maintenance conf 1.00 236 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph quality Complexity conf 1.00 Very large file: api/etcdserverpb/gw/rpc.pb.gw.go (3259 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: api/etcdserverpb/rpc.pb.go (6952 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: api/etcdserverpb/rpc_grpc.pb.go (2137 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/embed/config.go (1402 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: server/etcdserver/server.go (2478 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/framework/integration/cluster.go (1707 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/integration/cache_test.go (1716 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/integration/clientv3/lease/leasing_test.go (1805 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/integration/v3_grpc_test.go (2357 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/ba97197c-2e3b-4bc7-a17c-38a79bdd557b/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/ba97197c-2e3b-4bc7-a17c-38a79bdd557b/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.