31 of your 73 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.68s · analysis 5.74s · 0.5 MB · GitHub API rate-limit (preflight)

meshery/meshery-operator

https://github.com/meshery/meshery-operator · scanned 2026-06-05 16:46 UTC (4 days, 23 hours ago) · 10 languages

125 raw signals (69 security + 56 graph) · 50th percentile · Go · small (2-20K LoC) · System graph score 90 (lower by 12)


Complete repo analysis

Last scanned 4 days, 23 hours ago · v2 · 46 actionable findings from 2 signal sources. 51 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5

Component             Sub-score   Weight   Contribution
structure_score           100.0     0.15          15.00
security_score             53.7     0.25          13.43
testing_score              80.0     0.20          16.00
documentation_score        80.0     0.15          12.00
practices_score            98.0     0.15          14.70
code_quality               75.5     0.10           7.55
Overall                              1.00          78.7
Active filters: excluding tests
Scan summary: Quality grade B+ (79/100). Dimensions: security 54, maintainability 100. 69 findings (55 security). 4,294 lines analyzed.

Showing 43 of 46 actionable findings. 97 raw detector signals were grouped into reader-sized issues.

critical Security checks software dependencies conf 0.88 github.com/jackc/pgx/v5: GHSA-9jj7-4m8r-rfcm
Memory-safety vulnerability in github.com/jackc/pgx/v5.
go.mod
critical Security checks software dependencies conf 0.88 google.golang.org/grpc: GHSA-p77j-4mvh-x3m3
gRPC-Go has an authorization bypass via missing leading slash in :path
go.mod
critical Security checks security secrets conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
pkg/broker/resources.go:82
high Security checks security Secret conf 1.00 [SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT).
If the JWT is live, invalidate by rotating the signing key. Move tokens out of source.
pkg/broker/resources.go:82
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences Dockerfile FROM `golang:1.26.4` not pinned by digest
`FROM golang:1.26.4` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Dockerfile:2, 23 (2 hits)
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 17 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `golangci/golangci-lint-action` pinned to mutable ref `@v9` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
7 files, 17 locations
.github/workflows/slack.yaml:21, 36 (4 hits)
.github/workflows/integration-tests-ci.yml:47, 49 (3 hits)
.github/workflows/approve-to-run-ci.yml:22 (2 hits)
.github/workflows/build-and-release.yml:21 (2 hits)
.github/workflows/error-ref-publisher.yaml:37 (2 hits)
.github/workflows/label-commenter.yml:26 (2 hits)
.github/workflows/release-drafter.yml:22 (2 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
high Security checks cicd CI/CD security conf 0.90 ✓ Repobility 3 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@master` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 3 locations
.github/workflows/build-and-release.yml:17
.github/workflows/label-commenter.yml:21
.github/workflows/newcomer-alert.yml:16
Tags: CI/CD security · Supply chain · GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 25 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
3 files, 25 locations
.github/workflows/approve-to-run-ci.yml:15, 16, 30, 32, 47, 49, 68, 70 (15 hits)
.github/workflows/error-ref-publisher.yaml:20, 27, 48 (5 hits)
.github/workflows/integration-tests-ci.yml:39, 43, 66 (5 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 github.com/containerd/containerd: GHSA-fqw6-gf59-qr4w
containerd user ID handling bypass allows runAsNonRoot evasion
go.mod
high Security checks software dependencies conf 0.88 github.com/jackc/pgx/v5: GO-2026-4771
CVE-2026-33815 in github.com/jackc/pgx
go.mod
high Security checks software dependencies conf 0.88 github.com/moby/spdystream: GO-2026-4958
Uncontrolled resource consumption when parsing SPDY frames in github.com/moby/spdystream
go.mod
high Security checks software dependencies conf 0.88 go.opentelemetry.io/otel: GHSA-mh2q-q3fh-2475
OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5005
Key constraints not enforced in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5006
Agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5013
Byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5014
Bypass of certificate restrictions in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5015
Server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5016
Memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5017
Client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5018
Pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5019
Bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5020
Infinite loop on large channel writes in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5021
Auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5023
VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5033
Pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5025
Incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5026
Failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5027
Incorrect handling of HTML elements in foreign content in golang.org/x/net/html
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5028
Denial of service when parsing arbitrary HTML in golang.org/x/net/html
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5029
Incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5030
Duplicate attributes can cause XSS in golang.org/x/net/html
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/sys: GO-2026-5024
Integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
go.mod
high System graph cicd CI/CD security conf 1.00 GitHub Action tracks a moving branch
pullreminders/slack-action@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/newcomer-alert.yml:16
Tags: CI/CD security · Supply chain · GitHub Actions
high System graph cicd CI/CD security conf 1.00 GitHub Action tracks a moving branch
actions/checkout@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-and-release.yml:17
Tags: CI/CD security · Supply chain · GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore
Tags: CI/CD security · containers
medium Security checks software dependencies conf 0.88 helm.sh/helm/v3: GHSA-hr2v-4r36-88hr
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
go.mod
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/error-ref-publisher.yaml
Tags: CI/CD security · Supply chain · GitHub Actions
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
Tags: auth
low Security checks quality Quality conf 0.60 7 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
6 files, 7 locations
pkg/meshsync/meshsync.go:1, 45 (2 hits)
api/v1alpha1/meshsync_types.go:1
controllers/error.go:1
controllers/meshsync_controller.go:1
pkg/meshsync/error.go:12
pkg/meshsync/resources.go:1
Tags: duplication · quality
low Security checks software dependencies conf 0.88 github.com/jackc/pgx/v5: GHSA-j88v-2chj-qfwx
pgx: SQL Injection via placeholder confusion with dollar quoted string literals
go.mod
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: gcr.io/distroless/static:nonroot
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:23
Tags: containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: golang:1.26.4
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:2
Tags: containers · Pinned dependencies
API access

This page is publicly accessible at: https://repobility.com/scan/bc4addc2-37af-4ccb-a213-bcdbcd3c7240/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/bc4addc2-37af-4ccb-a213-bcdbcd3c7240/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.