34 of your 92 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 5.63s · analysis 25.37s · 18.7 MB · GitHub preflight 604ms

WerWolv/ImHex

https://github.com/WerWolv/ImHex · scanned 2026-06-05 11:06 UTC (5 days, 12 hours ago) · 10 languages

203 raw signals (91 security + 112 graph) · 38th percentile · Cpp · large (100-500K LoC) · System graph score 91 (lower by 32)


Complete repo analysis

Last scanned 5 days, 12 hours ago · v2 · 47 actionable findings from 2 signal sources. 100 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 65.0 | 0.15 | 9.75 |
| security_score | 59.6 | 0.25 | 14.90 |
| testing_score | 20.0 | 0.20 | 4.00 |
| documentation_score | 85.0 | 0.15 | 12.75 |
| practices_score | 74.0 | 0.15 | 11.10 |
| code_quality | 63.7 | 0.10 | 6.37 |
| Overall | | 1.00 | 58.9 |
Active filters: excluding tests
Scan summary: Quality grade C (59/100). Dimensions: security 60, maintainability 65. 91 findings (50 security). 103,121 lines analyzed.

Showing 37 of 47 actionable findings. 147 raw detector signals were grouped into reader-sized issues.

critical Security checks security secrets conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
lib/third_party/imgui/imgui/source/imgui.cpp:4507
critical Security checks security secrets conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
lib/third_party/imgui/imnodes/README.md:6
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
plugins/builtin/source/content/tools/file_tool_combiner.cpp:128
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 37 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
7 files, 37 locations
.github/workflows/build.yml:51, 74, 164, 171, 180, 206, 237, 266, +5 more (13 hits)
.github/workflows/release.yml:24, 81, 138, 148, 194 (9 hits)
.github/workflows/analysis.yml:19, 36 (4 hits)
.github/workflows/dl-cache.yml:18, 43 (4 hits)
.github/workflows/tests.yml:27, 98 (4 hits)
.github/workflows/nightly_release.yml:17 (2 hits)
.github/workflows/stale_issues.yml:15
CI/CD security · Supply chain · GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 37 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `github/codeql-action/init` pinned to mutable ref `@v2` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
6 files, 37 locations
.github/workflows/release.yml:42, 53, 64, 105, 161, 173, 219, 268, +1 more (13 hits)
.github/workflows/nightly_release.yml:43, 114, 124, 140 (8 hits)
.github/workflows/analysis.yml:24, 29, 66 (6 hits)
.github/workflows/build.yml:56, 64, 242, 247, 255, 348 (6 hits)
.github/workflows/dl-cache.yml:35 (2 hits)
.github/workflows/tests.yml:32 (2 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.90 ✓ Repobility 5 occurrences Workflow container/services image `ubuntu:24.04` unpinned
`container/services image: ubuntu:24.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
.github/workflows/build.yml:652, 655, 658, 821, 940 (5 hits)
high System graph cicd CI/CD security conf 1.00 GitHub Action tracks a moving branch
lukka/get-cmake@latest can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build.yml:263 · CI/CD security · Supply chain · Github actions
medium Security checks cicd CI/CD security conf 0.94 Compose service `imhex_web` image uses the latest tag
The latest tag is mutable and can change without a code review, producing different images from the same source.
dist/web/compose.yml:2 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
dist/web/Dockerfile:108 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
dist/Arch/Dockerfile:1 · CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.94 Dockerfile base image uses the latest tag
The latest tag is mutable and can change without a code review, producing different images from the same source.
dist/Arch/Dockerfile:1 · CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.76 3 occurrences Dockerfile copies broad context with incomplete .dockerignore
COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts.
2 files, 3 locations
dist/web/Dockerfile:87, 109 (2 hits)
dist/AppImage/Dockerfile:27
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.86 Dockerfile separates apt update from install
Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable.
dist/web/Dockerfile:7 · CI/CD security · containers
high Security checks software dependencies conf 0.90 GitHub Action `actions/attest-build-provenance@v2` is 2 major version(s) behind (latest v4.1.0)
`uses: actions/attest-build-provenance@v2` is 2 major version(s) behind the latest published release v4.1.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no co…
.github/workflows/build.yml:164
high Security checks software dependencies conf 0.90 GitHub Action `actions/cache@v4` is 1 major version(s) behind (latest v5.0.5)
`uses: actions/cache@v4` is 1 major version(s) behind the latest published release v5.0.5. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/analysis.yml:36
high Security checks software dependencies conf 0.90 6 occurrences GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)
`uses: actions/checkout@v4` is 2 major version(s) behind the latest published release v6.0.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
6 files, 6 locations
.github/workflows/analysis.yml:19
.github/workflows/build.yml:51
.github/workflows/dl-cache.yml:18
.github/workflows/nightly_release.yml:17
.github/workflows/release.yml:24
.github/workflows/tests.yml:27
high Security checks software dependencies conf 0.90 GitHub Action `actions/setup-dotnet@v4` is 1 major version(s) behind (latest v5.3.0)
`uses: actions/setup-dotnet@v4` is 1 major version(s) behind the latest published release v5.3.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/build.yml:74
high Security checks software dependencies conf 0.90 GitHub Action `actions/stale@v5` is 5 major version(s) behind (latest v10.3.0)
`uses: actions/stale@v5` is 5 major version(s) behind the latest published release v10.3.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/stale_issues.yml:15
high Security checks software dependencies conf 0.90 3 occurrences GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)
`uses: actions/upload-artifact@v4` is 3 major version(s) behind the latest published release v7.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage f…
3 files, 3 locations
.github/workflows/build.yml:171
.github/workflows/dl-cache.yml:43
.github/workflows/release.yml:138
high Security checks software dependencies conf 0.90 GitHub Action `dawidd6/action-download-artifact@v6` is 15 major version(s) behind (latest v21)
`uses: dawidd6/action-download-artifact@v6` is 15 major version(s) behind the latest published release v21. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no cov…
.github/workflows/release.yml:105
high Security checks software dependencies conf 0.90 GitHub Action `dawidd6/action-download-artifact@v6` is 15 major version(s) behind (latest v21)
`uses: dawidd6/action-download-artifact@v6` is 15 major version(s) behind the latest published release v21. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no cov…
.github/workflows/nightly_release.yml:43
high Security checks software dependencies conf 0.90 GitHub Action `KSXGitHub/github-actions-deploy-aur@v2` is 2 major version(s) behind (latest v4.1.3)
`uses: KSXGitHub/github-actions-deploy-aur@v2` is 2 major version(s) behind the latest published release v4.1.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had n…
.github/workflows/release.yml:219
high Security checks software dependencies conf 0.90 GitHub Action `signpath/github-action-submit-signing-request@v1` is 1 major version(s) behind (latest v2)
`uses: signpath/github-action-submit-signing-request@v1` is 1 major version(s) behind the latest published release v2. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility…
.github/workflows/release.yml:161
medium System graph cicd CI/CD security conf 1.00 3 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
3 files, 3 locations
.github/workflows/build.yml
.github/workflows/nightly_release.yml
.github/workflows/release.yml
CI/CD security · Supply chain · Github actions
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
dist/web/compose.yml:2 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
dist/web/compose.yml:2 · CI/CD security · containers
low Security checks cicd CI/CD security conf 0.72 Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
dist/web/Dockerfile:8 · CI/CD security · containers
low Security checks quality Quality conf 0.60 9 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
9 files, 9 locations
main/gui/source/window/platform/web.cpp:80
plugins/builtin/source/content/providers/motorola_srec_provider.cpp:20
plugins/builtin/source/content/views/view_pattern_data.cpp:228
plugins/disassembler/source/content/pl_builtin_types.cpp:8
plugins/ui/include/popups/popup_notification.hpp:18
plugins/ui/include/popups/popup_question.hpp:22
plugins/ui/include/popups/popup_text_input.hpp:28
plugins/ui/include/ui/pattern_value_editor.hpp:11
duplication · quality
low Security checks quality Quality conf 0.70 Generated build artifact directory is present at repository root
Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate.
dist:1
high Security checks software dependencies conf 0.90 3 occurrences GitHub Action `hendrikmuhs/ccache-action@v1` is minor version(s) behind (latest v1.2.23)
`uses: hendrikmuhs/ccache-action@v1` is minor version(s) behind the latest published release v1.2.23. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage …
3 files, 3 locations
.github/workflows/analysis.yml:29
.github/workflows/build.yml:56
.github/workflows/tests.yml:32
high Security checks software dependencies conf 0.90 GitHub Action `msys2/setup-msys2@v2` is minor version(s) behind (latest v2.31.1)
`uses: msys2/setup-msys2@v2` is minor version(s) behind the latest published release v2.31.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/build.yml:64
high Security checks software dependencies conf 0.90 GitHub Action `ncipollo/release-action@v1` is minor version(s) behind (latest v1.21.0)
`uses: ncipollo/release-action@v1` is minor version(s) behind the latest published release v1.21.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage fo…
.github/workflows/release.yml:42
high Security checks software dependencies conf 0.90 GitHub Action `snapcore/action-publish@v1` is minor version(s) behind (latest v1.2.0)
`uses: snapcore/action-publish@v1` is minor version(s) behind the latest published release v1.2.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/release.yml:268
high Security checks software dependencies conf 0.90 GitHub Action `snapcore/action-publish@v1` is minor version(s) behind (latest v1.2.0)
`uses: snapcore/action-publish@v1` is minor version(s) behind the latest published release v1.2.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/nightly_release.yml:114
high Security checks software dependencies conf 0.90 GitHub Action `peter-evans/repository-dispatch@v4` is patch version(s) behind (latest v4.0.1)
`uses: peter-evans/repository-dispatch@v4` is patch version(s) behind the latest published release v4.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no cove…
.github/workflows/nightly_release.yml:140
API access

This page is publicly accessible at: https://repobility.com/scan/bc7155d7-e326-40f1-a0ed-b5e05fd81bad/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/bc7155d7-e326-40f1-a0ed-b5e05fd81bad/
