Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
71 of your 259 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 12.57s · analysis 42.28s · 22.6 MB · GitHub preflight 406ms

skyhook-io/radar

https://github.com/skyhook-io/radar · scanned 2026-06-05 22:31 UTC (4 days, 4 hours ago) · 10 languages

874 raw signals (246 security + 628 graph) 15th percentile · Typescript · large (100-500K LoC)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 4 hours ago · v2 · 390 actionable findings from 2 signal sources. 170 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
62.9
/100
Security checks
60
117 findings
System graph
66
100.0% cov · 273 findings
Critical
3
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 30.7 0.25 7.67
testing_score 75.0 0.20 15.00
documentation_score 82.0 0.15 12.30
practices_score 90.0 0.15 13.50
code_quality 36.0 0.10 3.60
Overall 1.00 64.8
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 3 High 78 Medium 26 Low 90 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 117 System graph 273 Crowd 0 Layer: Security 30 Quality 148 Software 113 Cicd 4 Api 1 Frontend 89 Network 2 Hardware 3
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Ranks in the 8th percentile among small-sized repos. Strongest documentation (61), dependencies (60); weakest testing (35), security (40). 75 findings (16 critical, 4 high). Most common pattern: ts-any-typed. ~101h tech debt (rating C).

Showing 195 of 390 actionable findings. 560 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical System graph security Secrets conf 1.00 Possible secret in packages/k8s-ui/src/components/resources/resource-utils-eso.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
packages/k8s-ui/src/components/resources/resource-utils-eso.ts:19
low Security checks quality Quality conf 1.00 ✓ Repobility [MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context.
internal/version/version.go:300
high Security checks software dependencies conf 0.90 ✓ Repobility 4 occurrences Dockerfile FROM `node:20-alpine` not pinned by digest
`FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
lines 11, 29, 64, 83
Dockerfile:11, 29, 64, 83 (4 hits)
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5005
Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5006
Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5013
Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5014
Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5015
Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5016
Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5017
Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5018
Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5019
Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5020
Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5021
Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5023
Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5033
Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
pkg/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5025
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
pkg/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5026
Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
pkg/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5027
Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
pkg/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5028
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
pkg/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5029
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
pkg/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5030
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
pkg/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/sys: GO-2026-5024
Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4599
Incorrect enforcement of email constraints in crypto/x509
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4600
Panic in name constraint checking for malformed certificates in crypto/x509
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4601
Incorrect parsing of IPv6 host literals in net/url
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4602
FileInfo can escape from a Root in os
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4603
URLs in meta content attribute actions are not escaped in html/template
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4864
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4866
Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4869
Unbounded allocation for old GNU sparse in archive/tar
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4946
Inefficient policy validation in crypto/x509
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4947
Unexpected work during chain building in crypto/x509
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4971
Panic in Dial and LookupPort when handling NUL byte on Windows in net
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4976
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4977
Quadratic string concatenation in consumePhrase in net/mail
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4980
Escaper bypass leads to XSS in html/template
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4981
Crash when handling long CNAME response in net
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4982
Bypass of meta content URL escaping causes XSS in html/template
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4986
Quadratic string concatentation in consumeComment in net/mail
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-5037
Inefficient candidate hostname parsing in crypto/x509
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-5038
Quadratic complexity in WordDecoder.DecodeHeader in mime
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-5039
Arbitrary inputs are included in errors without any escaping in net/textproto
2 files, 2 locations
go.mod
pkg/go.mod
high Security checks security prompt injection conf 0.80 User-editable role instructions are inserted into the system prompt
Fleet or role instructions that users can edit should be treated as untrusted configuration. Prepending them to every system prompt lets stored text override runtime behavior.
packages/k8s-ui/src/components/resources/ResourcesView.tsx:1786
high System graph security security conf 1.00 Insecure pattern 'exec_used' in deploy/helm/radar/values.schema.json:50
Found a known-risky pattern (exec_used). Review and replace if possible.
deploy/helm/radar/values.schema.json:50 Exec used
high System graph security security conf 1.00 Insecure pattern 'exec_used' in internal/k8s/capabilities.go:76
Found a known-risky pattern (exec_used). Review and replace if possible.
internal/k8s/capabilities.go:76 Exec used
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 13.9% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Only 13.9% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /gitops/managed-resources.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /gitops/managed-resources.
internal/server/server.go:274
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /include_managed.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /include_managed.
internal/server/server.go:2338
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /namespace.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /namespace.
internal/server/traffic_handlers.go:102
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings.
internal/server/server.go:478
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/audit.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/audit.
internal/server/server.go:318
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /settings.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /settings.
internal/server/server.go:479
high Security checks security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /settings/audit.
An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /settings/audit.
internal/server/server.go:319
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /releases/{namespace}/{name}.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /releases/{namespace}/{name}.
internal/helm/handlers.go:63
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /charts.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /charts.
internal/helm/handlers.go:68
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /repositories.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /repositories.
internal/helm/handlers.go:66
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /releases/{namespace}/{name}/rollback-stream.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /releases/{namespace}/{name}/rollback-stream.
internal/helm/handlers.go:58
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /releases/{namespace}/{name}/rollback.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /releases/{namespace}/{name}/rollback.
internal/helm/handlers.go:57
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /releases/{namespace}/{name}/upgrade-stream.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /releases/{namespace}/{name}/upgrade-stream.
internal/helm/handlers.go:60
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /releases/{namespace}/{name}/upgrade.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /releases/{namespace}/{name}/upgrade.
internal/helm/handlers.go:59
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /releases/{namespace}/{name}/values/preview.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /releases/{namespace}/{name}/values/preview.
internal/helm/handlers.go:61
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /repositories/{name}/update.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /repositories/{name}/update.
internal/helm/handlers.go:67
high Security checks security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PUT /releases/{namespace}/{name}/values.
A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PUT /releases/{namespace}/{name}/values.
internal/helm/handlers.go:62
medium Security checks quality Error handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
packages/k8s-ui/src/components/dock/NodeTerminalTab.tsx:75
medium Security checks security Security conf 1.00 [SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.
Use 0600 (owner rw only) for secrets, 0644 for general files, 0700 for directories with secrets. Java: `setReadable(true, true)` (owner-only).
internal/updater/apply_linux.go:68
medium Security checks quality Quality conf 0.74 Audit export may include unredacted sensitive metadata
Audit logs can be useful live state, but exported debug bundles should redact user messages, transcripts, connector payloads, and large metadata values before sharing.
packages/k8s-ui/src/types/core.ts:6
high Security checks quality Quality conf 0.80 5 occurrences localStorage write failures are swallowed silently
localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota.
5 files, 5 locations
packages/k8s-ui/src/components/logs/LogCore.tsx:155
packages/k8s-ui/src/components/resources/ResourcesView.tsx:1674
web/src/api/client.ts:1412
web/src/components/ui/UpdateNotification.tsx:78
web/src/hooks/useFavorites.ts:24
medium Security checks software dependencies conf 0.90 2 occurrences npm package `@types/diff` is 1 major version(s) behind (7.0.2 -> 8.0.0)
`@types/diff` is pinned/resolved at 7.0.2 but the latest stable release on the npm registry is 8.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
packages/k8s-ui/package.json
web/package.json
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
install.sh:3
high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
README.md:27
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/k8s-ui/src/components/logs/LogCore.tsx:930
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — packages/k8s-ui/src/utils/log-format.ts:104
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/k8s-ui/src/components/resources/renderers/NamespaceRenderer.tsx:14
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/k8s-ui/src/components/resources/renderers/PodRenderer.tsx:88
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/k8s-ui/src/components/resources/renderers/RoleBindingRenderer.tsx:18
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/k8s-ui/src/components/resources/renderers/RoleRenderer.tsx:11
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/k8s-ui/src/components/resources/renderers/ServiceAccountRenderer.tsx:117
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/k8s-ui/src/components/resources/renderers/WorkloadRenderer.tsx:27
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/api/config.ts:100
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/components/gitops/GitOpsView.tsx:885
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/components/helm/OwnedResources.tsx:321
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/components/home/MCPSetupDialog.tsx:78
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/components/portforward/PortForwardManager.tsx:89
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/components/resources/ImageFilesystemModal.tsx:639
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/components/resources/ResourcesView.tsx:96
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — web/src/context/ConnectionContext.tsx:32
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph cicd CI/CD security conf 1.00 19 occurrences GitHub Action is tag-pinned rather than SHA-pinned
azure/setup-helm@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
5 files, 19 locations
.github/workflows/codeql.yml:36, 42, 45 (6 hits)
.github/workflows/release.yml:51, 71, 115, 118, 121, 137 (6 hits)
.github/workflows/docker-build.yml:25, 28, 35 (3 hits)
.github/workflows/ci.yml:104, 139 (2 hits)
.github/workflows/release-desktop.yml:57 (2 hits)
CI/CD securitySupply chainGitHub Actions
medium System graph cicd CI/CD security conf 1.00 5 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
5 files, 5 locations
.github/workflows/docker-build.yml
.github/workflows/publish-k8s-ui.yml
.github/workflows/publish-radar-app.yml
.github/workflows/release-desktop.yml
.github/workflows/release.yml
CI/CD securitySupply chainGithub actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in packages/k8s-ui/src/components/logs/LogCore.tsx:930
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
packages/k8s-ui/src/components/logs/LogCore.tsx:930 Dangerous innerhtml
medium System graph network Security conf 1.00 Privileged port 256 in use
Port 256 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
deploy/krew/radar.yaml Ports
medium System graph network Security conf 1.00 Privileged port 36 in use
Port 36 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
deploy/krew/radar.yaml Ports
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
.dockerignore exists but does not cover common secret or VCS patterns.
.dockerignore CI/CD securitycontainers
low Security checks quality Error handling conf 1.00 3 occurrences [ERR003] Ignored Error (Go): Ignoring error return values.
Handle the error or use errcheck linter.
3 files, 3 locations
cmd/desktop/main.go:58
internal/cloud/serve.go:35
internal/k8s/detect_capi.go:111
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 15 locations
packages/k8s-ui/src/components/resources/renderers/CAPIMachineRenderer.tsx:94, 121 (2 hits)
packages/k8s-ui/src/components/resources/renderers/CAPIMachineSetRenderer.tsx:38, 54 (2 hits)
packages/k8s-ui/src/components/resources/renderers/HelmRepositoryRenderer.tsx:25, 99 (2 hits)
internal/k8s/detect_missing_refs.go:36
internal/mcp/tools_diagnose.go:289
internal/search/provider.go:9
internal/server/ai_handlers.go:28
internal/server/github_star.go:60
duplicationquality
low Security checks quality Quality conf 0.70 Generated build artifact directory is present at repository root
Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate.
build:1
high Security checks software dependencies conf 0.90 9 occurrences GitHub Action `actions/setup-go@v6` is minor version(s) behind (latest v6.4.0)
`uses: actions/setup-go@v6` is minor version(s) behind the latest published release v6.4.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
6 files, 9 locations
.github/workflows/ci.yml:20, 60 (2 hits)
.github/workflows/release-desktop.yml:19, 24 (2 hits)
.github/workflows/release.yml:39, 44 (2 hits)
.github/workflows/codeql.yml:31
.github/workflows/publish-k8s-ui.yml:30
.github/workflows/publish-radar-app.yml:37
high Security checks software dependencies conf 0.90 GitHub Action `goreleaser/goreleaser-action@v7` is minor version(s) behind (latest v7.2.2)
`uses: goreleaser/goreleaser-action@v7` is minor version(s) behind the latest published release v7.2.2. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverag…
.github/workflows/release.yml:51
high Security checks software dependencies conf 0.90 GitHub Action `helmfile/[email protected]` is minor version(s) behind (latest v2.4.4)
`uses: helmfile/[email protected]` is minor version(s) behind the latest published release v2.4.4. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverag…
.github/workflows/ci.yml:139
low Security checks software dependencies conf 0.90 npm package `@tanstack/react-query` is minor version(s) behind (5.100.14 -> 5.101.0)
`@tanstack/react-query` is pinned/resolved at 5.100.14 but the latest stable release on the npm registry is 5.101.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs …
web/package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `@xyflow/react` is minor version(s) behind (12.10.2 -> 12.11.0)
`@xyflow/react` is pinned/resolved at 12.10.2 but the latest stable release on the npm registry is 12.11.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
packages/k8s-ui/package.json
web/package.json
low Security checks software dependencies conf 0.90 2 occurrences npm package `shiki` is minor version(s) behind (4.0.2 -> 4.2.0)
`shiki` is pinned/resolved at 4.0.2 but the latest stable release on the npm registry is 4.2.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
2 files, 2 locations
packages/k8s-ui/package.json
web/package.json
high Security checks quality Quality conf 0.62 Source file name looks like an AI patch artifact
Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area.
internal/server/desktop_update.go:1
low System graph hardware Supply chain conf 1.00 2 occurrences Docker base image is tag-pinned but not digest-pinned: gcr.io/distroless/static-debian12:nonroot
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
lines 64, 83
Dockerfile:64, 83 (2 hits)
containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: golang:1.26-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:29 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:11 containersPinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/charts/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/compare/normalize.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/compare/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/compare/url.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/resources/get-pod-phase-display.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/resources/renderers/KarpenterNodePoolRenderer.test.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/resources/renderers/PodRenderer.test.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/resources/renderers/WorkloadRenderer.test.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/resources/resource-utils-cnpg.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/resources/resource-utils-crossplane.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/resources/resources-column-filter.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/resources/summarize-scheduler-message.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/topology/layout.worker.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/ui/status-tone.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/components/ui/tooltip-position.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/types/gitops-insights.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/types/gitops-tree.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/types/rbac.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/utils/context-name.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/utils/git-provider-urls.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/utils/gitops-owner.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/utils/helm-status.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/utils/parse-go-time.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/utils/pluralize.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/utils/validators.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: packages/k8s-ui/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/playwright.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/postcss.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/components/dock/DockContext.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/components/ui/ConfirmDialog.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/components/ui/ForceDeleteConfirmDialog.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/components/ui/ResourceBar.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/components/ui/Toast.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/components/ui/Tooltip.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/components/ui/YamlEditor.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/monaco-deep.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/monaco-setup.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/types/gitops.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/utils/animation.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/utils/badge-colors.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/utils/context-name.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/utils/format.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/utils/log-format.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/utils/resource-hierarchy.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/utils/resource-icons.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/utils/skeleton-yaml.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: web/vite.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph cicd CI/CD security conf 1.00 44 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-go@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
6 files, 44 locations
.github/workflows/release-desktop.yml:16, 19, 24, 113, 139, 142, 147, 198, +7 more (27 hits)
.github/workflows/ci.yml:20, 40, 60, 84 (4 hits)
.github/workflows/release.yml:39, 44, 61, 103 (4 hits)
.github/workflows/codeql.yml:27, 31 (3 hits)
.github/workflows/publish-k8s-ui.yml:20, 30 (3 hits)
.github/workflows/publish-radar-app.yml:27, 37 (3 hits)
CI/CD securitySupply chainGitHub Actions
low System graph frontend Frontend quality conf 1.00 Icon-only button without accessible name — web/src/App.tsx:1848
A `<button>` whose only child is a single glyph or symbol needs `title=` or `aria-label=` so screen readers (and tooltips on hover) work. Why: P3 in CHECKLIST.md — icon-only buttons skipped a title. Rule id: fq.button.no-label
Fq button no label
low System graph quality Tests conf 1.00 Low test-to-source ratio
206 tests / 897 src (ratio 0.23).
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — packages/k8s-ui/src/components/ui/Toast.tsx:62
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — web/src/api/client.ts:2893
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — web/src/App.tsx:731
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — web/src/components/resource-drawer/ResourceDrawer.tsx:203
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — web/src/hooks/useEventSource.ts:100
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Complexity conf 1.00 Very large file: internal/helm/client.go (2885 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: internal/issues/issues_test.go (1347 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: internal/k8s/detect_test.go (1666 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: internal/k8s/history.go (2515 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: internal/mcp/tools.go (2744 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: internal/server/dashboard.go (1908 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: internal/server/server.go (3639 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/k8s-ui/src/components/gitops/GitOpsTableView.tsx (1937 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/k8s-ui/src/components/gitops/insights/GitOpsInsightViews.tsx (1456 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/k8s-ui/src/components/resources/resource-utils.ts (1904 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/k8s-ui/src/components/resources/ResourcesView.tsx (6501 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/k8s-ui/src/components/timeline/TimelineSwimlanes.tsx (1320 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/k8s-ui/src/components/topology/TopologyGraph.tsx (1460 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: packages/k8s-ui/src/components/workload/WorkloadView.tsx (1261 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: pkg/audit/checks_test.go (1789 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: pkg/gitops/insights/insights.go (1725 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: pkg/k8score/cache.go (1498 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: pkg/topology/builder.go (7930 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: web/src/api/client.ts (3306 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: web/src/App.tsx (2066 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: web/src/components/traffic/TrafficGraph.tsx (1550 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
high Security checks software dependencies conf 0.90 7 occurrences GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)
`uses: actions/checkout@v6` is patch version(s) behind the latest published release v6.0.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
7 files, 7 locations
.github/workflows/ci.yml:17
.github/workflows/codeql.yml:27
.github/workflows/docker-build.yml:22
.github/workflows/publish-k8s-ui.yml:20
.github/workflows/publish-radar-app.yml:27
.github/workflows/release-desktop.yml:16
.github/workflows/release.yml:23
high Security checks software dependencies conf 0.90 GitHub Action `actions/download-artifact@v8` is patch version(s) behind (latest v8.0.1)
`uses: actions/download-artifact@v8` is patch version(s) behind the latest published release v8.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage f…
.github/workflows/release.yml:103
high Security checks software dependencies conf 0.90 GitHub Action `actions/download-artifact@v8` is patch version(s) behind (latest v8.0.1)
`uses: actions/download-artifact@v8` is patch version(s) behind the latest published release v8.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage f…
.github/workflows/release-desktop.yml:330
high Security checks software dependencies conf 0.90 GitHub Action `actions/upload-artifact@v7` is patch version(s) behind (latest v7.0.1)
`uses: actions/upload-artifact@v7` is patch version(s) behind the latest published release v7.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/release.yml:61
high Security checks software dependencies conf 0.90 GitHub Action `actions/upload-artifact@v7` is patch version(s) behind (latest v7.0.1)
`uses: actions/upload-artifact@v7` is patch version(s) behind the latest published release v7.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/release-desktop.yml:113
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/bcdc3430-6099-4232-a0a7-f9df8ed4e7f0/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/bcdc3430-6099-4232-a0a7-f9df8ed4e7f0/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.