Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
29 of your 107 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.52s · analysis 7.8s · 0.8 MB · GitHub API rate-limit (preflight)

terraform-google-modules/terraform-google-project-factory

https://github.com/terraform-google-modules/terraform-google-project-factory · scanned 2026-06-05 22:56 UTC (4 days ago) · 10 languages

131 raw signals (103 security + 28 graph) System graph score 98 (lower by 28)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days ago · v2 · 82 actionable findings from 2 signal sources. 12 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
76.5
/100
Security checks
55
74 findings
System graph
98
88.9% cov · 8 findings
Critical
0
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 40.0 0.15 6.00
security_score 55.0 0.25 13.75
testing_score 90.0 0.20 18.00
documentation_score 97.0 0.15 14.55
practices_score 65.0 0.15 9.75
code_quality 76.3 0.10 7.62
Overall 1.00 69.7
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 0 High 66 Medium 6 Low 6 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 74 System graph 8 Crowd 0 Layer: Software 67 Quality 10 Cicd 1 Api 1 Hardware 1 Frontend 1 Security 1
Scan summary Quality grade B- (70/100). Dimensions: security 55, maintainability 40. 103 findings (70 security). 3,056 lines analyzed.

Showing 15 of 82 actionable findings. 94 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 1.00 ✓ Repobility `self.targets` used but never assigned in __init__
Method `moves` of class `ProjectServicesMigration` reads `self.targets`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
helpers/migrate4.py:51
high Security checks quality Quality conf 1.00 ✓ Repobility `self.targets` used but never assigned in __init__
Method `moves` of class `GSuiteMigration` reads `self.targets`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
helpers/migrate.py:143
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 4 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` pinned to mutable ref `@v6` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
2 files, 4 locations
.github/workflows/lint.yaml:61, 65 (3 hits)
.github/workflows/stale.yml:34
CI/CD securitySupply chainGitHub Actions
high Security checks software dependencies conf 0.88 requests: PYSEC-2023-74
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent …
helpers/preconditions/requirements.txt
medium Security checks software dependencies conf 0.88 requests: GHSA-9hjg-9r4m-mvj7
Requests vulnerable to .netrc credentials leak via malicious URLs
helpers/preconditions/requirements.txt
medium Security checks software dependencies conf 0.88 requests: GHSA-9wx4-h78v-vm56
Requests `Session` object does not verify requests after making first request with verify=False
helpers/preconditions/requirements.txt
medium Security checks software dependencies conf 0.88 requests: GHSA-gc5v-m9x4-r6x2
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
helpers/preconditions/requirements.txt
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — helpers/migrate.py:305
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — helpers/migrate4.py:233
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
low Security checks quality Quality conf 0.60 5 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
5 files, 5 locations
helpers/migrate4.py:53
test/integration/full/controls/shared-vpc.rb:18
test/integration/minimal/controls/minimal.rb:40
test/integration/shared_vpc_no_subnets/controls/gcloud.rb:8
test/integration/vpc_sc_project/controls/vpc_sc_project.rb:11
duplicationquality
low Security checks quality Quality conf 0.70 Generated build artifact directory is present at repository root
Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate.
build:1
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph quality Integrity conf 1.00 6 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: helpers/migrate.py:has_resource, helpers/migrate4.py:has_resource This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
6 occurrences
repo-level (6 hits)
duplicatesduplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 5 places
Functions with the same first-5-line body hash: helpers/preconditions/preconditions.py:validate, helpers/preconditions/preconditions.py:validate, helpers/preconditions/preconditions.py:validate, helpers/preconditions/preconditions.py:validate This is *the* AI-coder failure mode (4× more duplicatio…
duplicatesduplication
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/be5d5d5d-c671-4215-9637-667cc16b6a20/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/be5d5d5d-c671-4215-9637-667cc16b6a20/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.