File as GitHub Issue repo: dotnet/runtime

Push this scan report to dotnet/runtime

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
CRIT MINED107 [MINED107] Missing import: `os` used but not imported: The file uses `os.something(...)` … src/coreclr/scripts/superpmi_diffs.py:109
CRIT MINED107 [MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)… src/coreclr/scripts/genDummyProvider.py:172
CRIT MINED107 [MINED107] Missing import: `argparse` used but not imported: The file uses `argparse.some… src/coreclr/scripts/genDummyProvider.py:144
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_PAT_0` on a `pull_request` trigger: This workfl… .github/workflows/code-review.lock.yml:1317
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This w… .github/workflows/code-review.lock.yml:1060
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This w… .github/workflows/code-review.lock.yml:1027
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This w… .github/workflows/code-review.lock.yml:1013
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This w… .github/workflows/code-review.lock.yml:999
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This w… .github/workflows/code-review.lock.yml:983
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This w… .github/workflows/code-review.lock.yml:809
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trig… .github/workflows/code-review.lock.yml:808
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_PAT_9` on a `pull_request` trigger: This workfl… .github/workflows/code-review.lock.yml:807
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_PAT_8` on a `pull_request` trigger: This workfl… .github/workflows/code-review.lock.yml:806
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_PAT_7` on a `pull_request` trigger: This workfl… .github/workflows/code-review.lock.yml:805
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_PAT_6` on a `pull_request` trigger: This workfl… .github/workflows/code-review.lock.yml:804
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_PAT_5` on a `pull_request` trigger: This workfl… .github/workflows/code-review.lock.yml:803
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_PAT_4` on a `pull_request` trigger: This workfl… .github/workflows/code-review.lock.yml:802
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_PAT_3` on a `pull_request` trigger: This workfl… .github/workflows/code-review.lock.yml:801
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_PAT_2` on a `pull_request` trigger: This workfl… .github/workflows/code-review.lock.yml:800
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_PAT_1` on a `pull_request` trigger: This workfl… .github/workflows/code-review.lock.yml:799
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_PAT_0` on a `pull_request` trigger: This workfl… .github/workflows/code-review.lock.yml:798
CRIT MINED116 [MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This… .github/workflows/code-review.lock.yml:797
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trig… .github/workflows/code-review.lock.yml:745
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trig… .github/workflows/code-review.lock.yml:625
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trig… .github/workflows/code-review.lock.yml:436
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This w… .github/workflows/code-review.lock.yml:435
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trig… .github/workflows/code-review.lock.yml:419
CRIT MINED116 [MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trig… .github/workflows/code-review.lock.yml:417
HIGH MINED108 [MINED108] `self.target` used but never assigned in __init__: Method `parse_args` of clas… src/mono/mono/offsets/offsets-tool.py:121
HIGH MINED108 [MINED108] `self.sys_includes` used but never assigned in __init__: Method `parse_args` o… src/mono/mono/offsets/offsets-tool.py:120
HIGH MINED108 [MINED108] `self.target` used but never assigned in __init__: Method `parse_args` of clas… src/mono/mono/offsets/offsets-tool.py:236
HIGH MINED108 [MINED108] `self.target_args` used but never assigned in __init__: Method `parse_args` of… src/mono/mono/offsets/offsets-tool.py:234
HIGH MINED108 [MINED108] `self.target_args` used but never assigned in __init__: Method `parse_args` of… src/mono/mono/offsets/offsets-tool.py:233
HIGH MINED108 [MINED108] `self.sys_includes` used but never assigned in __init__: Method `parse_args` o… src/mono/mono/offsets/offsets-tool.py:115
HIGH MINED108 [MINED108] `self.args` used but never assigned in __init__: Method `parse_args` of class … src/mono/mono/offsets/offsets-tool.py:240
HIGH MINED108 [MINED108] `self.target_args` used but never assigned in __init__: Method `parse_args` of… src/mono/mono/offsets/offsets-tool.py:111
HIGH MINED108 [MINED108] `self.target` used but never assigned in __init__: Method `parse_args` of clas… src/mono/mono/offsets/offsets-tool.py:110
HIGH MINED108 [MINED108] `self.sys_includes` used but never assigned in __init__: Method `parse_args` o… src/mono/mono/offsets/offsets-tool.py:109
HIGH MINED108 [MINED108] `self.get_stamp_path` used but never assigned in __init__: Method `_one_failur… .github/skills/ci-pipeline-monitor/scri…:222
HIGH MINED108 [MINED108] `self.get_stamp_path` used but never assigned in __init__: Method `_one_failur… .github/skills/ci-pipeline-monitor/scri…:126
HIGH MINED108 [MINED108] `self._one_failure` used but never assigned in __init__: Method `generate_issu… .github/skills/ci-pipeline-monitor/scri…:54
HIGH MINED108 [MINED108] `self.generate_issues` used but never assigned in __init__: Method `generate` … .github/skills/ci-pipeline-monitor/scri…:35
HIGH MINED108 [MINED108] `self.probe_configuration` used but never assigned in __init__: Method `genera… .github/skills/ci-pipeline-monitor/scri…:34
HIGH MINED108 [MINED108] `self._one_failure` used but never assigned in __init__: Method `_failure_deta… .github/skills/ci-pipeline-monitor/scri…:197
HIGH MINED108 [MINED108] `self._footer` used but never assigned in __init__: Method `generate` of class… .github/skills/ci-pipeline-monitor/scri…:47
HIGH MINED108 [MINED108] `self._action_items` used but never assigned in __init__: Method `generate` of… .github/skills/ci-pipeline-monitor/scri…:46
HIGH MINED108 [MINED108] `self._github_issue_summary` used but never assigned in __init__: Method `gene… .github/skills/ci-pipeline-monitor/scri…:45
HIGH MINED108 [MINED108] `self._failure_details` used but never assigned in __init__: Method `generate`… .github/skills/ci-pipeline-monitor/scri…:44
HIGH MINED108 [MINED108] `self._pipeline_summary` used but never assigned in __init__: Method `generate… .github/skills/ci-pipeline-monitor/scri…:43
HIGH MINED108 [MINED108] `self._header` used but never assigned in __init__: Method `generate` of class… .github/skills/ci-pipeline-monitor/scri…:42
HIGH SEC032 [SEC032] Unrestricted File Upload — no extension/MIME validation: File upload accepts the… src/coreclr/scripts/utilities.py:49
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). src/coreclr/tools/Common/Internal/Runti…:33
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). src/coreclr/tools/Common/Internal/Metad…:40
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). src/coreclr/inc/md5.h:61
HIGH SEC025 [SEC025] XML External Entity (XXE) — .NET XmlDocument / XmlTextReader: .NET XmlDocument a… src/coreclr/inc/genheaders/genheaders.cs:94
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … src/coreclr/scripts/pgocheck.py:61
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … src/coreclr/md/inc/liteweightstgdb.h:72
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … src/coreclr/debug/di/dbgtransportmanage…:98
HIGH MINED017 [MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic. src/coreclr/binder/defaultassemblybinde…:219
HIGH SEC103 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDA… .github/skills/ci-pipeline-monitor/scri…:52
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… src/coreclr/tools/Common/TypeSystem/Ecm…:123
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… src/coreclr/scripts/jitformat.py:109
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… .github/skills/ci-pipeline-monitor/scri…:29
HIGH MINED001 [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… src/coreclr/scripts/coreclr_arguments.py:140
HIGH MINED001 [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… .github/skills/ci-pipeline-monitor/scri…:163
HIGH COMP001 [COMP001] High cognitive complexity: Function `fetch_failed_tests` has cognitive complexi… .github/skills/ci-pipeline-monitor/scri…:88
HIGH DKR015 Docker build context is very large .dockerignore
HIGH MINED134 [MINED134] Binary file `src/mono/wasm/testassets/native-libs/variadic.o` committed in sou… src/mono/wasm/testassets/native-libs/va…:1
HIGH MINED134 [MINED134] Binary file `src/mono/wasm/testassets/native-libs/native-lib.o` committed in s… src/mono/wasm/testassets/native-libs/na…:1
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout… src/native/external/libunwind/.github/w…:33
HIGH MINED115 [MINED115] Action `actions/stale` pinned to mutable ref `@v5`: `uses: actions/stale@v5` r… src/native/external/libunwind/.github/w…:14
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout… src/native/external/libunwind/.github/w…:98
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout… src/native/external/libunwind/.github/w…:39
HIGH MINED115 [MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v2`: `uses: gith… src/native/external/libunwind/.github/w…:41
HIGH MINED115 [MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v2`: `uses: gi… src/native/external/libunwind/.github/w…:38
HIGH MINED115 [MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v2`: `uses: github/… src/native/external/libunwind/.github/w…:32
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout… src/native/external/libunwind/.github/w…:29
HIGH MINED118 [MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-ne… src/coreclr/nativeaot/docs/Dockerfile.c…:1
HIGH MINED118 [MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-ne… src/coreclr/nativeaot/docs/Dockerfile.c…:1
HIGH MINED130 [MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-… src/mono/sample/wasi/jco/package-lock.j…:1
HIGH MINED130 [MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-… src/mono/browser/runtime/package-lock.j…:1
HIGH MINED130 [MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-… src/native/package-lock.json:1
HIGH MINED115 [MINED115] Action `dotnet/arcade/.github/workflows/backport-base.yml` pinned to mutable r… .github/workflows/backport.yml:18
HIGH MINED126 [MINED126] Workflow container/services image `mcr.microsoft.com/dotnet-buildtools/prereqs… .github/workflows/jit-format.yml:18
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/u… .github/workflows/jit-format.yml:49
HIGH MINED115 [MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setu… .github/workflows/jit-format.yml:40
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/jit-format.yml:36
HIGH MINED115 [MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setu… .github/workflows/jit-format.yml:32
HIGH MINED115 [MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/git… .github/workflows/locker.yml:52
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/locker.yml:33
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/skill-validation.yml:30
HIGH MINED115 [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-… .github/workflows/markdownlint.yml:22
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/markdownlint.yml:20
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/copilot-setup-steps.y…:18
HIGH MINED115 [MINED115] Action `dotnet/arcade/.github/workflows/inter-branch-merge-base.yml` pinned to… .github/workflows/inter-branch-merge-fl…:13
HIGH MINED115 [MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/git… .github/workflows/bump-chrome-version.y…:50
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/bump-chrome-version.y…:19
HIGH MINED115 [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/u… .github/workflows/aspnetcore-sync.yml:47
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/aspnetcore-sync.yml:27
HIGH MINED115 [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout… .github/workflows/aspnetcore-sync.yml:19
HIGH MINED118 [MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/dotnet (no tag)` not pinned b… .devcontainer/android/Dockerfile:2
HIGH MINED118 [MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/dotnet (no tag)` not pinned b… .devcontainer/wasm/Dockerfile:5
HIGH MINED118 [MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/dotnet (no tag)` not pinned b… .devcontainer/wasm-multiThreaded/Docker…:5
HIGH MINED118 [MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/dotnet (no tag)` not pinned b… .devcontainer/Dockerfile:5
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/native/external/brotli/setup.py:14
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/coreclr/scripts/superpmi_collect_se…:418
MED MINED109 [MINED109] Mutable default argument in `partition_files` (list): `def partition_files(...… src/coreclr/scripts/superpmi_collect_se…:380
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/coreclr/scripts/jitutil.py:585
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/coreclr/scripts/jitutil.py:578
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/coreclr/scripts/superpmi_aspnet2.py:401
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/coreclr/scripts/superpmi_aspnet2.py:408
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/coreclr/scripts/superpmi_aspnet2.py:65
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/coreclr/scripts/superpmi_aspnet2.py:390
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/coreclr/scripts/superpmi.py:2553
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/coreclr/scripts/superpmi.py:2447
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/coreclr/scripts/superpmi.py:795
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… src/mono/mono/mini/genmdesc.py:204
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… .github/skills/ci-pipeline-monitor/scri…:449
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… .github/skills/ci-pipeline-monitor/scri…:145
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… .github/skills/ci-pipeline-monitor/scri…:55
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… .github/skills/ci-pipeline-monitor/scri…:83
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… eng/common/cross/install-debs.py:92
MED SEC119 [SEC119] World-writable / world-readable file permissions: World-writable files let any l… src/coreclr/scripts/jitformat.py:131
MED ERR001 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… src/coreclr/scripts/coreclr_arguments.py:140
MED SEC136 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… src/coreclr/nativeaot/System.Private.Co…:54
MED SEC136 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all excepti… src/coreclr/System.Private.CoreLib/src/…:38
MED DKR009 Dockerfile separates apt update from install .devcontainer/wasm-multiThreaded/Docker…:8
MED DKR009 Dockerfile separates apt update from install .devcontainer/wasm/Dockerfile:7
MED DKR009 Dockerfile separates apt update from install .devcontainer/android/Dockerfile:5
MED DKR001 Docker final stage has no non-root USER src/coreclr/nativeaot/docs/Dockerfile.c…:1
MED DKR001 Docker final stage has no non-root USER src/coreclr/nativeaot/docs/Dockerfile.c…:1
MED DKR001 Docker final stage has no non-root USER .devcontainer/wasm-multiThreaded/Docker…:5
MED DKR001 Docker final stage has no non-root USER .devcontainer/wasm/Dockerfile:5
MED DKR001 Docker final stage has no non-root USER .devcontainer/android/Dockerfile:2
MED DKR001 Docker final stage has no non-root USER .devcontainer/Dockerfile:5
MED AIC001 Parallel implementation file sits beside a canonical file src/mono/mono/metadata/metadata-update.c:1
MED CORE_LARGE_FILES Average file size is 711 lines (recommend <300)
LOW SEC132 [SEC132] String concat where the language has interpolation (AI style drift): String buil… src/coreclr/scripts/genEventingTests.py:33
LOW SEC132 [SEC132] String concat where the language has interpolation (AI style drift): String buil… src/coreclr/scripts/genEtwProvider.py:165
LOW SEC132 [SEC132] String concat where the language has interpolation (AI style drift): String buil… src/coreclr/inc/genheaders/genheaders.cs:51
LOW COMP001 [COMP001] High cognitive complexity: Function `fetch_and_save` has cognitive complexity 1… .github/skills/ci-pipeline-monitor/scri…:26
LOW COMP001 [COMP001] High cognitive complexity: Function `main` has cognitive complexity 8 (SonarSou… .github/skills/ci-pipeline-monitor/scri…:227
LOW AIC003 Duplicated implementation block across source files src/coreclr/gc/wasm/gcenv.cpp:171
LOW AIC003 Duplicated implementation block across source files src/coreclr/gc/vxsort/machine_traits.ne…:123
LOW AIC003 Duplicated implementation block across source files src/coreclr/gc/vxsort/machine_traits.av…:29
LOW AIC003 Duplicated implementation block across source files src/coreclr/gc/gcinterface.h:335
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/shared/riscv64/primit…:1
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/inc/riscv64/primitive…:96
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/inc/riscv64/primitive…:46
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/inc/riscv64/primitive…:1
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/inc/loongarch64/primi…:92
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/inc/loongarch64/primi…:1
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/ee/riscv64/primitives…:3
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/ee/loongarch64/walker…:1
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/ee/loongarch64/primit…:3
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/ee/i386/debuggerregdi…:5
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/ee/arm64/primitives.c…:3
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/di/windowspipeline.cpp:25
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/di/shimremotedatatarg…:92
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/di/shimremotedatatarg…:6
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/di/remoteeventchannel…:8
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/di/loongarch64/cordbr…:148
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/di/i386/cordbregister…:134
LOW AIC003 Duplicated implementation block across source files src/coreclr/debug/di/i386/cordbregister…:42
LOW AIC003 Duplicated implementation block across source files src/coreclr/System.Private.CoreLib/src/…:84
LOW AIC003 Duplicated implementation block across source files src/coreclr/System.Private.CoreLib/src/…:85
LOW AIC003 Duplicated implementation block across source files src/coreclr/System.Private.CoreLib/src/…:274
LOW AIC003 Duplicated implementation block across source files src/coreclr/System.Private.CoreLib/src/…:25
LOW AIC003 Duplicated implementation block across source files src/coreclr/System.Private.CoreLib/src/…:34
LOW AIC003 Duplicated implementation block across source files src/coreclr/System.Private.CoreLib/src/…:62
LOW AIC003 Duplicated implementation block across source files src/coreclr/System.Private.CoreLib/src/…:94
LOW DKR011 Dockerfile installs recommended OS packages .devcontainer/wasm-multiThreaded/Docker…:57
LOW DKR011 Dockerfile installs recommended OS packages .devcontainer/wasm-multiThreaded/Docker…:42
LOW DKR011 Dockerfile installs recommended OS packages .devcontainer/wasm/Dockerfile:56
LOW DKR011 Dockerfile installs recommended OS packages .devcontainer/wasm/Dockerfile:41
LOW DKR008 .dockerignore misses sensitive defaults .dockerignore
LOW AIC002 Source file name looks like an AI patch artifact src/mono/mono/metadata/metadata-update.h:1
INFO MINED077 [MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles. src/coreclr/scripts/jitformat.py:210
INFO MINED057 [MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — l… src/coreclr/nativeaot/System.Private.Co…:53
INFO MINED075 [MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking fo… src/coreclr/pal/src/include/pal/synchca…:288
INFO MINED075 [MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking fo… src/coreclr/jit/alloc.cpp:37
INFO MINED075 [MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking fo… src/coreclr/interpreter/eeinterp.cpp:259
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … src/coreclr/hosts/corerun/wasm/libCorer…:186
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … src/coreclr/hosts/corerun/wasm/libCorer…:25
INFO MINED080 [MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace. src/coreclr/gc/vxsort/standalone/demo/d…:6
INFO MINED080 [MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace. src/coreclr/gc/vxsort/smallsort/bitonic…:12
INFO MINED080 [MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace. src/coreclr/gc/vxsort/alignment.h:9
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… src/coreclr/debug/di/rsassembly.cpp:164
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… src/coreclr/debug/createdump/createdump…:17
INFO MINED042 [MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak ri… src/coreclr/binder/applicationcontext.c…:97
INFO MINED051 [MINED051] Csharp Null Forgive: x! tells compiler "definitely not null" — bypasses nullab… src/coreclr/System.Private.CoreLib/src/…:22
INFO MINED051 [MINED051] Csharp Null Forgive: x! tells compiler "definitely not null" — bypasses nullab… src/coreclr/System.Private.CoreLib/src/…:116
INFO MINED051 [MINED051] Csharp Null Forgive: x! tells compiler "definitely not null" — bypasses nullab… src/coreclr/System.Private.CoreLib/src/…:119
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… eng/common/cross/tizen-fetch.sh:56
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… .github/skills/ci-pipeline-monitor/scri…:130
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… .github/skills/ci-pipeline-monitor/scri…:100
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… src/coreclr/scripts/fuzzlyn_run.py:206
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… src/coreclr/scripts/coreclr_arguments.py:141
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… .github/skills/ci-pipeline-monitor/scri…:164
INFO MINED049 [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. .github/skills/ci-pipeline-monitor/scri…:73
200 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `dotnet/runtime`

**Score: 79/100 (B+)**  ·  293 findings  ·  scanned 2026-06-05 19:50 UTC  ·  14,932,384 LOC

| Severity | Count |
|---|---|
| CRITICAL | 53 |
| HIGH | 76 |
| MEDIUM | 33 |
| LOW | 40 |

📊 [Full filterable report](https://repobility.com/scan/c11c5d9d-29cd-45bc-ad93-25084caec83e/)  ·  ![scorecard](https://repobility.com/scan/c11c5d9d-29cd-45bc-ad93-25084caec83e/report.png?v=1780689047-s2)

### Top findings

1. **CRITICAL** `MINED107` — Missing import: `os` used but not imported
   `src/coreclr/scripts/superpmi_diffs.py:109` · ✓ Repobility
2. **CRITICAL** `MINED107` — Missing import: `sys` used but not imported
   `src/coreclr/scripts/genDummyProvider.py:172` · ✓ Repobility
3. **CRITICAL** `MINED107` — Missing import: `argparse` used but not imported
   `src/coreclr/scripts/genDummyProvider.py:144` · ✓ Repobility
4. **CRITICAL** `MINED116` — Workflow uses `secrets.COPILOT_PAT_0` on a `pull_request` trigger
   `.github/workflows/code-review.lock.yml:1317` · ✓ Repobility
5. **CRITICAL** `MINED116` — Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger
   `.github/workflows/code-review.lock.yml:1060` · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/c11c5d9d-29cd-45bc-ad93-25084caec83e/_
Warnings

- Already filed: This repo publishes a SECURITY.md policy and the scan contains 9 Critical/High security finding(s). Public issue filing would violate coordinated disclosure. Submit privately via the project's security reporting channel.
- Megaproject: high spam risk. Could not determine 'dotnet/runtime' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
- Already filed: 150/312 findings (48%) on this scan are already flagged as test-file, won't-fix, or suppressed. The scan is too noisy to file as a single issue. Curate down to specific actionable findings, or address the FP source first.

The button opens GitHub's new-issue page in a new tab. You will see the title + body pre-filled; review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.