67 of your 122 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 44.07s for a 140.6 MB repo (slow).
  • Repobility's analysis ran in 42.65s after the clone landed.

flutter/flutter

https://github.com/flutter/flutter · scanned 2026-06-05 04:37 UTC (4 hours, 25 minutes ago) · 10 languages

290 findings (114 legacy + 176 scanner) · 11/13 scanners ran

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 hours, 25 minutes ago · v2 · 202 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
| --- | --- | --- | --- |
| structure_score | 40.0 | 0.15 | 6.00 |
| security_score | 100.0 | 0.25 | 25.00 |
| testing_score | 85.0 | 0.20 | 17.00 |
| documentation_score | 92.0 | 0.15 | 13.80 |
| practices_score | 68.0 | 0.15 | 10.20 |
| code_quality | 71.0 | 0.10 | 7.10 |
| Overall | | 1.00 | 79.1 |

security_score may be inflated — optional security scanners were skipped on this fast scan
Scan summary: Repository scanned at 78.1/100 with 88.9% coverage. It contains 6841 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 88 findings — concentrated in quality (50), software (18), cicd (8). Risk profile is high: 1 critical, 2 high, 27 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 101 of 202 findings.

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection.
Review and fix per the pattern semantics. See CWE-95 for context.
engine/src/flutter/impeller/renderer/backend/metal/allocator_mtl.mm:57 quality legacy
critical Legacy quality quality conf 1.00 ✓ Repobility [MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf.
Review and fix per the pattern semantics. See CWE-120 for context.
engine/src/flutter/impeller/renderer/shader_key.cc:16 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
Add `import stat` at the top of the file.
engine/src/flutter/tools/fuchsia/toolchain/copy.py:40 quality legacy
critical 9-layer security secrets conf 1.00 Possible secret in engine/src/flutter/shell/platform/android/io/flutter/embedding/engine/systemchannels/SettingsChannel.java
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
engine/src/flutter/shell/platform/android/io/flutter/embedding/engine/systemchannels/SettingsChannel.java:30 secrets
high Legacy quality quality conf 1.00 ✓ Repobility [MINED002] Dart Null Bang: value! throws on null. Use ?. or null check.
Review and fix per the pattern semantics. See CWE-476 for context.
dev/bots/custom_rules/render_box_intrinsics.dart:69 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED002] Dart Null Bang: value! throws on null. Use ?. or null check.
Review and fix per the pattern semantics. See CWE-476 for context.
dev/bots/custom_rules/protect_public_state_subtypes.dart:76 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match.
Review and fix per the pattern semantics. See CWE-476 for context.
engine/src/flutter/impeller/playground/backend/metal/playground_impl_mtl.mm:115 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety.
Review and fix per the pattern semantics. See CWE-476 for context.
dev/benchmarks/platform_channels_benchmarks/android/app/src/main/kotlin/com/example/platform_channels_benchmarks/MainActivity.kt:34 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.
Review and fix per the pattern semantics. See CWE-78 for context.
engine/src/flutter/ci/scan_deps.py:153 quality legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/upload-artifact@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
engine/src/flutter/.github/workflows/third_party_scan.yml:34 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `dorny/paths-filter` pinned to mutable ref `@v3`: `uses: dorny/paths-filter@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: dorny/paths-filter@<40-char-sha> # v3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/freeze.yml:27 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED117] Workflow declares `permissions: write-all`: The job's GITHUB_TOKEN gets EVERY permission scope. If the workflow is ever compromised (mutable action, fork PR, injected step), the attacker can push to main, publish packages, alter releases. Use least-privilege by listing only the scopes the job actually needs.
Replace with a scoped block: `permissions:\n contents: read\n issues: write` (only the scopes you need).
engine/src/flutter/.github/workflows/engine-cp.yml:11 dependency legacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
engine/src/flutter/ci/scan_deps.py:66 quality legacy
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in engine/src/flutter/ci/scan_deps.py:66
Found a known-risky pattern (exec_used). Review and replace if possible.
engine/src/flutter/ci/scan_deps.py:66 owasp exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in engine/src/tools/dart/create_updated_flutter_deps.py:53
Found a known-risky pattern (exec_used). Review and replace if possible.
engine/src/tools/dart/create_updated_flutter_deps.py:53 owasp exec_used
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
engine/src/flutter/tools/fuchsia/with_envs.py:51 quality legacy
medium Legacy security injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
engine/src/flutter/ci/scan_deps.py:153 injection legacy
medium Legacy quality quality conf 0.78 Suspicious implementation file appears unreferenced
Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes.
engine/src/flutter/shell/platform/embedder/embedder_semantics_update.h:1 quality legacy
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — engine/src/flutter/lib/web_ui/flutter_js/src/entrypoint_loader.js:165
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrity fragile-runtime robustness
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
google/osv-scanner-action/.github/workflows/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
engine/src/flutter/.github/workflows/third_party_scan.yml:44 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
dorny/paths-filter@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/freeze.yml:27 supply-chain github-actions pinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
engine/src/flutter/.github/workflows/engine-cp.yml supply-chain github-actions least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/merge-changelog.yml supply-chain github-actions least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/cut-release-branch.yml supply-chain github-actions least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/roll-dart-dependencies.yml supply-chain github-actions least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/sync-engine-version.yml supply-chain github-actions least-privilege
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in engine/src/flutter/ci/scan_deps.py:156
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
engine/src/flutter/ci/scan_deps.py:156 owasp subprocess_shell_true
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/ci/scan_deps.py:146
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/impeller/tools/malioc_cores.py:43
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/sky/tools/sky_utils.py:200
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/testing/android_systrace_test.py:38
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/testing/rules/run_gradle.py:42
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/testing/run_tests.py:100
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/testing/xvfb.py:64
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/tools/download_fuchsia_sdk.py:58
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/tools/font_subset/test.py:123
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/tools/fuchsia/build_fuchsia_artifacts.py:207
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/tools/fuchsia/copy_debug_symbols.py:45
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/tools/fuchsia/make_build_info.py:26
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/tools/fuchsia/merge_and_upload_debug_symbols.py:72
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/tools/fuchsia/upload_to_symbol_server.py:36
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/tools/githooks/setup.py:56
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/tools/luci/build.py:26
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — engine/src/flutter/tools/pub_get_offline.py:132
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer security coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
coverage auth
low Legacy quality quality conf 0.64 Duplicate top-level symbol appears in a patch-style file
Keep one authoritative implementation, update imports to point at it, and remove or rename the duplicate symbol.
engine/src/flutter/lib/ui/semantics/semantics_update.h:1 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
dev/bots/unpublish_package.dart:346 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
dev/bots/unpublish_package.dart:69 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
dev/a11y_assessments/lib/use_cases/card.dart:10 quality legacy
low Legacy quality quality conf 0.74 robots.txt does not advertise a sitemap
Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt.
.agents/skills/analyze-github-flake/SKILL.md quality legacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
engine/src/flutter/shell/platform/embedder/embedder_semantics_update.h:1 quality legacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
engine/src/flutter/lib/ui/semantics/semantics_update.h:1 quality legacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
dev/bots/prepare_package/transactional_update.dart:1 quality legacy
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: .github/scripts/no-response.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: dev/a11y_assessments/web/flutter_bootstrap.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: dev/benchmarks/macrobenchmarks/web/flutter_bootstrap.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: dev/docs/assets/api_survey.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: dev/integration_tests/web_compile_tests/web/flutter_bootstrap.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: dev/integration_tests/web_e2e_tests/web/flutter_bootstrap.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: engine/src/flutter/lib/web_ui/flutter_js/src/flutter.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: engine/src/flutter/lib/web_ui/flutter_js/src/types.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: engine/src/flutter/skwasm/library_skwasm_support.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: examples/hello_world/web/flutter_bootstrap.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/flutter_tools/lib/src/web/file_generators/js/flutter_service_worker.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: packages/integration_test/example/web/flutter_bootstrap.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
engine/src/flutter/.github/workflows/third_party_scan.yml:34 supply-chain github-actions pinned-dependencies
low 9-layer quality integrity conf 1.00 Legacy-named symbol `enable_legacy` in engine/src/flutter/tools/fuchsia/build_fuchsia_artifacts.py:388
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: engine/src/tools/dart/create_updated_flutter_deps_tests.py:test_ComputeDartDeps_unused_dep, engine/src/tools/dart/create_updated_flutter_deps_tests.py:test_ComputeDartDeps_used_dep This is *the* AI-coder failure mode (4× more duplication in vibe-code…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: engine/src/flutter/tools/fuchsia/merge_and_upload_debug_symbols.py:CheckCIPDPackageExists, engine/src/flutter/tools/fuchsia/build_fuchsia_artifacts.py:CheckCIPDPackageExists This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: engine/src/flutter/tools/fuchsia/merge_and_upload_debug_symbols.py:RunCIPDCommandWithRetries, engine/src/flutter/tools/fuchsia/build_fuchsia_artifacts.py:RunCIPDCommandWithRetries This is *the* AI-coder failure mode (4× more duplication in vibe-coded…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: engine/src/flutter/tools/fuchsia/build_fuchsia_artifacts.py:CopyToBucketWithMode, engine/src/flutter/tools/fuchsia/build_fuchsia_artifacts.py:CopyToBucket This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.h…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: engine/src/flutter/impeller/tools/malioc_diff.py:read_malioc_file_performance, engine/src/flutter/impeller/tools/malioc_diff.py:read_malioc_file This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: engine/src/flutter/impeller/tools/xxd.py:make_directories, engine/src/flutter/impeller/tools/metal_library.py:make_directories This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolid…
integrity duplicate dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: engine/src/flutter/sky/tools/create_ios_framework.py:zip_archive, engine/src/flutter/sky/tools/create_macos_framework.py:zip_xcframework_archive This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-…
integrity duplicate dry
low 9-layer software dead-code conf 1.00 Possibly dead Python function: GetFlutterEngineGitRevision
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
engine/src/flutter/tools/fuchsia/make_build_info.py:35 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: GitHashArg
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
engine/src/tools/dart/create_updated_flutter_deps.py:57 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: IsMac
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
engine/src/flutter/tools/fuchsia/build_fuchsia_artifacts.py:48 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: Lookup
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
engine/src/tools/dart/create_updated_flutter_deps.py:30 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: lookup
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
engine/src/flutter/ci/scan_deps.py:44 dead-code
low 9-layer software dead-code conf 1.00 Possibly dead Python function: OnErrorRmTree
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
engine/src/flutter/tools/download_fuchsia_sdk.py:81 dead-code
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — .github/scripts/no-response.js:89
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — dev/docs/assets/snippets.js:91
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality fq.console-leak
low 9-layer frontend frontend-quality conf 1.00 Stray `console.log` in TS/JS — engine/src/flutter/lib/web_ui/flutter_js/src/instantiate_wasm.js:22
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
frontend-quality fq.console-leak
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/io/flutter/embedding/android/FlutterActivity.java (1528 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/io/flutter/embedding/android/FlutterActivityAndFragmentDelegate.java (1356 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/io/flutter/embedding/android/FlutterFragment.java (1805 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/io/flutter/embedding/android/FlutterView.java (1639 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/io/flutter/embedding/engine/FlutterJNI.java (1750 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
complexity
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/io/flutter/embedding/engine/renderer/FlutterRenderer.java (1558 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/io/flutter/plugin/platform/PlatformViewsController.java (1431 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/io/flutter/view/AccessibilityBridge.java (3408 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/test/io/flutter/embedding/android/FlutterActivityAndFragmentDelegateTest.java (1683 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/test/io/flutter/embedding/android/FlutterViewTest.java (1499 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/test/io/flutter/embedding/android/KeyboardManagerTest.java (2125 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/test/io/flutter/embedding/engine/loader/FlutterLoaderTest.java (1449 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/test/io/flutter/plugin/editing/InputConnectionAdaptorTest.java (1431 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/test/io/flutter/plugin/editing/TextInputPluginTest.java (3164 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/test/io/flutter/plugin/platform/PlatformViewsControllerTest.java (2269 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/shell/platform/android/test/io/flutter/view/AccessibilityBridgeTest.java (3510 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low 9-layer quality complexity conf 1.00 Very large file: engine/src/flutter/testing/run_tests.py (1504 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low Legacy quality quality conf 1.00 ✓ Repobility [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
Review and fix per the pattern semantics. See CWE-476 for context.
engine/src/flutter/impeller/renderer/backend/metal/surface_mtl.mm:230
API access

This page is publicly accessible at: https://repobility.com/scan/c3e85ec5-2e36-4677-a1e8-7af65f6cee90/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/c3e85ec5-2e36-4677-a1e8-7af65f6cee90/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.