14 of your 44 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.75s · analysis 3.52s · 0.9 MB · GitHub API rate-limit (preflight)

redpanda-data/kminion

https://github.com/redpanda-data/kminion · scanned 2026-06-05 13:20 UTC (5 days, 6 hours ago) · 10 languages

58 raw signals (44 security + 14 graph) 10th percentile · Go · small (2-20K LoC) System graph score 92 (lower by 39)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 6 hours ago · v2 · 40 actionable findings from 2 signal sources. 11 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 75.0 0.15 11.25
security_score 37.3 0.25 9.32
testing_score 15.0 0.20 3.00
documentation_score 62.0 0.15 9.30
practices_score 77.0 0.15 11.55
code_quality 80.0 0.10 8.00
Overall 1.00 52.4
Scan summary Quality grade C- (52/100). Dimensions: security 37, maintainability 75. 44 findings (26 security). 6,760 lines analyzed.

Showing 33 of 40 actionable findings. 51 raw detector signals were grouped into reader-sized issues.

high Security checks cicd CI/CD security conf 0.84 2 occurrences Database service publishes a host port
Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports.
lines 5, 15
docker-compose.yml:5, 15 (2 hits)
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.92 Dockerfile copies the entire context without .dockerignore
COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts.
Dockerfile:18 · CI/CD security · containers
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences Dockerfile FROM `golang:1.26.3-alpine` not pinned by digest
`FROM golang:1.26.3-alpine` resolves the tag at build time. The registry can re-push a different image under the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity.
lines 4, 30
Dockerfile:4, 30 (2 hits)
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 5 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `aws-actions/configure-aws-credentials` is pinned to the mutable ref `@v4` (a tag or branch, not a commit). Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
2 files, 5 locations
.github/workflows/docker-image.yml:15, 19, 51, 56 (4 hits)
.github/workflows/goreleaser.yml:18
CI/CD security · Supply chain · GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 3 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is pinned to the mutable ref `@v4` (a tag or branch, not a commit). Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
2 files, 3 locations
.github/workflows/goreleaser.yml:12, 15 (2 hits)
.github/workflows/docker-image.yml:24
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5005
Key constraints not enforced in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5006
Agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5013
Byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5014
Bypass of certificate restrictions in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5015
Server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5016
Memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5017
Client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5018
Pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5019
Bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5020
Infinite loop on large channel writes in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5021
Auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5023
VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5033
Pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5037
Inefficient candidate hostname parsing in crypto/x509
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5038
Quadratic complexity in WordDecoder.DecodeHeader in mime
go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5039
Arbitrary inputs are included in errors without any escaping in net/textproto
go.mod
medium Security checks cicd CI/CD security conf 0.94 2 occurrences Compose service `zookeeper` image uses the latest tag
The latest tag is mutable and can change without a code review, producing different images from the same source.
lines 5, 15
docker-compose.yml:5, 15 (2 hits)
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.74 2 occurrences Database service has no persistent data volume
Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. Recreating the container can lose state.
lines 5, 15
docker-compose.yml:5, 15 (2 hits)
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore · CI/CD security · containers
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/docker-image.yml · CI/CD security · Supply chain · GitHub Actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/goreleaser.yml · CI/CD security · Supply chain · GitHub Actions
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
2 test file(s) for 52 source file(s) (ratio 0.04). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks quality Error handling conf 1.00 [ERR003] Ignored Error (Go): Ignoring error return values.
Handle the error or use errcheck linter.
logging/logger.go:20
low Security checks cicd CI/CD security conf 0.68 App service does not wait for database health
`depends_on` controls startup order only; without `condition: service_healthy`, the app can start while the database is still initializing and fail intermittently.
docker-compose.yml:33 · CI/CD security · containers
high Security checks cicd CI/CD security conf 0.62 Compose service lacks no-new-privileges hardening
`no-new-privileges` prevents processes in the container from gaining additional privileges through setuid binaries or file capabilities.
docker-compose.yml:33 · CI/CD security · containers
low Security checks cicd CI/CD security conf 0.72 2 occurrences Database service has no healthcheck
Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless the database defines a healthcheck and dependents use `condition: service_healthy`.
lines 5, 15
docker-compose.yml:5, 15 (2 hits)
CI/CD security · containers
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: alpine:3
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:30 · containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: golang:1.26.3-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:4 · containers · Pinned dependencies

This page is publicly accessible at: https://repobility.com/scan/c58f3377-b01f-4e72-88bc-6df502faf969/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/c58f3377-b01f-4e72-88bc-6df502faf969/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.