Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub took 55.76s for a 179.7 MB repo slow.
  • Repobility's analysis ran in 32.95s after the clone landed.

vm0-ai/vm0

https://github.com/vm0-ai/vm0 · scanned 2026-05-31 01:27 UTC (5 days, 6 hours ago) · 10 languages

1670 findings (261 legacy + 1409 scanner) 11/13 scanners ran 42nd percentile · Typescript · huge (>500K LoC) Scanner says 59 (higher by 24)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 6 hours ago · v2 · last Δ -4.4 (diff) · 950 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
66.6
/100
Repobility
74
261 legacy
9-layer
59
100.0% cov · 689 gaps
Critical
43
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 40.0 0.15 6.00
security_score 100.0 0.25 25.00
testing_score 100.0 0.20 20.00
documentation_score 98.0 0.15 14.70
practices_score 82.0 0.15 12.30
code_quality 51.0 0.10 5.10
Overall 1.00 83.1
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 43 High 151 Medium 194 Low 356 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 261 9-layer 689 Crowd 0 Layer: Quality 423 Security 42 Software 148 Cicd 87 Api 1 Frontend 241 Network 3 Hardware 5
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Repository scanned at 58.9/100 with 100.0% coverage. It contains 17603 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 689 findings — concentrated in quality (283), frontend (241), cicd (75). Risk profile is high: 11 critical, 2 high, 186 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 688 of 950 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy quality quality conf 1.00 ✓ Repobility [MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context.
turbo/apps/api/src/signals/services/zero-custom-connector.service.ts:211 qualitylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.ABLY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ABLY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:295 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.AWS_METAL_RUNNER_HOSTS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_METAL_RUNNER_HOSTS }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:438 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.AWS_METAL_RUNNER_HOSTS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_METAL_RUNNER_HOSTS }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:181 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.AWS_METAL_RUNNER_SSH_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_METAL_RUNNER_SSH_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:1075 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.AWS_METAL_RUNNER_SSH_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_METAL_RUNNER_SSH_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:884 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.AWS_METAL_RUNNER_SSH_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_METAL_RUNNER_SSH_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:772 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.AWS_METAL_RUNNER_SSH_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_METAL_RUNNER_SSH_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:510 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.AWS_METAL_RUNNER_SSH_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_METAL_RUNNER_SSH_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:454 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.AWS_METAL_RUNNER_SSH_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_METAL_RUNNER_SSH_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:395 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CF_ACCESS_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CF_ACCESS_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:1076 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CF_ACCESS_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CF_ACCESS_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:885 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CF_ACCESS_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CF_ACCESS_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:773 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CF_ACCESS_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CF_ACCESS_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:511 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CF_ACCESS_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CF_ACCESS_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:455 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CF_ACCESS_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CF_ACCESS_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:396 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CF_ACCESS_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CF_ACCESS_CLIENT_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:886 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CF_ACCESS_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CF_ACCESS_CLIENT_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:774 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CF_ACCESS_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CF_ACCESS_CLIENT_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:512 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CF_ACCESS_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CF_ACCESS_CLIENT_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:456 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CF_ACCESS_CLIENT_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CF_ACCESS_CLIENT_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:397 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:286 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.OFFICIAL_RUNNER_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OFFICIAL_RUNNER_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:891 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.OFFICIAL_RUNNER_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OFFICIAL_RUNNER_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:779 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.OFFICIAL_RUNNER_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OFFICIAL_RUNNER_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:517 dependencylegacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.OFFICIAL_RUNNER_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OFFICIAL_RUNNER_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/crates.yml:461 dependencylegacy
critical Legacy security credential_exposure conf 1.00 [SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.
Remove immediately and rotate the token. Use environment variables.
turbo/packages/firewalls-generator/src/sendgrid.ts:17 credential_exposurelegacy
critical Legacy security secret conf 1.00 [SEC051] Stripe live/test key: Stripe API key (live or test). Live keys can charge real cards. Ported from gitleaks stripe-access-token (MIT).
Roll the key in Stripe Dashboard immediately. If a live key was committed, audit Stripe events for unauthorized charges.
turbo/packages/firewalls-generator/src/clerk.ts:42 secretlegacy
critical Legacy security secret conf 1.00 [SEC056] GitLab personal access token: GitLab personal access token. Ported from gitleaks gitlab-pat (MIT).
Revoke the token in GitLab -> User Settings -> Access Tokens.
turbo/packages/firewalls-generator/src/gitlab.ts:14 secretlegacy
critical 9-layer security secrets conf 1.00 Possible secret in crates/api-contracts/src/generated/model_providers.rs
Detected pattern matching openai_or_anthropic_key. Rotate the credential and move to a secret manager.
crates/api-contracts/src/generated/model_providers.rs:23 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/vsock-guest/src/user.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/vsock-guest/src/user.rs:261 secrets
critical 9-layer security secrets conf 1.00 Possible secret in crates/vsock-guest/src/user.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/vsock-guest/src/user.rs:274 secrets
critical 9-layer security secrets conf 1.00 Possible secret in turbo/packages/api-contracts/src/contracts/model-providers.ts
Detected pattern matching openai_or_anthropic_key. Rotate the credential and move to a secret manager.
turbo/packages/api-contracts/src/contracts/model-providers.ts:979 secrets
critical 9-layer security secrets conf 1.00 Possible secret in turbo/packages/api-contracts/src/contracts/model-providers.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
turbo/packages/api-contracts/src/contracts/model-providers.ts:969 secrets
critical 9-layer security secrets conf 1.00 Possible secret in turbo/packages/api-contracts/src/contracts/model-providers.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
turbo/packages/api-contracts/src/contracts/model-providers.ts:982 secrets
critical 9-layer security secrets conf 1.00 Possible secret in turbo/packages/connectors/src/connectors/servicenow.ts
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
turbo/packages/connectors/src/connectors/servicenow.ts:40 secrets
critical 9-layer security secrets conf 1.00 Possible secret in turbo/packages/firewalls-generator/src/bland.ts
Detected pattern matching openai_or_anthropic_key. Rotate the credential and move to a secret manager.
turbo/packages/firewalls-generator/src/bland.ts:12 secrets
critical 9-layer security secrets conf 1.00 Possible secret in turbo/packages/firewalls-generator/src/cronlytic.ts
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
turbo/packages/firewalls-generator/src/cronlytic.ts:4 secrets
critical 9-layer security secrets conf 1.00 Possible secret in turbo/packages/firewalls-generator/src/deepseek.ts
Detected pattern matching openai_or_anthropic_key. Rotate the credential and move to a secret manager.
turbo/packages/firewalls-generator/src/deepseek.ts:14 secrets
critical 9-layer security secrets conf 1.00 Possible secret in turbo/packages/firewalls-generator/src/stability-ai.ts
Detected pattern matching openai_or_anthropic_key. Rotate the credential and move to a secret manager.
turbo/packages/firewalls-generator/src/stability-ai.ts:14 secrets
high Legacy security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /f/:userId/:id/:filename.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
turbo/apps/web/app/f/[userId]/[id]/[filename]/route.ts:45 authlegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
turbo/apps/web/proxy.cors.ts:99 qualitylegacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
turbo/apps/web/app/f/[userId]/[id]/[filename]/route.ts:38 qualitylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-please.yml:90 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:1444 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:1304 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:1070 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:879 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:767 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:505 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:449 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:429 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:375 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:325 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:309 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:251 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:84 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:339 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-python@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:326 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v6`: `uses: codecov/codecov-action@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: codecov/codecov-action@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:284 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: pnpm/action-setup@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:336 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `slackapi/slack-github-action` pinned to mutable ref `@v3.0.3`: `uses: slackapi/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: slackapi/slack-github-action@<40-char-sha> # v3.0.3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-please.yml:263 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `slackapi/slack-github-action` pinned to mutable ref `@v3.0.3`: `uses: slackapi/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: slackapi/slack-github-action@<40-char-sha> # v3.0.3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-please.yml:240 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `slackapi/slack-github-action` pinned to mutable ref `@v3.0.3`: `uses: slackapi/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: slackapi/slack-github-action@<40-char-sha> # v3.0.3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-please.yml:215 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `slackapi/slack-github-action` pinned to mutable ref `@v3.0.3`: `uses: slackapi/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: slackapi/slack-github-action@<40-char-sha> # v3.0.3` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-please.yml:100 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:376 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: Swatinem/rust-cache@<40-char-sha> # v2` and let Dependabot bump it on a scheduled cadence.
.github/workflows/crates.yml:252 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `vm0-ai/release-please-action` pinned to mutable ref `@vm0`: `uses: vm0-ai/release-please-action@vm0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: vm0-ai/release-please-action@<40-char-sha> # vm0` and let Dependabot bump it on a scheduled cadence.
.github/workflows/release-please.yml:39 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM ubuntu:24.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/toolchain/Dockerfile:2 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/runner-image.yml:202 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/rollback-runner.yml:53 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:1883 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:1647 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/crates.yml:364 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/crates.yml:247 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain-rust:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain-rust:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/crates.yml:61 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/turbo.yml:393 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/turbo.yml:380 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/turbo.yml:356 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/turbo.yml:108 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/cleanup-stale.yml:20 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/cleanup.yml:85 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:2074 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:2050 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:1110 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:994 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:876 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:749 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:603 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:414 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:283 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/release-please.yml:85 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `ghcr.io/vm0-ai/vm0-toolchain:20260525` unpinned: `container/services image: ghcr.io/vm0-ai/vm0-toolchain:20260525` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/vm0-ai/vm0-toolchain:20260525@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/crates.yml:303 dependencylegacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED126] Workflow container/services image `semgrep/semgrep` unpinned: `container/services image: semgrep/semgrep` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `semgrep/semgrep@sha256:<digest>`. Re-pin via Dependabot Docker scope.
.github/workflows/security.yml:63 dependencylegacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
crates/runner/mitm-addon/scripts/update-x-tlds.py:48 path_traversallegacy
high Legacy software xxe conf 1.00 [SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs.
Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all.
turbo/apps/platform/src/signals/zero-page/clipboard.ts:191 xxelegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
turbo/packages/firewalls-generator/src/docusign.ts:44 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
turbo/packages/firewalls-generator/src/browserless.ts:21 xsslegacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
turbo/packages/firewalls-generator/src/atlassian.ts:26 xsslegacy
high Legacy quality quality conf 1.00 [SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0).
Add `filter='data'` (Python ≥ 3.12) or manually validate member paths against `os.path.abspath`.
turbo/apps/cli/src/commands/volume/pull.ts:97 qualitylegacy
high Legacy quality quality conf 1.00 [SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0).
Add `filter='data'` (Python ≥ 3.12) or manually validate member paths against `os.path.abspath`.
turbo/apps/cli/src/commands/artifact/pull.ts:104 qualitylegacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
turbo/apps/cli/src/commands/zero/connector/connected-as.ts:33 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
turbo/apps/platform/src/signals/usage-page/usage-insight-signals.ts:153 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
turbo/apps/platform/custom-eslint/rules/no-raw-msw-http.ts:109 qualitylegacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
crates/runner/src/main.rs:68 qualitylegacy
high Legacy security crypto conf 1.00 [SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`.
Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`.
scripts/cf-ssh.sh:116 cryptolegacy
high Legacy security path_traversal conf 1.00 [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly.
After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`.
turbo/apps/desktop/src/desktop-renderer-url.ts:29 path_traversallegacy
high Legacy security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state.
turbo/apps/api/src/signals/services/zero-runs-create.service.ts:224 authlegacy
high Legacy cicd docker conf 0.92 Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
docker/toolchain/Dockerfile:49 dockerlegacy
high Legacy cicd docker conf 0.92 Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
docker/toolchain/Dockerfile:19 dockerlegacy
high Legacy security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
turbo/apps/platform/src/views/device-bb0/bb0-device-page.tsx:246 authlegacy
high 9-layer hardware supply-chain conf 1.00 Dockerfile pipes a remote installer into a shell
Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.
docker/toolchain/Dockerfile:19 supply-chaindockerremote-installer
high 9-layer hardware supply-chain conf 1.00 Dockerfile pipes a remote installer into a shell
Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.
docker/toolchain/Dockerfile:49 supply-chaindockerremote-installer
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /f/:userId/:id/:filename.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
turbo/apps/web/app/f/[userId]/[id]/[filename]/route.ts:45 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /monday-app-association.json.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
turbo/apps/web/app/monday-app-association.json/route.ts:4 authlegacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
turbo/apps/platform/custom-eslint/rules/no-empty-promise-catch.ts:46 error_handlinglegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
turbo/apps/platform/src/views/router/link.tsx:55 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
turbo/apps/platform/src/signals/zero-page/zero-github.ts:203 securitylegacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
turbo/apps/platform/src/signals/zero-page/telegram-login-popup.ts:27 securitylegacy
medium Legacy software open_redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
turbo/apps/web/app/desktop-auth/consume/DesktopAuthConsumeClient.tsx:61 open_redirectlegacy
medium Legacy software open_redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
turbo/apps/web/app/desktop-auth/callback/DesktopAuthCallbackClient.tsx:87 open_redirectlegacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
crates/ably-subscriber/src/connection/endpoint.rs:331 qualitylegacy
medium Legacy cicd docker conf 0.86 Database dump or local database file is included in Docker build context
Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow.
.dockerignore dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
docker/toolchain/Dockerfile:123 dockerlegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/services/built-in-generation-provider-webhooks.service.ts:56 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/services/agent-webhook-events.service.ts:67 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/services/agent-webhook-events.service.ts:62 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/zero-integrations-telegram.ts:50 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/zero-integrations-slack.ts:51 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/zero-integrations-github-download-file.ts:19 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/zero-connectors.ts:558 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/zero-chat-messages.ts:250 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/model-stats.ts:62 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/model-stats.ts:32 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/internal-event-consumers-telegram-typing.ts:68 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/internal-event-consumers-agentphone-typing.ts:92 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/internal-callbacks-chat.ts:164 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/github-oauth.ts:57 qualitylegacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
turbo/apps/api/src/signals/routes/zero-web-download.ts:20 qualitylegacy
medium Legacy quality quality conf 0.70 Public web app has no Content Security Policy
Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors.
index.html qualitylegacy
medium Legacy quality quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt qualitylegacy
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — turbo/apps/platform/src/views/zero-page/zero-directed-connect-page.tsx:170
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — turbo/apps/web/app/[locale]/blog/page.tsx:100
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — turbo/apps/web/app/[locale]/docs/[...slug]/page.tsx:169
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — turbo/apps/web/app/[locale]/docs/page.tsx:103
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — turbo/apps/web/app/[locale]/security/page.tsx:78
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — turbo/apps/web/app/components/AvatarCustomizer.tsx:219
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — turbo/apps/web/app/layout.tsx:168
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer frontend frontend-quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — turbo/packages/ui/src/components/ui/table.tsx:12
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
frontend-qualityfq.dangerous-html
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — e2e/playwright/lib/clerk-api.ts:23
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/custom-eslint/rules/signal-check-await.ts:16
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/lib/slack-client.ts:51
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/external/clerk-membership-requests.ts:32
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/external/slack-file-fetcher.ts:49
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/external/telegram-client.ts:97
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/routes/audio-transcriptions-v1.ts:305
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/routes/internal-event-consumers-agentphone-typing.ts:52
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/routes/zero-integrations-github-download-file.ts:155
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/routes/zero-integrations-phone-download-file.ts:65
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/routes/zero-integrations-telegram.ts:282
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/routes/zero-voice-io-stt.ts:111
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/routes/zero-voice-io-tts.ts:58
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/agent-run-callback.service.ts:143
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/agent-run-callbacks.service.ts:81
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/agent-webhook-events.service.ts:131
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/github-app.service.ts:77
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/google-drive-artifact-sync.service.ts:147
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/run-summary.service.ts:37
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/zero-chat-title.service.ts:68
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/zero-email-common.service.ts:882
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/zero-image-io-generate.service.ts:1384
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/zero-maps.service.ts:162
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/zero-schedules.service.ts:169
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/api/src/signals/services/zero-video-io-generate.service.ts:1175
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/commands/artifact/pull.ts:68
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/commands/volume/pull.ts:61
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/commands/zero/github/upload-file.ts:105
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/commands/zero/phone/upload-file.ts:86
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/commands/zero/slack/upload-file.ts:60
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/commands/zero/telegram/upload-file.ts:106
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/lib/api/auth.ts:35
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/lib/api/domains/web.ts:541
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/lib/api/domains/zero-host.ts:55
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/lib/api/domains/zero-maps.ts:74
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/lib/host/publish-static-site.ts:68
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/cli/src/lib/storage/clone-utils.ts:80
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/desktop/scripts/computer-use-eval.ts:394
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/desktop/src/desktop-auth-session.ts:112
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/desktop/src/desktop-computer-use-api.ts:29
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/desktop/src/main.ts:161
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/host-worker/src/index.ts:210
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/custom-eslint/__tests__/no-mockapi-raw-async.test.ts:46
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/custom-eslint/__tests__/require-accept.test.ts:62
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/custom-eslint/__tests__/signal-check-await.test.ts:16
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/custom-eslint/rules/signal-check-await.ts:16
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/public/mockServiceWorker.js:238
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/public/sw.js:67
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/src/lib/push-notifications.ts:123
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/src/mocks/__tests__/example.test.ts:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/src/mocks/__tests__/msw-contract.test.ts:25
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/src/signals/fetch.ts:163
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/src/signals/zero-page/__tests__/zero-schedule.test.ts:158
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/platform/src/signals/zero-page/chat-draft.ts:168
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/web/__tests__/api-backend-rewrite-proxy.test.ts:3167
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/web/app/[locale]/rankings/page.tsx:179
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/web/app/[locale]/use-cases/[slug]/opengraph-image.tsx:62
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/web/app/cli-auth/page.tsx:39
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/web/app/components/AvatarCustomizer.tsx:125
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/web/app/desktop-auth/callback/DesktopAuthCallbackClient.tsx:45
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/web/app/desktop-auth/consume/DesktopAuthConsumeClient.tsx:21
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/apps/web/app/export/page.tsx:329
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/google.ts:68
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/microsoft.ts:72
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/ahrefs.ts:61
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/airtable.ts:102
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/asana.ts:57
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/base44.ts:110
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/canva.ts:104
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/close.ts:56
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/codex-oauth.ts:78
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/deel.ts:104
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/docusign.ts:105
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/dropbox.ts:64
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/figma.ts:65
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/garmin-connect.ts:101
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/github.ts:54
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/gmail.ts:47
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/gumroad.ts:54
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/hubspot.ts:59
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/intervals-icu.ts:50
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/linear.ts:65
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/mailchimp.ts:52
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/mercury.ts:61
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/meta-ads.ts:58
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/monday.ts:61
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/neon.ts:62
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/notion.ts:66
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/posthog.ts:60
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/reddit.ts:66
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/sentry.ts:59
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/slack.ts:51
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/slock.ts:254
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/spotify.ts:65
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/strava.ts:62
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/stripe.ts:60
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/supabase.ts:104
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/test-oauth-device.ts:63
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/test-oauth.ts:174
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/todoist.ts:52
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/vercel.ts:47
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/webflow.ts:49
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/x.ts:104
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/xero.ts:62
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/connectors/src/auth-providers/oauth/providers/zoom.ts:67
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/firewalls-generator/src/codegen.ts:310
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/firewalls-generator/src/google.ts:282
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/firewalls-generator/src/update-specs.ts:246
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — turbo/packages/firewalls-generator/src/xero.ts:34
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: docker/toolchain/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
securitycontainer
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@cargo-llvm-cov can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/crates.yml:275 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
codecov/codecov-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/crates.yml:284 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:100 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:215 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:240 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:263 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:300 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
dopplerhq/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:328 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:378 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:394 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:431 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
dopplerhq/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:458 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:512 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:528 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:614 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:662 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:678 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
bobheadxi/deployments@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:763 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:774 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
bobheadxi/deployments@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:809 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:831 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-please.yml:847 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/rollback-runner.yml:85 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/rollback-runner.yml:199 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
slackapi/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/rollback-runner.yml:215 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-toolchain-publish.yml:40 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-toolchain-publish.yml:43 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-toolchain-publish.yml:51 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-toolchain-publish.yml:66 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-toolchain-publish.yml:81 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-toolchain-publish.yml:127 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-toolchain-publish.yml:130 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-toolchain.yml:36 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v7 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-toolchain.yml:41 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/upload-sarif@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/security.yml:111 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/init@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/security.yml:127 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
github/codeql-action/analyze@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/security.yml:135 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
codecov/codecov-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/turbo.yml:449 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
codecov/codecov-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/turbo.yml:456 supply-chaingithub-actionspinned-dependencies
medium 9-layer cicd supply-chain conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
codecov/codecov-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/turbo.yml:594 supply-chaingithub-actionspinned-dependencies

Showing first 300 of 688. Refine filters or use the legacy findings page for deep search.

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/c5e1fbe1-170b-4f36-b3c5-d92f53e41551/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/c5e1fbe1-170b-4f36-b3c5-d92f53e41551/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.