home-assistant/frontend — Repobility public scan

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

Sign up free Scan another repo

Scan timing: clone 7.71s · analysis 34.6s · 24.2 MB · GitHub API rate-limit (preflight)

home-assistant/frontend

https://github.com/home-assistant/frontend · scanned 2026-05-21 18:12 UTC (2 weeks ago) · 10 languages

461 findings (103 legacy + 358 scanner) 10/13 scanners ran 22nd percentile · Typescript · huge (>500K LoC) Scanner says 70 (higher by 6)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 weeks ago · v2 · 282 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON

88.9% cov · 179 gaps

click to filter

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	85.0	0.15	12.75
`security_score`	100.0	0.25	25.00
`testing_score`	39.0	0.20	7.80
`documentation_score`	75.0	0.15	11.25
`practices_score`	76.0	0.15	11.40
`code_quality`	80.0	0.10	8.00
Overall		1.00	76.2

security_score may be inflated — optional security scanners were skipped on this fast scan

Severity distribution — click a segment to filter

Active filters: layer: security × excluding tests × Reset all

Severity: Critical 8 High 41 Medium 27 Low 159 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 103 9-layer 179 Crowd 0 Layer: Quality 140 Security 36 Cicd 6 Software 60 Api 1 Frontend 36 Hardware 3

Exclude dismissed / FP Exclude test files

Scan summary Repository scanned at 70.5/100 with 88.9% coverage. It contains 6788 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 179 findings — concentrated in quality (80), software (51), frontend (36). Risk profile is high: 2 critical, 1 high, 16 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 32 of 282 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Legacy security deserialization conf 1.00 [SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes — direct RCE on untrusted input. `unsafe_load` is even more dangerous.

Use `YAML.safe_load(input, permitted_classes: [Date])` — explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead.

build-scripts/gulp/gallery.js:50 deserializationlegacy

critical 9-layer security secrets conf 1.00 Possible secret in gallery/src/pages/components/ha-form.ts

Detected pattern matching password_literal. Rotate the credential and move to a secret manager.

gallery/src/pages/components/ha-form.ts:268 secrets

critical 9-layer security secrets conf 1.00 Possible secret in gallery/src/pages/components/ha-form.ts

Detected pattern matching password_literal. Rotate the credential and move to a secret manager.

gallery/src/pages/components/ha-form.ts:442 secrets

high Legacy security auth conf 0.78 Consent is collected in UI without visible backend audit persistence

Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state.

build-scripts/gulp/fetch-nightly-translations.js:78 authlegacy

high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in script/version_bump.js:78

Found a known-risky pattern (exec_used). Review and replace if possible.

script/version_bump.js:78 owaspexec_used

medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.

authlegacy

high Legacy security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.

authlegacy

high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /#external-app-configuration.

Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.

src/panels/config/ha-panel-config.ts:110 authlegacy

high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /#settings.

Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.

gallery/src/pages/components/ha-list.ts:320 authlegacy

high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /config/apps.

Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.

src/panels/config/ha-panel-config.ts:85 authlegacy

high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /config/apps/available.

Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.

src/data/quick_bar.ts:163 authlegacy

high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /config/areas.

Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.

src/panels/config/ha-panel-config.ts:77 authlegacy

high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /config/automation.

Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.

src/panels/config/ha-panel-config.ts:69 authlegacy

high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /config/integrations.

Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.

src/panels/config/ha-panel-config.ts:61 authlegacy

high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /config/lovelace/dashboards.

Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.

src/panels/config/ha-panel-config.ts:93 authlegacy

high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /config/voice-assistants.

Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.

src/panels/config/ha-panel-config.ts:101 authlegacy

high Legacy security auth conf 0.66 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /config/zha.

Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.

src/panels/config/ha-panel-config.ts:128 authlegacy

high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /climate.

Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.

src/panels/climate/ha-panel-climate.ts:152 authlegacy

high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /config/voice-assistants/assistants.

Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.

src/panels/config/voice-assistants/ha-config-voice-assistants.ts:15 authlegacy

high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /energy.

Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.

src/panels/energy/ha-panel-energy.ts:97 authlegacy

high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /home.

Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.

src/panels/home/ha-panel-home.ts:351 authlegacy

high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /lovelace.

Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.

src/fake_data/demo_panels.ts:9 authlegacy

high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /maintenance.

Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.

src/panels/maintenance/ha-panel-maintenance.ts:154 authlegacy

high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /profile/general.

Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.

src/panels/profile/ha-panel-profile.ts:13 authlegacy

low Legacy security deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.

Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.

build-scripts/gulp/gallery.js:50 deserializationlegacy

low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.

Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.

gallery/src/ha-gallery.ts:117 securitylegacy

low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.

Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.

demo/src/custom-cards/ha-demo-card.ts:57 securitylegacy

low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.

Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.

cast/src/launcher/layout/hc-layout.ts:32 securitylegacy

high Legacy security auth conf 0.82 Browser storage is used for session token material

Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens.

src/common/auth/token_storage.ts:67 authlegacy

high Legacy security auth conf 0.82 Browser storage is used for session token material

Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens.

src/common/auth/token_storage.ts:44 authlegacy

medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in src/resources/jinja_ha_completions.ts:1213

Found a known-risky pattern (weak_hash). Review and replace if possible.

src/resources/jinja_ha_completions.ts:1213 owaspweak_hash

low Legacy security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.

Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior.

authlegacy

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/c5fbe1f2-2dac-4c77-947a-f406588dcb31/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/c5fbe1f2-2dac-4c77-947a-f406588dcb31/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.