Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
34 of your 41 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

alexbelgium/hassio-addons

https://github.com/alexbelgium/hassio-addons · scanned 2026-06-05 19:33 UTC (4 days, 15 hours ago) · 10 languages

495 raw signals (39 security + 456 graph) 11/13 scanners ran 79th percentile · Python · tiny (<2K LoC) System graph score 66 (higher by 7)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 15 hours ago · v2 · 189 actionable findings from 2 signal sources. 78 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
67.0
/100
Security checks
68
14 findings
System graph
66
100.0% cov · 175 findings
Critical
8
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 30.0 0.15 4.50
security_score 100.0 0.25 25.00
testing_score 70.0 0.20 14.00
documentation_score 75.0 0.15 11.25
practices_score 72.0 0.15 10.80
code_quality 80.0 0.10 8.00
Overall 1.00 73.5
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 8 High 3 Medium 147 Low 19 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 14 System graph 175 Crowd 0 Layer: Quality 14 Software 3 Cicd 6 Api 1 Network 4 Hardware 151 Frontend 1 Security 9
Scan summary Quality grade B (74/100). Dimensions: security 100, maintainability 30. 39 findings (27 security). 315 lines analyzed.

Showing 177 of 189 actionable findings. 267 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical System graph security Secrets conf 1.00 Possible secret in birdnet-pi/rootfs/etc/cont-init.d/99-run.sh
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
birdnet-pi/rootfs/etc/cont-init.d/99-run.sh:24
critical System graph security Secrets conf 1.00 Possible secret in collabora/rootfs/etc/cont-init.d/99-run.sh
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
collabora/rootfs/etc/cont-init.d/99-run.sh:16
critical System graph security Secrets conf 1.00 3 occurrences Possible secret in immich/rootfs/etc/cont-init.d/99-run.sh
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 88, 91, 181
immich/rootfs/etc/cont-init.d/99-run.sh:88, 91, 181 (3 hits)
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in joplin/rootfs/etc/cont-init.d/99-run.sh
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 117, 136
joplin/rootfs/etc/cont-init.d/99-run.sh:117, 136 (2 hits)
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in photoprism/rootfs/etc/cont-init.d/99-run.sh
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 47, 149
photoprism/rootfs/etc/cont-init.d/99-run.sh:47, 149 (2 hits)
critical System graph security Secrets conf 1.00 Possible secret in photoprism/rootfs/run.sh
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
photoprism/rootfs/run.sh:61
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in postgres_15/rootfs/etc/cont-init.d/99-run.sh
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 155, 156
postgres_15/rootfs/etc/cont-init.d/99-run.sh:155, 156 (2 hits)
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in seafile/rootfs/etc/cont-init.d/99-run.sh
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 274, 275
seafile/rootfs/etc/cont-init.d/99-run.sh:274, 275 (2 hits)
high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences [MINED126] Workflow container/services image `ghcr.io/hadolint/hadolint:latest-alpine` unpinned: `container/services image: ghcr.io/hadolint/hadolint:latest-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `ghcr.io/hadolint/hadolint:latest-alpine@sha256:<digest>`. Re-pin via Dependabot Docker scope.
lines 13, 34
.github/workflows/archived_lint-checks.yaml:13, 34 (2 hits)
high Security checks cicd CI/CD security conf 0.90 ✓ Repobility 3 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `super-linter/super-linter/slim` pinned to mutable ref `@main`: `uses: super-linter/super-linter/slim@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. …
2 files, 3 locations
.github/workflows/lint.yml:52, 101 (2 hits)
.github/workflows/weekly_reduceimagesize.yml:21
CI/CD securitySupply chainGitHub Actions
high System graph cicd CI/CD security conf 1.00 3 occurrences GitHub Action tracks a moving branch
super-linter/super-linter/slim@main can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
2 files, 3 locations
.github/workflows/lint.yml:52, 101 (2 hits)
.github/workflows/weekly_reduceimagesize.yml:21
CI/CD securitySupply chainGithub actions
medium Security checks quality Practices conf 1.00 [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
Add a .gitignore appropriate for your language/framework.
low Security checks quality Error handling conf 0.55 ✓ Repobility Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
birdnet-pi/rootfs/helpers/birdnet_to_mqtt.py:102 Error handlingquality
low Security checks quality Error handling conf 0.55 ✓ Repobility Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
.github/generate_map.py:80 Error handlingquality
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: fireflyiii/core:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
fireflyiii/Dockerfile:19 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: flaresolverr/flaresolverr:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
flaresolverr/Dockerfile:18 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: ghcr.io/ente-io/server:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
ente/Dockerfile:55 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: ghcr.io/jokob-sk/netalertx:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
netalertx/Dockerfile:48 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: hkotel/mealie:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
mealie/Dockerfile:38 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: joplin/server:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
joplin/Dockerfile:18 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: m4dm4rtig4n/myelectricaldata:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
enedisgateway2mqtt/Dockerfile:18 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: nathanvaughn/webtrees:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
webtrees/Dockerfile:19 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: netbirdio/dashboard:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
netbird-server/Dockerfile:26 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: netbirdio/management:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
netbird-server/Dockerfile:23 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: netbirdio/relay:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
netbird-server/Dockerfile:25 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: netbirdio/signal:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
netbird-server/Dockerfile:24 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: ssenart/gazpar2mqtt:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
gazpar2mqtt/Dockerfile:19 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: tritruongtr/zoneminder:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
zoneminder/Dockerfile:20 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: troglobit/inadyn:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
inadyn/Dockerfile:16 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: wger/server:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
wger/Dockerfile:19 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: wiserain/flexget:latest
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
flexget/Dockerfile:19 containersPinned dependencies
medium System graph hardware Supply chain conf 1.00 Dockerfile ADD downloads remote content without checksum
Remote build inputs can change or be replaced upstream. Use Dockerfile ADD --checksum or download with an explicit digest/signature verification step.
portainer_agent/Dockerfile:32 containersChecksum
medium System graph hardware Security conf 1.00 Dockerfile runs as root: addons_updater/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: arpspoof/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: aurral/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: autobrr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: baikal/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: bazarr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: bentopdf/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: binance-trading-bot/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: birdnet-go/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: birdnet-pipy/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: bitwarden/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: booksonic_air/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: browser_brave/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: browser_chromium/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: browserless_chrome/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: calibre/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: calibre_web/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: changedetection.io/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: cleanuparr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: cloudcommander/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: codex/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: collabora/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: comixed/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: elasticsearch/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: emby/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: emby_beta/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: enedisgateway2mqtt/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: enedisgateway2mqtt_dev/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: ente/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: epicgamesfree/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: filebrowser/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: filebrowser_quantum/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: fireflyiii/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: fireflyiii_data_importer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: fireflyiii_fints_importer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: flaresolverr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: flexget/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: free_games_claimer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: gazpar2mqtt/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: gitea/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: grampsweb/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: grav/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: guacamole/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: immich/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: immich_cuda/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: immich_frame/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: immich_noml/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: immich_openvino/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: immich_power_tools/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: inadyn/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: jackett/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: jellyfin/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: joal/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: joplin/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: kometa/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: librespeed/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: lidarr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: linkwarden/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: maintainerr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: manyfold/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: mealie/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: monica/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: mylar3/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: navidrome/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: netbird-server/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: nextcloud/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: nginx_webserver_proxy/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: nzbget/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: omni-tools/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: openproject/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: organizr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: photoprism/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: piwigo/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: plex/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: portainer/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: portainer_agent/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: postgres_15/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: postgres_17/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: prowlarr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: qbittorrent/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: radarr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: readarr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: requestrr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: resiliosync/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: sabnzbd/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: scrutiny/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: scrutiny_fa/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: seafile/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: seerr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: signalk/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: social_to_mealie/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: sonarr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: sponsorblockcast/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: spotweb/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: tandoor_recipes/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: tdarr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: teamspeak/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: transmission/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: transmission_openvpn/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: ubooquity/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: unpackerr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: webtop/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: webtop_kde/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: wger/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: whatsapper/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: whoogle/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: xteve/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: zoneminder/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: zzz_archived_code-server/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: zzz_archived_jellyseerr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: zzz_archived_omada/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: zzz_archived_omada_v3/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: zzz_archived_ombi/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: zzz_archived_overseerr/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: zzz_archived_paperless_ngx/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: zzz_archived_papermerge/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: zzz_archived_plex_meta_manager/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: zzz_archived_tor/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 35 occurrences GitHub Action is tag-pinned rather than SHA-pinned
jitterbit/get-changed-files@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
10 files, 35 locations
.github/workflows/onpush_builder.yaml:90, 94, 113, 303, 382 (10 hits)
.github/workflows/onpr_check-pr.yaml:78, 97, 173, 176, 180, 194, 208, 222, +1 more (9 hits)
.github/workflows/weekly_crlftolf.yaml:18, 21, 34, 53 (4 hits)
.github/workflows/archived_lint-checks.yaml:20, 41, 63 (3 hits)
.github/workflows/lint.yml:145 (2 hits)
.github/workflows/weekly_reduceimagesize.yml:34 (2 hits)
.github/workflows/weekly_stats.yaml:112 (2 hits)
.github/workflows/daily_README.yaml:231
CI/CD securitySupply chainGitHub Actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/lint.yml CI/CD securitySupply chainGithub actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/onpush_builder.yaml CI/CD securitySupply chainGithub actions
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in webtrees/rootfs/etc/cont-init.d/99-run.sh:163
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
webtrees/rootfs/etc/cont-init.d/99-run.sh:163 Subprocess shell true
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — .github/generate_map.py:41
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph network Security conf 1.00 Privileged port 1000 in use
Port 1000 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
battybirdnet-pi/Dockerfile Ports
medium System graph network Security conf 1.00 Privileged port 11 in use
Port 11 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
portainer/Dockerfile Ports
medium System graph network Security conf 1.00 Privileged port 64 in use
Port 64 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
portainer/Dockerfile Ports
medium System graph network Security conf 1.00 Privileged port 81 in use
Port 81 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
nginx_webserver_proxy/config.yaml Ports
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 2 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
Coverage
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: "vaultwarden/server:latest"
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
bitwarden/Dockerfile:21 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: alpine:3.21
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
bentopdf/Dockerfile:6 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: alpine:3.22
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
maintainerr/Dockerfile:20 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: alpine:3.22
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
netalertx/Dockerfile:20 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: anthonyraymond/joal:$BUILD_UPSTREAM
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
joal/Dockerfile:20 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: elasticsearch:$BUILD_UPSTREAM
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
elasticsearch/Dockerfile:18 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ghcr.io/cleanuparr/cleanuparr:${BUILD_UPSTREAM}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
cleanuparr/Dockerfile:22 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ghcr.io/maintainerr/maintainerr:${BUILD_UPSTREAM}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
maintainerr/Dockerfile:49 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: m4dm4rtig4n/myelectricaldata:latest-dev
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
enedisgateway2mqtt_dev/Dockerfile:18 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:20-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
birdnet-pipy/Dockerfile:19 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:22
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
mealie/Dockerfile:18 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: node:24
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
ente/Dockerfile:9 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: openjdk:17-jdk-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
comixed/Dockerfile:20 containersPinned dependencies
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: portainer/agent:alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
portainer_agent/Dockerfile:21 containersPinned dependencies
low System graph cicd CI/CD security conf 1.00 34 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
12 files, 33 locations
.github/workflows/onpush_builder.yaml:25, 59, 111, 136, 334, 405 (8 hits)
.github/workflows/lint.yml:25, 85 (4 hits)
.github/workflows/onpr_check-pr.yaml:21, 75, 93, 102 (4 hits)
.github/workflows/archived_lint-checks.yaml:16, 37, 57 (3 hits)
.github/workflows/generate_stargazer_map.yml:12, 15 (3 hits)
.github/workflows/on_issues_ping_submitter.yml:17 (2 hits)
.github/workflows/weekly_crlftolf.yaml:15, 32 (2 hits)
.github/workflows/weekly_reduceimagesize.yml:17 (2 hits)
CI/CD securitySupply chainGitHub Actions
low System graph software Dead code conf 1.00 Possibly dead Python function: automatic_mqtt_publish
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
birdnet-pi/rootfs/helpers/birdnet_to_mqtt.py:59
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/c8a81978-840b-4407-a33e-14d56d62439c/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/c8a81978-840b-4407-a33e-14d56d62439c/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.