Upstream (GitHub) caused delay on this scan — not Repobility.
  • GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
  • Clone from GitHub was slow: 51.7s for a 170.5 MB repo.
  • Repobility's analysis ran in 55.0s after the clone landed.

home-assistant/core

https://github.com/home-assistant/core · scanned 2026-05-21 18:15 UTC (2 weeks ago) · 10 languages

2255 findings (179 legacy + 2076 scanner) · 11/13 scanners ran · 100th percentile · Python · huge (>500K LoC) · Scanner says 70 (higher by 19)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 weeks ago · v2 · 1217 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown — 2026-05-18-v5

| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 60.0 | 0.15 | 9.00 |
| security_score | 100.0 | 0.25 | 25.00 |
| testing_score | 100.0 | 0.20 | 20.00 |
| documentation_score | 100.0 | 0.15 | 15.00 |
| practices_score | 94.0 | 0.15 | 14.10 |
| code_quality | 66.0 | 0.10 | 6.60 |
| Overall | | 1.00 | 89.7 |

security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests
Scan summary: Repository scanned at 70.3/100 with 100.0% coverage. It contains 2174 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 1038 findings, concentrated in quality (887), security (119), network (17). Risk profile is high: 47 critical, 13 high, 99 medium. Recommended next step: open the quality layer findings first, since that is where the highest-impact wins live.

Showing 947 of 1217 findings.

high Legacy quality quality conf 1.00 ✓ Repobility [MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.
Add `import platform` at the top of the file.
pylint/plugins/pylint_home_assistant/helpers/module_info.py:71 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.
Add `import platform` at the top of the file.
homeassistant/const.py:29 quality legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yaml:1598 dependency legacy
critical Legacy software dependency conf 0.90 ✓ Repobility [MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context).
Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed.
.github/workflows/ci.yaml:1428 dependency legacy
low Legacy security credential_exposure conf 0.90 [SEC002] Hardcoded API Key: Hardcoded API key found in source code.
Use environment variables. Add the pattern to .gitignore.
homeassistant/components/aladdin_connect/api.py:11 credential_exposure legacy
critical Legacy security auth conf 1.00 [SEC099] JWT decoded without signature verification: JWT token is parsed without verifying its signature. The token body can be tampered with arbitrarily by an attacker.
Use jwt.decode(token, key, algorithms=[...]) without options={'verify_signature': False}. If you genuinely need to peek without verifying (rare — e.g. logging the kid before fetching the key), use jwt.get_unverified_header() instead and clearly comment.
homeassistant/components/august/config_flow.py:38 auth legacy
critical Legacy security auth conf 1.00 [SEC099] JWT decoded without signature verification: JWT token is parsed without verifying its signature. The token body can be tampered with arbitrarily by an attacker.
Use jwt.decode(token, key, algorithms=[...]) without options={'verify_signature': False}. If you genuinely need to peek without verifying (rare — e.g. logging the kid before fetching the key), use jwt.get_unverified_header() instead and clearly comment.
homeassistant/components/aladdin_connect/config_flow.py:58 auth legacy
critical 9-layer security owasp conf 1.00 Insecure pattern 'private_key_in_repo' in homeassistant/components/mqtt/config_flow.py:5084
Found a known-risky pattern (private_key_in_repo). Review and replace if possible.
homeassistant/components/mqtt/config_flow.py:5084 owasp private_key_in_repo
critical 9-layer security owasp conf 1.00 Insecure pattern 'private_key_in_repo' in homeassistant/components/weatherkit/config_flow.py:116
Found a known-risky pattern (private_key_in_repo). Review and replace if possible.
homeassistant/components/weatherkit/config_flow.py:116 owasp private_key_in_repo
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/actiontec/device_tracker.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/actiontec/device_tracker.py:88 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/aladdin_connect/api.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
homeassistant/components/aladdin_connect/api.py:11 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/alexa/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/alexa/const.py:44 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/api/__init__.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/api/__init__.py:62 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/aquostv/media_player.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/aquostv/media_player.py:34 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/aruba/device_tracker.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/aruba/device_tracker.py:94 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/aruba/device_tracker.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/aruba/device_tracker.py:112 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/elkm1/config_flow.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/elkm1/config_flow.py:342 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/elmax/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/elmax/const.py:7 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/enigma2/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/enigma2/const.py:15 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/fyta/config_flow.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/fyta/config_flow.py:65 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/growatt_server/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/growatt_server/const.py:15 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/growatt_server/number.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
homeassistant/components/growatt_server/number.py:61 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/growatt_server/number.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
homeassistant/components/growatt_server/number.py:71 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/growatt_server/number.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
homeassistant/components/growatt_server/number.py:81 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/hassio/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/hassio/const.py:59 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/heos/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/heos/const.py:3 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/icloud/config_flow.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/icloud/config_flow.py:128 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/icloud/config_flow.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/icloud/config_flow.py:309 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/input_text/__init__.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/input_text/__init__.py:40 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/insteon/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/insteon/const.py:60 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/mqtt/config_flow.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/mqtt/config_flow.py:441 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/nfandroidtv/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/nfandroidtv/const.py:28 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/nfandroidtv/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/nfandroidtv/const.py:34 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/onvif/config_flow.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/onvif/config_flow.py:369 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/pi_hole/__init__.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/pi_hole/__init__.py:149 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/pi_hole/__init__.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/pi_hole/__init__.py:181 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/pushsafer/notify.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/pushsafer/notify.py:53 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/rainmachine/config_flow.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/rainmachine/config_flow.py:159 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/ridwell/strings.json
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/ridwell/strings.json:24 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/sigfox/sensor.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/sigfox/sensor.py:28 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/slack/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/slack/const.py:8 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/solarlog/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/solarlog/const.py:8 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/switchbot/services.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/switchbot/services.py:14 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/switchbot/services.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/switchbot/services.py:16 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/telegram_bot/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/telegram_bot/const.py:114 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/text/__init__.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/text/__init__.py:96 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/thomson/device_tracker.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/thomson/device_tracker.py:100 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/unifi/hub/hub.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/unifi/hub/hub.py:143 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/watttime/strings.json
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/watttime/strings.json:38 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/xeoma/camera.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/xeoma/camera.py:24 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/xiaomi_miio/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/xiaomi_miio/const.py:23 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/xthings_cloud/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/xthings_cloud/const.py:13 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/components/zwave_js/const.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/components/zwave_js/const.py:134 secrets
critical 9-layer security secrets conf 1.00 Possible secret in homeassistant/helpers/selector.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
homeassistant/helpers/selector.py:2040 secrets
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
homeassistant/components/datadog/__init__.py:78 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
homeassistant/components/backup/http.py:54 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
homeassistant/components/arcam_fmj/__init__.py:76 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
homeassistant/components/ecovacs/controller.py:16 quality legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
homeassistant/components/ecovacs/config_flow.py:14 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.
Review and fix per the pattern semantics. See CWE-78 / for context.
homeassistant/components/command_line/notify.py:55 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._async_dispatch` used but never assigned in __init__: Method `_async_watch` of class `_WatchPendingSetups` reads `self._async_dispatch`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._async_dispatch = <default>` in __init__, or add a class-level default.
homeassistant/bootstrap.py:1017 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._async_dispatch` used but never assigned in __init__: Method `async_stop` of class `_WatchPendingSetups` reads `self._async_dispatch`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._async_dispatch = <default>` in __init__, or add a class-level default.
homeassistant/bootstrap.py:1052 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._async_flow_handler_to_flow_result` used but never assigned in __init__: Method `async_get` of class `FlowManager` reads `self._async_flow_handler_to_flow_result`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._async_flow_handler_to_flow_result = <default>` in __init__, or add a class-level default.
homeassistant/data_entry_flow.py:233 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._async_flow_handler_to_flow_result` used but never assigned in __init__: Method `async_progress_by_handler` of class `FlowManager` reads `self._async_flow_handler_to_flow_result`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._async_flow_handler_to_flow_result = <default>` in __init__, or add a class-level default.
homeassistant/data_entry_flow.py:254 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._async_flow_handler_to_flow_result` used but never assigned in __init__: Method `async_progress` of class `FlowManager` reads `self._async_flow_handler_to_flow_result`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._async_flow_handler_to_flow_result = <default>` in __init__, or add a class-level default.
homeassistant/data_entry_flow.py:238 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._async_process_integration` used but never assigned in __init__: Method `async_get_integration_with_requirements` of class `RequirementsManager` reads `self._async_process_integration`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._async_process_integration = <default>` in __init__, or add a class-level default.
homeassistant/requirements.py:166 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._async_process_requirements` used but never assigned in __init__: Method `async_process_requirements` of class `RequirementsManager` reads `self._async_process_requirements`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._async_process_requirements = <default>` in __init__, or add a class-level default.
homeassistant/requirements.py:306 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._async_schedule_next` used but never assigned in __init__: Method `_async_watch` of class `_WatchPendingSetups` reads `self._async_schedule_next`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._async_schedule_next = <default>` in __init__, or add a class-level default.
homeassistant/bootstrap.py:1030 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._async_schedule_next` used but never assigned in __init__: Method `async_start` of class `_WatchPendingSetups` reads `self._async_schedule_next`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._async_schedule_next = <default>` in __init__, or add a class-level default.
homeassistant/bootstrap.py:1048 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._async_watch` used but never assigned in __init__: Method `_async_schedule_next` of class `_WatchPendingSetups` reads `self._async_watch`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._async_watch = <default>` in __init__, or add a class-level default.
homeassistant/bootstrap.py:1043 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._find_missing_requirements` used but never assigned in __init__: Method `async_process_requirements` of class `RequirementsManager` reads `self._find_missing_requirements`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._find_missing_requirements = <default>` in __init__, or add a class-level default.
homeassistant/requirements.py:305 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._find_missing_requirements` used but never assigned in __init__: Method `async_process_requirements` of class `RequirementsManager` reads `self._find_missing_requirements`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._find_missing_requirements = <default>` in __init__, or add a class-level default.
homeassistant/requirements.py:299 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._indent` used but never assigned in __init__: Method `output` of class `ConditionErrorIndex` reads `self._indent`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._indent = <default>` in __init__, or add a class-level default.
homeassistant/exceptions.py:203 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._indent` used but never assigned in __init__: Method `output` of class `ConditionErrorIndex` reads `self._indent`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._indent = <default>` in __init__, or add a class-level default.
homeassistant/exceptions.py:199 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._indent` used but never assigned in __init__: Method `output` of class `ConditionErrorMessage` reads `self._indent`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._indent = <default>` in __init__, or add a class-level default.
homeassistant/exceptions.py:168 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._loop_factory` used but never assigned in __init__: Method `loop_name` of class `HassEventLoopPolicy` reads `self._loop_factory`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._loop_factory = <default>` in __init__, or add a class-level default.
homeassistant/runner.py:187 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._raise_for_failed_requirements` used but never assigned in __init__: Method `async_process_requirements` of class `RequirementsManager` reads `self._raise_for_failed_requirements`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._raise_for_failed_requirements = <default>` in __init__, or add a class-level default.
homeassistant/requirements.py:301 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.async_get_integration_with_requirements` used but never assigned in __init__: Method `_async_process_integration` of class `RequirementsManager` reads `self.async_get_integration_with_requirements`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.async_get_integration_with_requirements = <default>` in __init__, or add a class-level default.
homeassistant/requirements.py:236 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.async_process_requirements` used but never assigned in __init__: Method `_async_process_integration` of class `RequirementsManager` reads `self.async_process_requirements`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.async_process_requirements = <default>` in __init__, or add a class-level default.
homeassistant/requirements.py:189 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.output` used but never assigned in __init__: Method `__str__` of class `ConditionError` reads `self.output`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.output = <default>` in __init__, or add a class-level default.
homeassistant/exceptions.py:151 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.type` used but never assigned in __init__: Method `output` of class `ConditionErrorIndex` reads `self.type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.type = <default>` in __init__, or add a class-level default.
homeassistant/exceptions.py:203 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.type` used but never assigned in __init__: Method `output` of class `ConditionErrorIndex` reads `self.type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.type = <default>` in __init__, or add a class-level default.
homeassistant/exceptions.py:200 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.type` used but never assigned in __init__: Method `output` of class `ConditionErrorMessage` reads `self.type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.type = <default>` in __init__, or add a class-level default.
homeassistant/exceptions.py:168 quality legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `mcr.microsoft.com/vscode/devcontainers/base:debian` not pinned by digest: `FROM mcr.microsoft.com/vscode/devcontainers/base:debian` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM mcr.microsoft.com/vscode/devcontainers/base:debian@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
Dockerfile.dev:2 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `python:3.14.5-alpine` not pinned by digest: `FROM python:3.14.5-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM python:3.14.5-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
script/hassfest/docker/Dockerfile:5 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/adrienverge/yamllint.git` pinned to mutable rev `v1.38.0`: `.pre-commit-config.yaml` references `https://github.com/adrienverge/yamllint.git` at `rev: v1.38.0`. If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:39 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.15.13`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.15.13`. If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:2 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/cdce8p/python-typing-update` pinned to mutable rev `v0.6.0`: `.pre-commit-config.yaml` references `https://github.com/cdce8p/python-typing-update` at `rev: v0.6.0`. If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:51 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/codespell-project/codespell` pinned to mutable rev `v2.4.2`: `.pre-commit-config.yaml` references `https://github.com/codespell-project/codespell` at `rev: v2.4.2`. If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:10 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v6.0.0`. If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:27 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/rbubley/mirrors-prettier` pinned to mutable rev `v3.6.2`: `.pre-commit-config.yaml` references `https://github.com/rbubley/mirrors-prettier` at `rev: v3.6.2`. If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:43 dependency · legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED131] pre-commit hook `https://github.com/zizmorcore/zizmor-pre-commit` pinned to mutable rev `v1.24.1`: `.pre-commit-config.yaml` references `https://github.com/zizmorcore/zizmor-pre-commit` at `rev: v1.24.1`. If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed).
.pre-commit-config.yaml:20 dependency · legacy
high Legacy quality quality conf 1.00 [SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0).
Add `filter='data'` (Python ≥ 3.12) or manually validate member paths against `os.path.abspath`.
homeassistant/backup_restore.py:93 quality · legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
homeassistant/components/downloader/services.py:77 injection · legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
homeassistant/components/acer_projector/switch.py:121 injection · legacy
high Legacy cicd docker conf 0.92 Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
Dockerfile.dev:57 docker · legacy
high 9-layer quality integrity conf 1.00 Blocking `requests.get(...)` inside `async def download_file` — homeassistant/components/downloader/services.py:64
Sync I/O inside an async function blocks the event loop. While `requests.get(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_th…
homeassistant/components/downloader/services.py:64 integrity · sync-io-in-async · performance
high 9-layer quality integrity conf 1.00 Blocking `requests.get(...)` inside `async def upload_file_from_url` — homeassistant/components/xmpp/notify.py:274
Sync I/O inside an async function blocks the event loop. While `requests.get(...)` is running, *all* other coroutines on this loop are paused — silent throughput collapse under concurrency. Use the async equivalent (`httpx.AsyncClient`, `asyncio.sleep`, `aiofiles`) or wrap with `await asyncio.to_th…
homeassistant/components/xmpp/notify.py:274 integrity · sync-io-in-async · performance
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
home-assistant/actions/helpers/version@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/builder.yml:52 supply-chain · github-actions · pinned-dependencies
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
home-assistant/actions/helpers/verify-version@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/builder.yml:57 supply-chain · github-actions · pinned-dependencies
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
home-assistant/actions/helpers/git-init@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/builder.yml:300 supply-chain · github-actions · pinned-dependencies
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
home-assistant/actions/helpers/version-push@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/builder.yml:307 supply-chain · github-actions · pinned-dependencies
high 9-layer cicd supply-chain conf 1.00 GitHub Action tracks a moving branch
home-assistant/actions/helpers/version-push@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/builder.yml:317 supply-chain · github-actions · pinned-dependencies
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in homeassistant/components/python_script/__init__.py:287
Found a known-risky pattern (exec_used). Review and replace if possible.
homeassistant/components/python_script/__init__.py:287 owasp · exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'tls_verify_false' in homeassistant/components/august/config_flow.py:41
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
homeassistant/components/august/config_flow.py:41 owasp · tls_verify_false
high 9-layer security owasp conf 1.00 Insecure pattern 'tls_verify_false' in homeassistant/components/google_assistant/trait.py:2342
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
homeassistant/components/google_assistant/trait.py:2342 owasp · tls_verify_false
high 9-layer security owasp conf 1.00 Insecure pattern 'tls_verify_false' in homeassistant/components/huawei_lte/utils.py:39
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
homeassistant/components/huawei_lte/utils.py:39 owasp · tls_verify_false
high 9-layer security owasp conf 1.00 Insecure pattern 'tls_verify_false' in homeassistant/components/plex/server.py:167
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
homeassistant/components/plex/server.py:167 owasp · tls_verify_false
high 9-layer security owasp conf 1.00 Insecure pattern 'tls_verify_false' in homeassistant/components/yale/config_flow.py:39
Found a known-risky pattern (tls_verify_false). Review and replace if possible.
homeassistant/components/yale/config_flow.py:39 owasp · tls_verify_false
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
auth · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
homeassistant/requirements.py:243 quality · legacy
medium Legacy security injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
homeassistant/components/command_line/notify.py:55 injection · legacy
medium Legacy security path_traversal conf 1.00 [SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
homeassistant/backup_restore.py:93 path_traversal · legacy
medium Legacy security crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
homeassistant/components/elmax/common.py:20 crypto · legacy
medium Legacy security crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
homeassistant/components/august/config_flow.py:41 crypto · legacy
medium Legacy quality quality conf 1.00 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident.
Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly.
homeassistant/components/bond/entity.py:151 quality · legacy
medium Legacy quality quality conf 1.00 [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass.
Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files.
homeassistant/components/demo/update.py:36 quality · legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
script/hassfest/docker/Dockerfile:5 docker · legacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
Dockerfile:6 docker · legacy
medium 9-layer data analyzer-error conf 1.00 Analyzer timeout: data.databases
analyzer exceeded 60.0s wall-clock (thread mode — daemon abandoned). Bump REPOBILITY_ANALYZER_TIMEOUT_S if expected.
analyzer-error · timeout
medium 9-layer software analyzer-error conf 1.00 Analyzer timeout: software.tree
analyzer exceeded 60.0s wall-clock (thread mode — daemon abandoned). Bump REPOBILITY_ANALYZER_TIMEOUT_S if expected.
analyzer-error · timeout
medium 9-layer security auth conf 1.00 Django CBV `_BaseOnboardingStepView` lacks `LoginRequiredMixin` — homeassistant/components/onboarding/views.py:132
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/onboarding/views.py:132 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `AlexaIntentsView` lacks `LoginRequiredMixin` — homeassistant/components/alexa/intent.py:62
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/alexa/intent.py:62 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `AnalyticsOnboardingView` lacks `LoginRequiredMixin` — homeassistant/components/onboarding/views.py:344
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/onboarding/views.py:344 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `APIComponentsView` lacks `LoginRequiredMixin` — homeassistant/components/api/__init__.py:461
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/api/__init__.py:461 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `APIDomainServicesView` lacks `LoginRequiredMixin` — homeassistant/components/api/__init__.py:377
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/api/__init__.py:377 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `APIEntityStateView` lacks `LoginRequiredMixin` — homeassistant/components/api/__init__.py:236
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/api/__init__.py:236 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `APIEventListenersView` lacks `LoginRequiredMixin` — homeassistant/components/api/__init__.py:315
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/api/__init__.py:315 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `APIEventView` lacks `LoginRequiredMixin` — homeassistant/components/api/__init__.py:327
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/api/__init__.py:327 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `APIServicesView` lacks `LoginRequiredMixin` — homeassistant/components/api/__init__.py:365
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/api/__init__.py:365 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `APIStatesView` lacks `LoginRequiredMixin` — homeassistant/components/api/__init__.py:207
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/api/__init__.py:207 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `APITemplateView` lacks `LoginRequiredMixin` — homeassistant/components/api/__init__.py:479
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/api/__init__.py:479 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `BackupInfoView` lacks `LoginRequiredMixin` — homeassistant/components/backup/onboarding.py:66
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/backup/onboarding.py:66 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `CheckConfigView` lacks `LoginRequiredMixin` — homeassistant/components/config/core.py:26
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/config/core.py:26 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `ClearCompletedItemsView` lacks `LoginRequiredMixin` — homeassistant/components/shopping_list/__init__.py:261
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/shopping_list/__init__.py:261 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `CloudResendConfirmView` lacks `LoginRequiredMixin` — homeassistant/components/cloud/http_api.py:389
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/cloud/http_api.py:389 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `ConfigManagerAvailableFlowView` lacks `LoginRequiredMixin` — homeassistant/components/config/config_entries.py:241
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/config/config_entries.py:241 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `ConfigManagerEntryResourceReloadView` lacks `LoginRequiredMixin` — homeassistant/components/config/config_entries.py:121
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/config/config_entries.py:121 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `ConfigManagerEntryResourceView` lacks `LoginRequiredMixin` — homeassistant/components/config/config_entries.py:100
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/config/config_entries.py:100 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `ConversationProcessView` lacks `LoginRequiredMixin` — homeassistant/components/conversation/http.py:240
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/conversation/http.py:240 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `CoreConfigOnboardingView` lacks `LoginRequiredMixin` — homeassistant/components/onboarding/views.py:225
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/onboarding/views.py:225 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `CreateShoppingListItemView` lacks `LoginRequiredMixin` — homeassistant/components/shopping_list/__init__.py:247
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/shopping_list/__init__.py:247 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `FileUploadView` lacks `LoginRequiredMixin` — homeassistant/components/file_upload/__init__.py:108
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/file_upload/__init__.py:108 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `FirmwareUploadView` lacks `LoginRequiredMixin` — homeassistant/components/zwave_js/api.py:2532
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/zwave_js/api.py:2532 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `FoursquarePushReceiver` lacks `LoginRequiredMixin` — homeassistant/components/foursquare/__init__.py:82
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/foursquare/__init__.py:82 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `GoogleActionsSyncView` lacks `LoginRequiredMixin` — homeassistant/components/cloud/http_api.py:226
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/cloud/http_api.py:226 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `GoogleAssistantView` lacks `LoginRequiredMixin` — homeassistant/components/google_assistant/http.py:368
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/google_assistant/http.py:368 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `HassIOAddonPanel` lacks `LoginRequiredMixin` — homeassistant/components/hassio/addon_panel.py:41
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/hassio/addon_panel.py:41 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `HassIOBaseAuth` lacks `LoginRequiredMixin` — homeassistant/components/hassio/auth.py:35
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/hassio/auth.py:35 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `HassIODiscovery` lacks `LoginRequiredMixin` — homeassistant/components/hassio/discovery.py:72
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/hassio/discovery.py:72 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `HTML5PushRegistrationView` lacks `LoginRequiredMixin` — homeassistant/components/html5/notify.py:205
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/html5/notify.py:205 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `HueAllGroupsStateView` lacks `LoginRequiredMixin` — homeassistant/components/emulated_hue/hue_api.py:175
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/emulated_hue/hue_api.py:175 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `HueGroupView` lacks `LoginRequiredMixin` — homeassistant/components/emulated_hue/hue_api.py:196
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/emulated_hue/hue_api.py:196 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `HueOneLightChangeView` lacks `LoginRequiredMixin` — homeassistant/components/emulated_hue/hue_api.py:343
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/emulated_hue/hue_api.py:343 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `HueOneLightStateView` lacks `LoginRequiredMixin` — homeassistant/components/emulated_hue/hue_api.py:300
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/emulated_hue/hue_api.py:300 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `HueUnauthorizedUser` lacks `LoginRequiredMixin` — homeassistant/components/emulated_hue/hue_api.py:137
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/emulated_hue/hue_api.py:137 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `HueUsernameView` lacks `LoginRequiredMixin` — homeassistant/components/emulated_hue/hue_api.py:150
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/emulated_hue/hue_api.py:150 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `ImageUploadView` lacks `LoginRequiredMixin` — homeassistant/components/image_upload/__init__.py:166
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/image_upload/__init__.py:166 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `IntegrationOnboardingView` lacks `LoginRequiredMixin` — homeassistant/components/onboarding/views.py:271
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/onboarding/views.py:271 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `IntentHandleView` lacks `LoginRequiredMixin` — homeassistant/components/intent/__init__.py:627
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/intent/__init__.py:627 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `iOSConfigView` lacks `LoginRequiredMixin` — homeassistant/components/ios/__init__.py:311
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/ios/__init__.py:311 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `iOSIdentifyDeviceView` lacks `LoginRequiredMixin` — homeassistant/components/ios/__init__.py:327
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/ios/__init__.py:327 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `iOSPushConfigView` lacks `LoginRequiredMixin` — homeassistant/components/ios/__init__.py:295
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/ios/__init__.py:295 auth · auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `LinkUserView` lacks `LoginRequiredMixin` — homeassistant/components/auth/__init__.py:408
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/auth/__init__.py:408 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `MerakiView` lacks `LoginRequiredMixin` — homeassistant/components/meraki/device_tracker.py:45
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/meraki/device_tracker.py:45 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `ModelContextProtocolMessagesView` lacks `LoginRequiredMixin` — homeassistant/components/mcp_server/http.py:201
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/mcp_server/http.py:201 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `ModelContextProtocolSSEView` lacks `LoginRequiredMixin` — homeassistant/components/mcp_server/http.py:152
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/mcp_server/http.py:152 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `ModelContextProtocolStreamableView` lacks `LoginRequiredMixin` — homeassistant/components/mcp_server/http.py:238
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/mcp_server/http.py:238 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `PushBotView` lacks `LoginRequiredMixin` — homeassistant/components/telegram_bot/webhooks.py:147
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/telegram_bot/webhooks.py:147 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `RegistrationsView` lacks `LoginRequiredMixin` — homeassistant/components/mobile_app/http_api.py:42
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/mobile_app/http_api.py:42 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `RepairsFlowResourceView` lacks `LoginRequiredMixin` — homeassistant/components/repairs/websocket_api.py:143
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/repairs/websocket_api.py:143 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `RestoreBackupView` lacks `LoginRequiredMixin` — homeassistant/components/backup/onboarding.py:85
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/backup/onboarding.py:85 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `RevokeTokenView` lacks `LoginRequiredMixin` — homeassistant/components/auth/__init__.py:205
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/auth/__init__.py:205 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `ShoppingListView` lacks `LoginRequiredMixin` — homeassistant/components/shopping_list/__init__.py:215
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/shopping_list/__init__.py:215 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `SpeechToTextView` lacks `LoginRequiredMixin` — homeassistant/components/stt/__init__.py:255
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/stt/__init__.py:255 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `TextToSpeechUrlView` lacks `LoginRequiredMixin` — homeassistant/components/tts/__init__.py:1212
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/tts/__init__.py:1212 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `TokenView` lacks `LoginRequiredMixin` — homeassistant/components/auth/__init__.py:234
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/auth/__init__.py:234 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `UpdateShoppingListItemView` lacks `LoginRequiredMixin` — homeassistant/components/shopping_list/__init__.py:227
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/shopping_list/__init__.py:227 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `UploadBackupView` lacks `LoginRequiredMixin` — homeassistant/components/backup/http.py:171
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/backup/http.py:171 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `UploadBackupView` lacks `LoginRequiredMixin` — homeassistant/components/backup/onboarding.py:130
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/backup/onboarding.py:130 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `UploadMediaView` lacks `LoginRequiredMixin` — homeassistant/components/media_source/local_source.py:335
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/media_source/local_source.py:335 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `UserOnboardingView` lacks `LoginRequiredMixin` — homeassistant/components/onboarding/views.py:160
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/onboarding/views.py:160 auth auth.django.unauth_view
medium 9-layer security auth conf 1.00 Django CBV `WaitIntegrationOnboardingView` lacks `LoginRequiredMixin` — homeassistant/components/onboarding/views.py:320
Class-based view defines mutating methods (post/put/delete) without inheriting `LoginRequiredMixin`. If auth is enforced via `dispatch()` override or middleware, dismiss this finding.
homeassistant/components/onboarding/views.py:320 auth auth.django.unauth_view
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: script/hassfest/docker/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security container
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/ci.yaml supply-chain github-actions least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/builder.yml supply-chain github-actions least-privilege
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in homeassistant/components/command_line/notify.py:60
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
homeassistant/components/command_line/notify.py:60 owasp subprocess_shell_true
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — homeassistant/components/seven_segments/image_processing.py:118
`subprocess.Popen(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/currencies.py:10
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/hassfest/manifest.py:432
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/hassfest/requirements.py:504
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/hassfest/serializer.py:76
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/install_integration_requirements.py:54
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/languages.py:13
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/microsoft_tts.py:13
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/scaffold/__main__.py:45
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/split_tests.py:169
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/translations/download.py:24
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/translations/upload.py:21
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — script/version_bump.py:194
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
integrity fragile-runtime robustness
medium 9-layer network security conf 1.00 Privileged port 10 in use
Port 10 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
homeassistant/components/hdmi_cec/services.yaml security ports
medium 9-layer network security conf 1.00 Privileged port 19 in use
Port 19 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
homeassistant/components/opentherm_gw/services.yaml security ports
medium 9-layer network security conf 1.00 Privileged port 20 in use
Port 20 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
homeassistant/components/google/services.yaml security ports
medium 9-layer network security conf 1.00 Privileged port 21 in use
Port 21 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
homeassistant/components/datetime/services.yaml security ports
medium 9-layer network security conf 1.00 Privileged port 256 in use
Port 256 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
Dockerfile security ports
medium 9-layer network security conf 1.00 Privileged port 30 in use
Port 30 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
homeassistant/components/todoist/services.yaml security ports
medium 9-layer network security conf 1.00 Privileged port 34 in use
Port 34 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
homeassistant/components/opentherm_gw/services.yaml security ports
medium 9-layer network security conf 1.00 Privileged port 35 in use
Port 35 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
homeassistant/components/datetime/services.yaml security ports
medium 9-layer network security conf 1.00 Privileged port 36 in use
Port 36 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
homeassistant/components/hdmi_cec/services.yaml security ports
medium 9-layer network security conf 1.00 Privileged port 675 in use
Port 675 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
Dockerfile security ports
low Legacy cicd docker conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore docker legacy
low Legacy software race_condition conf 1.00 [SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason.
Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`.
homeassistant/components/downloader/services.py:133 race_condition legacy
high Legacy cicd docker conf 0.72 Dockerfile keeps pip download cache
Use `pip install --no-cache-dir ...` in container builds.
Dockerfile.dev:50 docker legacy
high Legacy cicd docker conf 0.72 Dockerfile keeps pip download cache
Use `pip install --no-cache-dir ...` in container builds.
Dockerfile.dev:46 docker legacy
high Legacy cicd docker conf 0.72 Dockerfile keeps pip download cache
Use `pip install --no-cache-dir ...` in container builds.
Dockerfile:53 docker legacy
high Legacy cicd docker conf 0.72 Dockerfile keeps pip download cache
Use `pip install --no-cache-dir ...` in container builds.
Dockerfile:43 docker legacy
low Legacy quality quality conf 0.64 Duplicate top-level symbol appears in a patch-style file
Keep one authoritative implementation, update imports to point at it, and remove or rename the duplicate symbol.
homeassistant/components/zwave_js/triggers/value_updated.py:1 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/androidtv_remote/config_flow.py:258 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/amberelectric/services.py:43 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/altruist/sensor.py:5 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/airzone_cloud/water_heater.py:127 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/airzone_cloud/sensor.py:183 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/airzone_cloud/climate.py:36 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/airzone_cloud/binary_sensor.py:142 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/airthings_ble/sensor.py:91 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/airnow/config_flow.py:74 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/airly/config_flow.py:60 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/air_quality/trigger.py:2 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/components/acmeda/sensor.py:6 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/auth/providers/insecure_example.py:45 quality legacy
high Legacy quality quality conf 0.86 Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
homeassistant/auth/providers/homeassistant.py:322 quality legacy
low Legacy quality quality conf 0.68 Multiple AI-agent scaffold marker files are present
Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior.
.github/copilot-instructions.md:1 quality legacy
high Legacy quality quality conf 0.62 Source file name looks like an AI patch artifact
Rename it to the domain concept it implements or merge it into the existing module it was meant to change.
homeassistant/components/zwave_js/triggers/value_updated.py:1 quality legacy
low 9-layer quality maintenance conf 1.00 270 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coverage deployment
low 9-layer hardware supply-chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: python:3.14.5-alpine
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
script/hassfest/docker/Dockerfile:5 supply-chain docker pinned-dependencies
low 9-layer security owasp conf 1.00 Insecure pattern 'debug_true' in homeassistant/bootstrap.py:322
Found a known-risky pattern (debug_true). Review and replace if possible.
homeassistant/bootstrap.py:322 owasp debug_true
low 9-layer security owasp conf 1.00 Insecure pattern 'debug_true' in homeassistant/components/uhoo/config_flow.py:46
Found a known-risky pattern (debug_true). Review and replace if possible.
homeassistant/components/uhoo/config_flow.py:46 owasp debug_true
low 9-layer security owasp conf 1.00 Insecure pattern 'debug_true' in homeassistant/core_config.py:412
Found a known-risky pattern (debug_true). Review and replace if possible.
homeassistant/core_config.py:412 owasp debug_true
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_async_restore_network_backup` in homeassistant/components/zwave_js/config_flow.py:1103
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_backup_details_to_agent_backup` in homeassistant/components/hassio/backup.py:119
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_cv_zigpy_network_backup` in homeassistant/components/zha/websocket_api.py:281
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_get_write_api_mock_v1` in tests/components/influxdb/__init__.py:85
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_get_write_api_mock_v1` in tests/components/influxdb/test_config_flow.py:42
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_get_write_api_mock_v1` in tests/components/influxdb/test_init.py:27
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_migrate_alexa_entity_settings_v1` in homeassistant/components/cloud/alexa_config.py:204
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_setup_legacy` in tests/components/tomorrowio/test_weather.py:86
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_setup_list_folder_with_backup` in tests/components/dropbox/test_backup.py:77
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_supported_legacy` in homeassistant/components/cloud/google_config.py:102
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `actual_v1` in homeassistant/components/blue_current/sensor.py:25
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `actual_v1` in tests/components/blue_current/test_sensor.py:15
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `add_backup` in homeassistant/components/zha/repairs/network_settings_inconsistent.py:139
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `agent_backup` in tests/components/idrive_e2/conftest.py:26
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `aiohue_v1` in tests/components/hue/conftest.py:10
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `aiohue_v2` in tests/components/hue/test_init.py:5
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `aliases_v2` in homeassistant/helpers/entity_registry.py:395
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `aliases_v2` in tests/helpers/test_entity_registry.py:844
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `another_old` in tests/components/labs/test_init.py:120
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `apc_deprecated` in homeassistant/components/apcupsd/const.py:15
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `api_password_deprecated` in homeassistant/components/esphome/manager.py:164
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `api_password_deprecated` in tests/components/esphome/test_manager.py:716
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `assist_in_progress_deprecated` in homeassistant/components/voip/binary_sensor.py:70
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `assist_in_progress_deprecated` in homeassistant/components/voip/repairs.py:16
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `assist_in_progress_deprecated` in tests/components/voip/test_binary_sensor.py:115
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `assistant_v2` in homeassistant/backup_restore.py:21
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `assistant_v2` in homeassistant/components/backup/const.py:31
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `assistant_v2` in homeassistant/components/recorder/__init__.py:53
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `assistant_v2` in tests/components/recorder/test_websocket_api.py:3321
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `AsusWrtLegacy` in homeassistant/components/asuswrt/bridge.py:9
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `AsusWrtLegacy` in tests/components/asuswrt/conftest.py:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_attach_trigger_v1` in homeassistant/components/hue/device_trigger.py:13
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_check_create_deprecated` in homeassistant/components/ring/binary_sensor.py:28
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_check_create_deprecated` in homeassistant/components/ring/entity.py:102
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_check_create_deprecated` in homeassistant/components/ring/sensor.py:39
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_check_create_deprecated` in homeassistant/components/ring/siren.py:33
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_check_create_deprecated` in homeassistant/components/ring/switch.py:24
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_check_create_deprecated` in homeassistant/components/tplink/deprecate.py:32
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_check_create_deprecated` in homeassistant/components/tplink/entity.py:39
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_create_backup` in homeassistant/components/backup/services.py:14
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_create_backup` in homeassistant/components/hassio/addon_manager.py:236
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_create_backup` in homeassistant/components/zwave_js/__init__.py:1156
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_create_backup` in tests/components/backup/test_init.py:39
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_create_backup` in tests/components/hassio/test_update.py:166
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_create_backup` in tests/components/hassio/test_websocket_api.py:398
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_delete_backup` in homeassistant/components/sftp_storage/client.py:164
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/aws_s3/backup.py:113
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/azure_storage/backup.py:116
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/backblaze_b2/backup.py:204
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/backup/agent.py:42
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/cloud/backup.py:82
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/cloudflare_r2/backup.py:110
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/idrive_e2/backup.py:108
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/kitchen_sink/backup.py:76
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/onedrive/backup.py:132
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/onedrive_for_business/backup.py:132
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/sftp_storage/backup.py:63
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_download_backup` in homeassistant/components/webdav/backup.py:121
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_entry_is_legacy` in homeassistant/components/lifx/__init__.py:31
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity legacy-marker dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `async_entry_is_legacy` in homeassistant/components/lifx/config_flow.py:28
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

Showing first 300 of 947. Refine filters or use the legacy findings page for deep search.

API access

This page is publicly accessible at: https://repobility.com/scan/ca1385e6-ca8b-4803-a946-80232c7fd7cd/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/ca1385e6-ca8b-4803-a946-80232c7fd7cd/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.