forcedotcom/salesforcedx-vscode

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

59 of your 116 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Upstream (GitHub) caused delay on this scan — not Repobility.

GitHub API rate-limited (HTTP 403) — preflight skipped, fell back to direct git clone.
Clone from GitHub took 104.04s for a 88.9 MB repo slow.
Repobility's analysis ran in 14.23s after the clone landed.

https://github.com/forcedotcom/salesforcedx-vscode · scanned 2026-06-05 21:57 UTC (1 week, 2 days ago) · 10 languages

1185 raw signals (101 security + 1084 graph) 11/13 scanners ran 93rd percentile · Typescript · large (100-500K LoC) System graph score 56 (higher by 30)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 2 days ago · v2 · 346 actionable findings from 2 signal sources. 297 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

100.0% cov · 308 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	60.0	0.15	9.00
`security_score`	100.0	0.25	25.00
`testing_score`	95.0	0.20	19.00
`documentation_score`	89.0	0.15	13.35
`practices_score`	76.0	0.15	11.40
`code_quality`	80.0	0.10	8.00
Overall		1.00	85.8

security_score may be inflated — optional security scanners were skipped on this fast scan

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 1 High 18 Medium 7 Low 190 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 38 System graph 308 Crowd 0 Layer: Security 5 Quality 101 Software 64 Cicd 6 Frontend 167 Api 3

Exclude dismissed / FP Exclude test files

Bug-class explainers. Each card groups findings of the same shape — these are the patterns most likely to ship to prod and reappear in future scans unless you systematically fix the cause, not just the instance.

Commented-out code 43 findings

What it is: Lines of source that were intentionally disabled but never deleted.

Why it matters: Git already remembers history — commented code rots, becomes wrong, and adds noise to diffs.

How AI causes it: AI sometimes comments out broken code instead of fixing it. Reviewers approve out of inertia.

Fix approach: Delete. Trust `git log`. If you really need to remember, save it in a notes file under `docs/`.

12 matching findings on this repo

info Commented-code block (10 lines) in config/jest.base.config.js:20
info Commented-code block (5 lines) in scripts/xsd/jsonToXsdConverter.ts:17
info Commented-code block (6 lines) in packages/salesforcedx-vscode-metadata/test/je…
info Commented-code block (5 lines) in packages/salesforcedx-vscode-services/src/cor…
info Commented-code block (5 lines) in packages/salesforcedx-vscode-org-browser/src/…
info Commented-code block (6 lines) in packages/salesforcedx-vscode-lightning/src/re…
info Commented-code block (6 lines) in packages/salesforcedx-vscode-lightning/src/re…
info Commented-code block (5 lines) in packages/salesforcedx-vscode-lightning/src/re…
info Commented-code block (7 lines) in packages/salesforcedx-vscode-lightning/src/re…
info Commented-code block (5 lines) in packages/salesforcedx-vscode-lightning/src/re…
info Commented-code block (5 lines) in packages/salesforcedx-vscode-lightning/src/re…
info Commented-code block (5 lines) in packages/salesforcedx-vscode-lightning/src/re…

View all commented-out code findings →

Config drift 16 findings

What it is: Settings duplicated across env files, Docker compose, K8s, and code defaults, all with slightly different values.

Why it matters: Production behaviour depends on whichever copy your loader reads first. Subtle bugs in staging that don't reproduce in dev.

How AI causes it: AI writes new config from memory rather than reading the existing source.

Fix approach: Pick one source of truth (env vars + a settings module). Have every other place import from there. Lint for duplicates in CI.

12 matching findings on this repo

high [SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers c… packages/salesforcedx-vscode-apex-oas/src/command…:65
low File has no detected symbols: jest.config.js
low File has no detected symbols: config/jest.integration.config.js
low File has no detected symbols: config/jest.base.config.js
low File has no detected symbols: config/__mocks__/o11y_schema_sf_pdp.js
low File has no detected symbols: test-workspaces/standard-workspace/rollup.config.…
low File has no detected symbols: packages/salesforcedx-vscode-apex-oas/jest.config…
low File has no detected symbols: packages/salesforcedx-vscode-core/jest.config.js
low File has no detected symbols: packages/salesforcedx-vscode-core/test/playwright…
low File has no detected symbols: packages/salesforcedx-vscode-core/test/playwright…
low File has no detected symbols: packages/salesforcedx-vscode-core/test/jest/util/…
low Stray `console.log` in TS/JS — packages/salesforcedx-vscode-core/src/util/cliCo…

View all config drift findings →

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/cb3b4ab7-4174-4cf8-8837-b27373a55781/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/cb3b4ab7-4174-4cf8-8837-b27373a55781/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.