Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
6 of your 91 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.44s · analysis 3.52s · 0.1 MB · GitHub preflight 451ms

bitcoinfuzz/bitcoinfuzz

https://github.com/bitcoinfuzz/bitcoinfuzz · scanned 2026-06-05 19:38 UTC (4 days, 14 hours ago) · 10 languages

171 raw signals (87 security + 84 graph) 20th percentile · Cpp · tiny (<2K LoC) System graph score 90 (lower by 44)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 4 days, 14 hours ago · v2 · 100 actionable findings from 2 signal sources. 29 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
70.8
/100
Security checks
52
84 findings
System graph
90
100.0% cov · 16 findings
Critical
1
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 55.0 0.15 8.25
security_score 55.0 0.25 13.75
testing_score 0.0 0.20 0.00
documentation_score 40.0 0.15 6.00
practices_score 67.0 0.15 10.05
code_quality 80.0 0.10 8.00
Overall 1.00 46.0
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 1 High 77 Medium 7 Low 7 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 84 System graph 16 Crowd 0 Layer: Software 83 Quality 8 Cicd 2 Api 1 Hardware 3 Frontend 1 Security 2
Scan summary Quality grade D+ (46/100). Dimensions: security 55, maintainability 55. 87 findings (83 security). 1,009 lines analyzed.

Showing 92 of 100 actionable findings. 129 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks software dependencies conf 0.88 golang.org/x/crypto: GHSA-v778-237x-gjrc
Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2025-3487
Potential denial of service in golang.org/x/crypto
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2025-4116
Potential denial of service in golang.org/x/crypto/ssh/agent
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2025-4134
Unbounded memory consumption in golang.org/x/crypto/ssh
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2025-4135
Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5005
Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5006
Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5013
Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5014
Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5015
Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5016
Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5017
Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5018
Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5019
Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5020
Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5021
Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5023
Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/crypto: GO-2026-5033
Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/sys: GO-2026-5024
Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-2598
Verify panics on certificates with an unknown public key algorithm in crypto/x509
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-2599
Memory exhaustion in multipart form parsing in net/textproto and net/http
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-2600
Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-2609
Comments in display names are incorrectly handled in net/mail
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-2610
Errors returned from JSON marshaling may break template escaping in html/template
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-2687
HTTP/2 CONTINUATION flood in net/http
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-2887
Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-2888
Mishandling of corrupt central directory record in archive/zip
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-2963
Denial of service due to improper 100-continue handling in net/http
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-3105
Stack exhaustion in all Parse functions in go/parser
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-3106
Stack exhaustion in Decoder.Decode in encoding/gob
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2024-3107
Stack exhaustion in Parse in go/build/constraint
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3373
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3420
Sensitive headers incorrectly sent after cross-domain redirect in net/http
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3447
Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3503
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3563
Request smuggling due to acceptance of invalid chunked data in net/http
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3750
Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3751
Sensitive headers not cleared on cross-origin redirect in net/http
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3849
Incorrect results returned from Rows.Scan in database/sql
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3956
Unexpected paths returned from LookPath in os/exec
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4006
Excessive CPU consumption in ParseAddress in net/mail
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4007
Quadratic complexity when checking name constraints in crypto/x509
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4008
ALPN negotiation error contains attacker controlled information in crypto/tls
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4009
Quadratic complexity when parsing some invalid inputs in encoding/pem
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4010
Insufficient validation of bracketed IPv6 hostnames in net/url
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4011
Parsing DER payload can cause memory exhaustion in encoding/asn1
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4012
Lack of limit when parsing cookies can cause memory exhaustion in net/http
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4013
Panic when validating certificates with DSA public keys in crypto/x509
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4014
Unbounded allocation when parsing GNU sparse map in archive/tar
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4015
Excessive CPU consumption in Reader.ReadResponse in net/textproto
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4155
Excessive resource consumption when printing error string for host certificate validation in crypto/x509
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4175
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4337
Unexpected session resumption in crypto/tls
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in crypto/tls
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4403
Improper access to parent directory of root in os
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4601
Incorrect parsing of IPv6 host literals in net/url
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4602
FileInfo can escape from a Root in os
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4603
URLs in meta content attribute actions are not escaped in html/template
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4864
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4869
Unbounded allocation for old GNU sparse in archive/tar
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4946
Inefficient policy validation in crypto/x509
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4947
Unexpected work during chain building in crypto/x509
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4971
Panic in Dial and LookupPort when handling NUL byte on Windows in net
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4976
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4977
Quadratic string concatenation in consumePhrase in net/mail
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4980
Escaper bypass leads to XSS in html/template
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4981
Crash when handling long CNAME response in net
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4982
Bypass of meta content URL escaping causes XSS in html/template
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4986
Quadratic string concatentation in consumeComment in net/mail
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5037
Inefficient candidate hostname parsing in crypto/x509
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5038
Quadratic complexity in WordDecoder.DecodeHeader in mime
btcd_lib/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5039
Arbitrary inputs are included in errors without any escaping in net/textproto
btcd_lib/go.mod
high Security checks software dependencies conf 0.90 GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)
`uses: actions/checkout@v4` is 2 major version(s) behind the latest published release v6.0.3. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises — and which Repobility had no coverage for.
.github/workflows/workflow.yml:16
medium Security checks software dependencies conf 0.88 miniscript: GHSA-rv9v-r4vm-gj8x
Miniscript allows stack consumption
rust_bitcoin_lib/Cargo.lock
medium System graph hardware Security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/rust-toolchain@nightly can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
3 files, 4 locations
.github/workflows/workflow.yml:21, 32 (2 hits)
.github/workflows/commit-by-commit-build.yml:84
.github/workflows/format-check.yml:20
CI/CD securitySupply chainGitHub Actions
medium System graph security security conf 1.00 Insecure pattern 'subprocess_shell_true' in auto_build.py:31
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
auto_build.py:31 Subprocess shell true
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — auto_build.py:28
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safetyRobustness
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 18 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks quality Documentation No LICENSE file
Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft).
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: ubuntu:24.04
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:2 containersPinned dependencies
low System graph cicd CI/CD security conf 1.00 27 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
5 files, 27 locations
.github/workflows/workflow.yml:16, 20, 25, 26, 35, 40, 46, 68, +3 more (11 hits)
.github/workflows/commit-by-commit-build.yml:17, 59, 78, 87, 92, 98, 103 (7 hits)
.github/workflows/format-check.yml:17, 25, 30, 36, 41 (5 hits)
.github/workflows/docker-image-check.yml:16, 34 (2 hits)
.github/workflows/test.yml:20, 30 (2 hits)
CI/CD securitySupply chainGitHub Actions
low System graph software Dead code conf 1.00 Possibly dead Python function: block_parse
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
modules/pybitcoinkernel/pybitcoinkernel_lib.py:19
low System graph software Dead code conf 1.00 Possibly dead Python function: run_sequential
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
auto_build.py:170
low System graph software Dead code conf 1.00 Possibly dead Python function: transaction_parse
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
modules/pybitcoinkernel/pybitcoinkernel_lib.py:4
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/cc090b01-6f75-4ad6-b310-6b73a5390cb5/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/cc090b01-6f75-4ad6-b310-6b73a5390cb5/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.