Findings marked ✓ Repobility (29 of the 113 raw findings) come from Repobility's proprietary detections.

Scan timing: clone 4.51s · analysis 16.06s · 21.7 MB · GitHub API rate-limit (preflight)

getlago/lago-api

https://github.com/getlago/lago-api · scanned 2026-06-05 12:59 UTC (5 days, 7 hours ago) · 10 languages

233 raw signals (105 security + 128 graph) 11/13 scanners ran


Complete repo analysis

Last scanned 5 days, 7 hours ago · v2 · 84 actionable findings from 2 signal sources. 85 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component            Sub-score   Weight   Contribution
structure_score           65.0     0.15           9.75
security_score           100.0     0.25          25.00
testing_score              0.0     0.20           0.00
documentation_score       75.0     0.15          11.25
practices_score           91.0     0.15          13.65
code_quality              80.0     0.10           8.00
Overall                             1.00           67.7
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filter: excluding tests.
Scan summary Quality grade B- (68/100). Dimensions: security 100, maintainability 65. 105 findings (56 security). 257,708 lines analyzed.

Showing 60 of 84 actionable findings. 169 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 3 occurrences [SEC096] Rails: SQL injection via where("#{...}") or find_by_sql: ActiveRecord where() / find_by_sql with string interpolation splices the value into the SQL text, so a value containing a quote changes the statement's structure (CWE-89). Concept from Brakeman's check_sql.
Use the parameterized form: `.where("name = ?", user_input)`, named placeholders `.where("name = :name", name: user_input)`, or a hash condition `.where(name: user_input)`; for find_by_sql pass the array form `find_by_sql(["... = ?", user_input])`. Placeholders bind values only: an interpolated column or table name cannot be parameterized and must be checked against an allowlist instead. The check cannot tell whether the interpolated value is user-controlled (a clock job, a model and a query object are flagged here), so review each site rather than assuming all three are exploitable.
3 files, 3 locations
app/jobs/clock/terminate_ended_subscriptions_job.rb:9
app/models/daily_usage.rb:15
app/queries/customers_query.rb:76
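To make the SEC096 finding concrete, here is an added example in plain Ruby; it is not lago-api code and uses no ActiveRecord. `quote_literal` and `bind_placeholders` are a minimal stand-in for what ActiveRecord's `sanitize_sql_array` does behind `where("name = ?", value)` and `where("name = :name", name: value)`; `customers_by_name_unsafe` is the flagged pattern and `customers_by_name_safe` its parameterized replacement. The `customers` table, the payload and the `skeleton` helper are constructed for the example.

```ruby
# Added example (not lago-api code): why `where("... #{x}")` is injectable and
# what the placeholder form does instead.

# Quote a Ruby value as a SQL literal: integers as-is, strings with every
# embedded single quote doubled, nil as NULL. This is the stand-in for the
# quoting ActiveRecord's connection adapter performs for bound values.
def quote_literal(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Bind `?` positional or `:name` named placeholders into a SQL fragment, the
# way `sanitize_sql_array` does. Values only ever become quoted literals, so
# attacker text can never change the statement's structure.
# (Stand-in limitation: `:name` matching here would also hit Postgres `::casts`;
# ActiveRecord handles that case, this toy does not.)
def bind_placeholders(fragment, *args)
  if args.length == 1 && args.first.is_a?(Hash)
    named = args.first
    fragment.gsub(/:(\w+)/) do
      key = Regexp.last_match(1).to_sym
      raise ArgumentError, "missing bind :#{key}" unless named.key?(key)
      quote_literal(named[key])
    end
  else
    values = args.dup
    out = fragment.gsub("?") do
      raise ArgumentError, "too few binds" if values.empty?
      quote_literal(values.shift)
    end
    raise ArgumentError, "too many binds" unless values.empty?
    out
  end
end

# VULNERABLE: the pattern SEC096 flags. The caller's string is spliced into
# the SQL text, so a quote inside it closes the literal early.
def customers_by_name_unsafe(name)
  "SELECT * FROM customers WHERE name = '#{name}'"
end

# FIXED: the equivalent of `Customer.where("name = ?", name)`.
def customers_by_name_safe(name)
  "SELECT * FROM customers WHERE " + bind_placeholders("name = ?", name)
end

# Replace every well-formed string literal with "?" so the statement's
# skeleton is visible; anything from the payload that survives outside a
# literal has become SQL syntax.
def skeleton(sql)
  sql.gsub(/'(?:[^']|'')*'/, "?")
end

if __FILE__ == $PROGRAM_NAME
  payload = "x' OR 1=1 --"   # constructed attacker input
  puts skeleton(customers_by_name_unsafe(payload))
  puts skeleton(customers_by_name_safe(payload))
end
```

In a Rails application you do not assemble the string yourself: `Customer.where("name = ?", name)` or, better, `Customer.where(name: name)` lets ActiveRecord do the binding. The skeleton of the unsafe query shows `OR 1=1 --` outside the literal; the safe query's skeleton is a single literal regardless of payload.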
critical System graph security Secrets conf 1.00 Possible secret in app/models/concerns/organizations/authentication_methods.rb
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
app/models/concerns/organizations/authentication_methods.rb:7
critical System graph security Secrets conf 1.00 Possible secret in config/i18n-tasks.yml
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
config/i18n-tasks.yml:110
critical System graph security Secrets conf 1.00 4 occurrences Possible secret in db/seeds/01_base.rb
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
db/seeds/01_base.rb:27, 30, 37, 45 (4 hits)
Triage note for the three secrets findings: these are pattern matches, not confirmed credentials. A concern named authentication_methods.rb, an i18n-tasks configuration file and a seed script are typical places for method names, translation keys and development placeholder passwords to trip password_literal and generic_api_key patterns. Confirm that each literal is a real credential before rotating; if it is, rotate first and then scrub git history, because removing it from HEAD alone leaves it recoverable.
high Security checks security auth conf 0.70 10 occurrences [AUC003] Object-level route lacks visible authorization: A route with an object-id-like parameter shows no nearby authentication or authorization evidence. These are BOLA/IDOR review targets.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object: resolve the record through the caller's organization (or equivalent scope) rather than by bare id, so that a foreign id returns the same 404 as a missing one.
10 endpoints, all in config/routes.rb:
config/routes.rb:202  ANY /adyen/:organization_id
config/routes.rb:199  ANY /cashfree/:organization_id
config/routes.rb:200  ANY /flutterwave/:organization_id
config/routes.rb:201  ANY /gocardless/:organization_id
config/routes.rb:203  ANY /moneyhash/:organization_id
config/routes.rb:216  ANY /invoices/:id
config/routes.rb:217  ANY /payment_receipts/:id
config/routes.rb:97   ANY /subscriptions/:external_id
config/routes.rb:182  ANY /wallets/:id
config/routes.rb:174  ANY /wallets/:id/wallet_transactions
Triage note: the five provider-named routes take :organization_id and look like inbound payment-provider webhook receivers. For those, the control to verify is validation of the provider's signature or token on the request, with :organization_id used only to select that organization's provider configuration; a route-level scan cannot see either. The :id and :external_id routes are the classic IDOR targets: confirm that every lookup is scoped to the authenticated organization.
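The object-level check AUC003 asks for, as an added example in plain Ruby that is not lago-api code: an in-memory table stands in for ActiveRecord so the block runs stand-alone, and `Invoice`, `NotFound`, `INVOICES` and the `org_a`/`org_b` tenants are constructed for the example. `find_invoice_unscoped` is the IDOR shape; `find_invoice_for` is the tenant-scoped lookup that `current_organization.invoices.find(params[:id])` expresses in Rails.

```ruby
# Added example (not lago-api code): scoping an object lookup to the caller's
# tenant so that guessing another tenant's id yields a 404, not their data.

NotFound = Class.new(StandardError)

Invoice = Struct.new(:id, :organization_id, :total_cents)

# Constructed stand-in for an invoices table holding two tenants' records.
INVOICES = [
  Invoice.new("inv_1", "org_a", 1_000),
  Invoice.new("inv_2", "org_b", 2_500),
].freeze

# VULNERABLE (BOLA/IDOR): looks up by id alone. Any authenticated caller who
# can guess or enumerate an id reads another organization's invoice.
def find_invoice_unscoped(id)
  INVOICES.find { |i| i.id == id } || raise(NotFound, id)
end

# FIXED: the lookup is constrained to the caller's organization first. A
# foreign id and a non-existent id fail the same way, so the response does
# not even reveal whether the id exists.
def find_invoice_for(organization_id, id)
  INVOICES.find { |i| i.organization_id == organization_id && i.id == id } ||
    raise(NotFound, id)
end

# Controller-shaped wrapper returning [status, body] so the outcome can be
# checked without a web stack. `current_organization_id` is whatever the
# authenticated API key or session resolved to; it is never taken from the URL.
def show_invoice(current_organization_id, id)
  invoice = find_invoice_for(current_organization_id, id)
  [200, { id: invoice.id, total_cents: invoice.total_cents }]
rescue NotFound
  [404, { error: "not_found" }]
end

if __FILE__ == $PROGRAM_NAME
  p show_invoice("org_a", "inv_1")   # own record: 200
  p show_invoice("org_a", "inv_2")   # other tenant's record: 404
  p find_invoice_unscoped("inv_2")   # the unscoped lookup hands it over
end
```

The same shape applies to nested routes such as wallets/:id/wallet_transactions: scope the parent (wallet) to the organization, then the children through the parent, rather than trusting either id on its own.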
high Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences [MINED118] Dockerfile FROM `ruby:4.0.2-slim` not pinned by digest: `FROM ruby:4.0.2-slim` resolves the tag at build time. The registry can re-push a different image under the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity.
Replace with: `FROM ruby:4.0.2-slim@sha256:<digest>`. Get the digest from `docker buildx imagetools inspect ruby:4.0.2-slim` (or `docker manifest inspect`). Re-pin via a scheduled bot (Renovate, Dependabot) so the digest tracks the tag without going stale.
2 files, 3 locations
Dockerfile:9, 32 (2 hits)
Dockerfile.dev:9
high Security checks security secrets conf 1.00 2 occurrences [SEC120] Hardcoded HMAC key or JWT signing secret: A JWT/HMAC signing secret that lives in source can be read by anyone with repository access and stays recoverable from git history; whoever holds it can forge tokens or webhook signatures.
Load it from the environment or a secret manager (in a Rails app, `ENV.fetch("JWT_SECRET")` or `Rails.application.credentials`); generate a fresh value with `openssl rand -base64 64`; rotate the old one. The check is pattern-based: confirm that the matched literal is a key rather than an algorithm name or key identifier before treating it as a leak.
2 files, 2 locations
app/models/webhook.rb:47
app/controllers/api/v1/organizations_controller.rb:37
high Security checks cicd CI/CD security conf 0.92 2 occurrences Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it. Piping a URL into a shell runs whatever the server, or anyone able to alter the response, returns at build time, and leaves no record of what was executed.
2 files, 2 locations
Dockerfile:17
Dockerfile.dev:15
Tags: CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 24 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + …
6 files, 24 locations
.github/workflows/release.yml:35, 42, 47, 58, 105, 112, 115, 151 (9 hits)
.github/workflows/internal-build.yml:21, 29, 44 (5 hits)
.github/workflows/migrations-test.yml:46, 51 (4 hits)
.github/workflows/front-compatibility.yml:41 (2 hits)
.github/workflows/linters.yml:19 (2 hits)
.github/workflows/spec.yml:71 (2 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 19 occurrences GitHub Action is tag-pinned rather than SHA-pinned
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lo…
6 files, 19 locations
.github/workflows/front-compatibility.yml:28, 34, 49 (6 hits)
.github/workflows/release.yml:31, 78, 97 (6 hits)
.github/workflows/linters.yml:15 (2 hits)
.github/workflows/migrations-test.yml:44 (2 hits)
.github/workflows/spec.yml:69 (2 hits)
.github/workflows/internal-build.yml:18
Tags: CI/CD security · Supply chain · GitHub Actions
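A small lint for the two MINED115 findings above, written as an added example in Ruby (it is not lago-api's code and does not read the repository's workflows). It walks workflow text, flags every `uses:` whose ref is a tag or branch, accepts only a full 40-hex commit SHA, and shows the replacement line with the human-readable version kept in a trailing comment. `SAMPLE_WORKFLOW` and the 40-hex placeholder digest are constructed for the example.

```ruby
# Added example (not lago-api code): detect mutable action refs in a GitHub
# workflow and emit the SHA-pinned form.

SHA_PIN = /\A[0-9a-f]{40}\z/

Finding = Struct.new(:line_no, :action, :ref, :kind)

# Classify the ref part of `uses: owner/repo[/path]@ref`.
def classify_ref(ref)
  return :sha if ref.match?(SHA_PIN)
  return :tag if ref.match?(/\Av?\d+(\.\d+)*\z/)
  :branch_or_other
end

# One Finding per `uses:` line whose ref is not a full commit SHA.
# Local (`./path`) and `docker://` references have no git ref and are skipped.
def mutable_action_refs(workflow_text)
  workflow_text.each_line.with_index(1).filter_map do |line, no|
    m = line.match(/^\s*-?\s*uses:\s*['"]?([^'"\s#]+)/)
    next unless m
    spec = m[1]
    next if spec.start_with?("./", "docker://")
    action, ref = spec.split("@", 2)
    next if ref.nil?
    kind = classify_ref(ref)
    next if kind == :sha
    Finding.new(no, action, ref, kind)
  end
end

# The replacement MINED115 asks for: full SHA, with the original tag kept as a
# comment so reviewers (and Dependabot/Renovate) still see the version.
def pinned_line(action, sha, human_ref)
  raise ArgumentError, "not a full commit SHA: #{sha}" unless sha.match?(SHA_PIN)
  "uses: #{action}@#{sha} # #{human_ref}"
end

# Constructed sample; the long hex ref is a placeholder, not a real commit.
SAMPLE_WORKFLOW = <<~YAML
  jobs:
    build:
      steps:
        - uses: actions/checkout@v6
        - uses: pnpm/action-setup@v6
        - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2
        - uses: ./.github/actions/local-thing
        - uses: some/action@main
YAML

if __FILE__ == $PROGRAM_NAME
  mutable_action_refs(SAMPLE_WORKFLOW).each do |f|
    puts "line #{f.line_no}: #{f.action}@#{f.ref} (#{f.kind})"
  end
end
```

The SHA is the only ref a maintainer cannot move after the fact; the comment is what keeps the pin readable and lets Dependabot or Renovate update SHA and comment together.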
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 11.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
high Security checks security auth conf 0.66 7 occurrences [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access.
Define whether each endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml.
7 endpoints, all in config/routes.rb:
config/routes.rb:202  ANY /adyen/:organization_id
config/routes.rb:200  ANY /flutterwave/:organization_id
config/routes.rb:201  ANY /gocardless/:organization_id
config/routes.rb:209  ANY /invoices
config/routes.rb:207  ANY /memberships
config/routes.rb:203  ANY /moneyhash/:organization_id
config/routes.rb:208  ANY /organizations
high Security checks security auth conf 0.68 10 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
10 endpoints, all in config/routes.rb:
config/routes.rb:42   ANY /analytics/usage
config/routes.rb:56   ANY /applied_coupons
config/routes.rb:44   ANY /billing_entities
config/routes.rb:57   ANY /credit_notes
config/routes.rb:46   ANY /customers
config/routes.rb:13   ANY /graphql
config/routes.rb:58   ANY /invoices
config/routes.rb:60   ANY /payment_requests
config/routes.rb:59   ANY /payments
config/routes.rb:61   ANY /subscriptions
Triage note: for /graphql the authorization decisions live in the schema's resolvers and mutations rather than at the route, so the route-level evidence this check looks for will be absent even when the endpoint is properly guarded; review the resolvers instead. For the billing resources, the questions are whether the API key or session that reaches them is scoped to a single organization and whether write and destructive operations require a higher role than reads.
medium Security checks cicd CI/CD security conf 0.62 Docker build secret exposed through ARG
Replace secret ARG usage with `RUN --mount=type=secret,id=name ...` and pass the value with `docker build --secret`. Build args used by a RUN step are recorded in the image's layer history and are visible with `docker history`, whereas a secret mount exists only for the duration of that RUN.
Dockerfile:42
Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 2 occurrences Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared. Without it the application runs as uid 0 inside the container, so any code-execution bug in the app starts with root in the container's namespaces.
2 files, 2 locations
Dockerfile:33
Dockerfile.dev:10
Tags: CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.76 Dockerfile copies broad context with incomplete .dockerignore
Tighten .dockerignore or replace COPY . with explicit COPY statements.
Dockerfile:54
Tags: CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.86 2 occurrences Dockerfile separates apt update from install
Combine update and install in the same RUN instruction and clean package indexes in that layer.
Dockerfile:16, 37 (2 hits)
Tags: CI/CD security · containers
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored.
.well-known/security.txt
medium Security checks quality Quality conf 0.83 robots.txt does not declare any User-agent rules
Add at least `User-agent: *` and explicit Allow/Disallow rules.
public/robots.txt
medium System graph hardware Security conf 1.00 Dockerfile runs as root: Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image. This is the same issue the security-checks scanner reports above as "Docker final stage has no non-root USER", seen by the system-graph scanner.
Tags: Container
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in config/application.rb:34
Found a known-risky pattern (weak_hash). Review and replace if possible. Whether this matters depends on what the digest protects: a weak hash used for integrity, authentication or password storage needs replacing (SHA-256 or better; a dedicated password hash such as bcrypt or argon2 for passwords), while one used only for cache keys or non-security fingerprints does not.
config/application.rb:34
Tags: Weak hash
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 1 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths. This count does not square with the 257,708 lines analyzed for the same scan, and the "excluding tests" filter is active; treat the 0.0 testing_score as a scanner artifact until it is checked against the repository's test suite.
Tags: Coverage
low Security checks cicd CI/CD security conf 0.72 .dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore
Tags: CI/CD security · containers
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior.
low Security checks cicd CI/CD security conf 0.72 3 occurrences Dockerfile installs recommended OS packages
Add `--no-install-recommends` and explicitly list only packages the image needs.
2 files, 3 locations
Dockerfile:17, 38 (2 hits)
Dockerfile.dev:15
Tags: CI/CD security · containers
low Security checks cicd CI/CD security conf 0.74 Dockerfile leaves apt package indexes in the image layer
End the apt install layer with `rm -rf /var/lib/apt/lists/*`.
Dockerfile.dev:15
Tags: CI/CD security · containers
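The Docker findings on this page (digest pinning under MINED118, the remote-script RUN at Dockerfile:17 and Dockerfile.dev:15, the ARG-passed build secret at Dockerfile:42, the missing non-root USER, the broad COPY, and the apt update/install, recommends and package-index items) all land in one runtime stage. The fragment below is an added example, not lago-api's Dockerfile: the `@sha256` digest, the tool URL, version and checksum, the package list, the `bundle_token` secret id and the `app` user are placeholders.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not lago-api's Dockerfile. Every value marked <...> and the
# tool URL are placeholders to be replaced for a real build.

# MINED118: pin the tag AND its digest. Get the digest with
#   docker buildx imagetools inspect ruby:4.0.2-slim
# and let Renovate/Dependabot bump tag and digest together.
FROM ruby:4.0.2-slim@sha256:<digest-from-imagetools-inspect> AS runtime

WORKDIR /app

# apt update and install in one layer, no recommended packages, and the
# package indexes removed in that same layer so they never reach the image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl libpq5 \
 && rm -rf /var/lib/apt/lists/*

# Instead of `curl https://... | sh`: fetch a pinned version, check it against
# a checksum committed next to the Dockerfile, and only then run or unpack it.
ARG TOOL_VERSION=1.2.3
ARG TOOL_SHA256=<expected-sha256-of-the-archive>
RUN curl -fsSLo /tmp/tool.tar.gz "https://example.invalid/tool-${TOOL_VERSION}-linux-amd64.tar.gz" \
 && echo "${TOOL_SHA256}  /tmp/tool.tar.gz" | sha256sum -c - \
 && tar -xzf /tmp/tool.tar.gz -C /usr/local/bin \
 && rm -f /tmp/tool.tar.gz

# Build-time credential through a secret mount, not ARG: ARG values are
# recorded in image history, a mounted secret exists only during this RUN.
# Build with: docker build --secret id=bundle_token,src=./bundle_token.txt .
COPY Gemfile Gemfile.lock ./
RUN --mount=type=secret,id=bundle_token \
    BUNDLE_GITHUB__COM="$(cat /run/secrets/bundle_token):x-oauth-basic" \
    bundle install --jobs 4

# Broad COPY only after .dockerignore excludes .git, .env*, node_modules,
# tmp/, log/ and local databases; otherwise list the directories explicitly.
COPY . .

# Final stage runs unprivileged: create the user once files and permissions
# are in place, then switch to it for everything that follows.
RUN groupadd --system app && useradd --system --gid app --home /app app \
 && chown -R app:app /app
USER app

CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]
```

`RUN --mount=type=secret` and the `# syntax=` line need BuildKit, which is the default builder in current Docker releases. The checksum pattern moves trust from "whatever the URL serves today" to a value reviewed in the repository, which is the same property the digest pin gives the base image.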
low Security checks quality Quality conf 0.60 15 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 13 locations
app/controllers/api/v1/subscriptions/entitlements_controller.rb:20, 55 (2 hits)
app/controllers/api/v1/analytics/invoiced_usages_controller.rb:7
app/controllers/api/v1/analytics/mrrs_controller.rb:7
app/controllers/api/v1/analytics/overdue_balances_controller.rb:7
app/controllers/api/v1/plans/entitlements_controller.rb:66
app/controllers/api/v1/subscriptions/alerts_controller.rb:31
app/controllers/api/v1/subscriptions/charges/filters_controller.rb:6
app/controllers/api/v1/subscriptions/charges_controller.rb:8
Tags: duplication · quality
low Security checks quality Quality conf 0.74 robots.txt does not advertise a sitemap
Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt.
public/robots.txt
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Tags: Deployment
low System graph hardware Supply chain conf 1.00 Docker base image is tag-pinned but not digest-pinned: golang:${GO_VERSION}
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:3
Tags: containers · Pinned dependencies
low System graph hardware Supply chain conf 1.00 2 occurrences Docker base image is tag-pinned but not digest-pinned: ruby:4.0.2-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:9, 32 (2 hits)
Tags: containers · Pinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: app/assets/config/manifest.js
Source file with no class/function declarations, which can mean a config, dead code, or scratch file. In a Rails app, app/assets/config/manifest.js is the Sprockets asset manifest and contains only `//= link` directives, so having no symbols is expected; this one is a false positive.

This page is publicly accessible at: https://repobility.com/scan/d5bbf7bb-a3db-4b3d-8722-27b2b726c0b2/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/d5bbf7bb-a3db-4b3d-8722-27b2b726c0b2/

The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token rather than starting a new scan.