File as GitHub Issue repo: sartography/spiff-arena

Push this scan report to sartography/spiff-arena

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Issue title

Ssti Jinja From String

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
CRIT MINED107 [MINED107] Missing import: `subprocess` used but not imported: The file uses `subprocess.… spiff-arena-common/src/spiff_arena_comm…:620
CRIT MINED107 [MINED107] Missing import: `string` used but not imported: The file uses `string.somethin… spiffworkflow-backend/src/spiffworkflow…:45
CRIT MINED019 [MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RC… spiffworkflow-backend/src/spiffworkflow…:30
CRIT MINED019 [MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RC… spiffworkflow-backend/src/spiffworkflow…:231
CRIT MINED019 [MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RC… spiffworkflow-backend/src/spiffworkflow…:71
CRIT DKC007 Compose service contains a literal secret environment value spiffworkflow-backend/docker-compose.yml:77
CRIT DKC007 Compose service contains a literal secret environment value spiffworkflow-backend/docker-compose.yml
CRIT DKC007 Compose service contains a literal secret environment value docker-compose.yml:26
CRIT MINED116 [MINED116] Workflow uses `secrets.COMMON_PYPI_KEY` on a `pull_request` trigger: This work… .github/workflows/common.yml:40
CRIT MINED116 [MINED116] Workflow uses `secrets.SONAR_TOKEN` on a `pull_request` trigger: This workflow… .github/workflows/tests.yml:397
CRIT MINED116 [MINED116] Workflow uses `secrets.SONAR_TOKEN` on a `pull_request` trigger: This workflow… .github/workflows/tests.yml:342
CRIT MINED116 [MINED116] Workflow uses `secrets.SPIFFWORKS_WEBSITE_UPDATE_TOKEN` on a `pull_request` tr… .github/workflows/docs.yml:66
CRIT SEC003 [SEC003] Hardcoded Secret: Hardcoded secret key found in source code. spiffworkflow-backend/src/spiffworkflow…:14
CRIT JRN001 Token handoff appears to use a callback URL or fragment spiffworkflow-frontend/src/views/Authen…:29
HIGH SEC083 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can c… spiffworkflow-frontend/src/services/Dat…:185
HIGH SEC027 [SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers can expand … spiffworkflow-frontend/src/components/m…:50
HIGH SEC030 [SEC030] Open Redirect — user-controlled redirect target: Redirect target is taken direct… spiffworkflow-backend/src/spiffworkflow…:168
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… spiffworkflow-backend/src/spiffworkflow…:37
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… spiffworkflow-backend/src/spiffworkflow…:75
HIGH SEC029 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… spiffworkflow-backend/src/spiffworkflow…:4
HIGH MINED004 [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). spiffworkflow-backend/src/spiffworkflow…:102
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … spiffworkflow-backend/src/spiffworkflow…:55
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … spiffworkflow-backend/src/spiffworkflow…:47
HIGH SEC128 [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … spiff-arena-common/src/spiff_arena_comm…:35
HIGH MINED001 [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… spiffworkflow-backend/src/spiffworkflow…:27
HIGH MINED001 [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… spiff-arena-common/src/spiff_arena_comm…:150
HIGH MINED001 [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows e… spiff-arena-common/src/spiff_arena_comm…:5
HIGH DKR014 Dockerfile copies the entire context without .dockerignore spiffworkflow-frontend/Dockerfile:37
HIGH DKR014 Dockerfile copies the entire context without .dockerignore spiffworkflow-backend/Dockerfile:51
HIGH DKR014 Dockerfile copies the entire context without .dockerignore connector-proxy-demo/Dockerfile:44
HIGH MINED115 [MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v4.35.1`: `… .github/workflows/snyk-security.yml:187
HIGH MINED115 [MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v4.35.1`: `… .github/workflows/snyk-security.yml:112
HIGH MINED115 [MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v4.35.1`: `… .github/workflows/build_docker_images.y…:164
HIGH MINED118 [MINED118] Dockerfile FROM `nginx:1.29-alpine` not pinned by digest: `FROM nginx:1.29-alp… connector-proxies/aggregate/dev.Dockerf…:1
HIGH MINED118 [MINED118] Dockerfile FROM `nginx:1.29-alpine` not pinned by digest: `FROM nginx:1.29-alp… connector-proxies/aggregate/Dockerfile:1
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.13.13-slim-trixie` not pinned by digest: `FROM pytho… connector-proxies/async-http/dev.Docker…:1
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.13.13-slim-trixie` not pinned by digest: `FROM pytho… connector-proxies/async-http/Dockerfile:1
HIGH MINED118 [MINED118] Dockerfile FROM `quay.io/keycloak/keycloak:22.0.4` not pinned by digest: `FROM… spiffworkflow-backend/keycloak/Dockerfi…:15
HIGH MINED118 [MINED118] Dockerfile FROM `quay.io/keycloak/keycloak:22.0.4` not pinned by digest: `FROM… spiffworkflow-backend/keycloak/Dockerfi…:1
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.13.13-slim-trixie` not pinned by digest: `FROM pytho… spiffworkflow-backend/dev.Dockerfile:1
HIGH MINED131 [MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-prettier` pinned to mut… spiffworkflow-backend/.pre-commit-confi…:38
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.13.13-slim-trixie` not pinned by digest: `FROM pytho… spiffworkflow-backend/Dockerfile:2
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.13.13-slim-trixie` not pinned by digest: `FROM pytho… connector-proxy-demo/dev.Dockerfile:1
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.13.13-slim-trixie` not pinned by digest: `FROM pytho… connector-proxy-demo/Dockerfile:2
HIGH MINED118 [MINED118] Dockerfile FROM `node:24.15.0-trixie-slim` not pinned by digest: `FROM node:24… spiffworkflow-frontend/dev.Dockerfile:1
HIGH MINED118 [MINED118] Dockerfile FROM `nginx:1.29-alpine` not pinned by digest: `FROM nginx:1.29-alp… spiffworkflow-frontend/Dockerfile:45
HIGH MINED118 [MINED118] Dockerfile FROM `node:24.15.0-trixie-slim` not pinned by digest: `FROM node:24… spiffworkflow-frontend/Dockerfile:2
HIGH MINED122 [MINED122] package.json dep `bpmn-js-spiffworkflow` pulled from URL/Git: `dependencies.bp… spiffworkflow-frontend/package.json:1
HIGH MINED118 [MINED118] Dockerfile FROM `python:3.13.13-slim-trixie` not pinned by digest: `FROM pytho… dev.Dockerfile:1
HIGH DKC011 Database service publishes a host port spiffworkflow-backend/docker-compose.yml:12
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiff-arena-common/src/spiff_arena_comm…:242
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:237
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:95
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:756
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:124
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:305
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:328
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:312
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:100
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:48
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:427
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:316
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:60
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:53
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:1614
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:1474
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:1465
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:364
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/src/spiffworkflow…:15
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/bin/load_tests/me…:395
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/bin/load_tests/me…:357
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/bin/load_tests/co…:285
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/bin/openapi/dump_…:268
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/bin/openapi/extra…:366
MED MINED111 [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that r… spiffworkflow-backend/bin/delete_user_d…:146
MED SEC046 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning win… spiffworkflow-frontend/src/services/Use…:112
MED ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. spiffworkflow-frontend/src/rjsf/custom_…:78
MED SEC015 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … spiffworkflow-backend/src/spiffworkflow…:43
MED SEC127 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as T… spiffworkflow-backend/src/spiffworkflow…:36
MED COMP001 [COMP001] High cognitive complexity: Function `cov_tasks` has cognitive complexity 20 (So… spiff-arena-common/src/spiff_arena_comm…:49
MED DKR003 Compose service `spiffworkflow-backend` image uses the latest tag docker-compose.yml:26
MED DKR003 Compose service `spiffworkflow-frontend` image uses the latest tag docker-compose.yml:3
MED DKR002 Compose service `match-volume-ownership` image has no explicit tag docker-compose.yml:17
MED DKR017 Dockerfile installs dependencies after copying the full source tree connector-proxy-demo/Dockerfile:45
MED DKR007 Docker build context has no .dockerignore .dockerignore
MED DKR001 Docker final stage has no non-root USER spiffworkflow-frontend/Dockerfile:45
MED DKR001 Docker final stage has no non-root USER spiffworkflow-backend/keycloak/Dockerfi…:16
MED DKR001 Docker final stage has no non-root USER spiffworkflow-backend/Dockerfile:57
MED DKR001 Docker final stage has no non-root USER connector-proxy-demo/Dockerfile:51
MED DKR001 Docker final stage has no non-root USER connector-proxies/async-http/Dockerfile:1
MED DKR001 Docker final stage has no non-root USER connector-proxies/aggregate/Dockerfile:1
MED WEB003 Public web service has no security.txt .well-known/security.txt
LOW COMP001 [COMP001] High cognitive complexity: Function `_embedded_subprocess_ids` has cognitive co… spiff-arena-common/src/spiff_arena_comm…:10
LOW COMP001 [COMP001] High cognitive complexity: Function `redacted` has cognitive complexity 10 (Son… connector-proxies/async-http/main.py:50
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/views/public…:120
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/views/TaskSh…:286
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/views/TaskSh…:16
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/views/StartP…:17
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/views/Proces…:20
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/views/Proces…:19
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/views/Instan…:35
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/views/DataSt…:23
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/hooks/usePro…:75
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/components/m…:56
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/components/T…:126
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/components/R…:72
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/components/P…:4
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/src/components/P…:153
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/packages/bpmn-js…:23
LOW AIC003 Duplicated implementation block across source files spiffworkflow-frontend/packages/bpmn-js…:17
LOW DKR010 Dockerfile leaves apt package indexes in the image layer spiffworkflow-backend/Dockerfile:48
LOW DKR010 Dockerfile leaves apt package indexes in the image layer connector-proxy-demo/Dockerfile:37
LOW DKR011 Dockerfile installs recommended OS packages spiffworkflow-frontend/Dockerfile:11
LOW DKR011 Dockerfile installs recommended OS packages spiffworkflow-backend/Dockerfile:48
LOW DKR012 Dockerfile keeps pip download cache spiffworkflow-backend/Dockerfile:44
LOW DKR012 Dockerfile keeps pip download cache spiffworkflow-backend/Dockerfile:33
LOW DKR012 Dockerfile keeps pip download cache spiffworkflow-backend/Dockerfile:32
LOW DKR011 Dockerfile installs recommended OS packages spiffworkflow-backend/Dockerfile:26
LOW DKR011 Dockerfile installs recommended OS packages connector-proxy-demo/Dockerfile:37
LOW DKR012 Dockerfile keeps pip download cache connector-proxy-demo/Dockerfile:34
LOW DKR011 Dockerfile installs recommended OS packages connector-proxy-demo/Dockerfile:23
LOW AIC009 Multiple AI-agent scaffold marker files are present .github/copilot-instructions.md:1
LOW DKC010 Compose service lacks no-new-privileges hardening spiffworkflow-frontend/docker-compose.y…:2
LOW DKC010 Compose service lacks no-new-privileges hardening spiffworkflow-backend/docker-compose.yml:77
LOW DKC010 Compose service lacks no-new-privileges hardening spiffworkflow-backend/docker-compose.yml
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:68
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:26
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:3
LOW DKC010 Compose service lacks no-new-privileges hardening connector-proxies/async-http/docker-com…:1
LOW AIC002 Source file name looks like an AI patch artifact spiffworkflow-backend/src/spiffworkflow…:1
LOW DKC017 Database password is wired through an environment variable placeholder spiffworkflow-backend/docker-compose.yml:12
LOW DKC006 Compose service does not declare a runtime user spiffworkflow-frontend/docker-compose.y…:2
LOW DKC006 Compose service does not declare a runtime user spiffworkflow-backend/docker-compose.yml:77
LOW DKC006 Compose service does not declare a runtime user spiffworkflow-backend/docker-compose.yml
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:68
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:3
LOW DKC006 Compose service does not declare a runtime user connector-proxies/async-http/docker-com…:1
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … spiffworkflow-frontend/src/views/StartP…:139
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … spiffworkflow-frontend/src/config.tsx:42
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … spiffworkflow-frontend/src/components/P…:64
INFO MINED056 [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… spiffworkflow-frontend/src/App.tsx:38
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … spiffworkflow-frontend/packages/bpmn-js…:68
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … spiffworkflow-frontend/packages/bpmn-js…:202
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … spiffworkflow-frontend/packages/bpmn-js…:87
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. spiffworkflow-frontend/src/hooks/useKey…:174
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. spiffworkflow-frontend/src/components/P…:61
INFO MINED054 [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely. spiffworkflow-frontend/packages/bpmn-js…:26
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. spiffworkflow-frontend/packages/bpmn-js…:35
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. spiffworkflow-frontend/packages/bpmn-js…:7
INFO MINED052 [MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety. spiffworkflow-frontend/packages/bpmn-js…:13
INFO MINED076 [MINED076] Catch And Reraise Noop: except X: raise X — adds no value, hides traceback if … spiffworkflow-backend/src/spiffworkflow…:54
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… spiffworkflow-backend/src/spiffworkflow…:60
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. spiffworkflow-backend/src/spiffworkflow…:39
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. spiffworkflow-backend/src/spiffworkflow…:13
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. spiffworkflow-backend/src/spiffworkflow…:14
INFO MINED065 [MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser o… spiffworkflow-backend/src/spiffworkflow…:100
INFO MINED072 [MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in. spiffworkflow-backend/src/spiffworkflow…:18
INFO MINED072 [MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in. spiffworkflow-backend/src/spiffworkflow…:27
INFO MINED072 [MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in. spiff-arena-common/src/spiff_arena_comm…:5
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… spiffworkflow-backend/src/spiffworkflow…:28
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… spiff-arena-common/src/spiff_arena_comm…:151
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… spiff-arena-common/src/spiff_arena_comm…:6
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… spiffworkflow-backend/docker-compose.yml:50
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… docker-compose.yml:44
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… .devcontainer/nginx.conf:7
165 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `sartography/spiff-arena`

**Score: 70/100 (A-)**  ·  216 findings  ·  scanned 2026-06-05 19:16 UTC  ·  101,643 LOC

| Severity | Count |
|---|---|
| CRITICAL | 14 |
| HIGH | 36 |
| MEDIUM | 42 |
| LOW | 45 |

📊 [Full filterable report](https://repobility.com/scan/dcdaf7ef-267f-49f9-92a1-e14f4851e3ce/)  ·  ![scorecard](https://repobility.com/scan/dcdaf7ef-267f-49f9-92a1-e14f4851e3ce/report.png?v=1780687007-s2)

### Top findings

1. **CRITICAL** `MINED107` — Missing import: `subprocess` used but not imported
   `spiff-arena-common/src/spiff_arena_common/runner.py:620` · ✓ Repobility
2. **CRITICAL** `MINED107` — Missing import: `string` used but not imported
   `spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_all_permissions.py:45` · ✓ Repobility
3. **CRITICAL** `MINED019` — Ssti Jinja From String
   `spiffworkflow-backend/src/spiffworkflow_backend/services/jinja_service.py:30` · CWE-94 · ✓ Repobility
4. **CRITICAL** `MINED019` — Ssti Jinja From String
   `spiffworkflow-backend/src/spiffworkflow_backend/routes/public_controller.py:231` · CWE-94 · ✓ Repobility
5. **CRITICAL** `MINED019` — Ssti Jinja From String
   `spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py:71` · CWE-94 · ✓ Repobility

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/dcdaf7ef-267f-49f9-92a1-e14f4851e3ce/_

Megaproject: high spam risk
Could not determine 'sartography/spiff-arena' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.

The button opens GitHub's new-issue page in a new tab. You will see the title + body pre-filled. Review, edit if you want, then click GitHub's "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.