5 of your 52 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 1.55s · analysis 8.89s · 2.3 MB · GitHub API rate-limit (preflight)

open-telemetry/opentelemetry-kotlin

https://github.com/open-telemetry/opentelemetry-kotlin · scanned 2026-06-05 17:15 UTC (4 days, 21 hours ago) · 10 languages

64 raw signals (48 security + 16 graph) · 71st percentile · Kotlin · medium (20-100K LoC) · System graph score 85 (lower by 21)


Complete repo analysis

Last scanned 4 days, 21 hours ago · v2 · 16 actionable findings from 2 signal sources. 38 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5
Component            Sub-score  Weight  Contribution
structure_score           40.0    0.15          6.00
security_score            98.7    0.25         24.68
testing_score             15.0    0.20          3.00
documentation_score       89.0    0.15         13.35
practices_score           72.0    0.15         10.80
code_quality              60.7    0.10          6.07
Overall                             1.00         63.9
Scan summary Quality grade C+ (64/100). Dimensions: security 99, maintainability 40. 48 findings (3 security). 54,793 lines analyzed.

Showing 7 of 16 actionable findings. 54 raw detector signals were grouped into reader-sized issues.

low Security checks cicd CI/CD security conf 0.35 ✓ Repobility Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
.github/workflows/ci-build.yml:50 · CI/CD security · workflow secrets · GitHub Actions
high Security checks software dependencies conf 0.90 ✓ Repobility Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo
`gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,462 bytes) committed to a repo that otherwise has 926 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
gradle/wrapper/gradle-wrapper.jar:1
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
kotlin-js-store/yarn.lock
medium System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
4 files, 4 locations
.github/workflows/prepare-release-branch.yml
.github/workflows/release.yml
.github/workflows/scorecard.yml
.github/workflows/update-semconv.yml
CI/CD security · Supply chain · GitHub Actions
medium System graph network Security conf 1.00 Privileged port 10 in use
Port 10 is privileged (<1024). Make sure the service runs with the right capabilities or front it with a non-privileged port via a load balancer.
.github/workflows/scorecard.yml · Ports
medium System graph network Security conf 1.00 Privileged port 55 in use
Port 55 is privileged (<1024). Make sure the service runs with the right capabilities or front it with a non-privileged port via a load balancer.
.github/workflows/scorecard.yml · Ports
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 12 locations
compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/tracing/model/ReadWriteSpanAdapter.kt:68
compat/src/jvmAndAndroidMain/kotlin/io/opentelemetry/kotlin/tracing/model/SpanAdapter.kt:57
compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/fakes/otel/java/FakeOtelJavaSpanExporter.kt:10
compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/tracing/SpanExportTest.kt:100
compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/tracing/export/SpanExporterAdapterTest.kt:20
compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/tracing/export/SpanProcessorAdapterTest.kt:17
compat/src/jvmTest/kotlin/io/opentelemetry/kotlin/tracing/model/ReadableSpanAdapterTest.kt:41
exporters-core/src/commonMain/kotlin/io/opentelemetry/kotlin/tracing/export/BatchSpanProcessorImpl.kt:20
duplication · quality
API access

This page is publicly accessible at: https://repobility.com/scan/de553085-6ba4-4e2b-b556-6744ee469b1b/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/de553085-6ba4-4e2b-b556-6744ee469b1b/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.