73 of your 207 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.9s · analysis 9.38s · 10.1 MB · GitHub API rate-limit (preflight)

syncthing/syncthing

https://github.com/syncthing/syncthing · scanned 2026-06-05 07:18 UTC (1 week, 3 days ago) · 10 languages

317 raw signals (191 security + 126 graph) · 35th percentile · Go · large (100-500K LoC) · System graph score 74 (lower by 5)


Complete repo analysis

Last scanned 1 week, 3 days ago · v2 · 133 actionable findings from 2 signal sources. 121 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component            Sub-score   Weight   Contribution
structure_score          85.0     0.15          12.75
security_score           21.6     0.25           5.40
testing_score            90.0     0.20          18.00
documentation_score      76.0     0.15          11.40
practices_score         100.0     0.15          15.00
code_quality             61.2     0.10           6.12
Overall                           1.00          68.7
Scan summary: Quality grade B- (69/100). Dimensions: security 22, maintainability 85. 191 findings (111 security). 125,446 lines analyzed.

Showing 23 of 133 actionable findings. 254 raw detector signals were grouped into reader-sized issues.

info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · [MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context.
cmd/syncthing/cli/client.go:60
info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · [MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context.
cmd/strelaysrv/main.go:178
info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · 3 occurrences · [MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
Review and fix per the pattern semantics. See CWE-754 for context.
3 files, 3 locations
cmd/infra/stcrashreceiver/diskstore.go:134
cmd/syncthing/cli/operations.go:107
cmd/syncthing/cli/utils.go:35
info · Security checks · software · Ssrf · conf 1.00 · 3 occurrences · [SEC029] Server-Side Request Forgery (SSRF), outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
3 files, 3 locations
cmd/dev/stevents/main.go:45
cmd/syncthing/openurl_unix.go:19
cmd/syncthing/openurl_windows.go:14
info · Security checks · quality · Quality · conf 1.00 · [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
gui/default/syncthing/core/uncamelFilter.js:15
info · Security checks · quality · Quality · conf 1.00 · 3 occurrences · [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
3 files, 3 locations
internal/db/sqlite/basedb.go:272
internal/db/sqlite/db_kv.go:33
internal/db/sqlite/db_service.go:227
info · Security checks · quality · Quality · conf 1.00 · [SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`.
Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials.
cmd/strelaysrv/status.go:40
info · Security checks · quality · Quality · conf 1.00 · [SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`.
Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials.
cmd/infra/stupgrades/main.go:151
info · Security checks · security · path traversal · conf 1.00 · [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly.
After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`.
cmd/infra/stcrashreceiver/main.go:57
info · Security checks · security · Injection · conf 1.00 · 3 occurrences · [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection).
For literal data structures: use ast.literal_eval(text) — only parses literals, raises on code. For formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists). For Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec'). If you genuinely need to execute admin-st…
3 files, 3 locations
internal/db/sqlite/basedb.go:69
internal/db/sqlite/db_kv.go:33
internal/db/sqlite/db_service.go:192
info · Security checks · quality · Quality · conf 1.00 · 3 occurrences · [SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`.
3 files, 3 locations
cmd/infra/stcrashreceiver/main.go:95
cmd/infra/stupgrades/main.go:103
cmd/infra/ursrv/serve/serve.go:172
info · Security checks · cicd · CI/CD security · conf 0.90 · 7 occurrences · Dockerfile base image has no explicit tag
Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review.
7 files, 7 locations
Dockerfile:29
Dockerfile.stcrashreceiver:1
Dockerfile.stdiscosrv:16
Dockerfile.strelaypoolsrv:1
Dockerfile.strelaysrv:16
Dockerfile.stupgrades:1
Dockerfile.ursrv:1
Tags: CI/CD security · containers
info · Security checks · quality · Quality · conf 1.00 · [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
script/relnotes.go:106
info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · 3 occurrences · [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context.
3 files, 3 locations
cmd/dev/stevents/main.go:45
cmd/infra/strelaypoolsrv/stats.go:165
cmd/syncthing/cli/client.go:107
info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
Review and fix per the pattern semantics. See CWE-532 for context.
gui/default/syncthing/core/eventService.js:25
info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
Review and fix per the pattern semantics. See CWE-532 for context.
gui/default/syncthing/core/durationFilter.js:62
info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · 3 occurrences · [MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
Review and fix per the pattern semantics. See CWE-401 for context.
3 files, 3 locations
cmd/dev/stdisco/main.go:54
cmd/dev/stfinddevice/main.go:99
cmd/infra/stcrashreceiver/main.go:62
info · Security checks · quality · Quality · conf 1.00 · ✓ Repobility · 3 occurrences · [MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
Review and fix per the pattern semantics. See CWE-755 for context.
3 files, 3 locations
cmd/syncthing/blockprof.go:24
cmd/syncthing/heapprof.go:26
cmd/syncthing/perfstats_unix.go:33
info · System graph · quality · Integrity · conf 1.00 · Commented-code block (5 lines) in gui/default/syncthing/app.js:227
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
Tags: commented code · dead code
info · System graph · quality · Integrity · conf 1.00 · Commented-code block (5 lines) in gui/default/syncthing/core/eventService.js:11
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
Tags: commented code · dead code
info · System graph · quality · Integrity · conf 1.00 · Commented-code block (5 lines) in gui/default/syncthing/core/syncthingController.js:1166
A long run of `//` or `#` lines usually means abandoned code. Delete or move to git history. Keeps the canvas + dead-code detection honest.
Tags: commented code · dead code
info · System graph · api · Coverage · conf 1.00 · No API endpoints detected
The scanner did not find FastAPI/Flask/Express/NestJS/GraphQL/gRPC routes. If this repo exposes APIs, the framework may be unsupported.
info · System graph · frontend · Coverage · conf 1.00 · No frontend routes/components detected
No React/Vue/Next routes were found. This is fine for backend-only repos.
API access

This page is publicly accessible at: https://repobility.com/scan/e2d7c0f7-b692-4ec4-b108-3322fb43d091/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/e2d7c0f7-b692-4ec4-b108-3322fb43d091/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.