Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
66 of your 184 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.02s · analysis 8.12s · 10.9 MB · GitHub API rate-limit (preflight)

redhat-appstudio/infra-deployments

https://github.com/redhat-appstudio/infra-deployments · scanned 2026-06-05 13:25 UTC (5 days, 6 hours ago) · 10 languages

236 raw signals (148 security + 88 graph) 10th percentile · Go · small (2-20K LoC) System graph score 77 (lower by 17)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 6 hours ago · v2 · 104 actionable findings from 2 signal sources. 88 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
60.5
/100
Security checks
44
83 findings
System graph
77
100.0% cov · 21 findings
Critical
9
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 40.0 0.15 6.00
security_score 31.7 0.25 7.92
testing_score 80.0 0.20 16.00
documentation_score 76.7 0.15 11.51
practices_score 79.0 0.15 11.85
code_quality 69.4 0.10 6.94
Overall 1.00 60.2
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 9 High 55 Medium 8 Low 15 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 83 System graph 21 Crowd 0 Layer: Quality 30 Cicd 6 Software 53 Security 11 Api 1 Network 2 Frontend 1
Scan summary Quality grade C+ (60/100). Dimensions: security 32, maintainability 40. 148 findings (75 security). 8,976 lines analyzed.

Showing 85 of 104 actionable findings. 192 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context.
components/konflux-operator/ci/openshift-overlay-e2e/ci-common.sh:119
critical Security checks security secrets conf 0.95 10 occurrences Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
6 files, 10 locations
components/pipeline-service/development/main-pipeline-service-configuration.yaml:1119, 1315 (2 hits)
components/pipeline-service/production/base/main-pipeline-service-configuration.yaml:1104, 1294 (2 hits)
components/pipeline-service/production/kflux-fedora-01/deploy.yaml:1540, 1730 (2 hits)
components/pipeline-service/production/kflux-osp-p01/deploy.yaml:1525, 1715 (2 hits)
components/kubearchive/production/kflux-ocp-p01/kubearchive.yaml:983
hack/new-cluster/templates/kubearchive/kubearchive.yaml:973
high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `platform` used but not imported
The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.
hack/kueue-vm-quotas/update-kueue-vm-quotas.py:99
critical Security checks security secrets conf 0.95 4 occurrences Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments
Gitleaks detected a committed secret or credential pattern.
3 files, 4 locations
hack/new-cluster/templates/kubearchive/kubearchive.yaml:970, 991 (2 hits)
components/kubearchive/production/kflux-ocp-p01/kubearchive.yaml:980
components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml:136
critical System graph security Secrets conf 1.00 Possible secret in argo-cd-apps/base/member/optional/helm/rekor/rekor.yaml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
argo-cd-apps/base/member/optional/helm/rekor/rekor.yaml:31
critical System graph security Secrets conf 1.00 Possible secret in components/konflux-kite/base/external-secrets/database-secret.yaml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
components/konflux-kite/base/external-secrets/database-secret.yaml:24
critical System graph security Secrets conf 1.00 2 occurrences Possible secret in components/konflux-operator/ci/openshift-overlay-e2e/ci-common.sh
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
lines 79, 81
components/konflux-operator/ci/openshift-overlay-e2e/ci-common.sh:79, 81 (2 hits)
critical System graph security Secrets conf 1.00 Possible secret in components/kubearchive/production/base/database-secret.yaml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
components/kubearchive/production/base/database-secret.yaml:27
critical System graph security Secrets conf 1.00 Possible secret in components/kubearchive/staging/stone-stage-p01/database-secret.yaml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
components/kubearchive/staging/stone-stage-p01/database-secret.yaml:26
critical System graph security Secrets conf 1.00 Possible secret in components/kubearchive/staging/stone-stg-rh01/database-secret.yaml
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
components/kubearchive/staging/stone-stg-rh01/database-secret.yaml:26
high Security checks security path traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
components/image-controller/production/stone-prd-rh01/resources/image_pruner/prune_images.py:43
high Security checks security secrets conf 1.00 [SEC021] Shell Trace Around Secret Handling: Shell xtrace is enabled near secret handling. CI and deployment logs can echo every command and expand secret values, turning a safe secret-store lookup into a credential leak.
Disable xtrace before reading secrets, re-enable it only after secret handling, and rotate any secret exposed in logs.
components/multi-platform-controller/base/host-config-chart/files/macos-mac2metal-arm64-init.sh:3
high Security checks security Crypto conf 1.00 [SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`.
Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`.
hack/quickcluster/setup-nfs-quickcluster.sh:22
high Security checks quality Quality conf 1.00 ✓ Repobility 25 occurrences `self.path` used but never assigned in __init__
Method `do_GET` of class `Handler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
2 files, 25 locations
hack/new-cluster/tasks/github/github-app-flow.py:48, 52, 55, 56, 57, 59, 64, 67, +8 more (16 hits)
hack/test-tekton-kueue-config.py:1515, 1556, 1562, 1568, 1571, 1574, 1589, 1599, +1 more (9 hits)
high Security checks software dependencies conf 0.90 ✓ Repobility Binary file `hack/kueue-vm-quotas/__pycache__/update-kueue-vm-quotas.cpython-313.pyc` committed in source repo
`hack/kueue-vm-quotas/__pycache__/update-kueue-vm-quotas.cpython-313.pyc` is a .pyc binary (18,981 bytes) committed to a repo that otherwise has 88 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary th…
hack/kueue-vm-quotas/__pycache__/update-kueue-vm-quotas.cpython-313.pyc:1
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
infra-tools/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5025
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
infra-tools/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5026
Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
infra-tools/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5027
Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
infra-tools/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5028
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
infra-tools/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5029
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
infra-tools/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/net: GO-2026-5030
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
infra-tools/go.mod
high Security checks software dependencies conf 0.88 golang.org/x/sys: GO-2026-5024
Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3849
Incorrect results returned from Rows.Scan in database/sql
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-3956
Unexpected paths returned from LookPath in os/exec
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4006
Excessive CPU consumption in ParseAddress in net/mail
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4007
Quadratic complexity when checking name constraints in crypto/x509
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4008
ALPN negotiation error contains attacker controlled information in crypto/tls
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4009
Quadratic complexity when parsing some invalid inputs in encoding/pem
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4010
Insufficient validation of bracketed IPv6 hostnames in net/url
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4011
Parsing DER payload can cause memory exhaustion in encoding/asn1
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4012
Lack of limit when parsing cookies can cause memory exhaustion in net/http
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4013
Panic when validating certificates with DSA public keys in crypto/x509
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4014
Unbounded allocation when parsing GNU sparse map in archive/tar
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4015
Excessive CPU consumption in Reader.ReadResponse in net/textproto
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4155
Excessive resource consumption when printing error string for host certificate validation in crypto/x509
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2025-4175
Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4337
Unexpected session resumption in crypto/tls
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in crypto/tls
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4601
Incorrect parsing of IPv6 host literals in net/url
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4602
FileInfo can escape from a Root in os
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4603
URLs in meta content attribute actions are not escaped in html/template
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4864
TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4865
JsBraceDepth Context Tracking Bugs (XSS) in html/template
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4869
Unbounded allocation for old GNU sparse in archive/tar
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4870
Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4918
Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4946
Inefficient policy validation in crypto/x509
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4947
Unexpected work during chain building in crypto/x509
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4971
Panic in Dial and LookupPort when handling NUL byte on Windows in net
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4976
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4977
Quadratic string concatenation in consumePhrase in net/mail
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4980
Escaper bypass leads to XSS in html/template
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4981
Crash when handling long CNAME response in net
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4982
Bypass of meta content URL escaping causes XSS in html/template
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-4986
Quadratic string concatentation in consumeComment in net/mail
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5037
Inefficient candidate hostname parsing in crypto/x509
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5038
Quadratic complexity in WordDecoder.DecodeHeader in mime
infra-tools/go.mod
high Security checks software dependencies conf 0.88 stdlib: GO-2026-5039
Arbitrary inputs are included in errors without any escaping in net/textproto
infra-tools/go.mod
high Security checks software dependencies conf 0.90 ✓ Repobility Workflow declares `permissions: write-all`
The job's GITHUB_TOKEN gets EVERY permission scope. If the workflow is ever compromised (mutable action, fork PR, injected step), the attacker can push to main, publish packages, alter releases. Use least-privilege by listing only the scopes the job actually needs.
.github/workflows/kube-linter.yaml:12
high System graph cicd CI/CD security conf 1.00 pull_request_target workflow appears to check out untrusted PR code
pull_request_target runs with base-repo privileges. Checking out PR head code in that context can expose repository tokens or secrets to attacker-controlled code.
.github/workflows/verify-pipelines-configs.yaml CI/CD securitySupply chainGithub actions
low Security checks quality Error handling conf 0.55 ✓ Repobility Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
hack/new-cluster/tasks/github/github-app-flow.py:114 Error handlingquality
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore CI/CD securitycontainers
medium Security checks quality Quality conf 0.70 Public web app has no Content Security Policy
A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox.
index.html
medium Security checks quality Quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt
medium System graph cicd CI/CD security conf 1.00 15 occurrences GitHub Action is tag-pinned rather than SHA-pinned
helm/kind-action@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
7 files, 15 locations
.github/workflows/codecov.yaml:31, 78 (4 hits)
.github/workflows/kube-linter.yaml:23, 41, 53 (3 hits)
.github/workflows/enforce-ring-deployment.yaml:41 (2 hits)
.github/workflows/forbid-clusterpolicies.yaml:20 (2 hits)
.github/workflows/kyverno-policies-tests.yaml:19 (2 hits)
.github/workflows/chainsaw-tests.yaml:37
.github/workflows/verify-pipelines-configs.yaml:28
CI/CD securitySupply chainGitHub Actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/codecov.yaml CI/CD securitySupply chainGithub actions
medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/kube-linter.yaml CI/CD securitySupply chainGithub actions
medium System graph network Security conf 1.00 Privileged port 420 in use
Port 420 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
components/konflux-operator/ci/openshift-overlay-e2e/Dockerfile Ports
medium System graph network Security conf 1.00 Privileged port 44 in use
Port 44 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
components/cluster-as-a-service/development/add-hypershift-params.yaml Ports
low Security checks quality Error handling conf 1.00 3 occurrences [ERR003] Ignored Error (Go): Ignoring error return values.
Handle the error or use errcheck linter.
3 files, 3 locations
infra-tools/cmd/env-detector/main.go:217
infra-tools/cmd/render-diff/ci.go:69
infra-tools/internal/git/git.go:87
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
infra-tools/internal/logging/logging.go:33 duplicationquality
low Security checks quality Quality conf 0.64 Public docs site has no llms.txt
AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions.
llms.txt
low Security checks quality Quality conf 0.50 Public web app has no humans.txt
humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links.
humans.txt
low Security checks quality Quality conf 0.74 Public web app has no robots.txt
Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing.
robots.txt
low Security checks quality Quality conf 0.72 Public web app has no sitemap
A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss.
sitemap.xml
low System graph cicd CI/CD security conf 1.00 34 occurrences GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
12 files, 32 locations
.github/workflows/codecov.yaml:13, 16, 42, 45 (6 hits)
.github/workflows/pr-render-diff.yaml:15, 18, 68 (4 hits)
.github/workflows/test-tekton-kueue-config.yaml:17, 20 (4 hits)
.github/workflows/verify-kueue-queue-configs.yaml:18, 21 (4 hits)
.github/workflows/verify-pipelines-configs.yaml:23, 69, 86 (4 hits)
.github/workflows/enforce-ring-deployment.yaml:28, 32 (2 hits)
.github/workflows/operator-changelog.yaml:22, 23 (2 hits)
.github/workflows/validate-banner.yaml:20 (2 hits)
CI/CD securitySupply chainGitHub Actions
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `days_old` in components/image-controller/production/stone-prd-rh01/resources/image_pruner/prune_images.py:115
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `multiplatform_old` in hack/test-tekton-kueue-config.py:221
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph software Dead code conf 1.00 Possibly dead Python function: do_GET
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
hack/new-cluster/tasks/github/github-app-flow.py:46
low System graph software Dead code conf 1.00 Possibly dead Python function: log_message
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
hack/new-cluster/tasks/github/github-app-flow.py:41
low System graph quality Complexity conf 1.00 Very large file: hack/preview.sh (1176 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: hack/test-tekton-kueue-config.py (1638 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/e4073d0b-6e25-4181-ac51-c8ae54b701d6/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/e4073d0b-6e25-4181-ac51-c8ae54b701d6/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.