tw93/Mole

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

12 of your 58 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.37s · analysis 4.99s · 3.5 MB · GitHub API rate-limit (preflight)

https://github.com/tw93/Mole · scanned 2026-06-05 10:29 UTC (5 days, 12 hours ago) · 10 languages

90 raw signals (56 security + 34 graph) 60th percentile · Go · small (2-20K LoC) System graph score 83 (lower by 4)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 12 hours ago · v2 · 59 actionable findings from 2 signal sources. 14 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

88.9% cov · 12 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	100.0	0.15	15.00
`security_score`	55.0	0.25	13.75
`testing_score`	85.0	0.20	17.00
`documentation_score`	76.0	0.15	11.40
`practices_score`	100.0	0.15	15.00
`code_quality`	67.9	0.10	6.79
Overall		1.00	78.9

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 0 High 41 Medium 5 Low 8 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 47 System graph 12 Crowd 0 Layer: Software 39 Quality 10 Cicd 6 Api 1 Network 2 Frontend 1

Exclude dismissed / FP Exclude test files

Scan summary Quality grade B+ (79/100). Dimensions: security 55, maintainability 100. 56 findings (45 security). 15,318 lines analyzed.

Showing 54 of 59 actionable findings. 73 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Security checks quality Quality conf 1.00 3 occurrences [SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).

Use a constant command name and validate args via a whitelist.

3 files, 3 locations

cmd/analyze/delete.go:149

cmd/analyze/insights.go:172

cmd/analyze/main.go:200

low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 4 occurrences GitHub Action is tag-pinned rather than SHA-pinned

Action `actions/attest-build-provenance` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.

2 files, 4 locations

.github/workflows/release.yml:88 (2 hits)

.github/workflows/update-contributors.yml:22 (2 hits)

CI/CD securitySupply chainGitHub Actions

medium Security checks cicd CI/CD security conf 0.90 ✓ Repobility 6 occurrences GitHub Action is tag-pinned rather than SHA-pinned

Action `github/codeql-action/init` pinned to mutable ref `@v4` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.

2 files, 6 locations

.github/workflows/codeql.yml:39, 50 (4 hits)

.github/workflows/update-contributors.yml:55 (2 hits)

CI/CD securitySupply chainGitHub Actions

high Security checks cicd CI/CD security conf 0.90 ✓ Repobility GitHub Action is tag-pinned rather than SHA-pinned

Action `tw93/contributors-list` pinned to mutable ref `@master` uses a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.

.github/workflows/update-contributors.yml:28 CI/CD securitySupply chainGitHub Actions

high Security checks software dependencies conf 0.88 golang.org/x/sys: GO-2026-5024

Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-3955

CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4006

Excessive CPU consumption in ParseAddress in net/mail

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4007

Quadratic complexity when checking name constraints in crypto/x509

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4008

ALPN negotiation error contains attacker controlled information in crypto/tls

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4009

Quadratic complexity when parsing some invalid inputs in encoding/pem

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4010

Insufficient validation of bracketed IPv6 hostnames in net/url

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4011

Parsing DER payload can cause memory exhaustion in encoding/asn1

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4012

Lack of limit when parsing cookies can cause memory exhaustion in net/http

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4013

Panic when validating certificates with DSA public keys in crypto/x509

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4014

Unbounded allocation when parsing GNU sparse map in archive/tar

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4015

Excessive CPU consumption in Reader.ReadResponse in net/textproto

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4155

Excessive resource consumption when printing error string for host certificate validation in crypto/x509

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2025-4175

Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4337

Unexpected session resumption in crypto/tls

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4340

Handshake messages may be processed at the incorrect encryption level in crypto/tls

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4341

Memory exhaustion in query parameter parsing in net/url

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4342

Excessive CPU consumption when building archive index in archive/zip

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4601

Incorrect parsing of IPv6 host literals in net/url

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4602

FileInfo can escape from a Root in os

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4603

URLs in meta content attribute actions are not escaped in html/template

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4864

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4865

JsBraceDepth Context Tracking Bugs (XSS) in html/template

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4869

Unbounded allocation for old GNU sparse in archive/tar

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4870

Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4918

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4946

Inefficient policy validation in crypto/x509

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4947

Unexpected work during chain building in crypto/x509

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4971

Panic in Dial and LookupPort when handling NUL byte on Windows in net

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4976

ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4977

Quadratic string concatenation in consumePhrase in net/mail

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4980

Escaper bypass leads to XSS in html/template

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4981

Crash when handling long CNAME response in net

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4982

Bypass of meta content URL escaping causes XSS in html/template

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-4986

Quadratic string concatentation in consumeComment in net/mail

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-5037

Inefficient candidate hostname parsing in crypto/x509

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-5038

Quadratic complexity in WordDecoder.DecodeHeader in mime

go.mod

high Security checks software dependencies conf 0.88 stdlib: GO-2026-5039

Arbitrary inputs are included in errors without any escaping in net/textproto

go.mod

high System graph cicd CI/CD security conf 1.00 GitHub Action tracks a moving branch

tw93/contributors-list@master can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.

.github/workflows/update-contributors.yml:28 CI/CD securitySupply chainGithub actions

high Security checks software dependencies conf 0.70 Remote install command pipes network code directly to a shell

Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.

README.md:41

medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/update-contributors.yml CI/CD securitySupply chainGithub actions

medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/release.yml CI/CD securitySupply chainGithub actions

medium System graph network Security conf 1.00 Privileged port 12 in use

Port 12 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

scripts/setup-quick-launchers.sh Ports

medium System graph network Security conf 1.00 Privileged port 20 in use

Port 20 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.

scripts/setup-quick-launchers.sh Ports

low Security checks quality Error handling conf 1.00 3 occurrences [ERR003] Ignored Error (Go): Ignoring error return values.

Handle the error or use errcheck linter.

3 files, 3 locations

cmd/analyze/cache.go:104

cmd/analyze/cleanable.go:55

cmd/analyze/delete.go:95

low System graph quality Complexity conf 1.00 Very large file: lib/clean/dev.sh (1929 lines)