openscreen

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

https://github.com/siddharthvaddem/openscreen.git · scanned 2026-05-17 02:50 UTC (18 hours, 23 minutes ago) · 10 languages

105 findings (17 legacy + 88 scanner) 8/10 scanners ran 72nd percentile · Typescript · medium (20-100K LoC) Scanner says 82 (lower by 3)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 18 hours, 23 minutes ago · v1 · 105 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON

{# ── 2026-05-17 R27 #5: score breakdown panel ────────────────────── Surfaces the score_breakdown JSON that's been silently stored on Repository for months. Turns hidden math into a trust signal. #}

Score breakdown â 2026-05-17-v4 calibration-aware

Component	Sub-score	Weight	Contribution
`structure_score`	85.0	0.15	12.75
`security_score`	89.6	0.25	22.40
`testing_score`	59.0	0.20	11.80
`documentation_score`	73.7	0.15	11.05
`practices_score`	90.0	0.15	13.50
`code_quality`	70.0	0.10	7.00
Overall		1.00	78.5

Calibrated penalty buckets (security_score): web: 3.0 Â· agent: 2.4 Â· threat: 5.0

Severity distribution — click a segment to filter

Active filters: layer: software × excluding tests × Reset all

Scan summary Repository scanned at 81.5/100 with 88.9% coverage. It contains 1044 nodes across 1 cross-layer flows, written primarily in mixed languages. Engine surfaced 88 findings — concentrated in software (41), cicd (17), quality (17). Risk profile is low: 0 critical, 0 high, 5 medium. Recommended next step: open the software layer findings first — that's where the highest-impact wins live.

Showing 44 of 105 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.

Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…

src/components/video-editor/AddCustomFontDialog.tsx:37 ssrflegacy

electron/windows.ts:93 ssrflegacy

electron/native/wgc-capture/src/mf_encoder.cpp:117 ssrflegacy

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: electron/electron-env.d.ts