| Severity | Rule | Description | Location |
|---|---|---|---|
| CRIT | MINED019 | [MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RC… | internal/builder/resourceset.go:125 |
| CRIT | private-key | Identified a Private Key, which may compromise cryptographic security and sensitive data … | cmd/mcp/toolbox/library/index.gob:20390 |
| CRIT | generic-api-key | Detected a Generic API Key, potentially exposing access to various services and sensitive… | cmd/mcp/toolbox/library/index.gob:13873 |
| CRIT | generic-api-key | Detected a Generic API Key, potentially exposing access to various services and sensitive… | cmd/mcp/toolbox/library/index.gob:13803 |
| CRIT | slack-bot-token | Identified a Slack Bot token, which may compromise bot integrations and communication cha… | cmd/mcp/toolbox/library/index.gob:12939 |
| CRIT | generic-api-key | Detected a Generic API Key, potentially exposing access to various services and sensitive… | cmd/mcp/toolbox/library/index.gob:7988 |
| CRIT | private-key | Identified a Private Key, which may compromise cryptographic security and sensitive data … | cmd/mcp/toolbox/library/index.gob:5595 |
| CRIT | generic-api-key | Detected a Generic API Key, potentially exposing access to various services and sensitive… | internal/lkm/fetch.go:35 |
| CRIT | generic-api-key | Detected a Generic API Key, potentially exposing access to various services and sensitive… | internal/lkm/fetch.go:27 |
| CRIT | private-key | Identified a Private Key, which may compromise cryptographic security and sensitive data … | docs/api/v1/resourcesetinputprovider.md:467 |
| CRIT | private-key | Identified a Private Key, which may compromise cryptographic security and sensitive data … | internal/controller/testdata/rsa-privat…:1 |
| CRIT | azure-ad-client-secret | Azure AD Client Secret | docs/web/web-sso-microsoft.md:71 |
| CRIT | azure-ad-client-secret | Azure AD Client Secret | docs/web/web-sso-microsoft.md:30 |
| CRIT | slack-bot-token | Identified a Slack Bot token, which may compromise bot integrations and communication cha… | cmd/mcp/toolbox/library/index.gob:124 |
| CRIT | MINED133 | Hardcoded Microsoft Teams webhook URL in source | web/src/mock/resource.js:4002 |
| CRIT | MINED133 | Hardcoded Slack webhook URL in source | web/src/mock/resource.js:3904 |
| CRIT | GHSA-5xrq-8626-4rwp | vitest: GHSA-5xrq-8626-4rwp | web/package-lock.json |
| HIGH | SEC088 | [SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables ce… | internal/lkm/fetch.go:131 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | web/src/components/dashboards/cluster/C…:169 |
| HIGH | SEC128 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call … | internal/controller/common.go:75 |
| HIGH | MINED004 | [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). | internal/agentops/oci_push.go:187 |
| HIGH | SEC093 | [SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name a… | internal/cosign/sign.go:23 |
| HIGH | SEC093 | [SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name a… | internal/agentops/oci_push.go:144 |
| HIGH | MINED014 | [MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in nod… | internal/lkm/fetch.go:131 |
| HIGH | MINED014 | [MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in nod… | cmd/cli/skills_install.go:48 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | cmd/cli/diff_yaml.go:141 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | cmd/cli/create_secret_web_config.go:83 |
| HIGH | SEC029 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTT… | cmd/cli/create_secret_githubapp.go:103 |
| HIGH | MINED016 | [MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern. | cmd/cli/export_report.go:84 |
| HIGH | MINED016 | [MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern. | cmd/cli/create_secret.go:36 |
| HIGH | MINED016 | [MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern. | cmd/cli/build_instance.go:117 |
| HIGH | MINED126 | Workflow container/services image `registry:3` unpinned | .github/workflows/e2e-cli.yaml:16 |
| HIGH | MINED115 | Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.… | .github/workflows/release.yaml:194 |
| HIGH | MINED118 | Dockerfile FROM `gcr.io/distroless/static:nonroot` not pinned by digest | cmd/mcp/Dockerfile:25 |
| HIGH | MINED118 | Dockerfile FROM `gcr.io/distroless/static:debug-nonroot` not pinned by digest | cmd/cli/Dockerfile:36 |
| HIGH | MINED118 | Dockerfile FROM `gcr.io/distroless/static:nonroot` not pinned by digest | Dockerfile:29 |
| HIGH | GO-2026-5039 | stdlib: GO-2026-5039 | go.mod |
| HIGH | GO-2026-5038 | stdlib: GO-2026-5038 | go.mod |
| HIGH | GO-2026-5037 | stdlib: GO-2026-5037 | go.mod |
| HIGH | GO-2026-4986 | stdlib: GO-2026-4986 | go.mod |
| HIGH | GO-2026-4982 | stdlib: GO-2026-4982 | go.mod |
| HIGH | GO-2026-4981 | stdlib: GO-2026-4981 | go.mod |
| HIGH | GO-2026-4980 | stdlib: GO-2026-4980 | go.mod |
| HIGH | GO-2026-4977 | stdlib: GO-2026-4977 | go.mod |
| HIGH | GO-2026-4976 | stdlib: GO-2026-4976 | go.mod |
| HIGH | GO-2026-4971 | stdlib: GO-2026-4971 | go.mod |
| HIGH | GO-2026-4947 | stdlib: GO-2026-4947 | go.mod |
| HIGH | GO-2026-4946 | stdlib: GO-2026-4946 | go.mod |
| HIGH | GO-2026-4918 | stdlib: GO-2026-4918 | go.mod |
| HIGH | GO-2026-4870 | stdlib: GO-2026-4870 | go.mod |
| HIGH | GO-2026-4869 | stdlib: GO-2026-4869 | go.mod |
| HIGH | GO-2026-4866 | stdlib: GO-2026-4866 | go.mod |
| HIGH | GO-2026-4865 | stdlib: GO-2026-4865 | go.mod |
| HIGH | GO-2026-4864 | stdlib: GO-2026-4864 | go.mod |
| HIGH | GO-2026-4603 | stdlib: GO-2026-4603 | go.mod |
| HIGH | GO-2026-4602 | stdlib: GO-2026-4602 | go.mod |
| HIGH | GO-2026-4601 | stdlib: GO-2026-4601 | go.mod |
| HIGH | GO-2026-4600 | stdlib: GO-2026-4600 | go.mod |
| HIGH | GO-2026-4599 | stdlib: GO-2026-4599 | go.mod |
| HIGH | GO-2026-5030 | golang.org/x/net: GO-2026-5030 | go.mod |
| HIGH | GO-2026-5029 | golang.org/x/net: GO-2026-5029 | go.mod |
| HIGH | GO-2026-5028 | golang.org/x/net: GO-2026-5028 | go.mod |
| HIGH | GO-2026-5027 | golang.org/x/net: GO-2026-5027 | go.mod |
| HIGH | GO-2026-5026 | golang.org/x/net: GO-2026-5026 | go.mod |
| HIGH | GO-2026-5025 | golang.org/x/net: GO-2026-5025 | go.mod |
| HIGH | GO-2026-5033 | golang.org/x/crypto: GO-2026-5033 | go.mod |
| HIGH | GO-2026-5023 | golang.org/x/crypto: GO-2026-5023 | go.mod |
| HIGH | GO-2026-5021 | golang.org/x/crypto: GO-2026-5021 | go.mod |
| HIGH | GO-2026-5020 | golang.org/x/crypto: GO-2026-5020 | go.mod |
| HIGH | GO-2026-5019 | golang.org/x/crypto: GO-2026-5019 | go.mod |
| HIGH | GO-2026-5018 | golang.org/x/crypto: GO-2026-5018 | go.mod |
| HIGH | GO-2026-5017 | golang.org/x/crypto: GO-2026-5017 | go.mod |
| HIGH | GO-2026-5016 | golang.org/x/crypto: GO-2026-5016 | go.mod |
| HIGH | GO-2026-5015 | golang.org/x/crypto: GO-2026-5015 | go.mod |
| HIGH | GO-2026-5014 | golang.org/x/crypto: GO-2026-5014 | go.mod |
| HIGH | GO-2026-5013 | golang.org/x/crypto: GO-2026-5013 | go.mod |
| HIGH | GO-2026-5006 | golang.org/x/crypto: GO-2026-5006 | go.mod |
| HIGH | GO-2026-5005 | golang.org/x/crypto: GO-2026-5005 | go.mod |
| MED | SEC134 | [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum… | web/src/mock/report.js:249 |
| MED | SEC046 | [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning win… | web/src/components/auth/LoginPage.jsx:74 |
| MED | SEC091 | [SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/Read… | internal/web/server.go:72 |
| MED | SEC091 | [SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/Read… | cmd/mcp/main.go:221 |
| MED | SEC014 | [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing ma… | cmd/cli/skills_install.go:48 |
| MED | DKR002 | Dockerfile base image has no explicit tag | config/olm/build/Dockerfile:4 |
| MED | DKR007 | Docker build context has no .dockerignore | .dockerignore |
| MED | DEPCUR-NPM | npm package `jsdom` is 2 major version(s) behind (27.4.0 -> 29.1.1) | web/package.json |
| MED | DEPCUR-NPM | npm package `@eslint/js` is 1 major version(s) behind (9.39.2 -> 10.0.1) | web/package.json |
| MED | GHSA-58qx-3vcg-4xpx | ws: GHSA-58qx-3vcg-4xpx | web/package-lock.json |
| MED | GHSA-f886-m6hf-6m8v | brace-expansion: GHSA-f886-m6hf-6m8v | web/package-lock.json |
| MED | GHSA-2g4f-4pwh-qvx6 | ajv: GHSA-2g4f-4pwh-qvx6 | web/package-lock.json |
| MED | AIC001 | Parallel implementation file sits beside a canonical file | cmd/cli/skills_update.go:1 |
| MED | AGT007 | localStorage write failures are swallowed silently | web/src/utils/version.js:38 |
| LOW | ERR003 | [ERR003] Ignored Error (Go): Ignoring error return values. | cmd/cli/distro_decrypt_manifests.go:128 |
| LOW | ERR003 | [ERR003] Ignored Error (Go): Ignoring error return values. | cmd/cli/debug_web_cookie.go:70 |
| LOW | ERR003 | [ERR003] Ignored Error (Go): Ignoring error return values. | cmd/cli/create_secret_web_config.go:101 |
| LOW | DEPCUR-NPM | npm package `autoprefixer` is minor version(s) behind (10.4.23 -> 10.5.0) | web/package.json |
| LOW | DEPCUR-NPM | npm package `@vitest/coverage-v8` is minor version(s) behind (4.0.16 -> 4.1.8) | web/package.json |
| LOW | DEPCUR-NPM | npm package `preact-iso` is minor version(s) behind (2.11.1 -> 2.12.0) | web/package.json |
| LOW | DEPCUR-NPM | npm package `preact` is minor version(s) behind (10.28.2 -> 10.29.2) | web/package.json |
| LOW | DEPCUR-NPM | npm package `js-yaml` is minor version(s) behind (4.1.1 -> 4.2.0) | web/package.json |
| LOW | DEPCUR-NPM | npm package `@preact/signals` is minor version(s) behind (2.5.1 -> 2.9.1) | web/package.json |
| LOW | AIC003 | Duplicated implementation block across source files | internal/install/client.go:61 |
| LOW | AIC003 | Duplicated implementation block across source files | internal/controller/resourceset_control…:15 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/mcp/toolbox/suspend_reconciliation.…:31 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/mcp/toolbox/suspend_reconciliation.…:28 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/mcp/toolbox/suspend_reconciliation.…:24 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/mcp/toolbox/resume_reconciliation.go:31 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/mcp/toolbox/resume_reconciliation.go:28 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/mcp/toolbox/reconcile_source.go:31 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/mcp/toolbox/reconcile_resourceset.go:25 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/mcp/toolbox/reconcile_kustomization…:1 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/mcp/toolbox/install_instance.go:129 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/mcp/prompter/debug_kustomization.go:11 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/mcp/main.go:70 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/version.go:32 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/tree_resourceset.go:64 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/tree_resourceset.go:27 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/tree_kustomization.go:31 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/suspend_resource.go:22 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/resume_resource.go:28 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/resume_instance.go:31 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/get_resourceset.go:51 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/create_secret_web_config.go:143 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/create_secret_tls.go:88 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/create_secret_ssh.go:111 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/create_secret_sops.go:132 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/create_secret_registry.go:87 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/create_secret_proxy.go:87 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/create_secret_githubapp.go:102 |
| LOW | AIC003 | Duplicated implementation block across source files | cmd/cli/build_resourceset.go:55 |
| LOW | AIC003 | Duplicated implementation block across source files | api/v1/resourcesetinputprovider_types.go:128 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | web/src/components/search/EventList.jsx:47 |
| INFO | MINED044 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … | web/src/components/dashboards/resource/…:84 |
| INFO | MINED056 | [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… | web/src/components/dashboards/resource/…:256 |
| INFO | MINED056 | [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… | web/src/components/dashboards/resource/…:103 |
| INFO | MINED058 | [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escapi… | web/src/components/user/ProfilePage.jsx:153 |
| INFO | MINED058 | [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escapi… | web/src/components/dashboards/common/ya…:69 |
| INFO | MINED071 | [MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases. | internal/controller/resourceset_manager…:314 |
| INFO | MINED071 | [MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases. | cmd/mcp/toolbox/manager.go:249 |
| INFO | MINED049 | [MINED049] Print Pii: Logging password/token/email/ssn directly to stdout. | cmd/cli/debug_web_cookie.go:76 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | cmd/cli/distro.go:53 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | cmd/cli/diff_yaml.go:139 |
| INFO | MINED043 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… | cmd/cli/completion_fish.go:19 |
| INFO | MINED060 | [MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks g… | cmd/cli/create_secret_basicauth.go:107 |
| INFO | MINED060 | [MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks g… | cmd/cli/completion.go:34 |
| INFO | MINED060 | [MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks g… | cmd/cli/build_instance.go:114 |
| INFO | DEPCUR-NPM | npm package `postcss` is patch version(s) behind (8.5.12 -> 8.5.15) | web/package.json |
| INFO | DEPCUR-NPM | npm package `@preact/preset-vite` is patch version(s) behind (2.10.2 -> 2.10.5) | web/package.json |