Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

Scan timing: clone 3.19s · analysis 9.58s · 27.5 MB · GitHub API rate-limit (preflight)

prometheus/prometheus

https://github.com/prometheus/prometheus · scanned 2026-05-23 23:58 UTC (3 weeks, 1 day ago) · 10 languages

416 raw signals (100 security + 316 graph) 11/13 scanners ran 97th percentile · Go · large (100-500K LoC) System graph score 77 (higher by 14)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 3 weeks, 1 day ago · v2 · 192 actionable findings from 2 signal sources. 66 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
84.4
/100
Security checks
92
35 findings
System graph
77
100.0% cov · 157 findings
Critical
3
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 85.0 0.15 12.75
security_score 100.0 0.25 25.00
testing_score 90.0 0.20 18.00
documentation_score 90.0 0.15 13.50
practices_score 100.0 0.15 15.00
code_quality 70.0 0.10 7.00
Overall 1.00 91.2
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: severity: high × excluding tests × Reset all
Severity: Critical 3 High 10 Medium 17 Low 111 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 35 System graph 157 Crowd 0 Layer: Quality 89 Security 14 Cicd 4 Software 55 Frontend 26 Network 1 Hardware 2 Api 1
Scan summary Quality grade A (91/100). Dimensions: security 100, maintainability 85. 100 findings (17 security). 363,042 lines analyzed.

Showing 10 of 192 actionable findings. 258 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 / for context.
web/ui/mantine-ui/src/state/queryPageSlice.ts:115
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `gcr.io/distroless/static-debian13:nonroot-` not pinned by digest: `FROM gcr.io/distroless/static-debian13:nonroot-` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM gcr.io/distroless/static-debian13:nonroot-@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
Dockerfile.distroless:4
high Security checks software dependencies conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `quay.io/prometheus/busybox- (no tag)` not pinned by digest: `FROM quay.io/prometheus/busybox- (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM quay.io/prometheus/busybox- (no tag)@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
Dockerfile:3
high Security checks software dependencies conf 0.90 ✓ Repobility 10 occurrences [MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
Replace with `quay.io/prometheus/golang-builder:1.26-base@sha256:<digest>`. Re-pin via Dependabot Docker scope.
2 files, 10 locations
.github/workflows/ci.yml:19, 36, 53, 68, 84, 99, 137, 157, +1 more (9 hits)
.github/workflows/repo_sync.yml:15
high System graph security Secrets conf 1.00 .env file present in repo: web/ui/react-app/.env
A raw .env file is in the working tree. Verify it isn't committed and that secrets are in a vault.
Config
high System graph security security conf 1.00 Insecure pattern 'eval_used' in promql/engine.go:1200
Found a known-risky pattern (eval_used). Review and replace if possible.
promql/engine.go:1200 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in promql/functions.go:2375
Found a known-risky pattern (eval_used). Review and replace if possible.
promql/functions.go:2375 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in promql/info.go:40
Found a known-risky pattern (eval_used). Review and replace if possible.
promql/info.go:40 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in promql/value.go:584
Found a known-risky pattern (eval_used). Review and replace if possible.
promql/value.go:584 Eval used
high Security checks quality Quality conf 0.72 3 occurrences Agent control bridge may listen on a network interface without visible auth
Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model.
3 files, 3 locations
discovery/moby/testdata/swarmprom/tasks.json:128
web/api/v1/testdata/openapi_3.1_golden.yaml:573
web/api/v1/testdata/openapi_3.2_golden.yaml:573
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/f49f0d4c-44f5-476f-ae97-1d983f63dbf9/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/f49f0d4c-44f5-476f-ae97-1d983f63dbf9/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.