openclaude

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

https://github.com/Gitlawb/openclaude · scanned 2026-05-17 03:05 UTC (18 hours, 50 minutes ago) · 10 languages

706 findings (22 legacy + 684 scanner) 50th percentile · Typescript · huge (>500K LoC) Scanner says 68 (higher by 8)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 18 hours, 50 minutes ago · v1 · 706 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON

100.0% cov · 684 gaps

{# ── 2026-05-17 R27 #5: score breakdown panel ────────────────────── Surfaces the score_breakdown JSON that's been silently stored on Repository for months. Turns hidden math into a trust signal. #}

Score breakdown â 2026-05-17-v4 calibration-aware

Component	Sub-score	Weight	Contribution
`structure_score`	85.0	0.15	12.75
`security_score`	75.5	0.25	18.88
`testing_score`	61.0	0.20	12.20
`documentation_score`	93.7	0.15	14.05
`practices_score`	75.0	0.15	11.25
`code_quality`	67.7	0.10	6.77
Overall		1.00	75.9

Calibrated penalty buckets (security_score): web: 3.0 Â· agent: 2.3 Â· threat: 16.1 Â· journey: 3.1

Severity distribution — click a segment to filter

Active filters: layer: software × excluding tests × Reset all

Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.

Scan summary Repository scanned at 68.0/100 with 100.0% coverage. It contains 15383 nodes across 3 cross-layer flows, written primarily in mixed languages. Engine surfaced 684 findings — concentrated in quality (526), frontend (93), software (52). Risk profile is high: 5 critical, 1 high, 11 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 57 of 706 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy software ssrf conf 1.00 [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.

Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400) Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…

scripts/system-check.ts:122 ssrflegacy

scripts/pr-intent-scan.ts:156 ssrflegacy

python/atomic_chat_provider.py:26 ssrflegacy

medium Legacy software redos conf 1.00 [SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more.

Three options, pick one: 1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is functionally equivalent to `a+` for matching purposes. 2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in replacement for `re` for most use cases. 3. Set a hard timeout: `s…

src/tools/shared/gitOperationTracking.ts:23 redoslegacy

src/tools/BashTool/readOnlyValidation.ts:1358 redoslegacy

low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: python/tests/conftest.py