UNIFIED
Repobility · multi-layer engine · AI coders
Complete repo analysis
Last scanned 1 hour, 30 minutes ago · v3 · last Δ -0.1 (diff) · 525 findings from 2 sources.
Findings combine the legacy security pipeline AND the multi-layer engine
(atlas, wiring, flows, ranked) AND verified AI agent contributions.
Score breakdown · 2026-05-17-v4 · calibration-aware
| Component | Sub-score | Weight | Contribution |
|---|---|---|---|
| structure_score | 85.0 | 0.15 | 12.75 |
| security_score | 21.5 | 0.25 | 5.38 |
| testing_score | 81.0 | 0.20 | 16.20 |
| documentation_score | 75.0 | 0.15 | 11.25 |
| practices_score | 75.0 | 0.15 | 11.25 |
| code_quality | 43.0 | 0.10 | 4.30 |
| Overall | | 1.00 | 61.1 |
Calibrated penalty buckets (security_score): agent 8.1 · authz 4.6 · docker 15.3 · threat 37.0 · journey 13.5
Scan summary
Repository scanned at 78.8/100 with 100.0% coverage. It contains 5808 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 451 findings — concentrated in quality (164), cicd (147), frontend (79). Risk profile is high: 0 critical, 3 high, 86 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.
Showing 512 of 525 findings.
low
Legacy
security
credential_exposure
conf 1.00
[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.
Remove immediately and rotate the token. Use environment variables.
src/openhuman/memory/tree/jobs/redact.rs:164
Tags: credential_exposure, legacy
low
Legacy
security
credential_exposure
conf 1.00
[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.
Remove immediately and rotate the token. Use environment variables.
src/openhuman/memory/safety/mod.rs:410
Tags: credential_exposure, legacy
critical
Legacy
security
credential_exposure
conf 1.00
[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files.
Replace the value with a placeholder, revoke or rotate the exposed token, and store live values only in a masked secret store.
src/openhuman/memory/tree/jobs/redact.rs:137
Tags: credential_exposure, legacy
critical
Legacy
security
credential_exposure
conf 1.00
[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files.
Replace the value with a placeholder, revoke or rotate the exposed token, and store live values only in a masked secret store.
src/openhuman/memory/safety/mod.rs:351
Tags: credential_exposure, legacy
high
Legacy
security
credential_exposure
conf 1.00
[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.
Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed.
scripts/act-staging.sh:127
Tags: credential_exposure, legacy
high
Legacy
security
credential_exposure
conf 1.00
[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.
Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed.
scripts/act-build-desktop.sh:72
Tags: credential_exposure, legacy
high
Legacy
software
ssrf
conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching:
ALLOWED = {'images.example.com', 'cdn.example.com'}
host = urlparse(url).hostname
if host not in ALLOWED: abort(400)
Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
app/src-tauri/src/webview_accounts/runtime.js:440
Tags: ssrf, legacy
high
Legacy
software
ssrf
conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching:
ALLOWED = {'images.example.com', 'cdn.example.com'}
host = urlparse(url).hostname
if host not in ALLOWED: abort(400)
Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
app/src-tauri/src/webview_accounts/mod.rs:49
Tags: ssrf, legacy
high
Legacy
software
ssrf
conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches.
Validate the URL against an allowlist BEFORE fetching:
ALLOWED = {'images.example.com', 'cdn.example.com'}
host = urlparse(url).hostname
if host not in ALLOWED: abort(400)
Or use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request h…
app/src-tauri/src/cdp/session.rs:90
Tags: ssrf, legacy
high
Legacy
security
auth
conf 0.78
Consent is collected in UI without visible backend audit persistence
Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state.
app/src/components/composio/ComposioConnectModal.tsx:783
Tags: auth, legacy
high
Legacy
cicd
docker
conf 0.92
Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
e2e/Dockerfile:35
Tags: docker, legacy
high
Legacy
cicd
docker
conf 0.92
Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
e2e/Dockerfile:30
Tags: docker, legacy
high
Legacy
cicd
docker
conf 0.92
Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
.github/Dockerfile:52
Tags: docker, legacy
high
Legacy
cicd
docker
conf 0.92
Dockerfile pipes a remote script into a shell
Download the artifact, verify its checksum or signature, pin the version, and then execute it.
.github/Dockerfile:46
Tags: docker, legacy
high
Legacy
security
auth
conf 0.83
Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
app/src/components/settings/panels/AIPanel.tsx:2130
Tags: auth, legacy
high
Legacy
security
auth
conf 0.83
Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
app/src/components/settings/panels/ComposioPanel.tsx:291
Tags: auth, legacy
high
9-layer
hardware
supply-chain
conf 1.00
Dockerfile pipes a remote installer into a shell
Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.
.github/Dockerfile:46
Tags: supply-chain, docker, remote-installer
high
9-layer
hardware
supply-chain
conf 1.00
Dockerfile pipes a remote installer into a shell
Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.
.github/Dockerfile:52
Tags: supply-chain, docker, remote-installer
high
9-layer
hardware
supply-chain
conf 1.00
Dockerfile pipes a remote installer into a shell
Executing downloaded code during image build gives the remote endpoint build-time code execution. Prefer pinned packages or verify downloaded installers by checksum/signature.
e2e/Dockerfile:35
Tags: supply-chain, docker, remote-installer
medium
Legacy
security
auth
conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
Tags: auth, legacy
medium
Legacy
security
auth
conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 15.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
Tags: auth, legacy
medium
Legacy
quality
error_handling
conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
app/src-tauri/src/meet_audio/captions_bridge.js:158
Tags: error_handling, legacy
medium
Legacy
quality
error_handling
conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
app/src-tauri/src/meet_audio/audio_bridge.js:209
Tags: error_handling, legacy
medium
Legacy
quality
error_handling
conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
app/src-tauri/recipes/google-meet/recipe.js:47
Tags: error_handling, legacy
medium
Legacy
security
injection
conf 0.50
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
Use subprocess with shell=False and a list of args. Never eval user input.
app/src/pages/conversations/utils/workerThreadRef.ts:34
Tags: injection, legacy
medium
Legacy
security
path_traversal
conf 1.00
[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
Validate extracted paths with os.path.realpath() and ensure they stay within the target directory.
app/scripts/e2e-run-session.sh:501
Tags: path_traversal, legacy
medium
Legacy
security
auth
conf 0.82
Browser storage is used for session token material
Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens.
app/src/store/coreModeSlice.ts:66
Tags: auth, legacy
medium
Legacy
security
auth
conf 0.82
Browser storage is used for session token material
Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens.
app/src/utils/configPersistence.ts:219
Tags: auth, legacy
medium
Legacy
security
auth
conf 0.82
Browser storage is used for session token material
Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens.
app/src/utils/configPersistence.ts:202
Tags: auth, legacy
medium
Legacy
cicd
docker
conf 0.82
Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
e2e/Dockerfile:14
Tags: docker, legacy
medium
Legacy
cicd
docker
conf 0.82
Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
.github/Dockerfile:1
Tags: docker, legacy
medium
Legacy
quality
quality
conf 0.80
localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
app/src/store/index.ts:54
Tags: quality, legacy
medium
Legacy
quality
quality
conf 0.80
localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
app/src/pages/onboarding/components/BetaBanner.tsx:22
Tags: quality, legacy
medium
Legacy
quality
quality
conf 0.80
localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
app/src/components/settings/panels/AgentChatPanel.tsx:48
Tags: quality, legacy
medium
Legacy
quality
quality
conf 0.80
localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
app/src/store/userScopedStorage.ts:46
Tags: quality, legacy
medium
Legacy
quality
quality
conf 0.80
localStorage write failures are swallowed silently
Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics.
app/src/overlay/OverlayApp.tsx:412
Tags: quality, legacy
medium
Legacy
quality
quality
conf 0.68
Ollama audio payload path may mislead users about direct model audio
Gate direct audio sending on a verified runtime capability check. Until supported, show a one-time notice that voice is transcribed in the browser and only text is sent to the model.
app/src/pages/Conversations.tsx:753
Tags: quality, legacy
medium
Legacy
quality
quality
conf 0.82
Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
src/openhuman/memory/tree/canonicalize/email_clean.rs:1
Tags: quality, legacy
medium
Legacy
quality
quality
conf 0.82
Parallel implementation file sits beside a canonical file
Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point.
remotion/src/Mascot/mascot-yellow-wave-alt.tsx:1
Tags: quality, legacy
medium
Legacy
software
dependency
conf 0.70
Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
README.zh-CN.md:50
Tags: dependency, legacy
medium
9-layer
frontend
frontend-quality
conf 1.00
`dangerouslySetInnerHTML` used in a React component — app/src/features/human/Mascot/backend/BackendMascot.tsx:4
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library.
Why: OWASP basics. Already partially flagged by the security analyzer.
Rule id: fq.dangerous-html
Tags: frontend-quality, fq.dangerous-html
medium
9-layer
quality
integrity
conf 1.00
`fetch()` without try/.catch or AbortSignal — app/src/services/coreRpcClient.ts:319
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: integrity, fragile-runtime, robustness
medium
9-layer
quality
integrity
conf 1.00
`fetch()` without try/.catch or AbortSignal — app/src/test/mockApiCore.headersRedaction.test.ts:10
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: integrity, fragile-runtime, robustness
medium
9-layer
quality
integrity
conf 1.00
`fetch()` without try/.catch or AbortSignal — app/src/test/mockApiCore.portSelection.test.ts:53
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: integrity, fragile-runtime, robustness
medium
9-layer
quality
integrity
conf 1.00
`fetch()` without try/.catch or AbortSignal — app/src/utils/config.ts:41
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: integrity, fragile-runtime, robustness
medium
9-layer
quality
integrity
conf 1.00
`fetch()` without try/.catch or AbortSignal — app/test/e2e/helpers/core-rpc-node.ts:70
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: integrity, fragile-runtime, robustness
medium
9-layer
quality
integrity
conf 1.00
`fetch()` without try/.catch or AbortSignal — app/test/e2e/specs/rewards-progression-persistence.spec.ts:65
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
Tags: integrity, fragile-runtime, robustness
medium
9-layer
hardware
security
conf 1.00
Dockerfile runs as root: .github/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Tags: security, container
medium
9-layer
hardware
security
conf 1.00
Dockerfile runs as root: e2e/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Tags: security, container
medium
9-layer
quality
integrity
conf 1.00
Frontend route `/channels` has no Link/navigate to it — app/src/AppRoutes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `/custom` has no Link/navigate to it — app/src/components/__tests__/ProtectedRoute.test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `/dashboard` has no Link/navigate to it — app/src/components/__tests__/PublicRoute.test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `/login` has no Link/navigate to it — app/src/components/__tests__/ProtectedRoute.test.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `/onboarding/*` has no Link/navigate to it — app/src/AppRoutes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `/settings/*` has no Link/navigate to it — app/src/AppRoutes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `/webhooks` has no Link/navigate to it — app/src/AppRoutes.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `about` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `account` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `autocomplete-debug` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `autocomplete` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `billing` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `custom/inference` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `custom/memory` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `custom/oauth` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `custom/search` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `custom/voice` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `developer-options` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `features` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `mascot` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `memory-data` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `memory-debug` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `runtime-choice` has no Link/navigate to it — app/src/pages/onboarding/Onboarding.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `screen-awareness-debug` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `team/invites` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `team/manage/:teamId/invites` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `team/manage/:teamId/members` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `team/manage/:teamId` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `team/members` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
quality
integrity
conf 1.00
Frontend route `voice-debug` has no Link/navigate to it — app/src/pages/Settings.tsx
The route is registered but no `<Link to=…>` or `navigate(…)` in the codebase navigates here. Either it's reachable only via direct URL (intentional), it's dead, or the link broke during a refactor.
Tags: integrity, orphan-page, wiring
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:84
Tags: supply-chain, github-actions, pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@cargo-llvm-cov can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:90
Tags: supply-chain, github-actions, pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:115
Tags: supply-chain, github-actions, pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@cargo-llvm-cov can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:130
Tags: supply-chain, github-actions, pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/typecheck.yml:57
Tags: supply-chain, github-actions, pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:87
Tags: supply-chain, github-actions, pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:201
Tags: supply-chain, github-actions, pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:236
Tags: supply-chain, github-actions, pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:245
Tags: supply-chain, github-actions, pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:259
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v4 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:339
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/
[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:348
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:351
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-staging.yml:102
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-staging.yml:286
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-staging.yml:288
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-ci-image.yml:27
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-ci-image.yml:33
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:112
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:433
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:435
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:457
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/
[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:510
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:512
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:698
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
docker/login-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:700
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/
[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-windows.yml:30
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
lycheeverse/lychee-action@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pr-quality.yml:57
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
maxim-lobanov/setup-xcode@v1 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:149
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:153
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/
[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:161
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-agent-review.yml:40
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/
[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-agent-review.yml:50
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
docker/setup-buildx-action@v3 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deploy-smoke.yml:48
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
docker/build-push-action@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deploy-smoke.yml:51
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
dtolnay/
[email protected] can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-packages.yml:43
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-packages.yml:45
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
pnpm/action-setup@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-packages.yml:172
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
Swatinem/rust-cache@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build.yml:29
supply-chain · github-actions · pinned-dependencies
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-staging.yml
supply-chain · github-actions · least-privilege
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/docker-ci-image.yml
supply-chain · github-actions · least-privilege
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-production.yml
supply-chain · github-actions · least-privilege
medium
9-layer
cicd
supply-chain
conf 1.00
GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-packages.yml
supply-chain · github-actions · least-privilege
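Added example, not the scanner's or the repository's own code: a small Python checker that implements the two checks behind the GitHub Actions findings above. It flags every `uses:` reference whose ref is not a full 40-hex-character commit SHA (a tag and a branch are syntactically indistinguishable and both mutable, so both count as unpinned; `docker://` references are judged by the presence of an `@sha256:` digest), and it flags a workflow-level `permissions:` block that hands write scopes to every job. The two workflow documents are constructed for the demo, and the SHAs and digest in the hardened one are placeholders, not real commits. One caveat the findings leave out: a SHA pin only helps if it is kept current, so keep the version tag in a trailing comment and let Dependabot or Renovate bump the SHA.

```python
"""Checks for the two GitHub Actions findings above (added example; the
workflows are constructed and the SHAs/digest are placeholders)."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                  # full commit SHA only
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")     # `- uses: owner/repo@ref  # comment`
PERM_RE = re.compile(r"^(\s*)permissions:\s*([^#]*)")   # capture indent + inline value

SAMPLE_WORKFLOW = """\
name: release
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Swatinem/rust-cache@v2
      - uses: docker/build-push-action@v6
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
"""

HARDENED_WORKFLOW = """\
name: release
on: [push]
permissions: {}              # the workflow itself grants nothing ...
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read           # ... each job asks for exactly what it needs
      packages: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: Swatinem/rust-cache@89abcdef0123456789abcdef0123456789abcdef # v2 (placeholder SHA)
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""


def classify_ref(ref: str) -> str:
    """'local', 'sha', 'tag', 'digest' or 'docker-tag' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"                  # in-repo action: only changes with a commit here
    if ref.startswith("docker://"):
        return "digest" if "@sha256:" in ref else "docker-tag"
    if "@" not in ref:
        return "tag"                    # no ref at all resolves to the default branch
    pin = ref.rpartition("@")[2]
    return "sha" if SHA_RE.match(pin) else "tag"


def find_unpinned(workflow: str) -> list[tuple[int, str, str]]:
    """(line, ref, kind) for every mutable third-party reference."""
    hits = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("\"'")
        kind = classify_ref(ref)
        if kind in ("tag", "docker-tag"):
            hits.append((n, ref, kind))
    return hits


def _inline_map(text: str) -> dict[str, str]:
    body = text.strip()[1:-1]           # `{}` or `{contents: read, packages: write}`
    pairs = (p.partition(":") for p in body.split(",") if p.strip())
    return {k.strip(): v.strip() for k, _, v in pairs}


def workflow_permissions(workflow: str):
    """Workflow-level (column 0) permissions: 'write-all', 'read-all', a
    scope->level dict, or None when unset (the repository default then applies)."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = PERM_RE.match(line)
        if not m or m.group(1):
            continue                    # indented = job/step level, which is the goal
        value = m.group(2).strip()
        if value.startswith("{"):
            return _inline_map(value)
        if value:
            return value
        scopes = {}
        for nxt in lines[i + 1:]:       # block map: collect the indented scope lines
            if not nxt.startswith(" "):
                break
            k, _, v = nxt.split("#")[0].strip().partition(":")
            scopes[k.strip()] = v.strip()
        return scopes
    return None


def broad_write(perms) -> bool:
    """True when the workflow-level block hands a write scope to every job."""
    if perms == "write-all":
        return True
    return isinstance(perms, dict) and "write" in perms.values()


def report(workflow: str) -> list[str]:
    out = [f"line {n}: {ref} is {kind}-pinned; pin to a reviewed 40-char SHA"
           for n, ref, kind in find_unpinned(workflow)]
    if broad_write(workflow_permissions(workflow)):
        out.append("workflow-level permissions grant write; move to job-level least privilege")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_WORKFLOW)) or "sample: clean")
    print("\n".join(report(HARDENED_WORKFLOW)) or "hardened: clean")
```

Run it over `.github/workflows/*.yml` by feeding each file's text to `report()`. `workflow_permissions()` returning `None` is worth surfacing too: with no `permissions:` block the token gets whatever the repository default is, which is still read/write on older repositories.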
low
Legacy
cicd
docker
conf 0.72
.dockerignore misses sensitive defaults
Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases.
.dockerignore
docker · legacy
low
Legacy
cicd
docker
conf 0.62
Compose service lacks no-new-privileges hardening
Add `security_opt: ["no-new-privileges:true"]` unless the service has a documented need for privilege escalation.
docker-compose.yml:17
docker · legacy
low
Legacy
cicd
docker
conf 0.72
Dockerfile installs recommended OS packages
Add `--no-install-recommends` and explicitly list only packages the image needs.
e2e/Dockerfile:35
docker · legacy
low
Legacy
cicd
docker
conf 0.72
Dockerfile installs recommended OS packages
Add `--no-install-recommends` and explicitly list only packages the image needs.
e2e/Dockerfile:19
docker · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src/components/settings/panels/TeamMembersPanel.tsx:112
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src/components/settings/panels/TeamMembersPanel.tsx:110
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src/components/settings/panels/TeamInvitesPanel.tsx:108
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src/components/settings/panels/TeamInvitesPanel.tsx:107
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src/components/settings/panels/RecoveryPhrasePanel.tsx:389
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src/components/settings/panels/PrivacyPanel.tsx:211
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src/components/settings/panels/AutocompletePanel.tsx:7
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src/components/intelligence/MemoryWorkspace.tsx:380
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src/components/intelligence/MemorySyncConnections.tsx:33
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src/components/intelligence/IntelligenceSubconsciousTab.tsx:344
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src/components/channels/TelegramConfig.tsx:4
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/whatsapp_scanner/idb.rs:99
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/whatsapp_scanner/idb.rs:85
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/telegram_scanner/mod.rs:418
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/telegram_scanner/mod.rs:381
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/telegram_scanner/mod.rs:16
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/telegram_scanner/mod.rs:1
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/telegram_scanner/idb.rs:147
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/telegram_scanner/idb.rs:14
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/telegram_scanner/dom_snapshot.rs:37
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/slack_scanner/mod.rs:505
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/slack_scanner/mod.rs:468
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/slack_scanner/mod.rs:16
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/slack_scanner/idb.rs:144
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/slack_scanner/dom_snapshot.rs:1
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/meet_video/inject.rs:39
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/meet_scanner/mod.rs:55
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/imessage_scanner/mod.rs:321
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/discord_scanner/mod.rs:147
quality · legacy
low
Legacy
quality
quality
conf 0.86
Duplicated implementation block across source files
Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used.
app/src-tauri/src/discord_scanner/mod.rs:110
quality · legacy
low
9-layer
frontend
frontend-quality
conf 1.00
"active" state uses light bg in a dark theme — app/src/components/BottomTabBar.tsx:218
A ternary like `active ? 'bg-white' : '...'` (or bg-gray-100/200) on a dark theme produces jarring white pills. Use a dark-emphasized active state instead — border + ring or slightly brighter dark bg. Example: `active ? 'bg-gray-800 border-gray-500 ring-1 ring-blue-500/30' : '…'`.
Why: P-E in CHEC…
frontend-quality · fq.active-light-bg
low
9-layer
frontend
frontend-quality
conf 1.00
"active" state uses light bg in a dark theme — app/src/pages/Intelligence.tsx:157
A ternary like `active ? 'bg-white' : '...'` (or bg-gray-100/200) on a dark theme produces jarring white pills. Use a dark-emphasized active state instead — border + ring or slightly brighter dark bg. Example: `active ? 'bg-gray-800 border-gray-500 ring-1 ring-blue-500/30' : '…'`.
Why: P-E in CHEC…
frontend-quality · fq.active-light-bg
low
9-layer
quality
maintenance
conf 1.00
42 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low
9-layer
quality
integrity
conf 1.00
50 env vars used in code but missing from .env.example
Drift between code and config docs. The first few: `APPIUM_PORT`, `BACKEND_URL`, `CEF_CDP_HOST`, `CEF_CDP_PORT`, `DEBUG_E2E_DEEPLINK`, `DEBUG_TESTS`, `DEV`, `E2E_ARTIFACT_DIR` + 42 more. Add them (with a placeholder/comment) to .env.example so onboarding doesn't break.
integrity · config-drift
low
9-layer
hardware
coverage
conf 1.00
Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coverage · deployment
low
9-layer
hardware
supply-chain
conf 1.00
Docker base image is tag-pinned but not digest-pinned: debian:bookworm-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:58
supply-chain · docker · pinned-dependencies
low
9-layer
hardware
supply-chain
conf 1.00
Docker base image is tag-pinned but not digest-pinned: rust:1.93-bookworm
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
Dockerfile:12
supply-chain · docker · pinned-dependencies
low
9-layer
hardware
supply-chain
conf 1.00
Docker base image is tag-pinned but not digest-pinned: ubuntu:22.04
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
.github/Dockerfile:1
supply-chain · docker · pinned-dependencies
low
9-layer
hardware
supply-chain
conf 1.00
Docker base image is tag-pinned but not digest-pinned: ubuntu:22.04
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
e2e/Dockerfile:14
supply-chain · docker · pinned-dependencies
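Added example, not the scanner's or the repository's code: a Python linter covering the Docker findings on this page, both the legacy `.dockerignore` / `--no-install-recommends` findings earlier and the base-image digest findings just above. It classifies every `FROM` as digest-pinned, tag-pinned, floating (implicit `:latest`), a reference to an earlier build stage, or an unresolved build `ARG` (it substitutes `ARG` defaults first, which is exactly the case a line-by-line grep for `FROM` gets wrong); it judges each shell command inside a `RUN` on its own, so one `apt-get install` with the flag does not hide another without it; and it lists which sensitive defaults a `.dockerignore` lacks. The Dockerfiles and `.dockerignore` are constructed (they reuse the two image names named in the findings), the digests in the hardened Dockerfile are placeholders rather than real image digests, and `REQUIRED_IGNORES` is one reading of the finding's wording, not a standard list.

```python
"""Line-level checks for the Docker findings above (added example; the inputs
are constructed and the sha256 digests are placeholders, not real digests)."""
import re

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
ARG_RE = re.compile(r"^ARG\s+(\w+)=(\S+)", re.I)
APT_INSTALL_RE = re.compile(r"\bapt(?:-get)?\s+install\b")
# Assumed reading of the .dockerignore finding (.env, .git, private keys,
# certificates, dependency folders, local databases); adjust per project.
REQUIRED_IGNORES = {".git", ".env", "*.pem", "*.key", "*.crt",
                    "node_modules", "target", "*.db", "*.sqlite"}

SAMPLE_DOCKERFILE = """\
ARG RUST_IMAGE=rust:1.93-bookworm
FROM ${RUST_IMAGE} AS builder
RUN apt-get update && apt-get install -y \\
    pkg-config libssl-dev \\
 && rm -rf /var/lib/apt/lists/*
FROM debian:bookworm-slim
COPY --from=builder /app/target/release/app /usr/local/bin/app
"""

HARDENED_DOCKERFILE = """\
FROM rust:1.93-bookworm@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS builder
RUN apt-get update && apt-get install -y --no-install-recommends \\
    pkg-config libssl-dev \\
 && rm -rf /var/lib/apt/lists/*
FROM debian:bookworm-slim@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
COPY --from=builder /app/target/release/app /usr/local/bin/app
"""

SAMPLE_DOCKERIGNORE = "node_modules\ntarget\n"   # constructed: misses the secrets patterns


def logical_lines(text: str) -> list[tuple[int, str]]:
    """Join backslash continuations; yields (first line number, instruction)."""
    out, buf, start = [], [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue                                 # blank/comment, legal inside a RUN too
        start = start or n
        if s.endswith("\\"):
            buf.append(s[:-1].rstrip())
            continue
        buf.append(s)
        out.append((start, " ".join(buf)))
        buf, start = [], 0
    if buf:
        out.append((start, " ".join(buf)))
    return out


def classify_image(ref: str, stages: set[str]) -> str:
    if "$" in ref:
        return "arg"                                 # unresolved build arg: cannot judge
    if ref in stages:
        return "stage"                               # earlier stage of this Dockerfile
    if "@sha256:" in ref:
        return "digest"
    last = ref.rsplit("/", 1)[-1]                    # registry:port/ns/name:tag -> name:tag
    return "tag" if ":" in last else "floating"      # floating = implicit :latest


def check_from(dockerfile: str) -> list[tuple[str, str]]:
    """(resolved image ref, kind) for every FROM, with ARG defaults substituted."""
    args, stages, out = {}, set(), []
    for _, line in logical_lines(dockerfile):
        m = ARG_RE.match(line)
        if m:
            args[m.group(1)] = m.group(2).strip("\"'")
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = re.sub(r"\$\{?(\w+)\}?", lambda v: args.get(v.group(1), v.group(0)), m.group(1))
        out.append((ref, classify_image(ref, stages)))
        if m.group(2):
            stages.add(m.group(2))
    return out


def apt_without_no_recommends(dockerfile: str) -> list[int]:
    """Line numbers of RUN instructions with an apt install lacking the flag."""
    bad = []
    for n, line in logical_lines(dockerfile):
        if not line.upper().startswith("RUN "):
            continue
        for cmd in re.split(r"&&|\|\||;", line[4:]):     # judge each shell command alone
            if APT_INSTALL_RE.search(cmd) and "--no-install-recommends" not in cmd:
                bad.append(n)
                break
    return bad


def missing_ignores(dockerignore: str) -> list[str]:
    present = {l.strip() for l in dockerignore.splitlines()
               if l.strip() and not l.lstrip().startswith("#")}
    return sorted(REQUIRED_IGNORES - present)


if __name__ == "__main__":
    for name, df in (("sample", SAMPLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, check_from(df), "apt without --no-install-recommends:", apt_without_no_recommends(df))
    print(".dockerignore missing:", missing_ignores(SAMPLE_DOCKERIGNORE))
```

Pinning by digest trades automatic patch pickup for reproducibility, so pair it with a bot that bumps the digest (Dependabot and Renovate both do this for `FROM` lines) and keep the human-readable tag in front of the `@sha256:` so reviewers can see what the digest is supposed to be.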
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/eslint.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/postcss.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/__tests__/App.boot.test.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/constants/onboardingChat.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/polyfills.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/test/mockDefaultSkillStatusHooks.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/accounts.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/agentProfile.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/api.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/channels.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/global.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/intelligence.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/invite.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/modules.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/notifications.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/oauth.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/providerSurfaces.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/referral.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/rewards.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/skillStatus.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/team.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/thread.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/types/turnState.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/utils/cryptoKeys.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/utils/links.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/utils/openUrl.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/utils/semver.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/utils/withTimeout.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/src/vite-env.d.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/tailwind.config.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/test/checklist-parser.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/test/coverage-matrix-parser.test.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/test/e2e/mock-server.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/test/e2e/specs/channels-smoke.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/test/e2e/specs/chat-harness-send-stream.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/test/e2e/specs/settings-channels-permissions.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/test/e2e/specs/settings-data-management.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/test/e2e/specs/skill-socket-reconnect.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/test/e2e/specs/smoke.spec.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: app/test/vitest.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: remotion/remotion.config.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: remotion/src/Mascot/mascot-yellow-greeting.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: remotion/src/Mascot/mascot-yellow-idle.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: remotion/src/Mascot/mascot-yellow-pickup.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: remotion/src/Mascot/mascot-yellow-sleep.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: remotion/src/Mascot/mascot-yellow-talking.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: remotion/src/Mascot/mascot-yellow-thinking.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: remotion/src/Mascot/mascot-yellow-wave.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: remotion/src/Root.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
software
dead-code-candidate
conf 1.00
File has no detected symbols: scripts/tools-generator/__tests__/openClaw-formatter.test.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:29
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:33
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:56
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:79
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:94
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:110
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:123
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:134
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:148
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-python@v6 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:155
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/download-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:161
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/coverage.yml:191
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/typecheck.yml:22
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/typecheck.yml:26
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/typecheck.yml:53
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/contributor-rewards.yml:33
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:72
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:79
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:99
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:108
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:186
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:193
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:229
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:239
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:268
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:277
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:332
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-reusable.yml:342
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/weekly-code-review.yml:34
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/weekly-code-review.yml:39
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/weekly-code-review.yml:51
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/weekly-code-review.yml:66
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/weekly-code-review.yml:73
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/create-github-app-token@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-staging.yml:90
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-staging.yml:95
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-staging.yml:104
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-staging.yml:281
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-staging.yml:365
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/docker-ci-image.yml:22
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/installer-smoke.yml:22
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/installer-smoke.yml:33
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/create-github-app-token@v2 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:100
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:105
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:114
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:340
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:428
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:504
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:565
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:599
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:625
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:663
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:797
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-production.yml:814
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-windows.yml:20
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-windows.yml:25
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-windows.yml:41
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-windows.yml:53
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-windows.yml:61
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-windows.yml:82
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-windows.yml:106
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-windows.yml:113
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-windows.yml:120
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pr-quality.yml:25
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pr-quality.yml:41
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/pr-quality.yml:53
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:138
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:157
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:187
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:201
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:211
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:224
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:231
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/github-script@v8 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:287
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:683
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/build-desktop.yml:693
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-agent-review.yml:25
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/setup-node@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-agent-review.yml:45
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/cache@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-agent-review.yml:69
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/upload-artifact@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/e2e-agent-review.yml:123
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/deploy-smoke.yml:42
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-packages.yml:37
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-packages.yml:97
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-packages.yml:102
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-packages.yml:128
supply-chain · github-actions · pinned-dependencies
low
9-layer
cicd
supply-chain
conf 1.00
GitHub Action is tag-pinned rather than SHA-pinned
actions/checkout@v5 can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/release-packages.yml:144
supply-chain · github-actions · pinned-dependencies
Showing first 300 of 512. Refine filters or use the legacy findings page for deep search.