Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo

dograh-hq/dograh

https://github.com/dograh-hq/dograh.git · scanned 2026-05-17 19:38 UTC (2 weeks, 4 days ago) · 10 languages

681 findings (101 legacy + 580 scanner) 8/10 scanners ran 44th percentile · Python · large (100-500K LoC) Scanner says 53 (higher by 20)

File as issue Image v2 schema
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 2 weeks, 4 days ago · v2 · 101 findings from 1 source. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

JSON
Combined
61.8
/100
Repobility
71
101 legacy
9-layer
53
100.0% cov · 0 gaps
Critical
5
click to filter
Agents
6
0 votes
Crowd
0
reported
Severity distribution — click a segment to filter
Active filters: layer: security × excluding tests × Reset all
Severity: Critical 5 High 71 Medium 9 Low 5 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Legacy 101 9-layer 0 Crowd 0 Layer: Quality 53 Security 20 Cicd 22 Software 6
Corpus Intelligence Cross-corpus context (cohort percentile, top patterns, fix plan) is shown only on repositories you own. Sign up and connect your repo to view it.
Scan summary Repository scanned at 52.8/100 with 100.0% coverage. It contains 5116 nodes across 30 cross-layer flows, written primarily in mixed languages. Engine surfaced 0 findings. Risk profile is low: 0 critical, 0 high, 0 medium. Recommended next step: open the software layer findings first — that's where the highest-impact wins live.

Showing 16 of 101 findings. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Legacy security auth conf 0.88 Token handoff appears to use a callback URL or fragment
Use a server-side one-time authorization code tied to a registered callback allowlist. Do not append access tokens to callback URLs or fragments.
ui/src/app/workflow/[workflowId]/run/[runId]/hooks/useWebSocketRTC.tsx:96 authlegacy
high Legacy security auth conf 0.70 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /results/:id/route.
Add ownership, tenant, relationship, or policy checks before reading or mutating the target object.
evals/visualizer/src/app/api/results/[id]/route.ts:7 authlegacy
high Legacy security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
ui/src/app/auth/signup/page.tsx:82 authlegacy
high Legacy security auth conf 0.83 Secret-like setting is echoed into a password input value
Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time.
ui/src/app/auth/login/page.tsx:70 authlegacy
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
authlegacy
high Legacy security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /audio/:filename/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
evals/visualizer/src/app/api/audio/[filename]/route.ts:15 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /auth/oss/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
ui/src/app/api/auth/oss/route.ts:14 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /config/auth/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
ui/src/app/api/config/auth/route.ts:6 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /config/sentry/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
ui/src/app/api/config/sentry/route.ts:3 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /config/version/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
ui/src/app/api/config/version/route.ts:9 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /impersonate.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
ui/src/app/impersonate/route.ts:11 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /results/:id/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
evals/visualizer/src/app/api/results/[id]/route.ts:7 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /results/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
evals/visualizer/src/app/api/results/route.ts:8 authlegacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /auth/session/route.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
ui/src/app/api/auth/session/route.ts:7 authlegacy
medium Legacy security crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
api/tasks/arq.py:28 cryptolegacy
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/fca85d4e-dcc0-4eb6-858e-36c136019350/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/fca85d4e-dcc0-4eb6-858e-36c136019350/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.