Public scan: anyone with this URL can view this analysis.
60 of your 77 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 3.01s · analysis 4.96s · 4.2 MB · GitHub API rate-limit (preflight)

github/spec-kit

https://github.com/github/spec-kit · scanned 2026-06-11 23:26 UTC (1 day, 9 hours ago) · 10 languages

735 raw signals (72 security + 663 graph) 98th percentile · Python · medium (20-100K LoC)

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 day, 9 hours ago · v8 · 92 actionable findings from 2 signal sources. 90 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component            Sub-score   Weight   Contribution
structure_score           85.0     0.15          12.75
security_score           100.0     0.25          25.00
testing_score            100.0     0.20          20.00
documentation_score      100.0     0.15          15.00
practices_score           89.0     0.15          13.35
code_quality              38.3     0.10           3.83
Overall                            1.00          89.9
Scan summary Repository scanned at 89.8/100 with 88.9% coverage. It contains 3900 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 82 findings — concentrated in quality (62), software (12), cicd (5). Risk profile is low: 0 critical, 0 high, 6 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 33 of 92 actionable findings. 182 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

low Security checks quality Quality conf 1.00 ✓ Repobility 4 occurrences [MINED006] Overcatch BaseException: `except BaseException: ...` prevents Ctrl+C (KeyboardInterrupt) and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 for context.
2 files, 4 locations
src/specify_cli/_console.py:212 (2 hits)
src/specify_cli/workflows/steps/prompt/__init__.py:148 (2 hits)
high Security checks quality Quality conf 1.00 ✓ Repobility 23 occurrences `self._non_default_catalog_warning_shown` used but never assigned in __init__
Method `get_active_catalogs` of class `ExtensionCatalog` reads `self._non_default_catalog_warning_shown`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
4 files, 23 locations
src/specify_cli/integrations/base.py:1064, 1104, 1105, 1113, 1114, 1152, 1309, 1310, +12 more (20 hits)
src/specify_cli/extensions.py:2017
src/specify_cli/integrations/catalog.py:96
src/specify_cli/presets.py:2042
low Security checks quality Error handling conf 0.55 ✓ Repobility 11 occurrences Broad exception handler needs review
This handler catches Exception/BaseException. It is actionable when it swallows errors without logging, re-raising, or returning a structured error. Handlers that intentionally convert exceptions into typed error results should not be treated as high risk.
4 files, 11 locations
src/specify_cli/integrations/_migrate_commands.py:178, 279 (4 hits)
src/specify_cli/presets.py:1607, 1740 (4 hits)
src/specify_cli/__init__.py:234, 251 (2 hits)
src/specify_cli/commands/init.py:480
Tags: Error handling · quality
high Security checks software dependencies conf 0.70 2 occurrences Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
lines 15
docs/install/uv.md:15 (2 hits)
medium System graph cicd CI/CD security conf 1.00 5 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
5 files, 5 locations
.github/workflows/add-community-extension.lock.yml
.github/workflows/add-community-preset.lock.yml
.github/workflows/docs.yml
.github/workflows/release-trigger.yml
.github/workflows/release.yml
Tags: CI/CD security · Supply chain · GitHub Actions
low Security checks quality Quality conf 0.60 8 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
4 files, 8 locations
src/specify_cli/integrations/_migrate_commands.py:6 (2 hits)
src/specify_cli/integrations/cline/__init__.py:64 (2 hits)
src/specify_cli/integrations/vibe/__init__.py:42 (2 hits)
src/specify_cli/workflows/steps/prompt/__init__.py:59 (2 hits)
Tags: duplication · quality
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 2 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/github-script` is pinned to the mutable ref `@v9`, a tag or branch that can be moved rather than an immutable commit. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
lines 22
.github/workflows/catalog-assign.yml:22 (2 hits)
Tags: CI/CD security · Supply chain · GitHub Actions
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 12 places
Functions with the same first-5-line body hash: src/specify_cli/integrations/base.py:build_exec_args, src/specify_cli/integrations/base.py:build_exec_args, src/specify_cli/integrations/base.py:build_exec_args, src/specify_cli/integrations/base.py:build_exec_args This is *the* AI-coder failure mode…
Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 15 places
Functions with the same first-5-line body hash: src/specify_cli/integrations/base.py:setup, src/specify_cli/integrations/base.py:setup, src/specify_cli/integrations/base.py:setup, src/specify_cli/integrations/base.py:setup This is *the* AI-coder failure mode (4× more duplication in vibe-coded repo…
Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 14 occurrences Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: src/specify_cli/__init__.py:preset_catalog_add, src/specify_cli/__init__.py:catalog_add This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
14 occurrences
repo-level (14 hits)
Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 2 occurrences Near-duplicate function bodies in 3 places
Functions with the same first-5-line body hash: src/specify_cli/integrations/base.py:command_filename, src/specify_cli/integrations/base.py:command_filename, src/specify_cli/integrations/base.py:command_filename This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see htt…
2 occurrences
repo-level (2 hits)
Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 4 places
Functions with the same first-5-line body hash: src/specify_cli/presets.py:get_hash, src/specify_cli/presets.py:get, src/specify_cli/extensions.py:get_hash, src/specify_cli/extensions.py:get This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hy…
Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 8 places
Functions with the same first-5-line body hash: src/specify_cli/integrations/trae/__init__.py:options, src/specify_cli/integrations/cursor_agent/__init__.py:options, src/specify_cli/integrations/hermes/__init__.py:options, src/specify_cli/integrations/kimi/__init__.py:options This is *the* AI-code…
Tags: duplicates · duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `metadata_copy` in src/specify_cli/extensions.py:640
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `metadata_copy` in src/specify_cli/presets.py:506
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_canonical_dir_preferred_over_legacy` in tests/integrations/test_integration_opencode.py:155
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_restore_uses_deep_copy` in tests/test_extensions.py:851
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_restore_uses_deep_copy` in tests/test_presets.py:450
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `workflow_copy` in src/specify_cli/workflows/engine.py:516
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
Tags: old marker · Dead code
low System graph software Dead code conf 1.00 3 occurrences Possibly dead Python function: repl
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
3 files, 3 locations
src/specify_cli/integrations/agy/__init__.py:58
src/specify_cli/integrations/base.py:1621
src/specify_cli/integrations/cline/__init__.py:97
low System graph quality Complexity conf 1.00 Very large file: src/specify_cli/__init__.py (3507 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/specify_cli/_version.py (1429 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/specify_cli/extensions.py (3350 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/specify_cli/integrations/base.py (1772 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: src/specify_cli/presets.py (3289 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/integrations/test_cli.py (1810 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/integrations/test_integration_catalog.py (1529 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/integrations/test_integration_subcommand.py (2435 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/test_extension_skills.py (1460 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/test_extensions.py (6382 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/test_presets.py (5831 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/test_timestamp_branches.py (1196 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: tests/test_workflows.py (3946 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
API access

This page is publicly accessible at: https://repobility.com/scan/fd7adca4-f4b6-4783-9a75-00a79d91bfd4/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/fd7adca4-f4b6-4783-9a75-00a79d91bfd4/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.