Public scan. ✓ Repobility tags below mark findings that came from Repobility's proprietary detections (149 of the 316 findings).

Scan timing: clone 4.37s · analysis 27.96s · 12.4 MB · GitHub API rate-limit (preflight)

yt-dlp/yt-dlp

https://github.com/yt-dlp/yt-dlp · scanned 2026-06-04 22:00 UTC (13 hours, 2 minutes ago) · 10 languages

667 findings (295 legacy + 372 scanner) 3rd percentile · Python · large (100-500K LoC) Scanner says 79 (lower by 29)


Complete repo analysis

Last scanned 13 hours, 1 minute ago · v2 · 481 findings from 2 sources. Findings combine the legacy security pipeline AND the multi-layer engine (atlas, wiring, flows, ranked) AND verified AI agent contributions.

Score breakdown · 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score            60.0     0.15           9.00
security_score              0.0     0.25           0.00
testing_score              43.0     0.20           8.60
documentation_score        93.6     0.15          14.04
practices_score            91.0     0.15          13.65
code_quality               45.0     0.10           4.50
Overall                              1.00          49.8
Active filters: excluding tests
Scan summary Repository scanned at 78.6/100 with 100.0% coverage. It contains 10183 nodes across 0 cross-layer flows, written primarily in mixed languages. Engine surfaced 186 findings — concentrated in quality (118), software (35), security (21). Risk profile is high: 12 critical, 1 high, 21 medium. Recommended next step: open the quality layer findings first — that's where the highest-impact wins live.

Showing 380 of 481 findings.

low Legacy security credential_exposure conf 0.90 [SEC002] Hardcoded API Key: Hardcoded API key found in source code.
Use environment variables. Add the pattern to .gitignore.
yt_dlp/extractor/scrippsnetworks.py:49 credential_exposurelegacy
low Legacy security credential_exposure conf 0.90 [SEC002] Hardcoded API Key: Hardcoded API key found in source code.
Use environment variables. Add the pattern to .gitignore.
yt_dlp/extractor/fox.py:57 credential_exposurelegacy
low Legacy security credential_exposure conf 0.90 [SEC002] Hardcoded API Key: Hardcoded API key found in source code.
Use environment variables. Add the pattern to .gitignore.
yt_dlp/extractor/cybrary.py:12 credential_exposurelegacy
critical Legacy security credential_exposure conf 1.00 [SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.
Remove immediately and rotate the token. Use environment variables.
yt_dlp/extractor/shahid.py:39 credential_exposurelegacy
critical Legacy security crypto conf 1.00 [SEC039] Plaintext-equivalent password hash — unsalted single-pass digest: A single-pass digest of a password is a sound hash function but a poor password hash. With no salt, one precomputed table covers every user and every leaked database; with no key-stretching, an attacker holding the digest database can test candidates offline at hardware speed and recover most common passwords in hours. CWE-916 (Use of Password Hash With Insufficient Computational Effort).
Use a purpose-built password hash:
- Python: passlib.hash.argon2.hash(password)
- Python: bcrypt.hashpw(password.encode(), bcrypt.gensalt())
- Python: hashlib.pbkdf2_hmac('sha256', password, salt, 600000)
- PHP: password_hash($password, PASSWORD_ARGON2ID)
- Node.js: argon2.hash(password)
…
yt_dlp/extractor/gofile.py:66 cryptolegacy
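The SEC039 rule above flags a single-pass digest of a password. The Python below is an added example (not yt-dlp code) showing why that digest is plaintext-equivalent: a dictionary attack that needs only one precomputed table because there is no salt, next to a PBKDF2-HMAC-SHA256 replacement that stores salt and iteration count alongside the hash and verifies in constant time. The wordlist and passwords are constructed. One caveat before applying the fix: it is for code that stores or verifies passwords itself. A client that only forwards a digest to a remote API has to send whatever that API expects, and the server's storage scheme is what decides the real risk.

```python
import hashlib
import hmac
import os

# Added example (not yt-dlp code): why an unsalted single-pass digest is a
# plaintext-equivalent password hash (CWE-916), and a PBKDF2 replacement.


def weak_digest(password):
    """The flagged pattern: sha256(password) with no salt and no stretching."""
    return hashlib.sha256(password.encode('utf-8')).hexdigest()


def crack_unsalted(digest, wordlist):
    """Offline dictionary attack against an unsalted digest. One table of
    digest -> password works for every user and every leaked database, and
    each candidate costs a single SHA-256 evaluation."""
    table = {weak_digest(word): word for word in wordlist}
    return table.get(digest)


def hash_password(password, iterations=600_000):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt. The stored string
    carries its own parameters so they can be raised later without a flag day."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return 'pbkdf2_sha256${}${}${}'.format(iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split('$')
    if algo != 'pbkdf2_sha256':
        raise ValueError('unsupported hash format: ' + algo)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == '__main__':
    # Constructed wordlist; a real attack uses a leaked-password corpus.
    wordlist = ['123456', 'password', 'hunter2', 'letmein']
    leaked = weak_digest('hunter2')
    print('unsalted digest recovered as:', crack_unsalted(leaked, wordlist))
    # Two users with the same password: identical weak digests,
    # distinct PBKDF2 records because each gets its own salt.
    print('same weak digest:', weak_digest('hunter2') == weak_digest('hunter2'))
    a, b = hash_password('hunter2'), hash_password('hunter2')
    print('same PBKDF2 record:', a == b)
    print('verify ok:', verify_password('hunter2', a),
          'wrong password:', verify_password('hunter3', a))
```

The iteration count is a parameter so a deployment can raise it over time; because the count is stored with each record, old records still verify and can be re-hashed on the next successful login.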
critical Legacy security secret conf 1.00 [SEC049] GCP API key: Google Cloud API key (AIza prefix). Ported from gitleaks gcp-api-key (MIT).
Restrict the key in Cloud Console (HTTP referrers / IP whitelist) and rotate. Move to Secret Manager.
yt_dlp/extractor/stacommu.py:15 secretlegacy
critical Legacy security secret conf 1.00 [SEC049] GCP API key: Google Cloud API key (AIza prefix). Ported from gitleaks gcp-api-key (MIT).
Restrict the key in Cloud Console (HTTP referrers / IP whitelist) and rotate. Move to Secret Manager.
yt_dlp/extractor/cybrary.py:12 secretlegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/vimeo.py:79 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/vimeo.py:64 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/weverse.py:70 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/vrt.py:52 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/vrt.py:51 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/zingmp3.py:65 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/wykop.py:25 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/stacommu.py:156 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/stacommu.py:125 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/videocampus_sachsen.py:146 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/yle_areena.py:108 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/xiaohongshu.py:30 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/videa.py:98 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/viddler.py:92 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/tvw.py:108 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/tver.py:312 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/toutv.py:46 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/toutv.py:38 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/trunews.py:27 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/trunews.py:20 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/shahid.py:40 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/shahid.py:20 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/rtp.py:149 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/skynewsau.py:28 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/scrippsnetworks.py:49 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/nytimes.py:26 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/pornhub.py:262 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/pornhub.py:255 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/pornhub.py:235 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/pornhub.py:223 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/pornhub.py:209 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/redbulltv.py:130 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/redbee.py:227 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/prosiebensat1.py:382 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/radiocanada.py:63 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/polskieradio.py:261 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/nfl.py:84 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/nfl.py:72 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/nfl.py:71 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/npr.py:69 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/ntvcojp.py:57 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/mzaalo.py:69 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/loco.py:91 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/nationalgeographic.py:83 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/dailymotion.py:60 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/espn.py:413 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/espn.py:403 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/espn.py:331 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/espn.py:324 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/espn.py:312 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/iqiyi.py:107 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/imggaming.py:15 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/fox.py:57 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/dangalplay.py:23 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/dropbox.py:33 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/ard.py:570 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/clyp.py:24 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/ciscolive.py:18 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/bitchute.py:255 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/blogger.py:16 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/bandlab.py:153 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/bibeltv.py:22 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/asobichannel.py:13 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/shahid.py:39 credential_exposurelegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `hmac` used but not imported
The file uses `hmac.something(...)` but never imports `hmac`. This raises NameError at runtime the first time the line executes.
yt_dlp/extractor/itv.py:77 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `html` used but not imported
The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.
yt_dlp/extractor/openload.py:204 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `html` used but not imported
The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.
yt_dlp/extractor/kukululive.py:91 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `json` used but not imported
The file uses `json.something(...)` but never imports `json`. This raises NameError at runtime the first time the line executes.
yt_dlp/extractor/wimtv.py:101 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `locale` used but not imported
The file uses `locale.something(...)` but never imports `locale`. This raises NameError at runtime the first time the line executes.
yt_dlp/extractor/mgtv.py:160 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `locale` used but not imported
The file uses `locale.something(...)` but never imports `locale`. This raises NameError at runtime the first time the line executes.
yt_dlp/extractor/lego.py:65 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `locale` used but not imported
The file uses `locale.something(...)` but never imports `locale`. This raises NameError at runtime the first time the line executes.
yt_dlp/extractor/theweatherchannel.py:41 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `stat` used but not imported
The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
yt_dlp/extractor/bandcamp.py:246 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `string` used but not imported
The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
yt_dlp/postprocessor/ffmpeg.py:384 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `string` used but not imported
The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
yt_dlp/utils/_utils.py:2445 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `warnings` used but not imported
The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
yt_dlp/extractor/youtube/_base.py:1063 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `warnings` used but not imported
The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.
yt_dlp/__init__.py:503 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Missing import: `xml` used but not imported
The file uses `xml.something(...)` but never imports `xml`. This raises NameError at runtime the first time the line executes.
yt_dlp/extractor/br.py:90 qualitylegacy
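A "used but not imported" report is worth confirming before filing it, because the same bare name is often a local variable (a string called html, a dict called json) rather than the module. The Python below is an added example, not the scanner's code: it parses a source file and reports `name.attr` uses only where `name` is bound nowhere in the module, so a local binding is not mistaken for a missing import. The three sample sources are constructed and not taken from yt-dlp.

```python
import ast
import builtins

# Added example (not the scanner's code). Confirms a "used but not imported"
# report by parsing the file: a name is reported only when `name.attr` is
# used and `name` is not imported, assigned, bound as a parameter, def or
# class, or a builtin anywhere in the module. It is deliberately module-wide
# rather than scope-aware, so it under-reports rather than mis-reports a
# local such as `html = ...; html.strip()`.


def missing_module_uses(source):
    """Return sorted (line, name) pairs for attribute uses of unbound names."""
    tree = ast.parse(source)
    bound = set(dir(builtins))
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                bound.add((alias.asname or alias.name).split('.')[0])
        elif isinstance(node, ast.ImportFrom):
            for alias in node.names:
                bound.add(alias.asname or alias.name)
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            bound.add(node.name)
        elif isinstance(node, ast.arg):          # every parameter kind
            bound.add(node.arg)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            bound.add(node.id)                   # assignment, for/with targets
        elif isinstance(node, ast.ExceptHandler) and node.name:
            bound.add(node.name)
    found = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and isinstance(node.value.ctx, ast.Load)
                and node.value.id not in bound):
            found.add((node.lineno, node.value.id))
    return sorted(found)


# Constructed samples (not yt-dlp source).
TRUE_POSITIVE = '''
def sign(key, msg):
    return hmac.new(key, msg, 'sha256').hexdigest()   # hmac never imported
'''

LOCAL_BINDING = '''
def clean(fetch_page):
    html = fetch_page()
    return html.strip()   # html is a local str here, not the html module
'''

FIXED = '''
import hmac

def sign(key, msg):
    return hmac.new(key, msg, 'sha256').hexdigest()
'''

if __name__ == '__main__':
    for label, src in [('true positive', TRUE_POSITIVE),
                       ('local binding', LOCAL_BINDING), ('fixed', FIXED)]:
        print(label, '->', missing_module_uses(src))
```

Run it over the file named in a finding; an empty result means the name is bound somewhere in that file and the report needs a closer look, while a hit gives the line that would raise NameError.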
critical Legacy security credential_exposure conf 0.95 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/wrestleuniverse.py:31 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/stacommu.py:177 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/googledrive.py:143 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/cybrary.py:12 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/vice.py:103 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/tbs.py:16 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/nbc.py:233 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/espn.py:332 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/go.py:41 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/go.py:34 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/go.py:22 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/aenetworks.py:26 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/blackboardcollaborate.py:163 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/adultswim.py:156 credential_exposurelegacy
critical Legacy security credential_exposure conf 0.95 Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
Gitleaks detected a committed secret or credential pattern.
yt_dlp/extractor/adultswim.py:87 credential_exposurelegacy
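The Gitleaks findings above are pattern matches: a string shaped like a Google API key (AIza prefix), an AWS access key ID, or a JWT. The Python below is an added example (not yt-dlp or gitleaks code) that runs approximations of those patterns over constructed source lines and, for JWTs, decodes the claims without verifying the signature to separate an expired token from an active one and from a static token with no exp claim. The regexes are assumptions modelled on the rule families, not the scanner's exact rules; the key-shaped strings (one of them the AWS documentation's example key ID), the signing key and the sample lines are all constructed. A match only shows the shape of a secret. For a downloader that talks to third-party sites, the next step is to establish whether the string is a client-side key the site itself ships to browsers or a credential the repository owns, since "rotate" only applies to the latter.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Added example (not yt-dlp or gitleaks code). The regexes approximate the
# gitleaks rule families named in the findings above; they are assumptions,
# not the scanner's exact patterns.
RULES = {
    'gcp_api_key': re.compile(r'AIza[0-9A-Za-z_-]{35}'),
    'aws_access_key_id': re.compile(r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b'),
    'jwt': re.compile(r'\bey[A-Za-z0-9_-]{10,}\.ey[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b'),
}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + '=' * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b'=').decode('ascii')


def make_hs256_jwt(claims, key):
    """Builds a token for the demo input; the key is a constructed dummy."""
    head = _b64url_encode(json.dumps({'alg': 'HS256', 'typ': 'JWT'}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (head + '.' + body).encode(), hashlib.sha256).digest()
    return head + '.' + body + '.' + _b64url_encode(sig)


def decode_jwt_unverified(token):
    """Triage only: read header and claims WITHOUT checking the signature.
    Never use this to accept a token; it only tells you what was committed."""
    head, body, _sig = token.split('.')
    return json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body))


def triage_jwt(token, now=None):
    """'expired' (dead token), 'active' (rotate now), or 'static' (no exp
    claim: a long-lived bearer secret, the worst case)."""
    now = time.time() if now is None else now
    _head, claims = decode_jwt_unverified(token)
    exp = claims.get('exp')
    if exp is None:
        return 'static'
    return 'expired' if exp < now else 'active'


def scan_lines(lines, now=None):
    """Return (line_no, rule, note) for each hit. JWTs get a triage verdict;
    other matches are pattern hits only and still need ownership confirmed."""
    hits = []
    for no, line in enumerate(lines, 1):
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                if rule == 'jwt':
                    note = triage_jwt(m.group(0), now)
                else:
                    note = 'pattern match; confirm the key is live and owned here'
                hits.append((no, rule, note))
    return hits


# Constructed sample source lines (not from yt-dlp): key-shaped strings only.
DUMMY_KEY = b'demo-signing-key'
SAMPLE_LINES = [
    "_API_KEY = 'AIzaSyA" + '0' * 32 + "'",                 # GCP-shaped key
    "aws_id = 'AKIAIOSFODNN7EXAMPLE'",                       # AWS docs example id
    "_TOKEN = '" + make_hs256_jwt({'iss': 'demo', 'exp': 1_600_000_000}, DUMMY_KEY) + "'",
    "_CLIENT = '" + make_hs256_jwt({'iss': 'demo', 'role': 'anon'}, DUMMY_KEY) + "'",
    "timeout = 30",
]

if __name__ == '__main__':
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```

For a real triage pass, feed it the lines at the paths the findings list; a 'static' JWT verdict or a key whose restrictions you cannot account for is the one to escalate first.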
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/cybrary.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
yt_dlp/extractor/cybrary.py:12 secrets
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/fox.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
yt_dlp/extractor/fox.py:57 secrets
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/goplay.py
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
yt_dlp/extractor/goplay.py:318 secrets
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/imggaming.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
yt_dlp/extractor/imggaming.py:15 secrets
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/nationalgeographic.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
yt_dlp/extractor/nationalgeographic.py:83 secrets
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/nfl.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
yt_dlp/extractor/nfl.py:84 secrets
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/redbee.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
yt_dlp/extractor/redbee.py:227 secrets
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/scrippsnetworks.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
yt_dlp/extractor/scrippsnetworks.py:49 secrets
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/shahid.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
yt_dlp/extractor/shahid.py:20 secrets
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/skynewsau.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
yt_dlp/extractor/skynewsau.py:28 secrets
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/tver.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
yt_dlp/extractor/tver.py:312 secrets
critical 9-layer security secrets conf 1.00 Possible secret in yt_dlp/extractor/tver.py
Detected pattern matching generic_api_key. Rotate the credential and move to a secret manager.
yt_dlp/extractor/tver.py:349 secrets
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
yt_dlp/__pyinstaller/hook-yt_dlp.py:15 quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
Review and fix per the pattern semantics. See CWE-755 / for context.
devscripts/tomlparse.py:129 quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
yt_dlp/extractor/abcotvs.py:21 quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
yt_dlp/downloader/bunnycdn.py:44 quality · legacy
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
yt_dlp/dependencies/Cryptodome.py:15 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch BaseException: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
yt_dlp/downloader/rtmp.py:92 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch BaseException: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
yt_dlp/downloader/niconico.py:79 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.
Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately — assume it is compromised.
yt_dlp/extractor/shahid.py:39 quality · legacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
yt_dlp/downloader/soop.py:57 path_traversal · legacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
yt_dlp/downloader/niconico.py:28 path_traversal · legacy
high Legacy security path_traversal conf 0.80 [SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads.
yt_dlp/downloader/bunnycdn.py:48 path_traversal · legacy
high Legacy security secret conf 1.00 [SEC043] Secret stored in Odoo ir.config_parameter — broadly readable: ir.config_parameter is readable by any user with read access on the model — typically all internal users. Storing API keys, OAuth client secrets, or passwords there means any admin-account compromise, or any third-party module with broad read scope, exposes the credential. Odoo-specific instance of CWE-922 (insecure storage of sensitive info).
Move to environment variables (loaded at server start, not in DB): api_key = os.environ.get('STRIPE_API_KEY') Or use Odoo's dedicated 'res.config.settings' with restricted ACL: - Set groups='base.group_system' on the field - Use sudo() reads only from server-trusted code paths Or a secrets-ma…
yt_dlp/extractor/gofile.py:65 secret · legacy
high Legacy security secret conf 1.00 [SEC043] Secret stored in Odoo ir.config_parameter — broadly readable: ir.config_parameter is readable by any user with read access on the model — typically all internal users. Storing API keys, OAuth client secrets, or passwords there means any admin-account compromise, or any third-party module with broad read scope, exposes the credential. Odoo-specific instance of CWE-922 (insecure storage of sensitive info).
Move to environment variables (loaded at server start, not in DB): api_key = os.environ.get('STRIPE_API_KEY') Or use Odoo's dedicated 'res.config.settings' with restricted ACL: - Set groups='base.group_system' on the field - Use sudo() reads only from server-trusted code paths Or a secrets-ma…
yt_dlp/extractor/dropbox.py:62 secret · legacy
high Legacy security secret conf 1.00 [SEC043] Secret stored in Odoo ir.config_parameter — broadly readable: ir.config_parameter is readable by any user with read access on the model — typically all internal users. Storing API keys, OAuth client secrets, or passwords there means any admin-account compromise, or any third-party module with broad read scope, exposes the credential. Odoo-specific instance of CWE-922 (insecure storage of sensitive info).
Move to environment variables (loaded at server start, not in DB): api_key = os.environ.get('STRIPE_API_KEY') Or use Odoo's dedicated 'res.config.settings' with restricted ACL: - Set groups='base.group_system' on the field - Use sudo() reads only from server-trusted code paths Or a secrets-ma…
yt_dlp/extractor/ciscowebex.py:42 secret · legacy
high Legacy security secret conf 1.00 [SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT).
If the JWT is live, invalidate by rotating the signing key. Move tokens out of source.
yt_dlp/extractor/cloudflarestream.py:46 secret · legacy
high Legacy security secret conf 1.00 [SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT).
If the JWT is live, invalidate by rotating the signing key. Move tokens out of source.
yt_dlp/extractor/blackboardcollaborate.py:159 secret · legacy
high Legacy security secret conf 1.00 [SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT).
If the JWT is live, invalidate by rotating the signing key. Move tokens out of source.
yt_dlp/extractor/adultswim.py:87 secret · legacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
devscripts/utils.py:30 quality · legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
yt_dlp/extractor/appletrailers.py:166 injection · legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
yt_dlp/extractor/aol.py:110 injection · legacy
high Legacy security injection conf 1.00 [SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders).
yt_dlp/downloader/rtmp.py:44 injection · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._commits` used but never assigned in __init__
Method `apply_overrides` of class `CommitRange` reads `self._commits`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:355 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._commits` used but never assigned in __init__
Method `apply_overrides` of class `CommitRange` reads `self._commits`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:353 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._commits` used but never assigned in __init__
Method `apply_overrides` of class `CommitRange` reads `self._commits`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:371 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._commits` used but never assigned in __init__
Method `__contains__` of class `CommitRange` reads `self._commits`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:280 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._commits` used but never assigned in __init__
Method `__len__` of class `CommitRange` reads `self._commits`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:272 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._commits` used but never assigned in __init__
Method `__iter__` of class `CommitRange` reads `self._commits`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:269 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._end` used but never assigned in __init__
Method `_get_commits_and_fixes` of class `CommitRange` reads `self._end`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:285 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._format_authors` used but never assigned in __init__
Method `format_single_change` of class `Changelog` reads `self._format_authors`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:218 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._format_authors` used but never assigned in __init__
Method `format_single_change` of class `Changelog` reads `self._format_authors`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:211 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._format_group` used but never assigned in __init__
Method `format_module` of class `Changelog` reads `self._format_group`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:146 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._format_groups` used but never assigned in __init__
Method `__str__` of class `Changelog` reads `self._format_groups`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:129 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._format_issues` used but never assigned in __init__
Method `format_single_change` of class `Changelog` reads `self._format_issues`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:208 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._format_message_link` used but never assigned in __init__
Method `format_single_change` of class `Changelog` reads `self._format_message_link`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:214 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._format_message_link` used but never assigned in __init__
Method `format_single_change` of class `Changelog` reads `self._format_message_link`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:205 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._format_message_link` used but never assigned in __init__
Method `_prepare_cleanup_misc_items` of class `Changelog` reads `self._format_message_link`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:195 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._prepare_cleanup_misc_items` used but never assigned in __init__
Method `_format_group` of class `Changelog` reads `self._prepare_cleanup_misc_items`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:156 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._start` used but never assigned in __init__
Method `apply_overrides` of class `CommitRange` reads `self._start`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:342 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._start` used but never assigned in __init__
Method `_get_commits_and_fixes` of class `CommitRange` reads `self._start`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:306 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self._start` used but never assigned in __init__
Method `_get_commits_and_fixes` of class `CommitRange` reads `self._start`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:285 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.format_module` used but never assigned in __init__
Method `_format_groups` of class `Changelog` reads `self.format_module`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:139 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.format_single_change` used but never assigned in __init__
Method `_format_group` of class `Changelog` reads `self.format_single_change`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:170 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.format_single_change` used but never assigned in __init__
Method `_format_group` of class `Changelog` reads `self.format_single_change`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:181 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.format_single_change` used but never assigned in __init__
Method `_format_group` of class `Changelog` reads `self.format_single_change`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:176 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.repo_url` used but never assigned in __init__
Method `_format_issues` of class `Changelog` reads `self.repo_url`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:230 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility `self.repo_url` used but never assigned in __init__
Method `_format_message_link` of class `Changelog` reads `self.repo_url`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
devscripts/make_changelog.py:227 quality · legacy
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in devscripts/utils.py:30
Found a known-risky pattern (exec_used). Review and replace if possible.
devscripts/utils.py:30 owasp · exec_used
medium Legacy quality error_handling conf 1.00 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types.
devscripts/tomlparse.py:129 error_handling · legacy
medium Legacy security crypto conf 1.00 [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed.
yt_dlp/networking/_helper.py:110 crypto · legacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
yt_dlp/extractor/academicearth.py:29 security · legacy
medium Legacy quality quality conf 1.00 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated incident.
Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly.
yt_dlp/networking/websocket.py:18 quality · legacy
medium Legacy quality quality conf 1.00 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated incident.
Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly.
yt_dlp/networking/_helper.py:163 quality · legacy
medium Legacy quality quality conf 1.00 [SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated incident.
Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly.
yt_dlp/extractor/motherless.py:169 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/networking/__init__.py:37 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/networking/__init__.py:30 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/networking/__init__.py:23 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/networking/_requests.py:244 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/downloader/fc2.py:27 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/downloader/niconico.py:79 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/downloader/fragment.py:90 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/postprocessor/common.py:155 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/postprocessor/embedthumbnail.py:139 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/utils/_utils.py:4802 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/utils/_utils.py:185 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/dependencies/__init__.py:40 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/extractor/common.py:3912 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/extractor/wwe.py:132 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/YoutubeDL.py:3629 quality · legacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/YoutubeDL.py:1717 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/YoutubeDL.py:667 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/cache.py:44 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/cookies.py:74 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/jsinterp.py:521 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/__init__.py:992 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/plugins.py:208 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
yt_dlp/plugins.py:76 qualitylegacy
high Legacy quality quality conf 1.00 ✓ Repobility Bare except continues silently
Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
devscripts/check-porn.py:32 qualitylegacy
medium Legacy cicd docker conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore dockerlegacy
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
bundle/docker/linux/Dockerfile:12 dockerlegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_assemble_formats` (dict)
`def _assemble_formats(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/brainpop.py:36 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_call_api` (dict)
`def _call_api(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/kick.py:26 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_call_api` (dict)
`def _call_api(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/pr0gramm.py:123 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_call_api` (dict)
`def _call_api(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/nexx.py:147 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_call_api` (dict)
`def _call_api(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/netverse.py:16 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_call_api` (dict)
`def _call_api(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/radiokapital.py:9 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_call_api` (dict)
`def _call_api(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/dangalplay.py:60 qualitylegacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_call_bamgrid_api` (dict)
`def _call_bamgrid_api(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/espn.py:334 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_delete_downloaded_files` (dict)
`def _delete_downloaded_files(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/YoutubeDL.py:3739 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_entries` (dict)
`def _entries(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/rcti.py:260 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_entries` (list)
`def _entries(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/gamejolt.py:301 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_extract_adaptive_formats` (dict)
`def _extract_adaptive_formats(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/brainpop.py:49 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_extract_cvp_info` (dict)
`def _extract_cvp_info(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/turner.py:50 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_extract_embeds` (dict)
`def _extract_embeds(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/generic.py:986 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_series_entries` (dict)
`def _series_entries(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/extractor/rcti.py:294 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_set_from_options_callback` (dict)
`def _set_from_options_callback(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/options.py:256 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `_wait_for_video` (dict)
`def _wait_for_video(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/YoutubeDL.py:1725 · quality · legacy
medium Legacy quality quality conf 1.00 ✓ Repobility Mutable default argument in `resf` (dict)
`def resf(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too.
yt_dlp/jsinterp.py:964 · quality · legacy
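The mechanism behind the sixteen findings above, as an added example rather than code from yt-dlp: a request builder with the flagged `headers={}` default, the same function with the `None`-sentinel fix, and a small `ast`-based check that reproduces the detection on any Python source. The function names, the header values and the scanned snippets in the test are constructed for the demonstration; nothing here is the project's own `_call_api`.

```python
"""Added example (not yt-dlp's code): why a mutable default is shared state, the
idiomatic fix, and an AST check that finds the pattern in arbitrary Python source.
Function names and header values are constructed for the demonstration.
"""
from __future__ import annotations

import ast


def build_request_buggy(path: str, headers: dict = {}) -> dict:
    """Flagged form: `headers={}` is created once when `def` executes, so every call
    that does not pass headers mutates the same dict. Anything one call stores
    (a cookie, an auth token, a tracking header) is visible to every later call."""
    headers["X-Request-Path"] = path
    return {"path": path, "headers": headers}


def build_request_fixed(path: str, headers: dict | None = None) -> dict:
    """Fixed form: None sentinel and a fresh dict per call. It also copies a
    caller-supplied dict so the function never aliases the caller's object."""
    headers = dict(headers) if headers else {}
    headers["X-Request-Path"] = path
    return {"path": path, "headers": headers}


def demonstrate() -> tuple[str, str]:
    """Return the X-Request-Path that the FIRST request carries in each variant
    after a second request has been built."""
    first_buggy = build_request_buggy("/a")
    build_request_buggy("/b")          # silently rewrites first_buggy's headers too
    first_fixed = build_request_fixed("/a")
    build_request_fixed("/b")          # independent dict, first_fixed is untouched
    return (first_buggy["headers"]["X-Request-Path"],
            first_fixed["headers"]["X-Request-Path"])


MUTABLE_CONSTRUCTORS = {"list", "dict", "set"}


def find_mutable_defaults(source: str, filename: str = "<string>") -> list[tuple[str, int, str]]:
    """Scan Python source and return (function, line, kind) for every default that is
    a list/dict/set literal or a bare list()/dict()/set() call. This is the same class
    of check as flake8-bugbear/ruff rule B006, kept inline so the finding can be
    reproduced locally without the scanner."""
    hits: list[tuple[str, int, str]] = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        args = node.args
        # positional defaults plus keyword-only defaults (None means "no default")
        defaults = list(args.defaults) + [d for d in args.kw_defaults if d is not None]
        for default in defaults:
            kind = None
            if isinstance(default, (ast.List, ast.Dict, ast.Set)):
                kind = type(default).__name__.lower()
            elif (isinstance(default, ast.Call) and isinstance(default.func, ast.Name)
                  and default.func.id in MUTABLE_CONSTRUCTORS):
                kind = default.func.id
            if kind:
                hits.append((node.name, default.lineno, kind))
    return hits


if __name__ == "__main__":
    print("first request path, buggy vs fixed:", demonstrate())
    print(find_mutable_defaults("def f(a, b={}, *, c=[]):\n    pass\n"))
```

`demonstrate()` returns `("/b", "/a")`: the buggy variant's first request now claims it was sent to `/b`, because both requests hold the one dict that was built at `def` time. In an extractor this is not just a correctness bug; a default dict used for headers, cookies or query parameters carries one call's values into every later call for the life of the process. Immutable defaults (`None`, a tuple, a frozenset) are safe; the `None` sentinel is the conventional fix and is what the check above does not flag.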
medium Legacy quality quality conf 0.78 Public web service has no security.txt
security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt.
.well-known/security.txt · quality · legacy
medium Legacy software dependency conf 0.88 uv: GHSA-4gg8-gxpx-9rph
uv is vulnerable to arbitrary file write through entry point names
uv.lock · dependency · legacy
medium 9-layer hardware security conf 1.00 Dockerfile runs as root: bundle/docker/linux/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
security · container
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/wiki.yml · supply-chain · github-actions · least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-nightly.yml · supply-chain · github-actions · least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release-master.yml · supply-chain · github-actions · least-privilege
medium 9-layer cicd supply-chain conf 1.00 GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
.github/workflows/release.yml · supply-chain · github-actions · least-privilege
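What "job-level least-privilege permissions" looks like in practice, as an added configuration example that is not taken from any of the four workflows listed above. The workflow name, the job names and the build commands are assumptions; the point is the two `permissions:` blocks.

```yaml
# Added example (not a yt-dlp workflow): scoping GITHUB_TOKEN per job.
name: release

on:
  push:
    tags: ['*']

# Workflow-wide default: read-only. Every job starts from this unless it says otherwise.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits contents: read. Checking out and building needs nothing more.
    steps:
      - uses: actions/checkout@v4
      - run: python -m build

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Only the job that creates the release gets write scope, and only the one scope it needs.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "$GITHUB_REF_NAME" dist/*
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The top-level block sets the ceiling for every job; a job-level block replaces it for that job only. Avoid `permissions: write-all` and a bare top-level `contents: write`, since both hand every step in every job (including third-party actions) a token that can push to the repository. Jobs triggered by `pull_request_target` deserve extra care: they run with the base branch's token, so they must never check out and execute the pull request head.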
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in yt_dlp/extractor/common.py:1398
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
yt_dlp/extractor/common.py:1398 · owasp · subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in yt_dlp/postprocessor/exec.py:21
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
yt_dlp/postprocessor/exec.py:21 · owasp · subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in yt_dlp/update.py:549
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
yt_dlp/update.py:549 · owasp · subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in yt_dlp/utils/_utils.py:886
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
yt_dlp/utils/_utils.py:886 · owasp · subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'subprocess_shell_true' in yt_dlp/YoutubeDL.py:1447
Found a known-risky pattern (subprocess_shell_true). Review and replace if possible.
yt_dlp/YoutubeDL.py:1447 · owasp · subprocess_shell_true
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in yt_dlp/dependencies/Cryptodome.py:15
Found a known-risky pattern (weak_hash). Review and replace if possible.
yt_dlp/dependencies/Cryptodome.py:15 · owasp · weak_hash
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in yt_dlp/extractor/wrestleuniverse.py:129
Found a known-risky pattern (weak_hash). Review and replace if possible.
yt_dlp/extractor/wrestleuniverse.py:129 · owasp · weak_hash
medium 9-layer security owasp conf 1.00 Insecure pattern 'weak_hash' in yt_dlp/networking/_helper.py:141
Found a known-risky pattern (weak_hash). Review and replace if possible.
yt_dlp/networking/_helper.py:141 · owasp · weak_hash
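How to triage a `weak_hash` hit before "replacing" it, as an added example that is not code from the three files above. MD5 or SHA-1 is only a security problem where an attacker gains from a collision or preimage (verifying fetched content, deduplicating by digest, anything signature-like); a cache key or a non-security identifier can keep MD5 but should declare that intent. Both functions and the inputs in the test are constructed for the example.

```python
"""Added example (not yt-dlp's code): the two legitimate outcomes of a weak-hash review.

Non-security use keeps MD5 but marks it usedforsecurity=False (Python 3.9+), which
documents intent and keeps FIPS-mode interpreters from refusing the call.
Security use moves to SHA-256 and compares digests in constant time.
"""
from __future__ import annotations

import hashlib
import hmac


def cache_key(url: str) -> str:
    """Non-security use: a short, stable key for an on-disk cache entry.
    Nobody benefits from colliding two cache keys, so MD5 is acceptable here and
    the flag records that no security property is expected of it."""
    data = url.encode("utf-8")
    try:
        digest = hashlib.md5(data, usedforsecurity=False)
    except TypeError:  # Python < 3.9 has no usedforsecurity parameter
        digest = hashlib.md5(data)
    return digest.hexdigest()


def verify_download(content: bytes, expected_sha256_hex: str) -> bool:
    """Security use: integrity of fetched bytes against a published digest.
    SHA-256 for collision resistance; hmac.compare_digest so the comparison time
    does not reveal how many leading characters of the digest already matched."""
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


if __name__ == "__main__":
    print(cache_key("https://example.invalid/watch?v=abc"))
    print(verify_download(b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"))
```

When the review concludes the digest is load-bearing, swapping the algorithm is only half the fix: a plain `==` on hex strings short-circuits at the first mismatching character, which is why the verifying path uses `hmac.compare_digest`. When it concludes the digest is a mere identifier, `usedforsecurity=False` is the change that makes the next scan (and the next reviewer) stop asking.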
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — devscripts/generate_aes_testdata.py:24
`subprocess.Popen(...)` here has neither a deadline nor an enclosing try/except. Note that `Popen` itself accepts no `timeout=` argument: the deadline belongs on the subsequent `.communicate(timeout=...)` or `.wait(timeout=...)` call, with `subprocess.TimeoutExpired` caught and the child killed in the handler (or switch to `subprocess.run(..., timeout=...)`, which kills the child for you). This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal).
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — devscripts/generate_third_party_licenses.py:300
`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. `requests` applies no timeout by default, so a stalled server blocks the script indefinitely. Add a `timeout=` (a `(connect, read)` tuple works), catch `requests.RequestException`, or use a wrapper that retries. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal).
integrity · fragile-runtime · robustness
medium 9-layer quality integrity conf 1.00 Network/subprocess call without timeout or try/except — devscripts/utils.py:75
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. Add a `timeout=`, catch `subprocess.TimeoutExpired` (and `OSError` for a missing or non-executable binary), or use a wrapper that retries. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal).
integrity · fragile-runtime · robustness
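The two groups of subprocess findings above (the `subprocess_shell_true` pattern and the missing-timeout pattern) come down to the same handful of call shapes. This added example, which is not code from yt-dlp, puts them side by side: the flagged interpolated `shell=True` string, the argv-list form, `shlex.quote` for the case where a shell genuinely is the feature (a user-supplied command template), and a timeout with its failure modes handled. The external tool is replaced by a one-line Python program run through `sys.executable` so the block runs anywhere without ffmpeg or a POSIX shell, and `HOSTILE_NAME` is a constructed attacker-controlled value, the kind a video title becomes once it reaches a filename.

```python
"""Added example (not yt-dlp's code): shell=True vs argv, quoting when a shell is
required, and a deadline on every child process.

The external tool is simulated by a Python one-liner (ECHO_ARGS) so the example is
self-contained; HOSTILE_NAME is a constructed attacker-controlled filename.
"""
from __future__ import annotations

import shlex
import subprocess
import sys

HOSTILE_NAME = "clip.mp4; echo INJECTED"

# Stand-in for an external tool: prints each argument it received on its own line.
ECHO_ARGS = "import sys; print('\\n'.join(sys.argv[1:]))"


def run_flagged(name: str) -> str:
    """The flagged pattern. The shell re-parses the interpolated string, so on POSIX
    the ';' in HOSTILE_NAME terminates the echo and runs a second command."""
    return subprocess.run(f"echo converting {name}", shell=True,
                          capture_output=True, text=True, timeout=10).stdout


def run_tool(argv: list[str], timeout: float = 10.0) -> tuple[int, list[str], str]:
    """Hardened runner: argv list (no shell ever parses the values), an explicit
    deadline, and every failure mode mapped to a return value instead of an
    unhandled exception. Returns (return code, stdout lines, error description)."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        # run() has already killed the child by the time this is raised.
        return -1, [], f"timed out after {timeout}s"
    except OSError as exc:  # binary missing, not executable, bad cwd, ...
        return -1, [], f"os error: {exc}"
    return proc.returncode, proc.stdout.splitlines(), proc.stderr.strip()


def convert(name: str) -> tuple[int, list[str], str]:
    """Argv form of the conversion: the name stays one argument however hostile it is."""
    return run_tool([sys.executable, "-c", ECHO_ARGS, "converting", name])


def hang(timeout: float = 0.5) -> tuple[int, list[str], str]:
    """A child that never exits on its own, to exercise the timeout path."""
    return run_tool([sys.executable, "-c", "import time; time.sleep(30)"], timeout=timeout)


def user_template_command(template: str, name: str) -> str:
    """When a shell IS the feature (a user-supplied command template), quote each
    substituted field so its value cannot escape the argument it lands in."""
    return template.replace("{}", shlex.quote(name))


if __name__ == "__main__":
    print("argv form saw:", convert(HOSTILE_NAME))
    print("timeout path:", hang())
    print("quoted template:", user_template_command("ffmpeg -i {} out.mp4", HOSTILE_NAME))
    print("flagged form printed:", repr(run_flagged(HOSTILE_NAME)))
```

On a POSIX host `run_flagged(HOSTILE_NAME)` prints `converting clip.mp4` and then `INJECTED` on its own line, which is the whole finding in one output. `convert()` hands the same string to the tool as a single argv element, so the tool sees the literal `clip.mp4; echo INJECTED`. `hang()` returns `(-1, [], "timed out after 0.5s")` rather than blocking the caller; the same `try`/`except` shape applies to `Popen` if the deadline is placed on `.communicate(timeout=...)` instead. The quoted template is the one legitimate home for `shell=True`: the user asked for a shell command, so the defence is that every value substituted into it is quoted, never that the shell is removed.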
medium 9-layer network security conf 1.00 Privileged port 256 in use
Port 256 is privileged (<1024): binding it requires root or CAP_NET_BIND_SERVICE. Grant the service only that capability, or publish it on an unprivileged port and front it with a load balancer or reverse proxy. Confirm first that the matched number is an actual `ports:` binding and not some other numeric value in the file.
bundle/docker/compose.yml · security · ports
medium 9-layer network security conf 1.00 Privileged port 36 in use
Port 36 is privileged (<1024): binding it requires root or CAP_NET_BIND_SERVICE. Grant the service only that capability, or publish it on an unprivileged port and front it with a load balancer or reverse proxy. Confirm first that the matched number is an actual `ports:` binding and not some other numeric value in the file.
bundle/docker/compose.yml · security · ports
medium 9-layer network security conf 1.00 Privileged port 64 in use
Port 64 is privileged (<1024): binding it requires root or CAP_NET_BIND_SERVICE. Grant the service only that capability, or publish it on an unprivileged port and front it with a load balancer or reverse proxy. Confirm first that the matched number is an actual `ports:` binding and not some other numeric value in the file.
bundle/docker/compose.yml · security · ports
medium 9-layer network security conf 1.00 Privileged port 865 in use
Port 865 is privileged (<1024): binding it requires root or CAP_NET_BIND_SERVICE. Grant the service only that capability, or publish it on an unprivileged port and front it with a load balancer or reverse proxy. Confirm first that the matched number is an actual `ports:` binding and not some other numeric value in the file.
bundle/docker/compose.yml · security · ports
medium 9-layer quality tests conf 1.00 Very low test-to-source ratio
62 test file(s) for 1148 source file(s) (ratio 0.05). Consider adding integration or unit tests for critical paths.
tests · coverage
low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
yt_dlp/extractor/stanfordoc.py:37 · quality · legacy
low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
yt_dlp/extractor/lecturio.py:103 · quality · legacy
low Legacy quality quality conf 1.00 [SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites — the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p
Python: `f"prefix {var} suffix"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically.
yt_dlp/extractor/gdcvault.py:125 · quality · legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
bundle/docker/compose.yml:166 · docker · legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
bundle/docker/compose.yml:146 · docker · legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
bundle/docker/compose.yml:130 · docker · legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
bundle/docker/compose.yml:110 · docker · legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
bundle/docker/compose.yml:94 · docker · legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
bundle/docker/compose.yml:74 · docker · legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
bundle/docker/compose.yml:58 · docker · legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
bundle/docker/compose.yml:38 · docker · legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
bundle/docker/compose.yml:22 · docker · legacy
high Legacy cicd docker conf 0.56 Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
bundle/docker/compose.yml:2 · docker · legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
bundle/docker/compose.yml:166 · docker · legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
bundle/docker/compose.yml:146 · docker · legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
bundle/docker/compose.yml:130 · docker · legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
bundle/docker/compose.yml:110 · docker · legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
bundle/docker/compose.yml:94 · docker · legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
bundle/docker/compose.yml:74 · docker · legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
bundle/docker/compose.yml:58 · docker · legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
bundle/docker/compose.yml:38 · docker · legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
bundle/docker/compose.yml:22 · docker · legacy
high Legacy cicd docker conf 0.62 Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
bundle/docker/compose.yml:2 · docker · legacy
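The twenty compose findings above and the earlier "Dockerfile runs as root" finding ask for the same two lines per service, plus the usual companions. This added configuration example is not taken from `bundle/docker/compose.yml`; the service name, image, uid/gid, mounts and command are assumptions chosen to show the settings in context.

```yaml
# Added example (not yt-dlp's compose file): runtime user and no-new-privileges,
# with the hardening that normally travels with them, on one illustrative service.
services:
  builder:
    image: example/yt-dlp-builder:latest
    # Run as an unprivileged uid:gid even if the image's Dockerfile never set USER.
    user: "1000:1000"
    security_opt:
      - no-new-privileges:true   # setuid binaries and file capabilities cannot raise privileges
    cap_drop:
      - ALL                      # start from zero capabilities; add back only what is proven necessary
    read_only: true              # immutable root filesystem
    tmpfs:
      - /tmp                     # scratch space the process may still write to
    volumes:
      - ./dist:/work/dist        # the only writable bind mount
    working_dir: /work
    command: ["python", "-m", "build", "--outdir", "/work/dist"]
```

`user:` in compose overrides whatever the image declares, which closes the "image does not define USER" gap from the outside, but the Dockerfile should still end with its own `USER` line so the image is safe when run without this file. `no-new-privileges:true` is what stops a compromised process in that container from escalating through a setuid binary even if one is present in the image. To check the merged result, `docker compose config` prints the effective service definition, and after start-up `docker inspect --format '{{.Config.User}}' <container>` should show the non-root uid.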
low Legacy quality quality conf 0.74 robots.txt does not advertise a sitemap
Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly.
README.md · quality · legacy
low 9-layer quality maintenance conf 1.00 346 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
maintenance
low 9-layer hardware coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
coverage · deployment
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: devscripts/check-porn.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: devscripts/update_changelog.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: test/testdata/netrc/print_netrc.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: yt_dlp/__main__.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: yt_dlp/dependencies/Cryptodome.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: yt_dlp/extractor/_extractors.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: yt_dlp/extractor/youtube/jsc/_registry.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: yt_dlp/extractor/youtube/pot/_registry.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer software dead-code-candidate conf 1.00 File has no detected symbols: yt_dlp/version.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
dead-code-candidate
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_call_api_v1` in yt_dlp/extractor/hotstar.py:51
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_extract_comment_old` in yt_dlp/extractor/youtube/_video.py:2412
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_graphql_to_legacy` in yt_dlp/extractor/twitter.py:1073
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `_open_database_copy` in yt_dlp/cookies.py:164
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `abrjson_v2` in yt_dlp/extractor/fujitv.py:52
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `ATOS_copy` in yt_dlp/extractor/r7.py:37
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `check_deprecated` in yt_dlp/YoutubeDL.py:749
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `comments_v2` in yt_dlp/extractor/triller.py:56
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `ctx_copy` in yt_dlp/downloader/fragment.py:489
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `desc_video_view_v2` in yt_dlp/extractor/hellporno.py:48
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `description__copy` in yt_dlp/extractor/thehighwire.py:40
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `edgeinfo_v2` in yt_dlp/extractor/bilibili.py:261
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `format_copy` in yt_dlp/extractor/rai.py:162
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `ie_copy` in yt_dlp/postprocessor/ffmpeg.py:1163
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `info_copy` in yt_dlp/downloader/__init__.py:6
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `info_copy` in yt_dlp/downloader/websocket.py:16
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `info_copy` in yt_dlp/postprocessor/common.py:21
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `link_copy` in yt_dlp/extractor/startrek.py:64
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `masters_v1` in yt_dlp/extractor/masters.py:24
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `maven_legacy` in yt_dlp/extractor/cbc.py:943
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `md_old` in devscripts/update_requirements.py:698
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `p7xKrXUPBwoNE9x6mh_v1` in yt_dlp/extractor/filmarchiv.py:21
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `parti_v2` in yt_dlp/extractor/parti.py:9
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `s_v2` in yt_dlp/extractor/brainpop.py:132
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `sendotp_v1` in yt_dlp/extractor/zee5.py:108
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `streaks_info_v2` in yt_dlp/extractor/tver.py:121
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `template_v2` in yt_dlp/extractor/filmweb.py:26
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `test_copy` in test/test_networking.py:2048
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `TheTwelveYearOld` in yt_dlp/extractor/reddit.py:101
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Legacy-named symbol `wim_v1` in yt_dlp/extractor/wimbledon.py:49
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
integrity · legacy-marker · dead-code
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: test/helper.py:report_warning, test/helper.py:report_warning This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: test/helper.py:sanitize_got_info_dict, test/helper.py:sanitize This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: yt_dlp/aes.py:aes_cbc_encrypt_bytes, yt_dlp/aes.py:aes_cbc_encrypt This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry
low 9-layer quality integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: yt_dlp/__init__.py:validate_options, yt_dlp/__init__.py:validate This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.
integrity · duplicate · dry

Showing first 300 of 380. Refine filters or use the legacy findings page for deep search.


This page is publicly accessible at: https://repobility.com/scan/fe8748da-1f2f-4f59-9f1b-dbc2d86d5b99/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/fe8748da-1f2f-4f59-9f1b-dbc2d86d5b99/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.