108 of your 316 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.8s · analysis 37.32s · 15.1 MB · GitHub API rate-limit (preflight)

MystenLabs/walrus

https://github.com/MystenLabs/walrus · scanned 2026-06-06 00:55 UTC (3 days, 20 hours ago) · 10 languages

545 raw signals (275 security + 270 graph) · 5th percentile · Rust · large (100-500K LoC) · System graph score 61 (lower by 8)


Complete repo analysis

Last scanned 3 days, 20 hours ago · v2 · 260 actionable findings from 2 signal sources. 125 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

Score breakdown · 2026-05-18-v5

Component            Sub-score  Weight  Contribution
structure_score           60.0    0.15          9.00
security_score             9.6    0.25          2.40
testing_score             35.0    0.20          7.00
documentation_score       98.0    0.15         14.70
practices_score           94.0    0.15         14.10
code_quality              53.5    0.10          5.35
Overall                            1.00         52.5
Scan summary: Ranks in the 37th percentile among medium-sized repos. Strongest dependencies (90), documentation (83); weakest security (40), practices (45). 87 findings (8 critical, 4 high). Most common pattern: ts-non-null-assertion. ~117h tech debt (rating B).

Showing 215 of 260 actionable findings. 385 raw detector signals were grouped into reader-sized issues.

critical Security checks quality Quality conf 1.00 ✓ Repobility [MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
Review and fix per the pattern semantics. See CWE-95 for context.
docs/site/src/shared/js/inline-imports.js:37
critical Security checks software dependencies conf 0.88 mysten-metrics: GHSA-g38r-8gmr-ghrf
`mysten-metrics` was removed from crates.io for malicious code
Cargo.lock
critical Security checks software dependencies conf 0.88 protobufjs: GHSA-xq3m-2v4x-88gg
Arbitrary code execution in protobufjs
docs/site/pnpm-lock.yaml
low Security checks cicd CI/CD security conf 0.35 ✓ Repobility 5 occurrences Workflow references repository secrets in a pull_request workflow
Fork pull_request runs do not receive normal repository secrets on GitHub Actions. Review this as a reliability/intent signal, not as direct fork-secret exfiltration. Raise severity only for pull_request_target or another trusted-context path that runs untrusted PR code with secrets.
.github/workflows/code.yml:75, 100, 128, 172, 199 (5 hits)
CI/CD security · workflow secrets · GitHub Actions
critical System graph security Secrets conf 1.00 Possible secret in crates/walrus-sui/src/client/rpc_config.rs
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
crates/walrus-sui/src/client/rpc_config.rs:312
high Security checks software dependencies conf 0.88 @babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 backoff: RUSTSEC-2025-0012
`backoff` is unmaintained.
Cargo.lock
high Security checks software dependencies conf 0.88 bincode: RUSTSEC-2025-0141
Bincode is unmaintained
Cargo.lock
high Security checks cicd CI/CD security conf 0.90 Compose service bind-mounts a sensitive host path
Mounting broad host paths exposes host files to the container and can turn app compromise into host compromise.
docker/grafana-local/docker-compose.yaml:40
CI/CD security · containers
high Security checks software dependencies conf 0.88 derivative: RUSTSEC-2024-0388
`derivative` is unmaintained; consider using an alternative
Cargo.lock
high Security checks software dependencies conf 0.88 diesel-async: RUSTSEC-2026-0138
Unsound access to padding bytes while serializing date/time values using the Mysql backend
Cargo.lock
high Security checks software dependencies conf 0.88 diesel: RUSTSEC-2026-0111
Possible UTF-8 corruption in Diesel's SQLite backend
Cargo.lock
high Security checks software dependencies conf 0.88 diesel: RUSTSEC-2026-0134
Unsound access to padding bytes while serializing date/time values using the Mysql backend
Cargo.lock
high Security checks software dependencies conf 0.88 diesel: RUSTSEC-2026-0135
Unsound transmute while debug/display printing batch Insert statements in Diesel's SQLite backend
Cargo.lock
high Security checks software dependencies conf 0.88 diesel: RUSTSEC-2026-0136
Command injection in Diesel's implementation of `COPY FROM`/`COPY TO`
Cargo.lock
high Security checks software dependencies conf 0.88 diesel: RUSTSEC-2026-0137
Possible unaligned data access for implementations of `SqliteAggregate`
Cargo.lock
high Security checks software dependencies conf 0.88 diesel: RUSTSEC-2026-0172
Possible use after free when deserializing a SQLite database via `SqliteConnection::deserialize_readonly_database`
Cargo.lock
high Security checks software dependencies conf 0.90 ✓ Repobility 18 occurrences Dockerfile FROM `debian:bookworm-slim` not pinned by digest
`FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
8 files, 18 locations
docker/walrus-service/Dockerfile:5, 30, 47, 61, 74 (5 hits)
docker/walrus-antithesis/build-walrus-image-for-antithesis/Dockerfile:11, 79 (2 hits)
docker/walrus-orchestrator/Dockerfile:5, 26 (2 hits)
docker/walrus-proxy/Dockerfile:1, 24 (2 hits)
docker/walrus-service/Dockerfile.walrus-backup:5, 30 (2 hits)
docker/walrus-stress/Dockerfile:5, 26 (2 hits)
docker/walrus-upload-relay/Dockerfile:5, 24 (2 hits)
docker/walrus-antithesis/build-test-config-image/Dockerfile:1
high Security checks software dependencies conf 0.88 fast-uri: GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to path traversal via percent-encoded dot segments
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fast-uri: GHSA-v39h-62p7-jpjc
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 fxhash: RUSTSEC-2025-0057
fxhash - no longer maintained
Cargo.lock
low Security checks cicd CI/CD security conf 0.90 ✓ Repobility 6 occurrences GitHub Action is tag-pinned rather than SHA-pinned
Action `actions/github-script` is pinned to `@v8`, a mutable tag or branch. Pin external actions to a reviewed full commit SHA when the workflow is security-sensitive.
.github/workflows/pages-preview.yaml:78, 109, 127 (6 hits)
CI/CD security · Supply chain · GitHub Actions
high Security checks software dependencies conf 0.88 instant: RUSTSEC-2024-0384
`instant` is unmaintained
Cargo.lock
high Security checks software dependencies conf 0.88 lodash: GHSA-r5fr-rjxr-66jc
lodash vulnerable to Code Injection via `_.template` imports key names
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 lru: RUSTSEC-2026-0002
`IterMut` violates Stacked Borrows by invalidating internal pointer
Cargo.lock
high Security checks software dependencies conf 0.88 minimatch: GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 minimatch: GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.90 ✓ Repobility package.json dep `k6-jslib-utils` pulled from URL/Git
`dependencies.k6-jslib-utils` = `github:grafana/k6-jslib-utils` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
scripts/k6/package.json:1
high Security checks software dependencies conf 0.88 paste: RUSTSEC-2024-0436
paste - no longer maintained
Cargo.lock
high Security checks software dependencies conf 0.88 path-to-regexp: GHSA-37ch-88jc-xwx2
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers
2 files, 2 locations
docs/site/pnpm-lock.yaml
scripts/cache-inference/package-lock.json
high Security checks software dependencies conf 0.90 ✓ Repobility 7 occurrences pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`
`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v6.0.0`. If `v6.0.0` is a branch or a movable version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.
.pre-commit-config.yaml:3, 13, 18, 22, 28, 33, 39 (7 hits)
high Security checks software dependencies conf 0.88 proc-macro-error: RUSTSEC-2024-0370
proc-macro-error is unmaintained
Cargo.lock
high Security checks software dependencies conf 0.88 protobufjs: GHSA-66ff-xgx4-vchm
protobuf.js: Code injection through bytes field defaults in generated toObject code
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 protobufjs: GHSA-685m-2w69-288q
protobuf.js: Denial of service through unbounded protobuf recursion
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 protobufjs: GHSA-75px-5xx7-5xc7
protobuf.js: Code generation gadget after prototype pollution
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 protobufjs: GHSA-jvwf-75h9-cwgg
protobuf.js: Process-wide denial of service through unsafe option paths
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 rand: RUSTSEC-2026-0097
Rand is unsound with a custom logger using `rand::rng()`
Cargo.lock
high Security checks software dependencies conf 0.88 requests: PYSEC-2023-74
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent …
docs/examples/python/requirements.txt
high Security checks software dependencies conf 0.88 rsa: RUSTSEC-2023-0071
Marvin Attack: potential key recovery through timing sidechannels
Cargo.lock
high Security checks software dependencies conf 0.88 rustls-pemfile: RUSTSEC-2025-0134
rustls-pemfile is unmaintained
Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0098
Name constraints for URI names were incorrectly accepted
Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0099
Name constraints were accepted for certificates asserting a wildcard name
Cargo.lock
high Security checks software dependencies conf 0.88 rustls-webpki: RUSTSEC-2026-0104
Reachable panic in certificate revocation list parsing
Cargo.lock
high Security checks software dependencies conf 0.88 serialize-javascript: GHSA-5c6j-r48x-rmvq
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 tmp: GHSA-ph9p-34f9-6g65
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.90 ✓ Repobility Workflow container/services image `postgres:16` unpinned
`container/services image: postgres:16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines.
.github/workflows/code.yml:154
high Security checks software dependencies conf 0.88 ws: GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.88 yaml-rust: RUSTSEC-2024-0320
yaml-rust is unmaintained.
Cargo.lock
high System graph security security conf 1.00 Insecure pattern 'chmod_777' in crates/walrus-orchestrator/src/client/aws.rs:199
Found a known-risky pattern (chmod_777). Review and replace if possible.
crates/walrus-orchestrator/src/client/aws.rs:199 Chmod 777
high System graph security security conf 1.00 Insecure pattern 'chmod_777' in crates/walrus-orchestrator/src/monitor.rs:91
Found a known-risky pattern (chmod_777). Review and replace if possible.
crates/walrus-orchestrator/src/monitor.rs:91 Chmod 777
high System graph security security conf 1.00 Insecure pattern 'eval_used' in docs/site/src/shared/js/inline-imports.js:37
Found a known-risky pattern (eval_used). Review and replace if possible.
docs/site/src/shared/js/inline-imports.js:37 Eval used
medium Security checks software dependencies conf 0.88 @protobufjs/utf8: GHSA-q6x5-8v7m-xcrf
protobufjs has overlong UTF-8 decoding
docs/site/pnpm-lock.yaml
medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
high Security checks security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 33.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
high Security checks security auth conf 0.68 2 occurrences [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /v1/blobs.
crates/walrus-service/src/client/daemon/auth.rs:472, 961 (2 hits)
low Security checks security Deserialization conf 1.00 [SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data.
docs/site/src/scripts/copy-yaml-files.js:56
medium Security checks software dependencies conf 0.88 2 occurrences brace-expansion: GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
2 files, 2 locations
docs/site/pnpm-lock.yaml
scripts/cache-inference/package-lock.json
medium Security checks cicd CI/CD security conf 0.94 3 occurrences Compose service `tempo` image uses the latest tag
The latest tag is mutable and can change without a code review, producing different images from the same source.
docker/grafana-local/docker-compose.yaml:2, 16, 40 (3 hits)
CI/CD security · containers
medium Security checks cicd CI/CD security conf 0.90 Docker build context has no .dockerignore
Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts.
.dockerignore
CI/CD security · containers
high Security checks cicd CI/CD security conf 0.82 6 occurrences Docker final stage has no non-root USER
Docker images run as root unless the image or Dockerfile switches to a non-root user.
6 files, 6 locations
docker/walrus-antithesis/build-walrus-image-for-antithesis/Dockerfile:80
docker/walrus-orchestrator/Dockerfile:26
docker/walrus-service/Dockerfile:74
docker/walrus-service/Dockerfile.walrus-backup:30
docker/walrus-stress/Dockerfile:26
docker/walrus-upload-relay/Dockerfile:24
CI/CD security · containers
medium Security checks software dependencies conf 0.88 dompurify: GHSA-39q2-94rc-95cp
DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-cj63-jhhr-wcxv
DOMPurify USE_PROFILES prototype pollution allows event handlers
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-cjmm-f4jc-qw8r
DOMPurify ADD_ATTR predicate skips URI validation
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-crv5-9vww-q3g8
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-h7mw-gpvr-xq4m
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-h8r8-wccr-v5f2
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-v2wj-7wpq-c8vv
DOMPurify contains a Cross-site Scripting vulnerability
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 dompurify: GHSA-v9jr-rg53-9pgp
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 follow-redirects: GHSA-r4q5-vmmm-2653
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 lodash: GHSA-f23m-r3pf-42rh
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 nanoid: GHSA-mwcw-c2x4-8c55
Predictable results in nanoid generation when given non-integer values
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.90 npm package `@eslint/js` is 1 major version(s) behind (9.32.0 -> 10.0.1)
`@eslint/js` is pinned/resolved at 9.32.0 but the latest stable release on the npm registry is 10.0.1 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
scripts/cache-inference/package.json
medium Security checks software dependencies conf 0.90 npm package `@types/k6` is 2 major version(s) behind (~0.48.0 -> 2.0.0)
`@types/k6` is pinned/resolved at ~0.48.0 but the latest stable release on the npm registry is 2.0.0 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
scripts/k6/package.json
medium Security checks software dependencies conf 0.88 2 occurrences picomatch: GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
2 files, 2 locations
docs/site/pnpm-lock.yaml
scripts/cache-inference/package-lock.json
medium Security checks software dependencies conf 0.88 postcss: GHSA-qx2v-qp2m-jg93
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 protobufjs: GHSA-2pr8-phx7-x9h3
protobuf.js: Denial of service from crafted field names in generated code
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 protobufjs: GHSA-fx83-v9x8-x52w
protobuf.js: Prototype injection in generated message constructors
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 protobufjs: GHSA-jggg-4jg4-v7c6
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 protobufjs: GHSA-q6x5-8v7m-xcrf
protobufjs has overlong UTF-8 decoding
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 qs: GHSA-q8mj-m7cp-5q26
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
docs/site/pnpm-lock.yaml
high Security checks software dependencies conf 0.70 5 occurrences Remote install command pipes network code directly to a shell
Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified.
5 files, 5 locations
.github/workflows/gen-sui-upgrade-version-pr.yml:76
docs/content/getting-started/advanced-setup.mdx:38
docs/content/getting-started/index.mdx:55
docs/content/sites/portals/deploy-locally.mdx:163
docs/content/walrus-client/walrus-cli.mdx:9
medium Security checks software dependencies conf 0.88 requests: GHSA-9hjg-9r4m-mvj7
Requests vulnerable to .netrc credentials leak via malicious URLs
docs/examples/python/requirements.txt
medium Security checks software dependencies conf 0.88 requests: GHSA-9wx4-h78v-vm56
Requests `Session` object does not verify requests after making first request with verify=False
docs/examples/python/requirements.txt
medium Security checks software dependencies conf 0.88 requests: GHSA-gc5v-m9x4-r6x2
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
docs/examples/python/requirements.txt
medium Security checks software dependencies conf 0.88 serialize-javascript: GHSA-qj8w-gfj5-8c6v
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 uuid: GHSA-w5hq-g745-h8pq
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 webpack-dev-server: GHSA-79cf-xcqc-c78w
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 ws: GHSA-58qx-3vcg-4xpx
ws: Uninitialized memory disclosure
docs/site/pnpm-lock.yaml
medium Security checks software dependencies conf 0.88 yaml: GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
docs/site/pnpm-lock.yaml
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — docs/site/src/components/LandingPage.tsx:455
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — docs/site/src/components/Search/CustomHitsContent.tsx:44
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — docs/site/src/components/Search/SearchModal.tsx:105
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — docs/site/src/shared/components/ImportContent/index.tsx:438
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph frontend Frontend quality conf 1.00 `dangerouslySetInnerHTML` used in a React component — docs/site/src/theme/TOCItems/Tree.tsx:22
Open XSS surface unless the input is provably trusted. Replace with explicit JSX or sanitize via a vetted library. Why: OWASP basics. Already partially flagged by the security analyzer. Rule id: fq.dangerous-html
Fq dangerous html
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — docs/site/src/shared/components/ImportContent/index.tsx:215
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — scripts/cache-inference/cache-inference.ts:61
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safety · Robustness
medium System graph hardware Supply chain conf 1.00 Docker base image uses a mutable or implicit tag: gcr.io/distroless/cc-debian12
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
docker/walrus-proxy/Dockerfile:24
containers · Pinned dependencies
medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/walrus-antithesis/build-test-config-image/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/walrus-antithesis/build-walrus-image-for-antithesis/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/walrus-orchestrator/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/walrus-proxy/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/walrus-service/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/walrus-stress/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph hardware Security conf 1.00 Dockerfile runs as root: docker/walrus-upload-relay/Dockerfile
No non-root USER set. Containers running as root expand the blast radius of any vulnerability inside the image.
Container
medium System graph cicd CI/CD security conf 1.00 GitHub Action is tag-pinned rather than SHA-pinned
taiki-e/install-action@cargo-hack can move without a code change in this repo. Pin third-party actions to a reviewed 40-character commit SHA.
.github/workflows/attach-binaries-to-release.yml:195
CI/CD security · Supply chain · Github actions
medium System graph cicd CI/CD security conf 1.00 4 occurrences GitHub Actions workflow grants broad write permissions
CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.
4 files, 4 locations
.github/workflows/gen-sui-upgrade-version-pr.yml
.github/workflows/pages-preview.yaml
.github/workflows/publish-docs.yaml
.github/workflows/version-bump.yml
CI/CD security · Supply chain · Github actions
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in docs/site/src/components/LandingPage.tsx:455
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
docs/site/src/components/LandingPage.tsx:455 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in docs/site/src/components/Search/CustomHitsContent.tsx:44
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
docs/site/src/components/Search/CustomHitsContent.tsx:44 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in docs/site/src/components/Search/SearchModal.tsx:105
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
docs/site/src/components/Search/SearchModal.tsx:105 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in docs/site/src/shared/components/ImportContent/index.tsx:438
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
docs/site/src/shared/components/ImportContent/index.tsx:438 Dangerous innerhtml
medium System graph security security conf 1.00 Insecure pattern 'dangerous_innerhtml' in docs/site/src/theme/TOCItems/Tree.tsx:22
Found a known-risky pattern (dangerous_innerhtml). Review and replace if possible.
docs/site/src/theme/TOCItems/Tree.tsx:22 Dangerous innerhtml
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — docs/examples/python/hello_walrus_jsonapi.py:30
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — docs/examples/python/hello_walrus_webapi.py:32
`requests.put(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — docs/examples/python/track_walrus_events.py:37
`requests.post(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety · Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/merge_sui_coins.py:40
`subprocess.run(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/release_notes.py:140
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety, Robustness
medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — scripts/simtest/seed-search.py:22
`subprocess.check_output(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.
runtime safety, Robustness
medium System graph network Security conf 1.00 Privileged port 14 in use
Port 14 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/update-ws-install.yaml Ports
medium System graph network Security conf 1.00 Privileged port 3 in use
Port 3 is privileged (<1024). Make sure the service runs with the right caps or front it with a non-privileged port via a load balancer.
.github/workflows/update-ws-install.yaml Ports
low Security checks software dependencies conf 0.88 @ai-sdk/provider-utils: GHSA-866g-f22w-33x8
@ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue
docs/site/pnpm-lock.yaml
low Security checks security auth conf 0.76 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
high Security checks cicd CI/CD security conf 0.56 4 occurrences Compose service does not declare a runtime user
If the image does not define USER internally, this service may run as root.
lines 2, 16, 27, 40
docker/grafana-local/docker-compose.yaml:2, 16, 27, 40 (4 hits)
CI/CD security, containers
high Security checks cicd CI/CD security conf 0.62 4 occurrences Compose service lacks no-new-privileges hardening
no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities.
lines 2, 16, 27, 40
docker/grafana-local/docker-compose.yaml:2, 16, 27, 40 (4 hits)
CI/CD security, containers
low Security checks software dependencies conf 0.88 diesel-async: GHSA-ff9q-rm55-q7qr
diesel-async may expose uninitialized padding bytes for MySQL temporal columns
Cargo.lock
low Security checks cicd CI/CD security conf 0.72 10 occurrences Dockerfile installs recommended OS packages
Installing recommended packages often pulls in unnecessary runtime surface area.
7 files, 10 locations
docker/walrus-service/Dockerfile:32, 49, 62, 75 (4 hits)
docker/walrus-antithesis/build-test-config-image/Dockerfile:4
docker/walrus-antithesis/build-walrus-image-for-antithesis/Dockerfile:82
docker/walrus-orchestrator/Dockerfile:28
docker/walrus-service/Dockerfile.walrus-backup:32
docker/walrus-stress/Dockerfile:28
docker/walrus-upload-relay/Dockerfile:25
CI/CD security, containers
low Security checks cicd CI/CD security conf 0.74 9 occurrences Dockerfile leaves apt package indexes in the image layer
Package indexes increase image size and can expose stale metadata in the final image layer.
6 files, 9 locations
docker/walrus-service/Dockerfile:32, 49, 62, 75 (4 hits)
docker/walrus-antithesis/build-walrus-image-for-antithesis/Dockerfile:82
docker/walrus-orchestrator/Dockerfile:28
docker/walrus-service/Dockerfile.walrus-backup:32
docker/walrus-stress/Dockerfile:28
docker/walrus-upload-relay/Dockerfile:25
CI/CD security, containers
low Security checks quality Quality conf 0.60 6 occurrences Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
5 files, 6 locations
crates/walrus-upload-relay/src/params.rs:65, 110 (2 hits)
crates/walrus-proxy/src/metrics.rs:65
crates/walrus-sdk/src/node_client/store_pipeline.rs:244
crates/walrus-sdk/src/node_client/streaming.rs:18
crates/walrus-storage-node-client/src/node_response.rs:57
duplication, quality
low Security checks software dependencies conf 0.90 npm package `@docusaurus/faster` is minor version(s) behind (^3.9.2 -> 3.10.1)
`@docusaurus/faster` is pinned/resolved at ^3.9.2 but the latest stable release on the npm registry is 3.10.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
docs/site/package.json
low Security checks software dependencies conf 0.90 4 occurrences npm package `@fortawesome/free-solid-svg-icons` is minor version(s) behind (^7.1.0 -> 7.2.0)
`@fortawesome/free-solid-svg-icons` is pinned/resolved at ^7.1.0 but the latest stable release on the npm registry is 7.2.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
4 occurrences
docs/site/package.json (4 hits)
low Security checks software dependencies conf 0.90 npm package `@fortawesome/react-fontawesome` is minor version(s) behind (^3.1.1 -> 3.3.1)
`@fortawesome/react-fontawesome` is pinned/resolved at ^3.1.1 but the latest stable release on the npm registry is 3.3.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
docs/site/package.json
low Security checks software dependencies conf 0.90 npm package `algoliasearch` is minor version(s) behind (^5.47.0 -> 5.53.0)
`algoliasearch` is pinned/resolved at ^5.47.0 but the latest stable release on the npm registry is 5.53.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
docs/site/package.json
low Security checks software dependencies conf 0.90 npm package `autoprefixer` is minor version(s) behind (^10.4.27 -> 10.5.0)
`autoprefixer` is pinned/resolved at ^10.4.27 but the latest stable release on the npm registry is 10.5.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
docs/site/package.json
low Security checks software dependencies conf 0.90 npm package `docusaurus-plugin-copy-page-button` is minor version(s) behind (^0.3.5 -> 0.8.1)
`docusaurus-plugin-copy-page-button` is pinned/resolved at ^0.3.5 but the latest stable release on the npm registry is 0.8.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
docs/site/package.json
low Security checks software dependencies conf 0.90 npm package `js-yaml` is minor version(s) behind (4.1.1 -> 4.2.0)
`js-yaml` is pinned/resolved at 4.1.1 but the latest stable release on the npm registry is 4.2.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
docs/site/package.json
low Security checks software dependencies conf 0.90 npm package `markdown-it` is minor version(s) behind (^14.1.1 -> 14.2.0)
`markdown-it` is pinned/resolved at ^14.1.1 but the latest stable release on the npm registry is 14.2.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
docs/site/package.json
low Security checks software dependencies conf 0.90 npm package `react-instantsearch` is minor version(s) behind (^7.22.1 -> 7.35.0)
`react-instantsearch` is pinned/resolved at ^7.22.1 but the latest stable release on the npm registry is 7.35.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise.
docs/site/package.json
low Security checks software dependencies conf 0.88 rsa: GHSA-9c48-w39g-hm26
rsa crate has potential panic on a prime being equal to 1
Cargo.lock
low Security checks software dependencies conf 0.88 tmp: GHSA-52f5-9888-hmc6
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
docs/site/pnpm-lock.yaml
low System graph quality Maintenance conf 1.00 43 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph hardware Coverage conf 1.00 Containers defined but no K8s/orchestration manifest found
Repo has Dockerfiles/compose but no Kubernetes/Nomad manifests. If the target deployment is K8s, the manifests may live in a separate ops repo.
Deployment
low System graph hardware Supply chain conf 1.00 9 occurrences Docker base image is tag-pinned but not digest-pinned: debian:bookworm-slim
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
6 files, 9 locations
docker/walrus-service/Dockerfile:30, 47, 61, 74 (4 hits)
docker/walrus-antithesis/build-test-config-image/Dockerfile:1
docker/walrus-antithesis/build-walrus-image-for-antithesis/Dockerfile:79
docker/walrus-orchestrator/Dockerfile:26
docker/walrus-stress/Dockerfile:26
docker/walrus-upload-relay/Dockerfile:24
containers, Pinned dependencies
low System graph hardware Supply chain conf 1.00 6 occurrences Docker base image is tag-pinned but not digest-pinned: rust:1.96-bookworm
Container tags can be retagged upstream. Pin production base images to a reviewed digest (`image@sha256:...`) when reproducibility and supply-chain integrity matter.
6 files, 6 locations
docker/walrus-antithesis/build-walrus-image-for-antithesis/Dockerfile:11
docker/walrus-orchestrator/Dockerfile:5
docker/walrus-proxy/Dockerfile:1
docker/walrus-service/Dockerfile:5
docker/walrus-stress/Dockerfile:5
docker/walrus-upload-relay/Dockerfile:5
containers, Pinned dependencies
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/examples/python/hello_walrus_jsonapi.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/examples/python/track_walrus_events.py
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/site/sidebars.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/site/sidebarsWalrusMemory.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/site/src/components/OperatorsList/OperatorsList.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/site/src/components/PortalsList/PortalsList.tsx
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/site/src/css/fontawesome.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/site/src/scripts/prepare-walrus-memory.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/site/static/clarity.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/site/static/google-tag.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/cache-inference/types.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: scripts/k6/src/lib/constants.ts
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph quality Tests conf 1.00 Low test-to-source ratio
44 tests / 388 src (ratio 0.11).
low System graph quality Integrity conf 1.00 Near-duplicate function bodies in 2 places
Functions with the same first-5-line body hash: scripts/generate_network_reference.py:parse_yaml, scripts/generate_network_reference.py:parse. This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separ…
duplicates, duplication
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `addLegacy` in docs/site/docusaurus.config.js:155
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker, Dead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `card__header__copy` in docs/site/src/shared/components/Cards/index.tsx:51
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old marker, Dead code
low System graph software Dead code conf 1.00 Possibly dead Python function: render_mainnet_packages
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/generate_network_reference.py:221
low System graph software Dead code conf 1.00 Possibly dead Python function: render_network_parameters
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/generate_network_reference.py:191
low System graph software Dead code conf 1.00 Possibly dead Python function: render_object_ids
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/generate_network_reference.py:242
low System graph software Dead code conf 1.00 Possibly dead Python function: render_reference_endpoints
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/generate_network_reference.py:262
low System graph software Dead code conf 1.00 Possibly dead Python function: render_rpc_endpoints
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/generate_network_reference.py:208
low System graph software Dead code conf 1.00 Possibly dead Python function: render_sites_packages
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/generate_network_reference.py:230
low System graph software Dead code conf 1.00 Possibly dead Python function: render_testnet_exchange_objects
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/generate_network_reference.py:257
low System graph software Dead code conf 1.00 Possibly dead Python function: render_token_units
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/generate_network_reference.py:286
low System graph software Dead code conf 1.00 Possibly dead Python function: render_upload_relays
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/generate_network_reference.py:274
low System graph software Dead code conf 1.00 Possibly dead Python function: replace
No callers detected by AST scan in this repo. Could be exported for external callers or a framework handler.
scripts/generate_network_reference.py:331
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/scripts/copy-markdown-files.js:239
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/scripts/copy-yaml-files.js:43
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/scripts/fetch-walrus-memory-docs.js:42
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/scripts/generate-import-context.js:78
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/scripts/generate-routes.js:130
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/scripts/serve-with-rewrites.js:130
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/scripts/test-markdown-export.js:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/scripts/transform-walrus-memory-docs.js:847
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/shared/components/ImportContent/utils.js:767
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/shared/js/convert-release-notes.js:52
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/shared/js/inline-imports.js:339
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/shared/js/serve-with-rewrites.js:132
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/shared/js/test-markdown-export.js:14
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/shared/js/update-cli-output.js:9
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — docs/site/src/shared/plugins/remark-glossary.js:77
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/cache-inference/cache-inference.ts:208
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/k6/src/lib/blob_history.ts:74
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — scripts/k6/src/lib/utils.ts:257
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph quality Complexity conf 1.00 Very large file: crates/typed-store/src/metrics.rs (1845 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/typed-store/src/rocks.rs (3044 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-core/src/encoding/quilt_encoding.rs (3523 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-e2e-tests/tests/test_client.rs (4382 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-sdk/src/node_client.rs (3445 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/client/cli/args.rs (2175 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/client/cli/cli_output.rs (1500 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/client/cli/runner.rs (2504 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/client/daemon/routes.rs (2341 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/node.rs (10702 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/node/config.rs (3404 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/node/dbtool.rs (1718 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/node/epoch_change_driver.rs (1360 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/node/event_blob_writer.rs (2211 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/node/server.rs (1579 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/node/storage.rs (2630 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/node/storage/blob_info.rs (2102 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/node/storage/blob_info/blob_info_v1.rs (1286 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/node/storage/database_config.rs (1357 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/node/storage/shard.rs (2319 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-service/src/test_utils.rs (3438 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-simtest/tests/simtest_core.rs (1733 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-sui/src/client.rs (2104 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-sui/src/client/dual_client.rs (1998 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-sui/src/client/read_client.rs (1462 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-sui/src/client/retry_client/retriable_sui_client.rs (2828 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: crates/walrus-sui/src/client/transaction_builder.rs (1435 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.

This page is publicly accessible at: https://repobility.com/scan/ff188cb4-168c-4344-8a06-1c572ad3f0f5/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/ff188cb4-168c-4344-8a06-1c572ad3f0f5/
