
coleam00/archon

https://github.com/coleam00/Archon.git · lang: typescript · LOC: · source: corpus_mined

Quality: 72.1 (Grade B)
Security: 57.3
Findings: 119 (2 critical · 48 high)
Status: completed, May 29, 2026 03:46
Severity breakdown: critical: 2 · high: 48 · medium: 25 · low: 24 · info: 20
Top rules by occurrence

Rule      Description                                                    Severity  Count
MINED115  GitHub Action pinned to mutable ref (not 40-char SHA)          high      25
AIC003    Duplicated implementation block across source files            low       13
AGT015    Remote install command pipes network code directly to a she…  medium    7
SEC045    eval()/exec() on stored or user-supplied data                  medium    4
MINED044  Js Console Log Prod                                            info      4
SEC029    Server-Side Request Forgery (SSRF) — outbound HTTP from use…  high      4
MINED118  Dockerfile FROM not pinned by sha256 digest                    high      4
AGT007    localStorage write failures are swallowed silently             medium    4
SEC085    JS: child_process.exec with non-literal                        high      4
SEC128    Async function without await — fire-and-forget Promise (AI …  high      4
First 119 findings (severity-sorted)
critical SEC002 Hardcoded API Key
packages/paths/src/telemetry.ts:46 · conf 0.90
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
critical SEC022 Database URL With Embedded Credential
packages/core/src/db/connection.ts:50 · conf 1.00
[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working c…
high DKC011 Database service publishes a host port
docker-compose.yml:68 · conf 0.84
Database service publishes a host port
high MINED004 Weak Crypto CWE-327
packages/core/src/utils/port-allocation.ts:24 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
high MINED012 Curl Pipe Bash CWE-494
packages/providers/src/claude/binary-resolver.ts:101 · conf 1.00
[MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
high MINED012 Curl Pipe Bash CWE-494
scripts/install.sh:122 · conf 1.00
[MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306 CWE-862
packages/server/src/index.ts:591 · conf 0.80
[MINED113] Express POST /webhooks/github has no auth: Express route POST /webhooks/github declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unau…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306 CWE-862
packages/server/src/index.ts:637 · conf 0.80
[MINED113] Express POST /internal/git-credential has no auth: Express route POST /internal/git-credential declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELET…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306 CWE-862
packages/server/src/index.ts:663 · conf 0.80
[MINED113] Express POST /webhooks/gitea has no auth: Express route POST /webhooks/gitea declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauth…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306 CWE-862
packages/server/src/index.ts:691 · conf 0.80
[MINED113] Express POST /webhooks/gitlab has no auth: Express route POST /webhooks/gitlab declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unau…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/e2e-smoke.yml:17 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/e2e-smoke.yml:20 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/e2e-smoke.yml:25 · conf 0.90
[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v4`: `uses: astral-sh/setup-uv@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/e2e-smoke.yml:38 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/e2e-smoke.yml:41 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/e2e-smoke.yml:68 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/e2e-smoke.yml:71 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/e2e-smoke.yml:76 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/e2e-smoke.yml:98 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/e2e-smoke.yml:101 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/e2e-smoke.yml:106 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/marketplace-auto-review.yml:17 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/marketplace-auto-review.yml:18 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/marketplace-lint.yml:13 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/marketplace-lint.yml:14 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:41 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:44 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:211 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:223 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:226 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:232 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:262 · conf 0.90
[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test.yml:20 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test.yml:23 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test.yml:51 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
auth-service/Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is …
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
deploy/Dockerfile.user.example:7 · conf 0.90
[MINED118] Dockerfile FROM `ghcr.io/coleam00/archon:latest` not pinned by digest: `FROM ghcr.io/coleam00/archon:latest` resolves the tag at build time. The registry CAN re-push a different image for …
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
Dockerfile:9 · conf 0.90
[MINED118] Dockerfile FROM `oven/bun:1.3.11-slim` not pinned by digest: `FROM oven/bun:1.3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so eve…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
Dockerfile:54 · conf 0.90
[MINED118] Dockerfile FROM `oven/bun:1.3.11-slim` not pinned by digest: `FROM oven/bun:1.3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so eve…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/core/src/db/codebases.ts:86 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/git/src/repo.ts:45 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/providers/src/community/opencode/runtime.ts:85 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC040 innerHTML XSS — template literal with server-supplied data
packages/web/src/experiments/console/components/RunGraphPanel.tsx:98 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC083 JS: new RegExp() with non-literal
packages/core/src/utils/credential-sanitizer.ts:18 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
.archon/scripts/maintainer-standup-gh-data.ts:17 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
packages/web/src/components/chat/MessageBubble.tsx:19 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
packages/web/src/experiments/console/components/ProjectRail.tsx:21 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
auth-service/server.js:131 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
packages/adapters/src/community/chat/discord/adapter.ts:229 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
packages/core/src/github-auth/auth.ts:171 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AGT007 localStorage write failures are swallowed silently
packages/web/src/components/layout/Sidebar.tsx:96 · conf 0.80
localStorage write failures are swallowed silently
medium AGT007 localStorage write failures are swallowed silently
packages/web/src/components/workflows/WorkflowBuilder.tsx:84 · conf 0.80
localStorage write failures are swallowed silently
medium AGT007 localStorage write failures are swallowed silently
packages/web/src/contexts/ProjectContext.tsx:41 · conf 0.80
localStorage write failures are swallowed silently
medium AGT007 localStorage write failures are swallowed silently
packages/web/src/experiments/console/components/DraftRunCard.tsx:48 · conf 0.80
localStorage write failures are swallowed silently
medium AGT014 Codex auth.json is read or copied without visible secret-file hardening
packages/providers/src/community/pi/provider.ts:230 · conf 0.74
Codex auth.json is read or copied without visible secret-file hardening
medium AGT014 Codex auth.json is read or copied without visible secret-file hardening
packages/server/src/scripts/setup-auth.ts:4 · conf 0.74
Codex auth.json is read or copied without visible secret-file hardening
medium AGT015 Remote install command pipes network code directly to a shell
.claude/skills/archon/references/troubleshooting.md:71 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
deploy/cloud-init.yml:62 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
.github/workflows/e2e-smoke.yml:47 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
packages/docs-web/src/content/docs/getting-started/ai-assistants.md:27 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
packages/docs-web/src/content/docs/guides/script-nodes.md:258 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
packages/docs-web/src/content/docs/index.mdx:33 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
README.md:113 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT016 Codex session log reader may expose prompts or tool-call content
packages/providers/src/community/pi/provider.ts:325 · conf 0.73
Codex session log reader may expose prompts or tool-call content
medium AGT016 Codex session log reader may expose prompts or tool-call content
packages/providers/src/community/pi/session-resolver.ts:13 · conf 0.73
Codex session log reader may expose prompts or tool-call content
medium DKR001 Docker final stage has no non-root USER
Dockerfile:54 · conf 0.82
Docker final stage has no non-root USER
medium DKR002 Dockerfile base image has no explicit tag
docker-compose.yml:38 · conf 0.90
Compose service `app` image has no explicit tag
medium DKR002 Dockerfile base image has no explicit tag
Dockerfile.user.example:11 · conf 0.90
Dockerfile base image has no explicit tag
medium DKR003 Dockerfile base image uses the latest tag
deploy/docker-compose.yml:13 · conf 0.94
Compose service `app` image uses the latest tag
medium DKR003 Dockerfile base image uses the latest tag
deploy/Dockerfile.user.example:8 · conf 0.94
Dockerfile base image uses the latest tag
medium DKR014 Dockerfile copies the entire context without .dockerignore
Dockerfile:44 · conf 0.76
Dockerfile copies broad context with incomplete .dockerignore
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
packages/web/src/components/layout/Header.tsx:32 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC045 eval()/exec() on stored or user-supplied data
.archon/scripts/maintainer-standup-gh-data.ts:17 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
packages/web/src/components/chat/MessageBubble.tsx:19 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
packages/web/src/experiments/console/components/ProjectRail.tsx:21 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
low AIC002 Source file name looks like an AI patch artifact
packages/isolation/src/worktree-copy.ts:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC003 Duplicated implementation block across source files
packages/adapters/src/community/forge/gitlab/adapter.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/adapters/src/forge/github/adapter.ts:151 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/adapters/src/forge/github/types.ts:22 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/paths/src/archon-paths.ts:104 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/providers/src/codex/provider.ts:188 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/providers/src/community/opencode/session.ts:81 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/providers/src/community/pi/event-bridge.ts:8 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/web/src/components/workflows/ArtifactViewerModal.tsx:17 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/web/src/components/workflows/WorkflowLogs.tsx:403 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/web/src/lib/api.ts:68 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/web/src/routes/ChatPage.tsx:43 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/web/src/routes/ChatPage.tsx:85 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/workflows/src/executor.ts:34 · conf 0.86
Duplicated implementation block across source files
low DKC006 Compose service does not declare a runtime user
deploy/docker-compose.yml:13 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
docker-compose.yml:38 · conf 0.56
Compose service does not declare a runtime user
low DKC006 Compose service does not declare a runtime user
docker-compose.yml:118 · conf 0.56
Compose service does not declare a runtime user
low DKC010 Compose service lacks no-new-privileges hardening
deploy/docker-compose.yml:13 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
docker-compose.yml:38 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
docker-compose.yml:118 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC017 Database password is wired through an environment variable placeholder
docker-compose.yml:68 · conf 0.58
Database password is wired through an environment variable placeholder
low DKR008 .dockerignore misses sensitive defaults
.dockerignore · conf 0.72
.dockerignore misses sensitive defaults
low DKR011 Dockerfile installs recommended OS packages
Dockerfile:67 · conf 0.72
Dockerfile installs recommended OS packages
low DKR011 Dockerfile installs recommended OS packages
Dockerfile:80 · conf 0.72
Dockerfile installs recommended OS packages
info MINED043 Http Not Https CWE-319
auth-service/test.js:20 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 27 more): Same pattern found in 27 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
.archon/scripts/echo-args.js:3 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
.archon/scripts/maintainer-standup-backfill-reviews.ts:50 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
.archon/scripts/maintainer-standup-gh-data.ts:310 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
packages/core/src/db/users.ts:31 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
packages/core/src/utils/worktree-sync.ts:67 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED056 React Key As Index CWE-682
packages/web/src/components/chat/ErrorCard.tsx:33 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
packages/web/src/components/workflows/ArtifactSummary.tsx:80 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
packages/web/src/components/workflows/NodeLibrary.tsx:28 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED098 Global Scope Pollution
packages/docs-web/public/brand/logo.jsx:111 · conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
info MINED098 Global Scope Pollution
packages/docs-web/public/brand/standalone-tweaks-toggle.jsx:68 · conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
info SEC020 Secret Printed to Logs
packages/cli/src/commands/validate.ts:38 · conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
packages/server/src/scripts/setup-auth.ts:102 · conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed.
info SEC045 eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed.
info SEC085 JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
packages/core/src/db/adapters/postgres.ts:86 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
packages/web/src/components/chat/MessageInput.tsx:159 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed.
