coasty-ai/open-computer-use

https://github.com/coasty-ai/open-computer-use · lang: typescript · LOC: · source: user_submitted

Quality
83.8
Grade A-
Security
100.0
Findings
305
34 critical · 115 high
Status
completed
May 31, 2026 01:28
high: 115 medium: 97 info: 46 critical: 34 low: 13
Top rules by occurrence
Rule · Severity · Count
MINED110 Blocking call inside async function high 25
MINED107 Missing Python import (NameError at runtime) critical 25
MINED111 Bare except continues silently medium 25
MINED106 Phantom test coverage (assertion-free test) high 25
MINED108 self.attribute used but never assigned in __init__ high 25
JRN003 Frontend API reference is not matched by discovered backend… medium 14
AGT012 Agent control bridge may listen on a network interface with… medium 12
AUC009 [AUC009] Sensitive function route lacks elevated authorizat… medium 10
AUC003 [AUC003] Object-level route lacks visible authorization: A … high 10
JRN009 Secret-like setting is echoed into a password input value high 6
First 200 findings (severity-sorted)
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/chats/[chatId]/route.ts:91 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/electron/machines/[id]/approvals/[approvalId]/respond/route.ts:12 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/electron/machines/[id]/approvals/route.ts:12 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/projects/[projectId]/route.ts:10 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/projects/[projectId]/route.ts:14 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/projects/[projectId]/route.ts:18 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/swarm/[swarmId]/pause/route.ts:19 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/swarm/[swarmId]/resume/route.ts:19 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/swarm/[swarmId]/route.ts:16 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/swarm/[swarmId]/stop/route.ts:22 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…
high DKR001 Docker final stage has no non-root USER
docker/ai-desktop/Dockerfile:267 · conf 0.95
Docker final stage runs as root
high JRN004 Consent is collected in UI without visible backend audit persistence
app/api/chats/[chatId]/route.ts:123 · conf 0.78
Consent is collected in UI without visible backend audit persistence
high JRN009 Secret-like setting is echoed into a password input value
app/auth/login-page.tsx:861 · conf 0.83
Secret-like setting is echoed into a password input value
high JRN009 Secret-like setting is echoed into a password input value
app/auth/login-page.tsx:929 · conf 0.83
Secret-like setting is echoed into a password input value
high JRN009 Secret-like setting is echoed into a password input value
app/auth/reset-password/page.tsx:100 · conf 0.83
Secret-like setting is echoed into a password input value
high JRN009 Secret-like setting is echoed into a password input value
app/auth/reset-password/reset-password-form.tsx:100 · conf 0.83
Secret-like setting is echoed into a password input value
high JRN009 Secret-like setting is echoed into a password input value
electron/src/renderer/components/AuthScreen.tsx:249 · conf 0.83
Secret-like setting is echoed into a password input value
high JRN009 Secret-like setting is echoed into a password input value
electron/src/renderer/components/AuthScreen.tsx:263 · conf 0.83
Secret-like setting is echoed into a password input value
high MINED001 Bare Except Pass CWE-755
campaigns/sender.py:67 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED001 Bare Except Pass CWE-755
docker/ai-desktop/obfuscate.py:94 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED004 Weak Crypto CWE-327
electron/src/main/native-screenshot.ts:124 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
docker/ai-desktop/test_anti_detection.py:31 · conf 1.00
[MINED106] Phantom test coverage: test_stealth_browser: Test function `test_stealth_browser` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cov…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
docker/ai-desktop/test_anti_detection.py:303 · conf 1.00
[MINED106] Phantom test coverage: test_connection_to_existing: Test function `test_connection_to_existing` runs code but contains no assert / expect / should call — it passes regardless of behaviour.…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
docker/ai-desktop/test_imports.py:21 · conf 1.00
[MINED106] Phantom test coverage: test_import: Test function `test_import` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without veri…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/conftest.py:253 · conf 1.00
[MINED106] Phantom test coverage: test_user_session: Test function `test_user_session` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/conftest.py:282 · conf 1.00
[MINED106] Phantom test coverage: test_jwt: Test function `test_jwt` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/conftest.py:288 · conf 1.00
[MINED106] Phantom test coverage: test_user_id: Test function `test_user_id` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without ve…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_05_internal_alb.py:487 · conf 1.00
[MINED106] Phantom test coverage: test_internal_target_groups_have_healthy_targets: Test function `test_internal_target_groups_have_healthy_targets` runs code but contains no assert / expect / should…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_06_electron_flows.py:268 · conf 1.00
[MINED106] Phantom test coverage: test_02_ws_connect_via_direct_alb_8001: Test function `test_02_ws_connect_via_direct_alb_8001` runs code but contains no assert / expect / should call — it passes re…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_06_electron_flows.py:364 · conf 1.00
[MINED106] Phantom test coverage: test_04c_ws_auth_wrong_message_type: Test function `test_04c_ws_auth_wrong_message_type` runs code but contains no assert / expect / should call — it passes regardle…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_06_electron_flows.py:449 · conf 1.00
[MINED106] Phantom test coverage: test_06_ws_same_machine_id_last_connection_wins: Test function `test_06_ws_same_machine_id_last_connection_wins` runs code but contains no assert / expect / should c…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_06_electron_flows.py:499 · conf 1.00
[MINED106] Phantom test coverage: test_07_ws_close_code_on_server_disconnect: Test function `test_07_ws_close_code_on_server_disconnect` runs code but contains no assert / expect / should call — it p…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_06_electron_flows.py:879 · conf 1.00
[MINED106] Phantom test coverage: test_18_ws_bad_path_not_matched_by_wildcard: Test function `test_18_ws_bad_path_not_matched_by_wildcard` runs code but contains no assert / expect / should call — it…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_10_security.py:584 · conf 1.00
[MINED106] Phantom test coverage: test_frontend_cloudflare_rate_limit_is_documented: Test function `test_frontend_cloudflare_rate_limit_is_documented` runs code but contains no assert / expect / shou…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_11_observability.py:787 · conf 1.00
[MINED106] Phantom test coverage: test_structured_log_parse_rate: Test function `test_structured_log_parse_rate` runs code but contains no assert / expect / should call — it passes regardless of beha…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_security_auth_deep.py:640 · conf 1.00
[MINED106] Phantom test coverage: test_cross_tenant_chat_access_todo: Test function `test_cross_tenant_chat_access_todo` runs code but contains no assert / expect / should call — it passes regardless…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_security_auth_deep.py:826 · conf 1.00
[MINED106] Phantom test coverage: test_health_does_not_require_credential: Test function `test_health_does_not_require_credential` runs code but contains no assert / expect / should call — it passes …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_security_authz_idor.py:192 · conf 1.00
[MINED106] Phantom test coverage: test_get_chat_fake_uuid_returns_404: Test function `test_get_chat_fake_uuid_returns_404` runs code but contains no assert / expect / should call — it passes regardle…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_security_authz_idor.py:203 · conf 1.00
[MINED106] Phantom test coverage: test_get_chat_messages_fake_uuid_returns_404: Test function `test_get_chat_messages_fake_uuid_returns_404` runs code but contains no assert / expect / should call — …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_security_dos_resilience.py:199 · conf 1.00
[MINED106] Phantom test coverage: test_spoofed_client_ip_does_not_bypass_limit: Test function `test_spoofed_client_ip_does_not_bypass_limit` runs code but contains no assert / expect / should call — …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_security_dos_resilience.py:280 · conf 1.00
[MINED106] Phantom test coverage: test_burst_across_different_paths_still_rate_limited: Test function `test_burst_across_different_paths_still_rate_limited` runs code but contains no assert / expect …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_security_injection_deep.py:590 · conf 1.00
[MINED106] Phantom test coverage: test_path_traversal_on_create_folder_rejected: Test function `test_path_traversal_on_create_folder_rejected` runs code but contains no assert / expect / should call …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_security_public_cua_keys.py:281 · conf 1.00
[MINED106] Phantom test coverage: test_issuance_endpoint_is_rate_limited: Test function `test_issuance_endpoint_is_rate_limited` runs code but contains no assert / expect / should call — it passes re…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
tests/post_deploy/test_security_public_cua_keys.py:430 · conf 1.00
[MINED106] Phantom test coverage: test_user_cannot_revoke_another_users_key: Test function `test_user_cannot_revoke_another_users_key` runs code but contains no assert / expect / should call — it pas…
medium AGT007 localStorage write failures are swallowed silently
app/components/landing/top-announcement-banner.tsx:81 · conf 0.80
localStorage write failures are swallowed silently
medium AGT007 localStorage write failures are swallowed silently
app/components/layout/sidebar/sidebar-footer-section.tsx:830 · conf 0.80
localStorage write failures are swallowed silently
medium AGT007 localStorage write failures are swallowed silently
components/common/oss-banner.tsx:74 · conf 0.80
localStorage write failures are swallowed silently
medium AGT007 localStorage write failures are swallowed silently
electron/src/renderer/components/Overlay.tsx:797 · conf 0.80
localStorage write failures are swallowed silently
medium AGT007 localStorage write failures are swallowed silently
lib/posthog/analytics.ts:34 · conf 0.80
localStorage write failures are swallowed silently
medium AGT012 Agent control bridge may listen on a network interface without visible auth
docker/ai-desktop/ai_agent_server.py:3 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
docker/ai-desktop/chrome-auth-wrapper.sh:36 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
docker/ai-desktop/chrome-wrapper.sh:28 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
docker/ai-desktop/startup.azure.sh:29 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
docker/ai-desktop/startup.secure.sh:168 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
docker/ai-desktop/startup.sh:33 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
docker-compose.ai-desktop.yml:15 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
electron/src/main/index.ts:5 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
lib/azure/container-instances.ts:135 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
lib/client-ip.ts:11 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
lib/docker/docker-service.ts:27 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AGT012 Agent control bridge may listen on a network interface without visible auth
lib/services/agent-health-check.ts:27 · conf 0.72
Agent control bridge may listen on a network interface without visible auth
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium AUC002 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
· conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 32.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
medium AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/machines/cleanup/route.ts:39 · conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
medium AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/machines/[id]/settings/route.ts:11 · conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
medium AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
app/api/swarms/shared/[id]/route.ts:11 · conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acc…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
app/api/collaborative-rooms/route.ts:5 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
app/api/collaborative-rooms/route.ts:56 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
app/api/csrf/route.ts:5 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
app/api/developers/route.ts:76 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
app/api/user-memory/route.ts:20 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
app/api/user-memory/route.ts:79 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
app/api/validate-email/route.ts:7 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
app/auth/callback/route.ts:7 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
app/auth/desktop-callback/route.ts:12 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
app/blog/feed.xml/route.ts:19 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
medium COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
campaigns/ab_testing.py:25 · conf 0.95
[COMP001] High cognitive complexity: Function `get_variant_stats` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — n…
medium CORE_NO_CI No CI/CD configuration found
No CI/CD configuration found
medium DKR002 Dockerfile base image has no explicit tag
docker-compose.yml:3 · conf 0.90
Compose service `backend` image has no explicit tag
medium DKR002 Dockerfile base image has no explicit tag
docker-compose.yml:31 · conf 0.90
Compose service `nextjs-app` image has no explicit tag
medium DKR004 Docker build secret exposed through ARG
Dockerfile:20 · conf 0.76
Docker build secret exposed through ARG
medium DKR004 Docker build secret exposed through ARG
Dockerfile:24 · conf 0.76
Docker build secret exposed through ARG
medium DKR004 Docker build secret exposed through ARG
Dockerfile:25 · conf 0.76
Docker build secret exposed through ARG
medium DKR014 Dockerfile copies the entire context without .dockerignore
Dockerfile:46 · conf 0.76
Dockerfile copies broad context with incomplete .dockerignore
medium ERR001 [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
campaigns/sender.py:67 · conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
medium ERR001 [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
docker/ai-desktop/obfuscate.py:94 · conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
app/api/chat/route.ts:235 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
app/api/status/history/route.ts:79 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
app/api/status/route.ts:44 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/api/chats/[chatId]/messages/route.ts:23 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/api/files/route.ts:11 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/api/files/route.ts:141 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/api/machines/[id]/vnc/route.ts:131 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/components/chat/active-swarm-banner.tsx:49 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/components/chat/active-swarm-banner.tsx:63 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/components/chat/awaiting-human-banner.tsx:57 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/components/chat/awaiting-human-banner.tsx:146 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/components/chat/chat.tsx:574 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/components/chat/chat.tsx:1036 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/components/chat/chat-visibility-toggle.tsx:54 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/components/chat/chat-visibility-toggle.tsx:77 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/components/chat/chat-visibility-toggle.tsx:165 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium JRN003 Frontend API reference is not matched by discovered backend routes
app/components/chat/file-attachment-display.tsx:86 · conf 0.74
Frontend API reference is not matched by discovered backend routes
medium MINED111 Bare except continues silently
campaigns/sender.py:55 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:205 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:280 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:298 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:2386 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:2531 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:2651 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:2710 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:2819 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:2902 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:2907 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:2944 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:2975 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:3054 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:3153 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:3269 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:4464 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:4994 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:5160 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:5388 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/ai_agent_server.py:5749 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/interactive_test.py:93 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/interactive_test.py:151 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
docker/ai-desktop/interactive_test.py:223 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
scripts/check_no_jwt_leak.py:130 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium SEC007 Unsafe Deserialization
docker/ai-desktop/obfuscate.py:57 · conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
app/components/chat-input/button-view-screen.tsx:24 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
app/components/layout/dialog-publish.tsx:57 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
app/components/layout/settings/apikeys/byok-section.tsx:287 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC045 eval()/exec() on stored or user-supplied data
app/components/chat/message-parser.tsx:50 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
docker/ai-desktop/obfuscate.py:60 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
electron/src/renderer/components/MessageItem.tsx:25 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC046 Client-side open redirect — window.location = server-supplied URL
app/components/chat/dialog-auth.tsx:54 · conf 1.00
[SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If t…
medium SEC046 Client-side open redirect — window.location = server-supplied URL
app/components/chat-input/popover-content-auth.tsx:45 · conf 1.00
[SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If t…
medium SEC046 Client-side open redirect — window.location = server-supplied URL
app/components/collaborative/dialog-collaborative-auth.tsx:53 · conf 1.00
[SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If t…
medium SEC087 JS: weak Math.random for crypto
app/api/onboarding/route.ts:18 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium SEC119 World-writable / world-readable file permissions
docker/ai-desktop/obfuscate.py:111 · conf 1.00
[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.
medium WEB015 Public web app has no Content Security Policy
index.html · conf 0.70
Public web app has no Content Security Policy
low COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
campaigns/ab_testing.py:51 · conf 0.95
[COMP001] High cognitive complexity: Function `determine_winner` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nes…
low COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
campaigns/db.py:203 · conf 0.95
[COMP001] High cognitive complexity: Function `get_all_user_emails` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand —…
low DKC010 Compose service lacks no-new-privileges hardening
docker-compose.yml:3 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
docker-compose.yml:31 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKR008 .dockerignore misses sensitive defaults
.dockerignore · conf 0.72
.dockerignore misses sensitive defaults
low DKR011 Dockerfile installs recommended OS packages
docker/ai-desktop/Dockerfile:15 · conf 0.72
Dockerfile installs recommended OS packages
low DKR011 Dockerfile installs recommended OS packages
docker/ai-desktop/Dockerfile:41 · conf 0.72
Dockerfile installs recommended OS packages
low DKR011 Dockerfile installs recommended OS packages
docker/ai-desktop/Dockerfile:62 · conf 0.72
Dockerfile installs recommended OS packages
low DKR011 Dockerfile installs recommended OS packages
docker/ai-desktop/Dockerfile:74 · conf 0.72
Dockerfile installs recommended OS packages
low DKR011 Dockerfile installs recommended OS packages
docker/ai-desktop/Dockerfile:104 · conf 0.72
Dockerfile installs recommended OS packages
low DKR011 Dockerfile installs recommended OS packages
docker/ai-desktop/Dockerfile:155 · conf 0.72
Dockerfile installs recommended OS packages
low SEC132 String concat where the language has interpolation (AI style drift)
scripts/check-userdata-size.mjs:195 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50
Public web app has no humans.txt
info COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 5 more): Same pattern found in 5 additional files. Review if needed.
info ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
· conf 0.20
[ERR002] Empty Catch Block (and 6 more): Same pattern found in 6 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
· conf 0.20
[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
app/api/files/route.ts:149 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
app/blog/feed.xml/route.ts:44 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
app/components/chat-input/button-view-screen.tsx:23 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 114 more): Same pattern found in 114 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
app/api/chat/api.ts:51 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
app/api/chat/db.ts:102 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
app/api/chat/machine-status/[machineId]/route.ts:58 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed.
info MINED045 Ts Non Null Assertion CWE-476
app/api/chat/utils.ts:118 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
app/api/collaborative-rooms/[roomId]/participants/route.ts:150 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
app/api/electron/proxy/[...path]/route.ts:111 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED047 Emoji In Source
· conf 0.20
[MINED047] Emoji In Source (and 1 more): Same pattern found in 1 additional file. Review if needed.
info MINED047 Emoji In Source
app/components/chat/language-auto-scroll.tsx:41 · conf 1.00
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
info MINED047 Emoji In Source
app/components/chat/language-indicator.tsx:43 · conf 1.00
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
info MINED047 Emoji In Source
app/components/chat/language-scroll-bar.tsx:43 · conf 1.00
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
info MINED049 Print Pii CWE-532
app/api/files/route.ts:47 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED049 Print Pii CWE-532
scripts/check_no_jwt_leak.py:142 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED050 Stub Only Function CWE-1188
campaigns/sender.py:68 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED050 Stub Only Function CWE-1188
docker/ai-desktop/obfuscate.py:95 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED052 Ts Any Typed CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 37 more): Same pattern found in 37 additional files. Review if needed.
info MINED052 Ts Any Typed CWE-704
app/api/collaborative-rooms/[roomId]/messages/route.ts:85 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
app/api/collaborative-rooms/[roomId]/participants/route.ts:70 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
app/api/collaborative-rooms/[roomId]/route.ts:127 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
· conf 0.20
[MINED054] Ts As Any (and 38 more): Same pattern found in 38 additional files. Review if needed.
info MINED054 Ts As Any CWE-704
app/api/chat/api.ts:36 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
app/api/chat/utils.ts:270 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
app/api/credits/auto-refill/execute/route.ts:211 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED056 React Key As Index CWE-682
· conf 0.20
[MINED056] React Key As Index (and 18 more): Same pattern found in 18 additional files. Review if needed.
info MINED056 React Key As Index CWE-682
app/blog/[id]/page.tsx:136 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
app/components/chat/run-feedback-bar.tsx:255 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
app/components/chat/search-images.tsx:26 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED058 React Dangerously Set Html CWE-79
· conf 0.20
[MINED058] React Dangerously Set Html (and 3 more): Same pattern found in 3 additional files. Review if needed.
info MINED058 React Dangerously Set Html CWE-79
app/components/machines/machine-card-thumbnail.tsx:60 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED058 React Dangerously Set Html CWE-79
app/components/seo/json-ld.tsx:14 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED058 React Dangerously Set Html CWE-79
app/guide/tabs/swarm-mode.tsx:75 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED065 Cors Wildcard CWE-942 CWE-346
docker-compose.yml:20 · conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. Review if needed.
info SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
· conf 0.20
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer" (and 2 more): Same pattern found in 2 additional files. Review if needed.
info SEC045 eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional file. Review if needed.
info SEC085 JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional file. Review if needed.
info SEC100 CORS permissive Access-Control-Allow-Origin: *
· conf 0.20
[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 3 more): Same pattern found in 3 additional files. Review if needed.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
app/api/create-chat/api.ts:21 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 additional files. Review if needed.
