← Legacy view v2 (rp.*)

nvidia/garak

https://github.com/NVIDIA/garak · lang: python · LOC: · source: user_submitted

Quality
79.1
Grade B+
Security
83.5
Findings
11
0 critical · 3 high
Status
completed
May 15, 2026 16:00
info: 5 high: 3 medium: 3
Top rules by occurrence
RuleSeverityCount
SEC015 Insecure Randomness for Security medium 4
SEC014 SSL Verification Disabled medium 2
SEC013 Path Traversal — User Input in File Path high 2
SEC004 SQL Injection Risk high 1
SEC011 Unsafe PyTorch Model Loading medium 1
SEC020 Secret Printed to Logs high 1
First 11 findings (severity-sorted)
high SEC004 SQL Injection Risk
garak/cli.py:563 · conf 0.50 
[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
high SEC013 Path Traversal — User Input in File Path
tools/packagehallucination/javascript/main.py:45 · conf 0.80 
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
high SEC013 Path Traversal — User Input in File Path
tools/packagehallucination/ruby/main.py:43 · conf 0.80 
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
medium SEC011 Unsafe PyTorch Model Loading
garak/resources/autodan/autodan.py:142 · conf 1.00 
[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files.
medium SEC014 SSL Verification Disabled
garak/generators/rest.py:210 · conf 1.00 
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
medium SEC014 SSL Verification Disabled
garak/generators/websocket.py:245 · conf 1.00 
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
info SEC015 Insecure Randomness for Security
· conf 0.20 
[SEC015] Insecure Randomness for Security (and 6 more): Same pattern found in 6 additional files. Review if needed.
info SEC015 Insecure Randomness for Security
garak/command.py:20 · conf 0.25 
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
info SEC015 Insecure Randomness for Security
garak/generators/base.py:64 · conf 0.25 
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
info SEC015 Insecure Randomness for Security
garak/langproviders/remote.py:249 · conf 0.25 
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
info SEC020 Secret Printed to Logs
garak/cli.py:662 · conf 0.10 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/1251ce22-878f-4008-a1db-1b422bd654c9/.