← Legacy view v2 (rp.*)

leehockin-ai/strategy-sim-coach

https://github.com/leehockin-ai/strategy-sim-coach.git · lang: typescript · LOC: · source: user_submitted

Quality

46.0

Grade D+

Security

66.7

Findings

2 critical · 3 high

Status

completed

May 25, 2026 16:10

info: 13 low: 4 medium: 4 high: 3 critical: 2

Top rules by occurrence

Rule	Severity	Count
`MINED044` Js Console Log Prod	info	4
`MINED052` Ts Any Typed	info	4
`MINED056` React Key As Index	info	2
`MINED054` Ts As Any	info	2
`MINED058` React Dangerously Set Html	info	1
`CORE_NO_README` No README file found	medium	1
`CORE_NO_CI` No CI/CD configuration found	medium	1
`WEB003` Public web service has no security.txt	medium	1
`CORE_NO_TESTS` No test files found	high	1
`SEC009` [SEC009] .env File Committed: .env file with secrets commit…	critical	1

First 26 findings (severity-sorted)

critical CORE_ENV_FILE .env file committed to repository

.env

.env file committed to repository

critical SEC009 [SEC009] .env File Committed: .env file with secrets committed to repository.

.env · conf 1.00

[SEC009] .env File Committed: .env file with secrets committed to repository.

high CORE_NO_TESTS No test files found

No test files found

high JRN009 Secret-like setting is echoed into a password input value

src/routes/login.tsx:118 · conf 0.83

Secret-like setting is echoed into a password input value

high SEC040 innerHTML XSS — template literal with server-supplied data

src/components/ui/chart.tsx:75 · conf 1.00

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

medium CORE_NO_CI No CI/CD configuration found

No CI/CD configuration found

medium CORE_NO_README No README file found

No README file found

medium WEB003 Public web service has no security.txt

.well-known/security.txt · conf 0.78

Public web service has no security.txt

medium WEB015 Public web app has no Content Security Policy

index.html · conf 0.70

Public web app has no Content Security Policy

low CORE_NO_LICENSE No LICENSE file

No LICENSE file

low WEB001 Public web app has no robots.txt

robots.txt · conf 0.74

Public web app has no robots.txt

low WEB002 Public web app has no sitemap

sitemap.xml · conf 0.72

Public web app has no sitemap

low WEB011 Public web app has no humans.txt

humans.txt · conf 0.50

Public web app has no humans.txt

info MINED044 Js Console Log Prod CWE-532

· conf 0.20

[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed.

info MINED044 Js Console Log Prod CWE-532

src/integrations/supabase/auth-middleware.ts:21 · conf 1.00

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

info MINED044 Js Console Log Prod CWE-532

src/integrations/supabase/client.server.ts:18 · conf 1.00

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

info MINED044 Js Console Log Prod CWE-532

src/integrations/supabase/client.ts:17 · conf 1.00

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

info MINED052 Ts Any Typed CWE-704

· conf 0.20

[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed.

info MINED052 Ts Any Typed CWE-704

src/components/VoiceInput.tsx:17 · conf 1.00

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

info MINED052 Ts Any Typed CWE-704

src/routes/_authenticated.scenarios.tsx:46 · conf 1.00

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

info MINED052 Ts Any Typed CWE-704

src/routes/_authenticated.sessions.$sessionId.report.tsx:44 · conf 1.00

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

info MINED054 Ts As Any CWE-704

src/components/VoiceInput.tsx:24 · conf 1.00

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

info MINED054 Ts As Any CWE-704

src/routeTree.gen.ts:25 · conf 1.00

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

info MINED056 React Key As Index CWE-682

src/routes/_authenticated.sessions.$sessionId.report.tsx:136 · conf 1.00

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

info MINED056 React Key As Index CWE-682

src/routes/index.tsx:203 · conf 1.00

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

info MINED058 React Dangerously Set Html CWE-79

src/components/ui/chart.tsx:73 · conf 1.00

[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/1563a42b-e4f3-4ad6-924c-42cf6d363c92/.