← Legacy view v2 (rp.*)

legcord/legcord

https://github.com/Legcord/Legcord · lang: typescript · LOC: · source: user_submitted

Quality

69.1

Grade B-

Security

96.0

Findings

60

3 critical · 25 high

Status

completed

May 31, 2026 01:22

high: 25 info: 19 medium: 8 low: 5 critical: 3

Top rules by occurrence

Rule	Severity	Count
`MINED115` GitHub Action pinned to mutable ref (not 40-char SHA)	high	15
`SEC020` Secret Printed to Logs	high	4
`MINED045` Ts Non Null Assertion	info	4
`MINED044` Js Console Log Prod	info	4
`MINED042` Cpp New Without Delete	info	3
`SEC006` XSS Risk	high	3
`SEC045` eval()/exec() on stored or user-supplied data	medium	2
`SEC136` AI-typical over-broad exception handler swallowing all erro…	medium	2
`ERR002` [ERR002] Empty Catch Block: Empty catch blocks hide errors.	medium	2
`MINED043` Http Not Https	info	2

First 60 findings (severity-sorted)

critical MINED005 Lua Loadstring CWE-95

src/discord/preload/patches.mts:144 · conf 1.00

[MINED005] Lua Loadstring: loadstring/load executes Lua code. Code injection.

critical MINED035 Js New Function CWE-95

src/discord/preload/plugins.mts:62 · conf 1.00

[MINED035] Js New Function: new Function(...) compiles strings to functions.

critical SEC084 JS: require() with non-literal

src/discord/venmic.ts:28 · conf 1.00

[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).

high CORE_NO_TESTS No test files found

No test files found

high MINED002 Dart Null Bang CWE-476

src/discord/preload/titlebar.mts:33 · conf 1.00

[MINED002] Dart Null Bang: value! throws on null. Use ?. or null check.

high MINED008 Swift Force Unwrap CWE-476

src/discord/preload/titlebar.mts:33 · conf 1.00

[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let.

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/lint.yml:10 · conf 0.90

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/lint.yml:12 · conf 0.90

[MINED115] Action `biomejs/setup-biome` pinned to mutable ref `@v2`: `uses: biomejs/setup-biome@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/meta.yml:19 · conf 0.90

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/meta.yml:23 · conf 0.90

[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/package.yml:20 · conf 0.90

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/package.yml:28 · conf 0.90

[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/package.yml:31 · conf 0.90

[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/package.yml:44 · conf 0.90

[MINED115] Action `samuelmeuli/action-snapcraft` pinned to mutable ref `@v3`: `uses: samuelmeuli/action-snapcraft@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action o…

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/package.yml:47 · conf 0.90

[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v5`: `uses: actions/cache/restore@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/package.yml:72 · conf 0.90

[MINED115] Action `actions/cache/save` pinned to mutable ref `@v5`: `uses: actions/cache/save@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/package.yml:83 · conf 0.90

[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/package.yml:96 · conf 0.90

[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v6`: `uses: actions/download-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/package.yml:102 · conf 0.90

[MINED115] Action `ncipollo/release-action` pinned to mutable ref `@v1`: `uses: ncipollo/release-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/package.yml:115 · conf 0.90

[MINED115] Action `ncipollo/release-action` pinned to mutable ref `@v1`: `uses: ncipollo/release-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829

.github/workflows/winget.yml:9 · conf 0.90

[MINED115] Action `vedantmgoyal9/winget-releaser` pinned to mutable ref `@main`: `uses: vedantmgoyal9/winget-releaser@main` resolves at workflow-run time. Tags and branches can be re-pushed by the ac…

high MINED122 package.json dep pulled from git URL or tarball CWE-829

package.json:1 · conf 0.90

[MINED122] package.json dep `arrpc` pulled from URL/Git: `dependencies.arrpc` = `github:Legcord/arrpc#efe7589762470d32b9ba10d529be5acc23cd0e19` bypasses the npm registry. No integrity hash, no versio…

high SEC027 XML External Entity (XXE) — Node.js xml parsers

scripts/utils/updateMeta.mts:55 · conf 1.00

[SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs.

high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input

src/discord/plugins/manager.ts:188 · conf 1.00

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input

src/protocol.ts:30 · conf 1.00

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

high SEC085 JS: child_process.exec with non-literal

src/common/themes.ts:27 · conf 1.00

[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

high SEC128 Async function without await — fire-and-forget Promise (AI mistake)

src/common/themes.ts:199 · conf 1.00

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

high SEC128 Async function without await — fire-and-forget Promise (AI mistake)

src/discord/preload/plugins.mts:133 · conf 1.00

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.

src/discord/globalKeybinds.ts:22 · conf 1.00

[ERR002] Empty Catch Block: Empty catch blocks hide errors.

medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.

src/discord/screenshare.ts:25 · conf 1.00

[ERR002] Empty Catch Block: Empty catch blocks hide errors.

medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"

src/shelter/settings/components/HeroUpdater.tsx:34 · conf 1.00

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"

src/shelter/settings/components/SupportBanner.tsx:40 · conf 1.00

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

medium SEC045 eval()/exec() on stored or user-supplied data

src/common/themes.ts:27 · conf 1.00

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

medium SEC045 eval()/exec() on stored or user-supplied data

src/discord/preload/plugins.mts:62 · conf 1.00

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

medium SEC136 AI-typical over-broad exception handler swallowing all errors

src/discord/preload/patches.mts:139 · conf 1.00

[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…

medium SEC136 AI-typical over-broad exception handler swallowing all errors

src/shelter/screenshare/components/ScreensharePicker.tsx:29 · conf 1.00

[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…

low AIC003 Duplicated implementation block across source files

src/shelter/settings/components/icons/QuickActionIcons.tsx:38 · conf 0.86

Duplicated implementation block across source files

low AIC007 Generated build artifact directory is present at repository root

build:1 · conf 0.70

Generated build artifact directory is present at repository root

low SEC006 XSS Risk

src/discord/preload/titlebar.mts:22 · conf 0.40

[SEC006] XSS Risk: Direct HTML injection without sanitization.

low SEC006 XSS Risk

src/setup/preload.mts:18 · conf 0.40

[SEC006] XSS Risk: Direct HTML injection without sanitization.

low SEC006 XSS Risk

src/shelter/titlebar/index.ts:23 · conf 0.40

[SEC006] XSS Risk: Direct HTML injection without sanitization.

info MINED042 Cpp New Without Delete CWE-401

scripts/utils/updateMeta.mts:55 · conf 1.00

[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.

info MINED042 Cpp New Without Delete CWE-401

src/discord/preload/patches.mts:22 · conf 1.00

[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.

info MINED042 Cpp New Without Delete CWE-401

src/discord/preload/plugins.mts:62 · conf 1.00

[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.

info MINED043 Http Not Https CWE-319

assets/app/js/adguard.js:73 · conf 1.00

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

info MINED043 Http Not Https CWE-319

src/common/themes.ts:205 · conf 1.00

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

info MINED044 Js Console Log Prod CWE-532

· conf 0.20

[MINED044] Js Console Log Prod (and 41 more): Same pattern found in 41 additional files. Review if needed.

info MINED044 Js Console Log Prod CWE-532

assets/app/js/patchVencordQuickCSS.js:23 · conf 1.00

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

info MINED044 Js Console Log Prod CWE-532

scripts/copyVenmic.mts:16 · conf 1.00

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

info MINED044 Js Console Log Prod CWE-532

src/common/backup.ts:192 · conf 1.00

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

info MINED045 Ts Non Null Assertion CWE-476

· conf 0.20

[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed.

info MINED045 Ts Non Null Assertion CWE-476

src/discord/extensions/modloader.ts:58 · conf 1.00

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

info MINED045 Ts Non Null Assertion CWE-476

src/discord/menu.ts:48 · conf 1.00

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

info MINED045 Ts Non Null Assertion CWE-476

src/discord/preload/patches.mts:201 · conf 1.00

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

info MINED051 Csharp Null Forgive CWE-476

src/discord/preload/titlebar.mts:33 · conf 1.00

[MINED051] Csharp Null Forgive: x! tells compiler "definitely not null" — bypasses nullable check. NRE risk if wrong.

info MINED052 Ts Any Typed CWE-704

src/setup/preload.mts:35 · conf 1.00

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

info SEC020 Secret Printed to Logs

· conf 0.20

[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed.

info SEC020 Secret Printed to Logs

src/common/config.ts:237 · conf 0.10

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

info SEC020 Secret Printed to Logs

src/setup/main.ts:59 · conf 0.10

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

info SEC020 Secret Printed to Logs

src/setup/tray.ts:36 · conf 0.10

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/2025d0cc-4d3e-4226-82d5-1af68c4c8592/.