https://github.com/GyulyVGC/sniffnet.git ·
lang: rust ·
LOC: ·
source: user_submitted
| Rule | Severity | Count |
|---|---|---|
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) |
high | 25 |
MINED003 Rust Unwrap In Prod |
high | 4 |
MINED126 GHA workflow container/services image unpinned |
high | 3 |
DKR011 Dockerfile installs recommended OS packages |
low | 2 |
AIC003 Duplicated implementation block across source files |
low | 2 |
MINED116 GHA pull_request workflow leaks secrets to forks |
critical | 2 |
MINED066 Rust Panic Macro |
info | 2 |
MINED118 Dockerfile FROM not pinned by sha256 digest |
high | 2 |
DKR007 Docker build context has no .dockerignore |
medium | 1 |
DKR014 Dockerfile copies the entire context without .dockerignore |
high | 1 |
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/rust.yml:53
· conf 0.90
[MINED116] Workflow uses `secrets.NPCAP_OEM_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NPCAP_OEM_URL }` lets…MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/rust.yml:85
· conf 0.90
[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets…CORE_NO_TESTS
No test files found
No test files foundDKR014
Dockerfile copies the entire context without .dockerignore
Dockerfile:15
· conf 0.92
Dockerfile copies the entire context without .dockerignoreMINED003
Rust Unwrap In Prod
CWE-755
build.rs:29
· conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.MINED003
Rust Unwrap In Prod
CWE-755
src/cli/mod.rs:43
· conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.MINED003
Rust Unwrap In Prod
CWE-755
src/gui/styles/types/palette.rs:227
· conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/codeql.yml:32
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/codeql.yml:35
· conf 0.90
[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/codeql.yml:42
· conf 0.90
[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action o…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/crates.yml:12
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/crates.yml:13
· conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docker.yml:15
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:47
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:78
· conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:108
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:136
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:142
· conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:148
· conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:162
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:189
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:195
· conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:221
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:243
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:249
· conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:255
· conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:270
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:290
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:293
· conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/package.yml:299
· conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/rust.yml:38
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/rust.yml:39
· conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `rust:1.88-slim` not pinned by digest: `FROM rust:1.88-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is …MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:20
· conf 0.90
[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so eve…MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/package.yml:119
· conf 0.90
[MINED126] Workflow container/services image `debian:latest` unpinned: `container/services image: debian:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow contain…MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/package.yml:171
· conf 0.90
[MINED126] Workflow container/services image `debian:latest` unpinned: `container/services image: debian:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow contain…MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/package.yml:230
· conf 0.90
[MINED126] Workflow container/services image `fedora:latest` unpinned: `container/services image: fedora:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow contain…SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/gui/types/message.rs:159
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…SEC128
Async function without await — fire-and-forget Promise (AI mistake)
src/gui/components/ellipsized_text.rs:137
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…CFG006
[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.DKR001
Docker final stage has no non-root USER
Dockerfile:20
· conf 0.82
Docker final stage has no non-root USERDKR007
Docker build context has no .dockerignore
.dockerignore
· conf 0.90
Docker build context has no .dockerignoreDKR017
Dockerfile installs dependencies after copying the full source tree
Dockerfile:17
· conf 0.90
Dockerfile installs dependencies after copying the full source treeAIC003
Duplicated implementation block across source files
src/chart/types/traffic_chart.rs:323
· conf 0.86
Duplicated implementation block across source filesAIC003
Duplicated implementation block across source files
src/gui/pages/connection_details_page.rs:133
· conf 0.86
Duplicated implementation block across source filesDKR011
Dockerfile installs recommended OS packages
Dockerfile:4
· conf 0.72
Dockerfile installs recommended OS packagesDKR011
Dockerfile installs recommended OS packages
Dockerfile:23
· conf 0.72
Dockerfile installs recommended OS packagesMINED003
Rust Unwrap In Prod
CWE-755
[MINED003] Rust Unwrap In Prod (and 7 more): Same pattern found in 7 additional files. Review if needed.MINED047
Emoji In Source
src/translations/types/language.rs:158
· conf 1.00
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.MINED059
Rust Expect In Prod
CWE-755
src/utils/check_updates.rs:87
· conf 0.10
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.MINED066
Rust Panic Macro
CWE-755
build.rs:77
· conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.MINED066
Rust Panic Macro
CWE-755
src/utils/error_logger.rs:18
· conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/2ac48eb7-0d67-44e9-ba77-d2575dbfed53/.