https://github.com/juyterman1000/entroly ·
lang: python ·
LOC: ·
source: corpus_mined
| Rule | Severity | Count |
|---|---|---|
SEC020 Secret Printed to Logs |
high | 4 |
SEC007 Unsafe Deserialization |
medium | 4 |
SEC015 Insecure Randomness for Security |
medium | 4 |
SEC006 XSS Risk |
high | 4 |
SEC016 LLM Prompt Injection — User Input in AI Prompt |
high | 3 |
SEC022 Database URL With Embedded Credential |
critical | 3 |
SEC017 Unbounded Input to LLM/External API |
medium | 3 |
SEC005 Command Injection Risk |
high | 2 |
SEC004 SQL Injection Risk |
high | 2 |
SEC002 Hardcoded API Key |
critical | 2 |
SEC022
Database URL With Embedded Credential
examples/demo_full_experience.py:284
· conf 0.45
[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working c…SEC004
SQL Injection Risk
examples/demo_full_experience.py:65
· conf 0.50
[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.SEC004
SQL Injection Risk
examples/demo_value.py:84
· conf 0.50
[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.SEC005
Command Injection Risk
entroly-core/src/sast.rs:2625
· conf 0.80
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.SEC005
Command Injection Risk
entroly-wasm/src/sast.rs:2619
· conf 0.80
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.SEC013
Path Traversal — User Input in File Path
entroly/cli.py:1250
· conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.SEC016
LLM Prompt Injection — User Input in AI Prompt
bench/fix_nb2.py:18
· conf 0.90
[SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL i…SEC016
LLM Prompt Injection — User Input in AI Prompt
bench/fix_nb5.py:19
· conf 0.90
[SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL i…SEC016
LLM Prompt Injection — User Input in AI Prompt
bench/fix_nb6.py:125
· conf 0.90
[SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL i…SEC020
Secret Printed to Logs
entroly/proxy.py:885
· conf 0.85
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…SEC020
Secret Printed to Logs
entroly/verify_claims.py:74
· conf 0.85
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…SEC020
Secret Printed to Logs
examples/demo_value.py:204
· conf 0.85
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…SEC001
Hardcoded Password
entroly-core/src/sast.rs:2640
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.SEC001
Hardcoded Password
entroly-wasm/src/sast.rs:2634
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.SEC002
Hardcoded API Key
entroly-core/src/sast.rs:2539
· conf 0.30
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.SEC002
Hardcoded API Key
entroly-wasm/src/sast.rs:2533
· conf 0.30
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.SEC007
Unsafe Deserialization
entroly-core/src/sast.rs:462
· conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.SEC007
Unsafe Deserialization
entroly/server.py:2817
· conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.SEC007
Unsafe Deserialization
entroly-wasm/src/sast.rs:456
· conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.SEC014
SSL Verification Disabled
entroly-core/src/sast.rs:598
· conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.SEC014
SSL Verification Disabled
entroly-wasm/src/sast.rs:592
· conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.SEC017
Unbounded Input to LLM/External API
bench/fix_nb2.py:18
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…SEC017
Unbounded Input to LLM/External API
bench/fix_nb5.py:19
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…SEC006
XSS Risk
entroly/controls_html.py:274
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.SEC006
XSS Risk
entroly/dashboard.py:673
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.SEC006
XSS Risk
examples/stream_claude_server.py:35
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.SEC017
Unbounded Input to LLM/External API
bench/fix_nb6.py:125
· conf 0.30
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…SEC022
Database URL With Embedded Credential
bench/compare.py:64
· conf 0.20
[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working c…SEC022
Database URL With Embedded Credential
entroly/benchmark_harness.py:36
· conf 0.20
[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working c…SEC006
XSS Risk
[SEC006] XSS Risk (and 3 more): Same pattern found in 3 additional files. Review if needed.SEC007
Unsafe Deserialization
[SEC007] Unsafe Deserialization (and 1 more): Same pattern found in 1 additional files. Review if needed.SEC015
Insecure Randomness for Security
[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed.SEC015
Insecure Randomness for Security
entroly/autotune.py:240
· conf 0.25
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC015
Insecure Randomness for Security
entroly-core/src/sast.rs:427
· conf 0.25
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC015
Insecure Randomness for Security
entroly-wasm/src/sast.rs:421
· conf 0.25
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC020
Secret Printed to Logs
[SEC020] Secret Printed to Logs (and 13 more): Same pattern found in 13 additional files. Review if needed.Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/2e056297-f8d0-4ae0-ad1d-c05b27731c71/.