https://github.com/tinyhumansai/openhuman · lang: rust · LOC: · source: both
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| MINED126 GHA workflow container/services image unpinned | high | 15 |
| AUC009 Sensitive function route lacks elevated authorizat… | medium | 6 |
| MINED003 Rust Unwrap In Prod | high | 4 |
| MINED068 Rust Unsafe Block | info | 4 |
| SEC085 JS: child_process.exec with non-literal | high | 4 |
| AGT015 Remote install command pipes network code directly to a she… | medium | 4 |
| ERR002 Empty Catch Block: Empty catch blocks hide errors. | medium | 4 |
| MINED118 Dockerfile FROM not pinned by sha256 digest | high | 4 |
DKR001
Docker final stage has no non-root USER
Dockerfile:108
· conf 0.95
Docker final stage runs as root
DKR006
Dockerfile pipes a remote script into a shell
e2e/Dockerfile:30
· conf 0.92
Dockerfile pipes a remote script into a shell
DKR006
Dockerfile pipes a remote script into a shell
e2e/Dockerfile:35
· conf 0.92
Dockerfile pipes a remote script into a shell
DKR006
Dockerfile pipes a remote script into a shell
.github/Dockerfile:46
· conf 0.92
Dockerfile pipes a remote script into a shell
DKR006
Dockerfile pipes a remote script into a shell
.github/Dockerfile:52
· conf 0.92
Dockerfile pipes a remote script into a shell
JRN009
Secret-like setting is echoed into a password input value
app/src/components/settings/panels/AIPanel.tsx:2741
· conf 0.83
Secret-like setting is echoed into a password input value
JRN009
Secret-like setting is echoed into a password input value
app/src/components/settings/panels/ComposioPanel.tsx:295
· conf 0.83
Secret-like setting is echoed into a password input value
MINED003
Rust Unwrap In Prod
CWE-755
app/src-tauri/src/companion_commands.rs:30
· conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
MINED003
Rust Unwrap In Prod
CWE-755
app/src-tauri/src/fake_camera/mod.rs:193
· conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
MINED003
Rust Unwrap In Prod
CWE-755
app/src-tauri/src/file_logging.rs:63
· conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
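The three MINED003 hits above are all in the Tauri side of the app, where a panic does not print a backtrace to a terminal but simply kills the process. The example below is added here to show the shape the rule flags next to the `?`-based form that replaces it; it is not the project's code. `LogSetupError`, `log_path_unwrap`, `log_path_checked` and `ensure_log_dir` are hypothetical names chosen for the illustration, loosely modelled on a file-logging setup path, and the file name `openhuman.log` is an assumption.

```rust
use std::fmt;
use std::path::{Path, PathBuf};

/// Hypothetical error type for a logging-setup path (the project's real types are not on this page).
#[derive(Debug, PartialEq)]
pub enum LogSetupError {
    /// No base directory was available (e.g. HOME unset in a service context).
    MissingBaseDir,
    /// The resulting path is not valid UTF-8, so it cannot be handed to a String-based API.
    NonUtf8Path(PathBuf),
    /// The directory could not be created; the I/O error text is kept for the caller.
    Io(String),
}

impl fmt::Display for LogSetupError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            LogSetupError::MissingBaseDir => write!(f, "no base directory for logs"),
            LogSetupError::NonUtf8Path(p) => write!(f, "log path is not UTF-8: {}", p.display()),
            LogSetupError::Io(e) => write!(f, "could not create log directory: {e}"),
        }
    }
}

impl std::error::Error for LogSetupError {}

/// Before: the shape MINED003 flags. Either unwrap aborts the whole process with a
/// panic, which for a desktop app means the window disappears with no message.
pub fn log_path_unwrap(base: Option<&Path>) -> String {
    let base = base.unwrap(); // panics on None
    let joined = base.join("openhuman.log");
    joined.to_str().unwrap().to_string() // panics on a non-UTF-8 path
}

/// After: the same logic with every fallible step surfaced through `?`, so the
/// caller decides whether to fall back, warn, or exit cleanly.
pub fn log_path_checked(base: Option<&Path>) -> Result<String, LogSetupError> {
    let base = base.ok_or(LogSetupError::MissingBaseDir)?;
    let joined = base.join("openhuman.log");
    let s = joined
        .to_str()
        .ok_or_else(|| LogSetupError::NonUtf8Path(joined.clone()))?;
    Ok(s.to_owned())
}

/// I/O results get the same treatment: `map_err` instead of `.unwrap()`.
pub fn ensure_log_dir(dir: &Path) -> Result<(), LogSetupError> {
    std::fs::create_dir_all(dir).map_err(|e| LogSetupError::Io(e.to_string()))
}

fn main() {
    // Constructed input: no base directory at all.
    match log_path_checked(None) {
        Ok(p) => println!("log path: {p}"),
        Err(e) => eprintln!("logging disabled: {e}"),
    }
    // Real environment: degrade gracefully instead of panicking when HOME is unset.
    let home = std::env::var_os("HOME").map(PathBuf::from);
    match log_path_checked(home.as_deref()) {
        Ok(p) => println!("log path: {p}"),
        Err(e) => eprintln!("logging disabled: {e}"),
    }
}
```

To keep new unwraps out of the non-test crate rather than relying on a scanner to catch them later, `#![cfg_attr(not(test), deny(clippy::unwrap_used, clippy::expect_used))]` at the crate root turns the pattern into a build failure while still allowing it in `#[cfg(test)]` code, which is exactly the split the rule text describes.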
MINED004
Weak Crypto
CWE-327
scripts/mock-api/socket/websocket.mjs:84
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED021
Path Traversal Os Join
CWE-22
scripts/test-proactive-welcome.sh:53
· conf 1.00
[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
MINED027
React State Array Mutation
CWE-682
app/src/store/accountsSlice.ts:49
· conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
MINED027
React State Array Mutation
CWE-682
app/src/store/notificationSlice.ts:80
· conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
MINED099
Hardcoded Secret
CWE-798
src/openhuman/agent_experience/types.rs:128
· conf 1.00
[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.
MINED099
Hardcoded Secret
CWE-798
src/openhuman/memory/tree/jobs/redact.rs:164
· conf 1.00
[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/contributor-rewards.yml:33
· conf 0.90
[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:29
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:33
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:56
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:79
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:84
· conf 0.90
[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:94
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:110
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:115
· conf 0.90
[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:123
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:134
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:148
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:155
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:161
· conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v5`: `uses: actions/download-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/coverage.yml:191
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/e2e-reusable.yml:72
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/e2e-reusable.yml:79
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/e2e-reusable.yml:87
· conf 0.90
[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/e2e-reusable.yml:99
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/e2e-reusable.yml:108
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/e2e-reusable.yml:165
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/typecheck.yml:22
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/typecheck.yml:26
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/typecheck.yml:53
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/typecheck.yml:57
· conf 0.90
[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:12
· conf 0.90
[MINED118] Dockerfile FROM `rust:1.93-bookworm` not pinned by digest: `FROM rust:1.93-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every b…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:65
· conf 0.90
[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so eve…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
e2e/Dockerfile:14
· conf 0.90
[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
.github/Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/build.yml:21
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/coverage.yml:26
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/coverage.yml:72
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/coverage.yml:105
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/e2e-reusable.yml:68
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:latest` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:latest` without `@sha256:...` pulls a mu…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/e2e-reusable.yml:195
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:latest` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:latest` without `@sha256:...` pulls a mu…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/pr-quality.yml:20
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/pr-quality.yml:36
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/test-reusable.yml:44
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/test-reusable.yml:68
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/test-reusable.yml:102
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/test-reusable.yml:160
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/typecheck.yml:19
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/typecheck.yml:50
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/weekly-code-review.yml:30
· conf 0.90
[MINED126] Workflow container/services image `ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` unpinned: `container/services image: ghcr.io/tinyhumansai/openhuman_ci:rust-1.93.0` without `@sha256:...` …
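MINED115, MINED118 and MINED126 are one problem seen through three file types: a reference that the other side can re-point after the pin was reviewed. The checker below is an added example, not part of the project or of the scanner that produced this report, and uses only the Rust standard library so it can run as a pre-commit or CI gate. It applies the same three rules to constructed sample input: an action `uses:` ref is immutable only as a 40-hex-character commit SHA; a container, services or `docker://` image and a Dockerfile `FROM` are immutable only with an `@sha256:` digest. The sample workflow, Dockerfile, image names, the commit SHA and the digest are all constructed for the illustration; the `PinFinding` type and function names are hypothetical.

```rust
/// One finding: line number, the reference as written, and why it is mutable.
#[derive(Debug, PartialEq)]
pub struct PinFinding {
    pub line: usize,
    pub reference: String,
    pub reason: &'static str,
}

/// A GitHub Actions ref is immutable only as a full 40-hex-char commit SHA.
pub fn is_full_sha(s: &str) -> bool {
    s.len() == 40 && s.chars().all(|c| c.is_ascii_hexdigit())
}

/// An OCI image reference is immutable only by digest: "sha256:" plus 64 hex chars.
pub fn is_digest(s: &str) -> bool {
    s.strip_prefix("sha256:")
        .map_or(false, |h| h.len() == 64 && h.chars().all(|c| c.is_ascii_hexdigit()))
}

/// True when `name[:tag][@digest]` carries no digest (a tag can be re-pushed).
pub fn image_unpinned(img: &str) -> bool {
    img.rsplit_once('@').map_or(true, |(_, d)| !is_digest(d))
}

/// Drop an inline comment and surrounding quotes from a YAML scalar.
fn clean_value(v: &str) -> &str {
    v.split('#').next().unwrap_or("").trim().trim_matches(|c| c == '"' || c == '\'')
}

/// MINED115 + MINED126: `uses:` refs and container/services `image:` values.
pub fn check_workflow(text: &str) -> Vec<PinFinding> {
    let mut out = Vec::new();
    for (i, raw) in text.lines().enumerate() {
        let line = raw.trim_start().trim_start_matches("- ").trim_start();
        let mut flag = |v: &str, reason| out.push(PinFinding { line: i + 1, reference: v.to_string(), reason });
        if let Some(v) = line.strip_prefix("uses:") {
            let v = clean_value(v);
            if v.is_empty() || v.starts_with("./") {
                continue; // local action: already fixed by the checked-out commit
            }
            if let Some(img) = v.strip_prefix("docker://") {
                if image_unpinned(img) { flag(v, "docker:// action image not pinned by sha256 digest"); }
                continue;
            }
            match v.rsplit_once('@') {
                Some((_, r)) if is_full_sha(r) => {}
                Some(_) => flag(v, "mutable ref (tag or branch), not a 40-char commit SHA"),
                None => flag(v, "no ref at all; resolves to the default branch at run time"),
            }
        } else if let Some(v) = line.strip_prefix("image:").or_else(|| line.strip_prefix("container:")) {
            let v = clean_value(v);
            if !v.is_empty() && image_unpinned(v) { flag(v, "container/services image not pinned by sha256 digest"); }
        }
    }
    out
}

/// MINED118: every `FROM` that pulls from a registry must carry an @sha256 digest.
/// `FROM scratch` and `FROM <earlier stage>` are not pulls and are skipped.
pub fn check_dockerfile(text: &str) -> Vec<PinFinding> {
    let mut out = Vec::new();
    let mut stages: Vec<String> = Vec::new();
    for (i, raw) in text.lines().enumerate() {
        let mut parts = raw.split_whitespace();
        if !matches!(parts.next(), Some(k) if k.eq_ignore_ascii_case("FROM")) {
            continue;
        }
        // Skip flags such as --platform=linux/amd64 that precede the image name.
        let img = match parts.find(|p| !p.starts_with("--")) { Some(p) => p, None => continue };
        let rest: Vec<&str> = parts.collect();
        if rest.len() == 2 && rest[0].eq_ignore_ascii_case("AS") {
            stages.push(rest[1].to_string());
        }
        if img.eq_ignore_ascii_case("scratch") || stages.iter().any(|s| s.as_str() == img) {
            continue;
        }
        if image_unpinned(img) {
            out.push(PinFinding { line: i + 1, reference: img.to_string(), reason: "FROM image resolved by tag, not sha256 digest" });
        }
    }
    out
}

// Constructed sample input (not the project's files); the SHA and digest are made-up hex.
pub const SAMPLE_WORKFLOW: &str = r#"jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/example/ci:rust-1.93.0
    services:
      db:
        image: postgres:16@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    steps:
      - uses: actions/checkout@v5
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v5.0.0, constructed SHA
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
"#;

pub const SAMPLE_DOCKERFILE: &str = r#"FROM rust:1.93-bookworm AS builder
RUN cargo build --release
FROM --platform=linux/amd64 debian:bookworm-slim@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=builder /app/target/release/app /usr/local/bin/app
FROM builder AS test
FROM scratch
"#;

fn main() {
    let mut all = check_workflow(SAMPLE_WORKFLOW);
    all.extend(check_dockerfile(SAMPLE_DOCKERFILE));
    for f in &all {
        println!("line {}: {} -> {}", f.line, f.reference, f.reason);
    }
}
```

Two caveats when acting on the output. A SHA pin freezes the action's own tree but not what that action downloads at run time, so it narrows the attack from "anyone who can move a tag" to "the action's own release process"; it does not remove third-party trust. And a pin nobody updates becomes its own risk, so keep the human-readable version in a trailing comment (as in the sample's `# v5.0.0`) and let Dependabot or Renovate open the bump PRs, otherwise the next engineer will revert to `@v5` out of frustration.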
SEC018
AI-Agent Secret Retrieval Command
scripts/act-build-desktop.sh:72
· conf 1.00
[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but the…
SEC018
AI-Agent Secret Retrieval Command
scripts/act-staging.sh:127
· conf 1.00
[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but the…
SEC020
Secret Printed to Logs
scripts/mock-api/routes/telegram.mjs:52
· conf 0.85
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
app/src/components/accounts/RespondQueuePanel.tsx:82
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
app/src/components/ErrorFallbackScreen.tsx:98
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
app/src-tauri/src/deep_link_ipc_windows.rs:66
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
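The SEC029 message ends, truncated, on the address family that matters most here: `169.254.169.254` and its neighbours. Whatever the three flagged call sites actually do, the control a practitioner wants in front of any request built from a deep-link or user-supplied URL is an allowlist on the host plus a refusal of internal address literals, applied before the request is made. The block below is an added example written for this page in the project's language, not the project's own code; `UrlPolicyError`, `host_of`, `is_internal` and `validate_outbound` are hypothetical names, and the allowlist entry and test URLs are constructed. It deliberately handles the parsing corners an allowlist check usually gets wrong (`user@host`, fragments before the host, bracketed IPv6, IPv4-mapped IPv6).

```rust
use std::net::IpAddr;

/// Why an outbound URL was refused. Hypothetical type for this example.
#[derive(Debug, PartialEq)]
pub enum UrlPolicyError {
    BadScheme,
    NoHost,
    Userinfo,
    InternalAddress(IpAddr),
    HostNotAllowed(String),
}

/// Extract the host from `scheme://[userinfo@]host[:port][/path][?query][#frag]`
/// using only std. Only http and https are accepted; file:, gopher:, etc. are refused.
pub fn host_of(url: &str) -> Result<String, UrlPolicyError> {
    let (scheme, rest) = url.split_once("://").ok_or(UrlPolicyError::BadScheme)?;
    if !(scheme.eq_ignore_ascii_case("http") || scheme.eq_ignore_ascii_case("https")) {
        return Err(UrlPolicyError::BadScheme);
    }
    // Authority ends at the first '/', '?' or '#': "evil.example#@good.example" must yield evil.example.
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    // "good.example@evil.example" is userinfo plus host evil.example; refuse it outright.
    if authority.contains('@') {
        return Err(UrlPolicyError::Userinfo);
    }
    let host = match authority.strip_prefix('[') {
        Some(v6) => v6.split(']').next().unwrap_or(""),                    // "[::1]:8080"
        None => authority.rsplit_once(':').map_or(authority, |(h, _)| h), // "host:port"
    };
    if host.is_empty() {
        return Err(UrlPolicyError::NoHost);
    }
    Ok(host.trim_end_matches('.').to_ascii_lowercase())
}

/// Loopback, RFC 1918, link-local (169.254.0.0/16, which holds the cloud metadata
/// address), unspecified and broadcast, plus the IPv6 equivalents and IPv4-mapped forms.
pub fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_loopback() || v4.is_private() || v4.is_link_local()
            || v4.is_unspecified() || v4.is_broadcast(),
        IpAddr::V6(v6) => v6.is_loopback() || v6.is_unspecified()
            || (v6.segments()[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
            || (v6.segments()[0] & 0xffc0) == 0xfe80 // fe80::/10 link local
            || v6.to_ipv4_mapped().map_or(false, |m| is_internal(IpAddr::V4(m))),
    }
}

/// Allowlist check: the host must equal one of `allowed` or be a subdomain of it, and
/// must not be an internal IP literal. Returns the normalised host on success.
pub fn validate_outbound(url: &str, allowed: &[&str]) -> Result<String, UrlPolicyError> {
    let host = host_of(url)?;
    if let Ok(ip) = host.parse::<IpAddr>() {
        if is_internal(ip) {
            return Err(UrlPolicyError::InternalAddress(ip));
        }
    }
    let permitted = allowed.iter().any(|a| {
        let a = a.to_ascii_lowercase();
        host == a || host.ends_with(&format!(".{a}"))
    });
    if permitted { Ok(host) } else { Err(UrlPolicyError::HostNotAllowed(host)) }
}

fn main() {
    // Constructed inputs: the allowlist and URLs are illustrative, not the project's.
    let allowed = ["api.example.com"];
    for url in [
        "https://api.example.com/v1/respond",
        "http://169.254.169.254/latest/meta-data/",
        "https://api.example.com@evil.example/",
        "https://evil.example#@api.example.com",
        "file:///etc/passwd",
    ] {
        println!("{url} -> {:?}", validate_outbound(url, &allowed));
    }
}
```

Two things this check cannot do on its own. It inspects the name, not the address the name resolves to, so a hostname on the allowlist that resolves to `127.0.0.1` or `169.254.169.254` (DNS rebinding, or simply a compromised zone) passes; closing that requires resolving first, checking the resolved addresses with `is_internal`, and connecting to exactly those addresses. And HTTP clients generally follow redirects by default, so the redirect target has to go through `validate_outbound` again or redirects have to be disabled for these requests.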
SEC040
innerHTML XSS — template literal with server-supplied data
scripts/act-staging.sh:61
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
scripts/mock-api/routes/llm/dynamic.mjs:123
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC083
JS: new RegExp() with non-literal
scripts/cancel-stale-pr-ci.mjs:106
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC083
JS: new RegExp() with non-literal
scripts/mock-api/server.mjs:128
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
app/src/pages/conversations/utils/format.ts:111
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
app/src/pages/conversations/utils/workerThreadRef.ts:34
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
AGT007
localStorage write failures are swallowed silently
app/src/components/settings/panels/AgentChatPanel.tsx:48
· conf 0.80
localStorage write failures are swallowed silently
AGT007
localStorage write failures are swallowed silently
app/src/overlay/OverlayApp.tsx:486
· conf 0.80
localStorage write failures are swallowed silently
AGT007
localStorage write failures are swallowed silently
app/src/pages/onboarding/components/BetaBanner.tsx:22
· conf 0.80
localStorage write failures are swallowed silently
AGT008
Ollama audio payload path may mislead users about direct model audio
app/src/pages/Conversations.tsx:664
· conf 0.68
Ollama audio payload path may mislead users about direct model audio
AGT015
Remote install command pipes network code directly to a shell
README.de.md:55
· conf 0.70
Remote install command pipes network code directly to a shell
AGT015
Remote install command pipes network code directly to a shell
README.ja-JP.md:55
· conf 0.70
Remote install command pipes network code directly to a shell
AGT015
Remote install command pipes network code directly to a shell
README.ko.md:56
· conf 0.70
Remote install command pipes network code directly to a shell
AGT015
Remote install command pipes network code directly to a shell
README.zh-CN.md:54
· conf 0.70
Remote install command pipes network code directly to a shell
AIC001
Parallel implementation file sits beside a canonical file
remotion/src/Mascot/mascot-yellow-wave-alt.tsx:1
· conf 0.82
Parallel implementation file sits beside a canonical file
AIC001
Parallel implementation file sits beside a canonical file
src/openhuman/memory/tree/canonicalize/email_clean.rs:1
· conf 0.82
Parallel implementation file sits beside a canonical file
AUC001
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
AUC002
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
· conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 22.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
src/api/rest_tests.rs:191
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
src/openhuman/mcp_server/http.rs:73
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
src/openhuman/mcp_server/http.rs:351
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
src/openhuman/mcp_server/http.rs:449
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
src/openhuman/runtime_python/bootstrap_tests.rs:32
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
src/openhuman/runtime_python/bootstrap_tests.rs:33
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
DKR001
Docker final stage has no non-root USER
e2e/Dockerfile:14
· conf 0.82
Docker final stage has no non-root USER
DKR001
Docker final stage has no non-root USER
.github/Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
app/src-tauri/src/meet_audio/audio_bridge.js:209
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
app/src-tauri/src/meet_audio/captions_bridge.js:158
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
app/src-tauri/src/meet_video/camera_bridge.js:138
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
JRN002
Browser storage is used for session token material
app/src/store/coreModeSlice.ts:67
· conf 0.82
Browser storage is used for session token material
JRN002
Browser storage is used for session token material
app/src/utils/configPersistence.ts:239
· conf 0.82
Browser storage is used for session token material
JRN002
Browser storage is used for session token material
app/src/utils/configPersistence.ts:256
· conf 0.82
Browser storage is used for session token material
JRN003
Frontend API reference is not matched by discovered backend routes
app/src/utils/tauriCommands/localAi.ts:199
· conf 0.74
Frontend API reference is not matched by discovered backend routes
SEC001
Hardcoded Password
scripts/build-macos-signed.sh:76
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.
SEC001
Hardcoded Password
scripts/load-env.sh:15
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.
SEC005
Command Injection Risk
app/src/pages/conversations/utils/workerThreadRef.ts:34
· conf 0.50
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
app/src/utils/openUrl.ts:70
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC045
eval()/exec() on stored or user-supplied data
app/src/pages/conversations/utils/format.ts:111
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
app/src/pages/conversations/utils/workerThreadRef.ts:34
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
scripts/agent-batch/lib.mjs:116
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC087
JS: weak Math.random for crypto
app/src/utils/deviceFingerprint.ts:13
· conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
SEC134
AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
src/openhuman/redirect_links/store.rs:301
· conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
SEC134
AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
src/openhuman/tools/impl/network/mcp.rs:300
· conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
AIC003
Duplicated implementation block across source files
app/src/components/channels/TelegramConfig.tsx:5
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/intelligence/IntelligenceSubconsciousTab.tsx:381
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/intelligence/MemorySyncConnections.tsx:33
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/intelligence/MemoryWorkspace.tsx:420
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/ios/MobileTabBar.tsx:46
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/settings/panels/AutocompletePanel.tsx:7
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/settings/panels/DevicesPanel.tsx:227
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/settings/panels/RecoveryPhrasePanel.tsx:397
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/settings/panels/ScreenIntelligencePanel.tsx:128
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/settings/panels/TeamInvitesPanel.tsx:114
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/settings/panels/TeamInvitesPanel.tsx:115
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/settings/panels/TeamMembersPanel.tsx:118
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src/components/settings/panels/TeamMembersPanel.tsx:120
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/deep_link_ipc_windows.rs:89
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/imessage_scanner/mod.rs:321
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/meet_scanner/mod.rs:55
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/meet_video/inject.rs:39
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/slack_scanner/dom_snapshot.rs:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/slack_scanner/idb.rs:144
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/slack_scanner/mod.rs:468
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/slack_scanner/mod.rs:505
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/telegram_scanner/dom_snapshot.rs:37
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/telegram_scanner/idb.rs:14
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/telegram_scanner/idb.rs:147
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/telegram_scanner/mod.rs:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/telegram_scanner/mod.rs:381
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/telegram_scanner/mod.rs:418
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/wechat_scanner/dom_snapshot.rs:227
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/whatsapp_scanner/idb.rs:85
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
app/src-tauri/src/whatsapp_scanner/idb.rs:99
· conf 0.86
Duplicated implementation block across source files
DKC006
Compose service does not declare a runtime user
docker-compose.yml:17
· conf 0.56
Compose service does not declare a runtime user
DKR008
.dockerignore misses sensitive defaults
.dockerignore
· conf 0.72
.dockerignore misses sensitive defaults
DKR011
Dockerfile installs recommended OS packages
e2e/Dockerfile:19
· conf 0.72
Dockerfile installs recommended OS packages
DKR011
Dockerfile installs recommended OS packages
e2e/Dockerfile:35
· conf 0.72
Dockerfile installs recommended OS packages
SEC132
String concat where the language has interpolation (AI style drift)
app/src-tauri/src/meet_audio/audio_bridge.js:71
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
DKR002
Dockerfile base image has no explicit tag
e2e/docker-compose.yml:31
· conf 0.48
Compose service `e2e` image is selected through a build variable
DKR002
Dockerfile base image has no explicit tag
e2e/docker-compose.yml:85
· conf 0.48
Compose service `inference-e2e` image is selected through a build variable
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
· conf 0.20
[ERR002] Empty Catch Block (and 3 more): Same pattern found in 3 additional files. Review if needed.
MINED003
Rust Unwrap In Prod
CWE-755
· conf 0.20
[MINED003] Rust Unwrap In Prod (and 278 more): Same pattern found in 278 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
· conf 0.20
[MINED043] Http Not Https (and 26 more): Same pattern found in 26 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
app/src/components/LanguageSelect.tsx:34
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
app/src-tauri/src/cdp/target.rs:29
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
app/src/utils/ollamaUrlValidation.ts:23
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 77 more): Same pattern found in 77 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
app/src/App.tsx:166
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
app/src-tauri/src/meet_audio/audio_bridge.js:35
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
app/src-tauri/src/meet_video/camera_bridge.js:72
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 5 more): Same pattern found in 5 additional files. Review if needed.
MINED045
Ts Non Null Assertion
CWE-476
app/src/components/channels/mcp/InstallDialog.tsx:185
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
app/src/components/commands/CommandPalette.tsx:38
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
app/src/components/oauth/oauthAuthReadiness.ts:110
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED049
Print Pii
CWE-532
· conf 0.20
[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional file. Review if needed.
MINED049
Print Pii
CWE-532
scripts/test-channel-receive.mjs:84
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED049
Print Pii
CWE-532
scripts/test-proactive-welcome.sh:89
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED049
Print Pii
CWE-532
scripts/test-subconscious-ticks.sh:13
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED052
Ts Any Typed
CWE-704
app/src/components/chat/UnsubscribeApprovalCard.tsx:41
· conf 1.00
[MINED052] Ts Any Typed: `: any` used as type annotation. Defeats TypeScript type safety.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
app/src/services/api/teamApi.ts:36
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
src/openhuman/people/types.rs:137
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED054
Ts As Any
CWE-704
app/src/polyfills.ts:15
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED056
React Key As Index
CWE-682
· conf 0.20
[MINED056] React Key As Index (and 7 more): Same pattern found in 7 additional files. Review if needed.
MINED056
React Key As Index
CWE-682
app/src/components/channels/mcp/ConfigAssistantPanel.tsx:106
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
app/src/components/commands/Kbd.tsx:20
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
app/src/components/ProgressIndicator.tsx:16
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED058
React Dangerously Set Html
CWE-79
app/src/features/human/Mascot/backend/BackendMascot.tsx:144
· conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
MINED059
Rust Expect In Prod
CWE-755
· conf 0.20
[MINED059] Rust Expect In Prod (and 127 more): Same pattern found in 127 additional files. Review if needed.
MINED059
Rust Expect In Prod
CWE-755
app/src-tauri-mobile/src/lib.rs:44
· conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
MINED059
Rust Expect In Prod
CWE-755
app/src-tauri/src/fake_camera/mod.rs:209
· conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
MINED059
Rust Expect In Prod
CWE-755
app/src-tauri/src/gmessages_scanner/idb.rs:212
· conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
MINED066
Rust Panic Macro
CWE-755
· conf 0.20
[MINED066] Rust Panic Macro (and 20 more): Same pattern found in 20 additional files. Review if needed.
MINED066
Rust Panic Macro
CWE-755
app/src-tauri/src/meet_video/frame_bus.rs:265
· conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
MINED066
Rust Panic Macro
CWE-755
src/core/event_bus/native_request_tests.rs:149
· conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
MINED066
Rust Panic Macro
CWE-755
src/openhuman/agent/dispatcher_tests.rs:47
· conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
MINED068
Rust Unsafe Block
CWE-119
· conf 0.20
[MINED068] Rust Unsafe Block (and 12 more): Same pattern found in 12 additional files. Review if needed.
MINED068
Rust Unsafe Block
CWE-119
app/src-tauri/src/deep_link_ipc_windows.rs:74
· conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
MINED068
Rust Unsafe Block
CWE-119
app/src-tauri/src/main.rs:44
· conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
MINED068
Rust Unsafe Block
CWE-119
app/src-tauri/src/native_notifications/mod.rs:120
· conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
MINED098
Global Scope Pollution
app/src-tauri/src/meet_audio/audio_bridge.js:38
· conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
MINED098
Global Scope Pollution
app/src-tauri/src/meet_audio/captions_bridge.js:38
· conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
MINED098
Global Scope Pollution
app/src-tauri/src/meet_video/camera_bridge.js:314
· conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
SEC006
XSS Risk
app/src/features/human/Mascot/backend/BackendMascot.tsx:87
· conf 0.15
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC020
Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed.
SEC020
Secret Printed to Logs
app/src/pages/onboarding/pages/ApiKeysPage.tsx:13
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
app/src/pages/onboarding/steps/ApiKeysStep.tsx:45
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 45 more): Same pattern found in 45 additional files. Review if needed.
SEC045
eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional file. Review if needed.
SEC085
JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
app/src/components/walkthrough/walkthroughSteps.ts:179
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
app/src/services/transport/TunnelTransport.ts:265
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
app/src/utils/deviceFingerprint.ts:12
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed.
SEC134
AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
scripts/mock-api/routes/llm/dynamic.mjs:173
· conf 0.10
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…