← Legacy view v2 (rp.*)

remsky/kokoro-fastapi

https://github.com/remsky/Kokoro-FastAPI · lang: python · LOC: · source: user_submitted

Quality
73.1
Grade B
Security
53.5
Findings
11
0 critical · 2 high
Status
completed
May 15, 2026 03:48
medium: 4 info: 3 high: 2 low: 2
Top rules by occurrence
RuleSeverityCount
SEC011 Unsafe PyTorch Model Loading medium 4
SEC020 Secret Printed to Logs high 4
SEC006 XSS Risk high 2
SEC002 Hardcoded API Key critical 1
First 11 findings (severity-sorted)
high SEC020 Secret Printed to Logs
examples/assorted_checks/benchmarks/benchmark_first_token.py:90 · conf 0.85 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
high SEC020 Secret Printed to Logs
examples/phoneme_examples/generate_phonemes.py:87 · conf 0.85 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
medium SEC002 Hardcoded API Key
examples/openai_streaming_audio.py:8 · conf 0.30 
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
medium SEC011 Unsafe PyTorch Model Loading
api/src/core/paths.py:181 · conf 1.00 
[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files.
medium SEC011 Unsafe PyTorch Model Loading
examples/assorted_checks/test_voices/analyze_voice_dimensions.py:8 · conf 1.00 
[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files.
medium SEC011 Unsafe PyTorch Model Loading
examples/assorted_checks/test_voices/trim_voice_dimensions.py:37 · conf 1.00 
[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files.
low SEC006 XSS Risk
web/src/components/TextEditor.js:21 · conf 0.40 
[SEC006] XSS Risk: Direct HTML injection without sanitization.
low SEC006 XSS Risk
web/src/components/VoiceSelector.js:104 · conf 0.40 
[SEC006] XSS Risk: Direct HTML injection without sanitization.
info SEC011 Unsafe PyTorch Model Loading
· conf 0.20 
[SEC011] Unsafe PyTorch Model Loading (and 1 more): Same pattern found in 1 additional files. Review if needed.
info SEC020 Secret Printed to Logs
· conf 0.20 
[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.
info SEC020 Secret Printed to Logs
api/src/services/tts_service.py:169 · conf 0.15 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/379fc10a-3993-4a3f-9a62-1de646e19385/.