boxlite-ai/boxlite

https://github.com/boxlite-ai/boxlite · lang: typescript · LOC: · source: user_submitted

Quality
79.1
Grade B+
Security
100.0
Findings
309
2 critical · 137 high
Status
completed
May 31, 2026 01:24
critical: 2 · high: 137 · medium: 56 · low: 37 · info: 77
Top rules by occurrence
Rule · Severity · Count
AIC003 Duplicated implementation block across source files low 30
MINED111 Bare except continues silently medium 25
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) high 25
MINED108 self.attribute used but never assigned in __init__ high 25
MINED106 Phantom test coverage (assertion-free test) high 25
MINED118 Dockerfile FROM not pinned by sha256 digest high 14
DKR001 Docker final stage has no non-root USER medium 7
MINED060 Go Context No Cancel info 4
ERR003 [ERR003] Ignored Error (Go): Ignoring error return values. medium 4
MINED003 Rust Unwrap In Prod high 4
First 200 findings (severity-sorted)
high DKR001 Docker final stage has no non-root USER
src/boxlite/resources/images/skillbox/Dockerfile:54 · conf 0.95
Docker final stage runs as root
high DKR006 Dockerfile pipes a remote script into a shell
src/boxlite/resources/images/skillbox/Dockerfile:47 · conf 0.92
Dockerfile pipes a remote script into a shell
high JRN009 Secret-like setting is echoed into a password input value
apps/dashboard/src/pages/Registries.tsx:198 · conf 0.83
Secret-like setting is echoed into a password input value
high MINED001 Bare Except Pass CWE-755
examples/python/03_lifecycle/clone_export_import.py:78 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED001 Bare Except Pass CWE-755
examples/python/03_lifecycle/manage_lifecycle.py:116 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED001 Bare Except Pass CWE-755
examples/python/03_lifecycle/share_across_processes.py:151 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED003 Rust Unwrap In Prod CWE-755
sdks/c/build.rs:5 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED003 Rust Unwrap In Prod CWE-755
sdks/c/src/error.rs:123 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED003 Rust Unwrap In Prod CWE-755
src/boxlite/src/db/images.rs:192 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED004 Weak Crypto CWE-327
src/boxlite/src/images/archive/verifier.rs:87 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
high MINED006 Overcatch Baseexception CWE-705
apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:129 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
high MINED006 Overcatch Baseexception CWE-705
examples/python/04_interactive/install_claude_interactively.py:194 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
high MINED006 Overcatch Baseexception CWE-705
examples/python/04_interactive/run_interactive_shell.py:46 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
high MINED012 Curl Pipe Bash CWE-494
examples/python/04_interactive/install_claude_interactively.py:43 · conf 1.00
[MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
high MINED012 Curl Pipe Bash CWE-494
scripts/common.sh:85 · conf 1.00
[MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
high MINED016 Go Error Ignored CWE-754
apps/cli/cmd/snapshot/push.go:131 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED016 Go Error Ignored CWE-754
apps/cli/config/config.go:53 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED016 Go Error Ignored CWE-754
apps/cli/mcp/tools/create_sandbox.go:79 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED021 Path Traversal Os Join CWE-22
scripts/images/create-oci-bundle.sh:125 · conf 1.00
[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain "../" — directory escape.
high MINED033 Go Recover Without Log CWE-755
apps/common-go/pkg/errors/middleware.go:176 · conf 1.00
[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
high MINED099 Hardcoded Secret CWE-798
src/boxlite/src/net/ca.rs:100 · conf 1.00
[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
sdks/python/tests/test_box_management_mock.py:140 · conf 1.00
[MINED106] Phantom test coverage: test_rest_runtime_images_unsupported: Test function `test_rest_runtime_images_unsupported` runs code but contains no assert / expect / should call — it passes regard…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
sdks/python/tests/test_box_management.py:193 · conf 1.00
[MINED106] Phantom test coverage: test_cannot_remove_running_box: Test function `test_cannot_remove_running_box` runs code but contains no assert / expect / should call — it passes regardless of beha…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
sdks/python/tests/test_credential.py:80 · conf 1.00
[MINED106] Phantom test coverage: test_rest_options_from_env_requires_url: Test function `test_rest_options_from_env_requires_url` runs code but contains no assert / expect / should call — it passes …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
sdks/python/tests/test_errors.py:18 · conf 1.00
[MINED106] Phantom test coverage: test_can_raise: Test function `test_can_raise` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage withou…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
sdks/python/tests/test_errors.py:55 · conf 1.00
[MINED106] Phantom test coverage: test_can_catch_as_boxlite_error: Test function `test_can_catch_as_boxlite_error` runs code but contains no assert / expect / should call — it passes regardless of be…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
sdks/python/tests/test_errors.py:78 · conf 1.00
[MINED106] Phantom test coverage: test_can_raise: Test function `test_can_raise` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage withou…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
sdks/python/tests/test_errors.py:83 · conf 1.00
[MINED106] Phantom test coverage: test_can_catch_as_boxlite_error: Test function `test_can_catch_as_boxlite_error` runs code but contains no assert / expect / should call — it passes regardless of be…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
sdks/python/tests/test_errors.py:96 · conf 1.00
[MINED106] Phantom test coverage: test_can_raise: Test function `test_can_raise` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage withou…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
sdks/python/tests/test_errors.py:101 · conf 1.00
[MINED106] Phantom test coverage: test_can_catch_as_boxlite_error: Test function `test_can_catch_as_boxlite_error` runs code but contains no assert / expect / should call — it passes regardless of be…
medium AGT007 localStorage write failures are swallowed silently
apps/daemon/pkg/terminal/static/index.html:548 · conf 0.80
localStorage write failures are swallowed silently
medium AGT015 Remote install command pipes network code directly to a shell
README.md:196 · conf 0.70
Remote install command pipes network code directly to a shell
medium COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:105 · conf 0.95
[COMP001] High cognitive complexity: Function `execute_code` has cognitive complexity 22 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested…
medium COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:169 · conf 0.95
[COMP001] High cognitive complexity: Function `run` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches…
medium DKR001 Docker final stage has no non-root USER
apps/api/Dockerfile:1 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
apps/otel-collector/Dockerfile:47 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
apps/proxy/Dockerfile:46 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
apps/runner/Dockerfile:63 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
apps/snapshot-manager/Dockerfile:42 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
apps/ssh-gateway/Dockerfile:42 · conf 0.82
Docker final stage has no non-root USER
medium ERR001 [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
sdks/python/boxlite/interactivebox.py:291 · conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
medium ERR001 [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
sdks/python/boxlite/orchestration/box_runtime.py:173 · conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
medium ERR001 [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
sdks/python/boxlite/orchestration/guest/boxlite_runtime.py:147 · conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
medium MINED111 Bare except continues silently
apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:38 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:165 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:184 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/02_features/forward_ports.py:44 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/03_lifecycle/manage_lifecycle.py:110 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/03_lifecycle/manage_lifecycle.py:190 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/03_lifecycle/manage_lifecycle.py:287 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/03_lifecycle/manage_lifecycle.py:316 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/03_lifecycle/share_across_processes.py:140 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/03_lifecycle/share_across_processes.py:234 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/04_interactive/install_claude_interactively.py:196 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/04_interactive/run_interactive_shell.py:48 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/06_ai_agents/drive_box_with_llm.py:104 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/06_ai_agents/drive_box_with_minimax.py:133 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/06_ai_agents/run_openclaw.py:134 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/07_advanced/ai_pipeline/host.py:127 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/07_advanced/local_to_rest_migration.py:63 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/07_advanced/use_native_api.py:259 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
examples/python/08_rest_api/use_env_config.py:40 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
openapi/reference-server/server.py:829 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
openapi/reference-server/server.py:859 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
sdks/python/boxlite/orchestration/box_runtime.py:163 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
sdks/python/boxlite/orchestration/guest/boxlite_runtime.py:117 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
sdks/python/boxlite/orchestration/guest/boxlite_runtime.py:155 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
sdks/python/tests/test_symlink_escape.py:209 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium SEC001 Hardcoded Password
apps/dashboard/src/components/Playground/Sandbox/CodeSnippets/python.ts:172 · conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.
medium SEC002 Hardcoded API Key
apps/api/src/audit/enums/audit-action.enum.ts:48 · conf 0.30
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
medium SEC002 Hardcoded API Key
openapi/reference-server/config.py:20 · conf 0.30
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
medium SEC007 Unsafe Deserialization
sdks/python/boxlite/orchestration/box_runtime.py:118 · conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
apps/dashboard/src/components/sandboxes/SandboxDetails.tsx:174 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
apps/dashboard/src/components/SandboxTable/columns.tsx:80 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
apps/dashboard/src/hooks/useDocsSearchCommands.tsx:99 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC045 eval()/exec() on stored or user-supplied data
apps/api/src/common/utils/docker-image.util.ts:154 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py:127 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
apps/dashboard/src/components/Playground/Sandbox/CodeSnippets/python.ts:114 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC091 Go: net/http server without timeouts
apps/cli/auth/auth.go:32 · conf 1.00
[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
medium SEC091 Go: net/http server without timeouts
apps/daemon/pkg/terminal/server.go:43 · conf 1.00
[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
medium SEC091 Go: net/http server without timeouts
apps/proxy/pkg/proxy/proxy.go:239 · conf 1.00
[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
medium SEC119 World-writable / world-readable file permissions
sdks/go/cmd/setup/main.go:167 · conf 1.00
[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.
medium SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
apps/api/src/config/dto/configuration.dto.ts:163 · conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
medium SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
apps/dashboard/src/components/ui/stories/field.stories.tsx:38 · conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
medium SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
examples/node/browserbox_puppeteer.js:177 · conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
medium SEC136 AI-typical over-broad exception handler swallowing all errors
sdks/python/boxlite/interactivebox.py:291 · conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
low AIC002 Source file name looks like an AI patch artifact
src/boxlite/src/jailer/shim_copy.rs:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_api_keys.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_audit.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_config.go:49 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_docker_registry.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_docker_registry.go:99 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_health.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_health.go:54 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_jobs.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_jobs.go:166 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_object_storage.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_object_storage.go:54 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_object_storage.go:56 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_preview.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_regions.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_regions.go:49 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_users.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_volumes.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_volumes.go:88 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_volumes.go:420 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_webhooks.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/api_webhooks.go:92 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/model_computer_use_status_response.go:58 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/model_computer_use_stop_response.go:76 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/model_create_linked_account.go:78 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/model_create_organization_role.go:98 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/model_create_runner.go:78 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/model_create_snapshot.go:266 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/model_create_snapshot.go:291 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/model_create_user.go:208 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/api-client-go/model_create_volume.go:57 · conf 0.86
Duplicated implementation block across source files
low COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
examples/python/01_getting_started/list_boxes.py:13 · conf 0.95
[COMP001] High cognitive complexity: Function `main` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches…
low DKR008 .dockerignore misses sensitive defaults
.dockerignore · conf 0.72
.dockerignore misses sensitive defaults
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
apps/cli/apiclient/api_client.go:85 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
apps/cli/auth/auth.go:51 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
apps/cli/cmd/auth/login.go:178 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low SEC132 String concat where the language has interpolation (AI style drift)
apps/api/src/sandbox/entities/build-info.entity.ts:16 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
info COMP001 [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 25 more): Same pattern found in 25 additional files. Review if needed.
info ERR001 [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
· conf 0.20
[ERR001] Silent Exception Swallowing (and 4 more): Same pattern found in 4 additional files. Review if needed.
info ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
· conf 0.20
[ERR003] Ignored Error (Go) (and 15 more): Same pattern found in 15 additional files. Review if needed.
info MINED001 Bare Except Pass CWE-755
· conf 0.20
[MINED001] Bare Except Pass (and 5 more): Same pattern found in 5 additional files. Review if needed.
info MINED003 Rust Unwrap In Prod CWE-755
· conf 0.20
[MINED003] Rust Unwrap In Prod (and 47 more): Same pattern found in 47 additional files. Review if needed.
info MINED006 Overcatch Baseexception CWE-705
· conf 0.20
[MINED006] Overcatch Baseexception (and 1 more): Same pattern found in 1 additional file. Review if needed.
info MINED016 Go Error Ignored CWE-754
· conf 0.20
[MINED016] Go Error Ignored (and 20 more): Same pattern found in 20 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
· conf 0.20
[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
apps/api/src/main.ts:152 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
apps/api/src/region/dto/region.dto.ts:65 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
apps/api/src/sandbox/dto/runner-health.dto.ts:151 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
apps/api/src/common/providers/openfeature-posthog.provider.ts:38 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
apps/api/src/generate-openapi.ts:56 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
apps/api/src/sandbox/guards/region-sandbox-access.guard.ts:38 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 15 more): Same pattern found in 15 additional files. Review if needed.
info MINED045 Ts Non Null Assertion CWE-476
apps/api/src/organization/guards/organization-action.guard.ts:30 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
apps/api/src/region/guards/region-access.guard.ts:46 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
apps/api/src/sandbox-telemetry/services/sandbox-telemetry.service.ts:286 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED049 Print Pii CWE-532
· conf 0.20
[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional file. Review if needed.
info MINED049 Print Pii CWE-532
examples/python/04_interactive/install_claude_interactively.py:151 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED049 Print Pii CWE-532
examples/python/06_ai_agents/run_openclaw.py:155 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED049 Print Pii CWE-532
examples/python/06_ai_agents/use_skillbox.py:134 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED050 Stub Only Function CWE-1188
· conf 0.20
[MINED050] Stub Only Function (and 9 more): Same pattern found in 9 additional files. Review if needed.
info MINED050 Stub Only Function CWE-1188
examples/python/03_lifecycle/clone_export_import.py:79 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED050 Stub Only Function CWE-1188
examples/python/03_lifecycle/manage_lifecycle.py:117 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED050 Stub Only Function CWE-1188
examples/python/03_lifecycle/share_across_processes.py:152 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED052 Ts Any Typed CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 29 more): Same pattern found in 29 additional files. Review if needed.
info MINED052 Ts Any Typed CWE-704
apps/api/src/audit/decorators/audit.decorator.ts:20 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
apps/api/src/audit/interceptors/audit.interceptor.ts:116 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
apps/api/src/auth/combined-auth.guard.ts:23 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED053 Placeholder Default Username CWE-1392 CWE-798
apps/api/src/app.module.ts:44 · conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
info MINED054 Ts As Any CWE-704
apps/api/src/common/guards/authenticated-rate-limit.guard.ts:31 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED055 Npm Install No Lockfile CWE-1357
· conf 0.20
[MINED055] Npm Install No Lockfile (and 4 more): Same pattern found in 4 additional files. Review if needed.
info MINED055 Npm Install No Lockfile CWE-1357
apps/api/src/sandbox/dto/build-info.dto.ts:13 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info MINED055 Npm Install No Lockfile CWE-1357
apps/api/src/sandbox/dto/create-build-info.dto.ts:14 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info MINED055 Npm Install No Lockfile CWE-1357
examples/python/02_features/copy_files.py:18 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info MINED056 React Key As Index CWE-682
· conf 0.20
[MINED056] React Key As Index (and 14 more): Same pattern found in 14 additional files. Review if needed.
info MINED056 React Key As Index CWE-682
apps/dashboard/src/components/CodeBlock.tsx:52 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
apps/dashboard/src/components/ComparisonTable.tsx:50 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
apps/dashboard/src/components/SandboxTable/filters/LabelFilter.tsx:83 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED058 React Dangerously Set Html CWE-79
apps/dashboard/src/components/ui/chart.tsx:76 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED058 React Dangerously Set Html CWE-79
apps/dashboard/src/hooks/useDocsSearchCommands.tsx:119 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED059 Rust Expect In Prod CWE-755
· conf 0.20
[MINED059] Rust Expect In Prod (and 14 more): Same pattern found in 14 additional files. Review if needed.
info MINED059 Rust Expect In Prod CWE-755
sdks/c/build.rs:14 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
info MINED059 Rust Expect In Prod CWE-755
src/boxlite/src/event_listener/audit_event_listener.rs:57 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
info MINED059 Rust Expect In Prod CWE-755
src/boxlite/src/jailer/builder.rs:184 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
info MINED060 Go Context No Cancel CWE-401
· conf 0.20
[MINED060] Go Context No Cancel (and 50 more): Same pattern found in 50 additional files. Review if needed.
info MINED060 Go Context No Cancel CWE-401
apps/api-client-go/api_audit.go:30 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
apps/api-client-go/api_config.go:28 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
apps/api-client-go/api_health.go:28 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED062 Python Dataclass No Fields
sdks/python/boxlite/exec.py:14 · conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
info MINED063 Toctou Os Path Exists CWE-367
examples/python/02_features/mount_host_dir.py:75 · conf 1.00
[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/deleted between check and use.
info MINED066 Rust Panic Macro CWE-755
· conf 0.20
[MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. Review if needed.
info MINED066 Rust Panic Macro CWE-755
src/boxlite/src/rest/error.rs:200 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED066 Rust Panic Macro CWE-755
src/cli/src/commands/cp.rs:163 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED066 Rust Panic Macro CWE-755
src/deps/bubblewrap-sys/build.rs:57 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED067 Python Requests No Timeout CWE-400
examples/python/01_getting_started/run_codebox.py:53 · conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
info MINED067 Python Requests No Timeout CWE-400
examples/python/01_getting_started/run_codebox_sync.py:56 · conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
info MINED068 Rust Unsafe Block CWE-119
· conf 0.20
[MINED068] Rust Unsafe Block (and 34 more): Same pattern found in 34 additional files. Review if needed.
info MINED068 Rust Unsafe Block CWE-119
sdks/c/src/box_handle.rs:112 · conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
info MINED068 Rust Unsafe Block CWE-119
sdks/c/src/copy.rs:55 · conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
info MINED068 Rust Unsafe Block CWE-119
sdks/c/src/error.rs:141 · conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
info MINED071 Go Panic Call CWE-755
src/deps/libgvproxy-sys/gvproxy-bridge/forked_tcp.go:46 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED074 Ai Tell Fake Citation
apps/api/src/config/dto/configuration.dto.ts:123 · conf 1.00
[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
info SEC020 Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 10 more): Same pattern found in 10 additional files. Review if needed.
info SEC020 Secret Printed to Logs
apps/api/src/auth/api-key.strategy.ts:42 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
apps/api/src/user/user.controller.ts:361 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 52 more): Same pattern found in 52 additional files. Review if needed.
info SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
· conf 0.20
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer" (and 2 more): Same pattern found in 2 additional files. Review if needed.
info SEC045 eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 48 more): Same pattern found in 48 additional files. Review if needed.
info SEC085 JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 10 more): Same pattern found in 10 additional files. Review if needed.
info SEC091 Go: net/http server without timeouts
· conf 0.20
[SEC091] Go: net/http server without timeouts (and 3 more): Same pattern found in 3 additional files. Review if needed.
info SEC093 Go: exec.Command with non-literal
· conf 0.20
[SEC093] Go: exec.Command with non-literal (and 6 more): Same pattern found in 6 additional files. Review if needed.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
apps/dashboard/public/mockServiceWorker.js:115 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 17 more): Same pattern found in 17 additional files. Review if needed.
info SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
· conf 0.20
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code (and 2 more): Same pattern found in 2 additional files. Review if needed.
