https://github.com/nicobailon/pi-subagents.git · lang: typescript · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 4 |
| SEC128 Async function without await — fire-and-forget Promise (AI … | high | 4 |
| MINED045 Ts Non Null Assertion | info | 4 |
| AIC003 Duplicated implementation block across source files | low | 4 |
| SEC040 innerHTML XSS — template literal with server-supplied data | high | 4 |
| MINED044 Js Console Log Prod | info | 4 |
| SEC114 path.join / Path() on user-controlled segment without conta… | high | 3 |
| MINED027 React State Array Mutation | high | 1 |
| CORE_NO_LICENSE No LICENSE file | low | 1 |
| Rule | Title | CWE | Location | Conf | Detail |
|---|---|---|---|---|---|
| MINED027 | React State Array Mutation | CWE-682 | src/runs/shared/long-running-guard.ts:162 | 1.00 | [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference. |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/release.yml:18 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/release.yml:19 | 0.90 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v5`: `uses: actions/setup-node@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/test.yml:17 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/test.yml:18 | 0.90 | [MINED115] Action `actions/setup-node` pinned to mutable ref `@v5`: `uses: actions/setup-node@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the … |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | src/agents/agent-serializer.ts:41 | 1.00 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | src/extension/doctor.ts:102 | 1.00 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | src/runs/background/run-id-resolver.ts:80 | 1.00 | [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC114 | path.join / Path() on user-controlled segment without containment check | | src/extension/doctor.ts:109 | 1.00 | [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e… |
| SEC114 | path.join / Path() on user-controlled segment without containment check | | src/runs/shared/single-output.ts:29 | 1.00 | [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e… |
| SEC114 | path.join / Path() on user-controlled segment without containment check | | src/shared/artifacts.ts:20 | 1.00 | [SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e… |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | src/extension/control-notices.ts:34 | 1.00 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | src/extension/fanout-child.ts:112 | 1.00 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | src/shared/file-coalescer.ts:27 | 1.00 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| AIC003 | Duplicated implementation block across source files | | src/extension/index.ts:188 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | src/intercom/intercom-bridge.ts:120 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | src/runs/shared/nested-events.ts:726 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | src/slash/slash-bridge.ts:142 | 0.86 | Duplicated implementation block across source files |
| CORE_NO_LICENSE | No LICENSE file | | | | No LICENSE file |
| MINED044 | Js Console Log Prod | CWE-532 | | 0.20 | [MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed. |
| MINED044 | Js Console Log Prod | CWE-532 | install.mjs:24 | 1.00 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed. |
| MINED044 | Js Console Log Prod | CWE-532 | src/extension/config.ts:13 | 1.00 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed. |
| MINED044 | Js Console Log Prod | CWE-532 | src/extension/fanout-child.ts:109 | 1.00 | [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed. |
| MINED045 | Ts Non Null Assertion | CWE-476 | | 0.20 | [MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed. |
| MINED045 | Ts Non Null Assertion | CWE-476 | src/agents/chain-serializer.ts:97 | 1.00 | [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong. |
| MINED045 | Ts Non Null Assertion | CWE-476 | src/runs/background/result-watcher.ts:193 | 1.00 | [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong. |
| MINED045 | Ts Non Null Assertion | CWE-476 | src/runs/background/top-level-async.ts:11 | 1.00 | [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong. |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | | 0.20 | [SEC040] innerHTML XSS — template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed. |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | | 0.20 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed. |