Repository: https://github.com/vinayluffy-12/payrollproject.git · lang: javascript · LOC: · source: user_submitted

| Rule | Finding | Severity | Count |
|---|---|---|---|
| MINED113 | Express POST/PUT/DELETE/PATCH route without auth | high | 25 |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | high | 10 |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | high | 4 |
| SEC135 | Auth/permission check missing on AI-generated endpoint | high | 4 |
| MINED116 | GHA pull_request workflow leaks secrets to forks | critical | 4 |
| MINED044 | Js Console Log Prod | info | 4 |
| DKC010 | Compose service lacks no-new-privileges hardening | low | 3 |
| DKR014 | Dockerfile copies the entire context without .dockerignore | high | 3 |
| DKC006 | Compose service does not declare a runtime user | low | 3 |
| DKR001 | Docker final stage has no non-root USER | medium | 3 |
Findings (rule · title · CWE where reported · location · confidence):

- **DKC007** Compose service contains a literal secret environment value · docker-compose.yml:4 · conf 0.96
- **DKC007** Compose service contains a literal secret environment value · docker-compose.yml:27 · conf 0.96
- **MINED116** GHA pull_request workflow leaks secrets to forks (CWE-829) · payrollos/.github/workflows/ci-cd.yml:58 · conf 0.90
  [MINED116] Workflow uses `secrets.AWS_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_ACCESS_KEY_ID…
- **MINED116** GHA pull_request workflow leaks secrets to forks (CWE-829) · payrollos/.github/workflows/ci-cd.yml:59 · conf 0.90
  [MINED116] Workflow uses `secrets.AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_SECRET_AC…
- **MINED116** GHA pull_request workflow leaks secrets to forks (CWE-829) · payrollos/.github/workflows/ci-cd.yml:98 · conf 0.90
  [MINED116] Workflow uses `secrets.KUBE_CONFIG_STAGING` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.KUBE_CONFIG_STA…
- **MINED116** GHA pull_request workflow leaks secrets to forks (CWE-829) · payrollos/.github/workflows/ci-cd.yml:119 · conf 0.90
  [MINED116] Workflow uses `secrets.KUBE_CONFIG_PRODUCTION` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.KUBE_CONFIG_…
- **CORE_NO_TESTS** No test files found
- **DKC011** Database service publishes a host port · docker-compose.yml:4 · conf 0.84
- **DKC011** Database service publishes a host port · docker-compose.yml:17 · conf 0.84
- **DKR014** Dockerfile copies the entire context without .dockerignore · payrollos/backend/Dockerfile:5 · conf 0.92
- **DKR014** Dockerfile copies the entire context without .dockerignore · payrollos/fraud-service/Dockerfile:5 · conf 0.92
- **DKR014** Dockerfile copies the entire context without .dockerignore · payrollos/frontend/Dockerfile:6 · conf 0.92
- **MINED112** FastAPI POST/PUT/DELETE/PATCH endpoint without auth (CWE-306, CWE-862) · payrollos/fraud-service/main.py:49 · conf 0.80
  [MINED112] FastAPI POST /api/v1/fraud/check-run has no auth: Handler `check_payroll_run` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appea…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/admin.js:26 · conf 0.80
  [MINED113] Express PUT /verify/:requestId has no auth: Express route PUT /verify/:requestId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on un…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/attendance.js:47 · conf 0.80
  [MINED113] Express POST /checkin has no auth: Express route POST /checkin declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated rout…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/attendance.js:110 · conf 0.80
  [MINED113] Express POST /checkout has no auth: Express route POST /checkout declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated ro…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/auth.js:14 · conf 0.80
  [MINED113] Express POST /login has no auth: Express route POST /login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes a…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/auth.js:94 · conf 0.80
  [MINED113] Express POST /register has no auth: Express route POST /register declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated ro…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/auth.js:155 · conf 0.80
  [MINED113] Express POST /verify-otp has no auth: Express route POST /verify-otp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticate…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/auth.js:172 · conf 0.80
  [MINED113] Express POST /forgot-password has no auth: Express route POST /forgot-password declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unau…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/auth.js:206 · conf 0.80
  [MINED113] Express POST /2fa/setup has no auth: Express route POST /2fa/setup declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated …
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/auth.js:240 · conf 0.80
  [MINED113] Express POST /2fa/verify has no auth: Express route POST /2fa/verify declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticate…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/auth.js:309 · conf 0.80
  [MINED113] Express POST /refresh has no auth: Express route POST /refresh declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated rout…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/auth.js:326 · conf 0.80
  [MINED113] Express POST /logout has no auth: Express route POST /logout declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/currency.js:44 · conf 0.80
  [MINED113] Express PUT /:code has no auth: Express route PUT /:code declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/employees.js:57 · conf 0.80
  [MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/employees.js:206 · conf 0.80
  [MINED113] Express PUT /:id has no auth: Express route PUT /:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWA…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/employees.js:225 · conf 0.80
  [MINED113] Express DELETE /:id has no auth: Express route DELETE /:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes a…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/fraud.js:29 · conf 0.80
  [MINED113] Express POST /:id/investigate has no auth: Express route POST /:id/investigate declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unau…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/fraud.js:46 · conf 0.80
  [MINED113] Express PUT /:id/resolve has no auth: Express route PUT /:id/resolve declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticate…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/leave.js:32 · conf 0.80
  [MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/leave.js:78 · conf 0.80
  [MINED113] Express PUT /:id/approve has no auth: Express route PUT /:id/approve declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticate…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/payroll.js:26 · conf 0.80
  [MINED113] Express POST /runs has no auth: Express route POST /runs declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/payroll.js:70 · conf 0.80
  [MINED113] Express POST /runs/:id/calculate has no auth: Express route POST /runs/:id/calculate declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) o…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/payroll.js:211 · conf 0.80
  [MINED113] Express POST /runs/:id/approve has no auth: Express route POST /runs/:id/approve declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on un…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/payroll.js:245 · conf 0.80
  [MINED113] Express POST /runs/:id/disburse has no auth: Express route POST /runs/:id/disburse declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on …
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/reports.js:104 · conf 0.80
  [MINED113] Express POST /generate-ai has no auth: Express route POST /generate-ai declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthentica…
- **MINED113** Express POST/PUT/DELETE/PATCH route without auth (CWE-306, CWE-862) · payrollos/backend/src/routes/wallet.js:45 · conf 0.80
  [MINED113] Express POST /:id/withdraw has no auth: Express route POST /:id/withdraw declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenti…
- **MINED115** GitHub Action pinned to mutable ref (not 40-char SHA) (CWE-829) · payrollos/.github/workflows/ci-cd.yml:14 · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- **MINED115** GitHub Action pinned to mutable ref (not 40-char SHA) (CWE-829) · payrollos/.github/workflows/ci-cd.yml:17 · conf 0.90
  [MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
- **MINED115** GitHub Action pinned to mutable ref (not 40-char SHA) (CWE-829) · payrollos/.github/workflows/ci-cd.yml:37 · conf 0.90
  [MINED115] Action `actions/setup-python` pinned to mutable ref `@v4`: `uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
- **MINED115** GitHub Action pinned to mutable ref (not 40-char SHA) (CWE-829) · payrollos/.github/workflows/ci-cd.yml:53 · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- **MINED115** GitHub Action pinned to mutable ref (not 40-char SHA) (CWE-829) · payrollos/.github/workflows/ci-cd.yml:56 · conf 0.90
  [MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v1`: `uses: aws-actions/configure-aws-credentials@v1` resolves at workflow-run time. Tags and branches can be re-push…
- **MINED115** GitHub Action pinned to mutable ref (not 40-char SHA) (CWE-829) · payrollos/.github/workflows/ci-cd.yml:64 · conf 0.90
  [MINED115] Action `aws-actions/amazon-ecr-login` pinned to mutable ref `@v1`: `uses: aws-actions/amazon-ecr-login@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action o…
- **MINED115** GitHub Action pinned to mutable ref (not 40-char SHA) (CWE-829) · payrollos/.github/workflows/ci-cd.yml:92 · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- **MINED115** GitHub Action pinned to mutable ref (not 40-char SHA) (CWE-829) · payrollos/.github/workflows/ci-cd.yml:95 · conf 0.90
  [MINED115] Action `azure/k8s-set-context` pinned to mutable ref `@v2`: `uses: azure/k8s-set-context@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
- **MINED115** GitHub Action pinned to mutable ref (not 40-char SHA) (CWE-829) · payrollos/.github/workflows/ci-cd.yml:113 · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- **MINED115** GitHub Action pinned to mutable ref (not 40-char SHA) (CWE-829) · payrollos/.github/workflows/ci-cd.yml:116 · conf 0.90
  [MINED115] Action `azure/k8s-set-context` pinned to mutable ref `@v2`: `uses: azure/k8s-set-context@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
- **MINED118** Dockerfile FROM not pinned by sha256 digest (CWE-829) · payrollos/backend/Dockerfile:1 · conf 0.90
  [MINED118] Dockerfile FROM `node:18-alpine` not pinned by digest: `FROM node:18-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is …
- **MINED118** Dockerfile FROM not pinned by sha256 digest (CWE-829) · payrollos/fraud-service/Dockerfile:1 · conf 0.90
  [MINED118] Dockerfile FROM `python:3.10-slim` not pinned by digest: `FROM python:3.10-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build…
- **MINED118** Dockerfile FROM not pinned by sha256 digest (CWE-829) · payrollos/frontend/Dockerfile:2 · conf 0.90
  [MINED118] Dockerfile FROM `node:18-alpine` not pinned by digest: `FROM node:18-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is …
- **MINED118** Dockerfile FROM not pinned by sha256 digest (CWE-829) · payrollos/frontend/Dockerfile:10 · conf 0.90
  [MINED118] Dockerfile FROM `nginx:alpine` not pinned by digest: `FROM nginx:alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
- **SEC029** Server-Side Request Forgery (SSRF) — outbound HTTP from user input · payrollos/backend/src/routes/auth.js:221 · conf 1.00
  [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
- **SEC135** Auth/permission check missing on AI-generated endpoint · payrollos/backend/src/routes/attendance.js:47 · conf 1.00
  [SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
- **SEC135** Auth/permission check missing on AI-generated endpoint · payrollos/backend/src/routes/auth.js:14 · conf 1.00
  [SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
- **SEC135** Auth/permission check missing on AI-generated endpoint · payrollos/backend/src/routes/leave.js:32 · conf 1.00
  [SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
- **CORE_NO_CI** No CI/CD configuration found
- **DKC015** Database service has no healthcheck · docker-compose.yml:4 · conf 0.88
- **DKR001** Docker final stage has no non-root USER · payrollos/backend/Dockerfile:1 · conf 0.82
- **DKR001** Docker final stage has no non-root USER · payrollos/fraud-service/Dockerfile:1 · conf 0.82
- **DKR001** Docker final stage has no non-root USER · payrollos/frontend/Dockerfile:10 · conf 0.82
- **DKR007** Docker build context has no .dockerignore · .dockerignore · conf 0.90
- **SEC139** AI-generated migration/route without companion test file · payrollos/fraud-service/main.py:48 · conf 1.00
  [SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks — exactly the surfaces that need tests — with no companion tes…
- **AIC003** Duplicated implementation block across source files · payrollos/backend/api/index.js:4 · conf 0.86
- **COMP001** High cognitive complexity · payrollos/fraud-service/main.py:49 · conf 0.95
  [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
  [COMP001] High cognitive complexity: Function `check_payroll_run` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — n…
- **CORE_NO_LICENSE** No LICENSE file
- **DKC006** Compose service does not declare a runtime user · docker-compose.yml:27 · conf 0.56
- **DKC006** Compose service does not declare a runtime user · docker-compose.yml:50 · conf 0.56
- **DKC006** Compose service does not declare a runtime user · docker-compose.yml:64 · conf 0.56
- **DKC010** Compose service lacks no-new-privileges hardening · docker-compose.yml:27 · conf 0.62
- **DKC010** Compose service lacks no-new-privileges hardening · docker-compose.yml:50 · conf 0.62
- **DKC010** Compose service lacks no-new-privileges hardening · docker-compose.yml:64 · conf 0.62
- **DKC015** Database service has no healthcheck · docker-compose.yml:17 · conf 0.72
- **DKC016** App service does not wait for database health · docker-compose.yml:27 · conf 0.68
- **MINED044** Js Console Log Prod (CWE-532) · conf 0.20
  [MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed.
- **MINED044** Js Console Log Prod (CWE-532) · api/index.js:12 · conf 1.00
  [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
- **MINED044** Js Console Log Prod (CWE-532) · payrollos/backend/api/index.js:12 · conf 1.00
  [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
- **MINED044** Js Console Log Prod (CWE-532) · payrollos/backend/src/app.js:40 · conf 1.00
  [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
- **MINED047** Emoji In Source · payrollos/backend/src/routes/currency.js:16 · conf 1.00
  [MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
- **MINED053** Placeholder Default Username (CWE-1392, CWE-798) · payrollos/backend/src/routes/employees.js:70 · conf 1.00
  [MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
- **MINED089** Js Always False If (CWE-561) · payrollos/frontend/src/components/TopHeader.jsx:102 · conf 1.00
  [MINED089] Js Always False If: if (false) — branch never taken. Dead code / disabled feature.
- **SEC020** Secret Printed to Logs · payrollos/backend/src/middleware/auth.js:29 · conf 0.15
  [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
- **SEC020** Secret Printed to Logs · payrollos/backend/src/routes/auth.js:198 · conf 0.15
  [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
- **SEC135** Auth/permission check missing on AI-generated endpoint · conf 0.20
  [SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. Review if needed.