https://github.com/gdluxx/gdluxx ·
lang: typescript ·
LOC: ·
source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 29 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 14 |
| MINED044 Js Console Log Prod | info | 4 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 3 |
| JRN009 Secret-like setting is echoed into a password input value | high | 3 |
| SEC020 Secret Printed to Logs | high | 2 |
| MINED118 Dockerfile FROM not pinned by sha256 digest | high | 2 |
| MINED054 Ts As Any | info | 1 |
| WEB008 Public docs site has no llms.txt | low | 1 |
| MINED045 Ts Non Null Assertion | info | 1 |
CORE_NO_TESTS
No test files found
No test files found
JRN009
Secret-like setting is echoed into a password input value
extension/src/content/views/settings/tabs/GdluxxTab.svelte:89
· conf 0.83
Secret-like setting is echoed into a password input value
JRN009
Secret-like setting is echoed into a password input value
src/lib/components/auth/LoginForm.svelte:82
· conf 0.83
Secret-like setting is echoed into a password input value
JRN009
Secret-like setting is echoed into a password input value
src/lib/components/auth/SetupForm.svelte:110
· conf 0.83
Secret-like setting is echoed into a password input value
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docs.yml:27
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docs.yml:30
· conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docs.yml:34
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docs.yml:39
· conf 0.90
[MINED115] Action `actions/configure-pages` pinned to mutable ref `@v4`: `uses: actions/configure-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docs.yml:45
· conf 0.90
[MINED115] Action `actions/upload-pages-artifact` pinned to mutable ref `@v3`: `uses: actions/upload-pages-artifact@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docs.yml:59
· conf 0.90
[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v4`: `uses: actions/deploy-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/extension-release.yml:15
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/extension-release.yml:24
· conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/extension-release.yml:39
· conf 0.90
[MINED115] Action `crazy-max/ghaction-import-gpg` pinned to mutable ref `@v6`: `uses: crazy-max/ghaction-import-gpg@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/extension-release.yml:101
· conf 0.90
[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v1`: `uses: softprops/action-gh-release@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/extension-release.yml:109
· conf 0.90
[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v1`: `uses: softprops/action-gh-release@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/release.yml:20
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/release.yml:27
· conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/release.yml:34
· conf 0.90
[MINED115] Action `crazy-max/ghaction-import-gpg` pinned to mutable ref `@v6`: `uses: crazy-max/ghaction-import-gpg@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is …
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:18
· conf 0.90
[MINED118] Dockerfile FROM `node:20-slim` not pinned by digest: `FROM node:20-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
SEC020
Secret Printed to Logs
src/routes/api/extension/profiles/+server.ts:159
· conf 0.92
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/routes/api/command/start/+server.ts:67
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/routes/api/command/stream/+server.ts:21
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/routes/api/site-configs/lookup/+server.ts:45
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC040
innerHTML XSS — template literal with server-supplied data
src/routes/api/settings/user/+server.ts:53
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
DKR003
Dockerfile base image uses the latest tag
docker-compose.yml:3
· conf 0.94
Compose service `gdluxx` image uses the latest tag
DKR014
Dockerfile copies the entire context without .dockerignore
Dockerfile:13
· conf 0.76
Dockerfile copies broad context with incomplete .dockerignore
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txt
WEB015
Public web app has no Content Security Policy
index.html
· conf 0.70
Public web app has no Content Security Policy
AIC003
Duplicated implementation block across source files
extension/src/content/lib/components/ui/Dropdown.svelte:22
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
extension/src/content/lib/components/ui/Info.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
extension/src/content/lib/utils/storageSubstitution.ts:56
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
extension/src/content/views/main/components/LinkList.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
extension/src/content/views/shared/filtering/SelectorInputs.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
extension/src/content/views/shared/substitution/SubProfileControls.svelte:88
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/icons/KeyIcon.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/icons/LogIcon.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/icons/LogIcon.svelte:4
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/icons/RunIcon.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/icons/SuccessIcon.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/icons/VersionIcon.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/icons/VersionIcon.svelte:4
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/jobs/JobOutputModal.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/jobs/JobOutputModal.svelte:160
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/jobs/JobsList.svelte:97
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/ui/Button.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/ui/Chip.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/ui/ConfirmModal.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/ui/ConfirmModal.svelte:16
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/ui/Info.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/ui/Info.svelte:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/ui/Info.svelte:94
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/ui/Modal.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/ui/Tooltip.svelte:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/components/ui/UploadModal.svelte:78
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/server/extensionProfileBackupManager.ts:10
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/stores/settingsStore.ts:23
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/lib/themes/codemirror/codemirror-light.ts:8
· conf 0.86
Duplicated implementation block across source files
DKC006
Compose service does not declare a runtime user
docker-compose.yml:3
· conf 0.56
Compose service does not declare a runtime user
DKC010
Compose service lacks no-new-privileges hardening
docker-compose.yml:3
· conf 0.62
Compose service lacks no-new-privileges hardening
DKR008
.dockerignore misses sensitive defaults
.dockerignore
· conf 0.72
.dockerignore misses sensitive defaults
WEB002
Public web app has no sitemap
sitemap.xml
· conf 0.72
Public web app has no sitemap
WEB005
robots.txt does not advertise a sitemap
extension/pnpm-lock.yaml
· conf 0.74
robots.txt does not advertise a sitemap
WEB008
Public docs site has no llms.txt
llms.txt
· conf 0.64
Public docs site has no llms.txt
WEB011
Public web app has no humans.txt
humans.txt
· conf 0.50
Public web app has no humans.txt
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
extension/entrypoints/popup/main.ts:18
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
extension/src/background/permissions.ts:20
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
extension/src/shared/settings.ts:23
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
src/routes/api/settings/server-logging/+server.ts:46
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED054
Ts As Any
CWE-704
src/hooks.server.ts:83
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
SEC020
Secret Printed to Logs
src/routes/api/extension/ping/+server.ts:19
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…