alireza0/s-ui

[SEC096] Rails: SQL injection via where("#{...}") or find_by_sql: ActiveRecord where() / find_by_sql with interpolation enables SQL injection. Concept from Brakeman check_sql — re-authored from OWASP…

[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…

No test files found

[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.

[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.

[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.

[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.

[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …

[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…

[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …

[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…

[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

[MINED115] Action `svenstaro/upload-release-action` pinned to mutable ref `@v2`: `uses: svenstaro/upload-release-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the ac…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …

[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

[MINED115] Action `svenstaro/upload-release-action` pinned to mutable ref `@v2`: `uses: svenstaro/upload-release-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the ac…

[MINED118] Dockerfile FROM `golang:1.26-alpine` not pinned by digest: `FROM golang:1.26-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every b…

[MINED118] Dockerfile FROM `golang:1.26-alpine` not pinned by digest: `FROM golang:1.26-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every b…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification — MITM risk. Ported from gosec G402 (Apache-2.0).

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

Remote install command pipes network code directly to a shell

Remote install command pipes network code directly to a shell

[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

[AUC002] Low visible authorization coverage in route inventory: Only 6.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…

Docker final stage has no non-root USER

Docker final stage has no non-root USER

Compose service `s-ui` image has no explicit tag

Dockerfile base image has no explicit tag

Dockerfile base image has no explicit tag

Dockerfile copies broad context with incomplete .dockerignore

Dockerfile copies broad context with incomplete .dockerignore

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).

[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).

[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page w…

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.

Compose service does not declare a runtime user

Compose service lacks no-new-privileges hardening

.dockerignore misses sensitive defaults

[ERR003] Ignored Error (Go): Ignoring error return values.

[ERR003] Ignored Error (Go): Ignoring error return values.

[ERR003] Ignored Error (Go): Ignoring error return values.

[ERR003] Ignored Error (Go) (and 4 more): Same pattern found in 4 additional files. Review if needed.

[MINED016] Go Error Ignored (and 1 more): Same pattern found in 1 additional files. Review if needed.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED060] Go Context No Cancel (and 1 more): Same pattern found in 1 additional files. Review if needed.

[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.

[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.

[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.

[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.

[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed.