← Legacy view v2 (rp.*)

karenrlacour-collab/luminapost-elite

https://github.com/karenrlacour-collab/luminapost-elite.git · lang: typescript · LOC: · source: user_submitted

Quality

44.7

Grade D

Security

63.6

Findings

2 critical · 5 high

Status

completed

May 25, 2026 16:20

info: 9 high: 5 medium: 5 low: 4 critical: 2

Top rules by occurrence

Rule	Severity	Count
`MINED044` Js Console Log Prod	info	4
`MINED056` React Key As Index	info	3
`MINED058` React Dangerously Set Html	info	2
`SEC040` innerHTML XSS — template literal with server-supplied data	high	1
`AIC005` Duplicate top-level symbol appears in a patch-style file	low	1
`JRN004` Consent is collected in UI without visible backend audit pe…	high	1
`AIC001` Parallel implementation file sits beside a canonical file	medium	1
`CORE_NO_README` No README file found	medium	1
`CORE_NO_CI` No CI/CD configuration found	medium	1
`WEB005` robots.txt does not advertise a sitemap	low	1

First 25 findings (severity-sorted)

critical CORE_ENV_FILE .env file committed to repository

.env

.env file committed to repository

critical SEC009 [SEC009] .env File Committed: .env file with secrets committed to repository.

.env · conf 1.00

[SEC009] .env File Committed: .env file with secrets committed to repository.

high CORE_NO_TESTS No test files found

No test files found

high JRN004 Consent is collected in UI without visible backend audit persistence

src/routes/terms.tsx:10 · conf 0.78

Consent is collected in UI without visible backend audit persistence

high JRN009 Secret-like setting is echoed into a password input value

src/routes/login.tsx:46 · conf 0.83

Secret-like setting is echoed into a password input value

high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input

src/components/ArticleEditor.tsx:45 · conf 1.00

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

high SEC040 innerHTML XSS — template literal with server-supplied data

src/components/ui/chart.tsx:75 · conf 1.00

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

medium AIC001 Parallel implementation file sits beside a canonical file

src/routes/admin.articles.new.tsx:1 · conf 0.82

Parallel implementation file sits beside a canonical file

medium CORE_NO_CI No CI/CD configuration found

No CI/CD configuration found

medium CORE_NO_README No README file found

No README file found

medium WEB003 Public web service has no security.txt

.well-known/security.txt · conf 0.78

Public web service has no security.txt

medium WEB015 Public web app has no Content Security Policy

index.html · conf 0.70

Public web app has no Content Security Policy

low AIC005 Duplicate top-level symbol appears in a patch-style file

src/routes/admin.articles.new.tsx:1 · conf 0.64

Duplicate top-level symbol appears in a patch-style file

low CORE_NO_LICENSE No LICENSE file

No LICENSE file

low WEB005 robots.txt does not advertise a sitemap

public/robots.txt · conf 0.74

robots.txt does not advertise a sitemap

low WEB011 Public web app has no humans.txt

humans.txt · conf 0.50

Public web app has no humans.txt

info MINED044 Js Console Log Prod CWE-532

· conf 0.20

[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed.

info MINED044 Js Console Log Prod CWE-532

src/integrations/supabase/auth-middleware.ts:21 · conf 1.00

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

info MINED044 Js Console Log Prod CWE-532

src/integrations/supabase/client.server.ts:18 · conf 1.00

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

info MINED044 Js Console Log Prod CWE-532

src/integrations/supabase/client.ts:17 · conf 1.00

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

info MINED056 React Key As Index CWE-682

src/components/BreakingTicker.tsx:33 · conf 1.00

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

info MINED056 React Key As Index CWE-682

src/components/ParticlesBackground.tsx:42 · conf 1.00

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

info MINED056 React Key As Index CWE-682

src/routes/about.tsx:91 · conf 1.00

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

info MINED058 React Dangerously Set Html CWE-79

src/components/ui/chart.tsx:73 · conf 1.00

[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.

info MINED058 React Dangerously Set Html CWE-79

src/routes/article.$slug.tsx:100 · conf 1.00

[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/6309549d-7da0-4fbd-99ea-56f06c1cc8a9/.