https://github.com/benavlabs/FastAPI-boilerplate.git · lang: python · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| DKC006 Compose service does not declare a runtime user | low | 9 |
| DKC010 Compose service lacks no-new-privileges hardening | low | 9 |
| DKC016 App service does not wait for database health | low | 9 |
| DKC015 Database service has no healthcheck | low | 6 |
| AUC003 [AUC003] Object-level route lacks visible authorization: A … | high | 5 |
| AUC009 [AUC009] Sensitive function route lacks elevated authorizat… | medium | 5 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 3 |
| DKR012 Dockerfile keeps pip download cache | low | 2 |
| SEC034 Log Injection / Log Forging — unsanitized user input in log | medium | 2 |
| DKR001 Docker final stage has no non-root USER | medium | 2 |
AUC003 · src/app/api/v1/posts.py:93 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.

AUC003 · src/app/api/v1/tasks.py:37 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.

AUC003 · src/app/core/utils/cache.py:234 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.

AUC003 · src/app/core/utils/cache.py:253 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.

AUC003 · src/app/core/utils/cache.py:260 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
DKR014 · scripts/local_with_uvicorn/Dockerfile:17 · conf 0.92
Dockerfile copies the entire context without .dockerignore
SEC029 · src/app/core/config.py:113 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

SEC029 · src/app/core/setup.py:45 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

SEC029 · src/app/core/utils/rate_limit.py:27 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
AUC001 · conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
AUC009 · src/app/api/v1/login.py:47 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.

AUC009 · src/app/api/v1/posts.py:75 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.

AUC009 · src/app/api/v1/posts.py:118 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.

AUC009 · src/app/api/v1/users.py:65 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.

AUC009 · src/app/api/v1/users.py:106 · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
AUC012 · conf 0.72
[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
DKC015 · scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml:38 · conf 0.88
Database service has no healthcheck

DKC015 · scripts/local_with_uvicorn/docker-compose.yml:38 · conf 0.88
Database service has no healthcheck

DKC015 · scripts/production_with_nginx/docker-compose.yml:38 · conf 0.88
Database service has no healthcheck
DKR001 · scripts/gunicorn_managing_uvicorn_workers/Dockerfile:15 · conf 0.82
Docker final stage has no non-root USER

DKR001 · scripts/production_with_nginx/Dockerfile:15 · conf 0.82
Docker final stage has no non-root USER
DKR003 · scripts/production_with_nginx/docker-compose.yml:55 · conf 0.94
Dockerfile base image uses the latest tag: Compose service `nginx` image uses the latest tag
DKR007 · .dockerignore · conf 0.90
Docker build context has no .dockerignore
SEC015 · src/app/core/security.py:54 · conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC034 · src/app/api/dependencies.py:92 · conf 1.00
[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…

SEC034 · src/scripts/create_first_superuser.py:62 · conf 1.00
[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…
WEB003 · .well-known/security.txt · conf 0.78
Public web service has no security.txt
DKC006 · scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml:1 · conf 0.56
Compose service does not declare a runtime user

DKC006 · scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml:24 · conf 0.56
Compose service does not declare a runtime user

DKC006 · scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml:65 · conf 0.56
Compose service does not declare a runtime user

DKC006 · scripts/local_with_uvicorn/docker-compose.yml:1 · conf 0.56
Compose service does not declare a runtime user

DKC006 · scripts/local_with_uvicorn/docker-compose.yml:24 · conf 0.56
Compose service does not declare a runtime user

DKC006 · scripts/local_with_uvicorn/docker-compose.yml:65 · conf 0.56
Compose service does not declare a runtime user

DKC006 · scripts/local_with_uvicorn/docker-compose.yml:79 · conf 0.56
Compose service does not declare a runtime user

DKC006 · scripts/production_with_nginx/docker-compose.yml:1 · conf 0.56
Compose service does not declare a runtime user

DKC006 · scripts/production_with_nginx/docker-compose.yml:24 · conf 0.56
Compose service does not declare a runtime user
DKC010 · scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml:1 · conf 0.62
Compose service lacks no-new-privileges hardening

DKC010 · scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml:24 · conf 0.62
Compose service lacks no-new-privileges hardening

DKC010 · scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml:65 · conf 0.62
Compose service lacks no-new-privileges hardening

DKC010 · scripts/local_with_uvicorn/docker-compose.yml:1 · conf 0.62
Compose service lacks no-new-privileges hardening

DKC010 · scripts/local_with_uvicorn/docker-compose.yml:24 · conf 0.62
Compose service lacks no-new-privileges hardening

DKC010 · scripts/local_with_uvicorn/docker-compose.yml:65 · conf 0.62
Compose service lacks no-new-privileges hardening

DKC010 · scripts/local_with_uvicorn/docker-compose.yml:79 · conf 0.62
Compose service lacks no-new-privileges hardening

DKC010 · scripts/production_with_nginx/docker-compose.yml:1 · conf 0.62
Compose service lacks no-new-privileges hardening

DKC010 · scripts/production_with_nginx/docker-compose.yml:24 · conf 0.62
Compose service lacks no-new-privileges hardening
DKC015 · scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml:47 · conf 0.72
Database service has no healthcheck

DKC015 · scripts/local_with_uvicorn/docker-compose.yml:47 · conf 0.72
Database service has no healthcheck

DKC015 · scripts/production_with_nginx/docker-compose.yml:47 · conf 0.72
Database service has no healthcheck
DKC016 · scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml:1 · conf 0.68
App service does not wait for database health

DKC016 · scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml:24 · conf 0.68
App service does not wait for database health

DKC016 · scripts/gunicorn_managing_uvicorn_workers/docker-compose.yml:65 · conf 0.68
App service does not wait for database health

DKC016 · scripts/local_with_uvicorn/docker-compose.yml:1 · conf 0.68
App service does not wait for database health

DKC016 · scripts/local_with_uvicorn/docker-compose.yml:24 · conf 0.68
App service does not wait for database health

DKC016 · scripts/local_with_uvicorn/docker-compose.yml:65 · conf 0.68
App service does not wait for database health

DKC016 · scripts/local_with_uvicorn/docker-compose.yml:79 · conf 0.68
App service does not wait for database health

DKC016 · scripts/production_with_nginx/docker-compose.yml:1 · conf 0.68
App service does not wait for database health

DKC016 · scripts/production_with_nginx/docker-compose.yml:24 · conf 0.68
App service does not wait for database health
DKR012 · scripts/gunicorn_managing_uvicorn_workers/Dockerfile:7 · conf 0.72
Dockerfile keeps pip download cache

DKR012 · scripts/production_with_nginx/Dockerfile:7 · conf 0.72
Dockerfile keeps pip download cache