
generalaction/emdash

https://github.com/generalaction/emdash · lang: typescript · LOC: · source: user_submitted

Quality
70.1
Grade B
Security
54.5
Findings
133
0 critical · 48 high
Status
completed
May 31, 2026 01:25
high: 48 low: 41 info: 28 medium: 16
Top rules by occurrence
Rule · Severity · Count
AIC003 Duplicated implementation block across source files · low · 30
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · high · 20
SEC045 eval()/exec() on stored or user-supplied data · medium · 4
MINED044 Js Console Log Prod · info · 4
SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier · low · 4
SEC040 innerHTML XSS — template literal with server-supplied data · high · 4
ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. · medium · 4
JRN009 Secret-like setting is echoed into a password input value · high · 4
MINED045 Ts Non Null Assertion · info · 4
SEC085 JS: child_process.exec with non-literal · high · 4
First 133 findings (severity-sorted)
high DKR001 Docker final stage has no non-root USER
tooling/byoi/Dockerfile:87 · conf 0.95
Docker final stage runs as root
high DKR001 Docker final stage has no non-root USER
tooling/docker-ssh/dockerfile:124 · conf 0.95
Docker final stage runs as root
high DKR006 Dockerfile pipes a remote script into a shell
tooling/byoi/Dockerfile:37 · conf 0.92
Dockerfile pipes a remote script into a shell
high DKR006 Dockerfile pipes a remote script into a shell
tooling/docker-ssh/dockerfile:54 · conf 0.92
Dockerfile pipes a remote script into a shell
high JRN009 Secret-like setting is echoed into a password input value
src/renderer/features/integrations/AsanaSetupForm.tsx:14 · conf 0.83
Secret-like setting is echoed into a password input value
high JRN009 Secret-like setting is echoed into a password input value
src/renderer/features/integrations/FeaturebaseSetupForm.tsx:14 · conf 0.83
Secret-like setting is echoed into a password input value
high JRN009 Secret-like setting is echoed into a password input value
src/renderer/features/integrations/LinearSetupForm.tsx:14 · conf 0.83
Secret-like setting is echoed into a password input value
high JRN009 Secret-like setting is echoed into a password input value
src/renderer/features/integrations/PlainSetupForm.tsx:14 · conf 0.83
Secret-like setting is echoed into a password input value
high MINED027 React State Array Mutation CWE-682
src/renderer/features/tasks/create-task-modal/workspace-settings-section.tsx:34 · conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/code-consistency-check.yml:16 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/code-consistency-check.yml:19 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/code-consistency-check.yml:24 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/nix-build.yml:15 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/nix-build.yml:18 · conf 0.90
[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v27`: `uses: cachix/install-nix-action@v27` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/nix-build.yml:23 · conf 0.90
[MINED115] Action `cachix/cachix-action` pinned to mutable ref `@v15`: `uses: cachix/cachix-action@v15` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/nix-build.yml:38 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-canary.yml:40 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-canary.yml:76 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-canary.yml:141 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-canary.yml:149 · conf 0.90
[MINED115] Action `apple-actions/import-codesign-certs` pinned to mutable ref `@v2`: `uses: apple-actions/import-codesign-certs@v2` resolves at workflow-run time. Tags and branches can be re-pushed b…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-prod.yml:41 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-prod.yml:74 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-prod.yml:136 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-prod.yml:143 · conf 0.90
[MINED115] Action `apple-actions/import-codesign-certs` pinned to mutable ref `@v2`: `uses: apple-actions/import-codesign-certs@v2` resolves at workflow-run time. Tags and branches can be re-pushed b…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/windows-beta-build.yml:19 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/windows-beta-build.yml:44 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/windows-beta-build.yml:49 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/windows-beta-build.yml:55 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/windows-beta-build.yml:92 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
tooling/byoi/Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
tooling/docker-ssh/dockerfile:13 · conf 0.90
[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
high MINED126 GHA workflow container/services image unpinned CWE-829
.github/workflows/release-canary.yml:17 · conf 0.90
[MINED126] Workflow container/services image `ubuntu:22.04` unpinned: `container/services image: ubuntu:22.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container…
high MINED126 GHA workflow container/services image unpinned CWE-829
.github/workflows/release-prod.yml:18 · conf 0.90
[MINED126] Workflow container/services image `ubuntu:22.04` unpinned: `container/services image: ubuntu:22.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/main/app/protocol.ts:26 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/main/app/window.ts:42 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/main/core/app/controller.ts:77 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC035 Unbounded Resource Allocation — DoS risk
src/main/core/pty/persist-dropped-blob.ts:107 · conf 1.00
[SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust …
high SEC040 innerHTML XSS — template literal with server-supplied data
scripts/release/verify-linux.ts:108 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
src/main/core/execution-context/ssh-execution-context.ts:14 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
src/main/core/jira/jira-issue-provider.ts:152 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC083 JS: new RegExp() with non-literal
src/main/core/agent-hooks/classifiers/codebuff.ts:23 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
scripts/release/build.ts:51 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
scripts/release/verify-linux.ts:16 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
src/main/core/app/utils.ts:14 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC114 path.join / Path() on user-controlled segment without containment check
src/main/core/projects/worktrees/hosts/local-worktree-host.ts:64 · conf 1.00
[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
src/main/core/agent-hooks/hook-server.ts:39 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
src/main/core/conversations/conversation-session-supervisor.ts:103 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
src/main/core/conversations/impl/ssh-conversation.ts:187 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium DKR007 Docker build context has no .dockerignore
.dockerignore · conf 0.90
Docker build context has no .dockerignore
medium DKR018 Database dump or local database file is included in Docker build context
.dockerignore · conf 0.86
Database dump or local database file is included in Docker build context
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
src/main/core/ssh/credentials/ssh-credential-service.ts:106 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
src/main/core/tasks/task-builder.ts:131 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
src/main/core/workspaces/byoi/provision-byoi-task.ts:150 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium SEC003 Hardcoded Secret
src/main/core/account/services/credential-store.ts:4 · conf 0.30
[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.
medium SEC003 Hardcoded Secret
src/main/core/asana/asana-connection-service.ts:47 · conf 0.30
[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.
medium SEC003 Hardcoded Secret
src/main/core/featurebase/featurebase-connection-service.ts:38 · conf 0.30
[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
src/renderer/features/mcp/components/McpCard.tsx:99 · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium SEC045 eval()/exec() on stored or user-supplied data
scripts/release/build.ts:35 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
scripts/release/notarize-mac.ts:54 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
scripts/release/rebuild-native.ts:18 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC087 JS: weak Math.random for crypto
src/renderer/features/tasks/create-task-modal/use-branch-name.ts:27 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78
Public web service has no security.txt
medium WEB015 Public web app has no Content Security Policy
index.html · conf 0.70
Public web app has no Content Security Policy
low AIC003 Duplicated implementation block across source files
electron-builder.config.ts:9 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/auggie.ts:30 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/autohand.ts:3 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/autohand.ts:12 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/charm.ts:30 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/cline.ts:36 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/codebuff.ts:3 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/codebuff.ts:30 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/continue.ts:3 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/continue.ts:30 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/copilot.ts:16 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/cursor.ts:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/devin.ts:24 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/droid.ts:3 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/droid.ts:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/generic.ts:36 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/goose.ts:36 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/grok.ts:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/jules.ts:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/junie.ts:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/kilocode.ts:36 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/kimi.ts:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/kimi.ts:30 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/kiro.ts:12 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/letta.ts:24 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/mistral.ts:48 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/opencode.ts:12 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/pi.ts:3 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/pi.ts:6 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/main/core/agent-hooks/classifiers/pi.ts:12 · conf 0.86
Duplicated implementation block across source files
low AIC007 Generated build artifact directory is present at repository root
build:1 · conf 0.70
Generated build artifact directory is present at repository root
low DKC006 Compose service does not declare a runtime user
docker-compose.yaml:11 · conf 0.56
Compose service does not declare a runtime user
low DKC010 Compose service lacks no-new-privileges hardening
docker-compose.yaml:11 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKR011 Dockerfile installs recommended OS packages
tooling/byoi/Dockerfile:27 · conf 0.72
Dockerfile installs recommended OS packages
low DKR011 Dockerfile installs recommended OS packages
tooling/byoi/Dockerfile:37 · conf 0.72
Dockerfile installs recommended OS packages
low DKR011 Dockerfile installs recommended OS packages
tooling/docker-ssh/dockerfile:44 · conf 0.72
Dockerfile installs recommended OS packages
low DKR011 Dockerfile installs recommended OS packages
tooling/docker-ssh/dockerfile:54 · conf 0.72
Dockerfile installs recommended OS packages
low WEB002 Public web app has no sitemap
sitemap.xml · conf 0.72
Public web app has no sitemap
low WEB005 robots.txt does not advertise a sitemap
pnpm-lock.yaml · conf 0.74
robots.txt does not advertise a sitemap
low WEB008 Public docs site has no llms.txt
llms.txt · conf 0.64
Public docs site has no llms.txt
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50
Public web app has no humans.txt
info ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
· conf 0.20
[ERR002] Empty Catch Block (and 10 more): Same pattern found in 10 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
src/main/core/shared/oauth-flow.ts:86 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
src/shared/repository-ref.ts:80 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
scripts/postinstall.ts:16 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
scripts/release/notarize-mac.ts:10 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
scripts/release/verify-mac.ts:9 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 30 more): Same pattern found in 30 additional files. Review if needed.
info MINED045 Ts Non Null Assertion CWE-476
scripts/release/build.ts:16 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
scripts/release/rebuild-native.ts:14 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
src/main/core/agent-hooks/classifier-wiring.ts:104 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED052 Ts Any Typed CWE-704
src/renderer/_legacy/errorTracking.ts:27 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
src/renderer/features/tasks/diff-view/comments/monaco-comment-manager.ts:59 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED055 Npm Install No Lockfile CWE-1357
scripts/postinstall.ts:17 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info MINED056 React Key As Index CWE-682
src/renderer/features/tasks/diff-view/main-panel/stacked-diff-view.tsx:144 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED058 React Dangerously Set Html CWE-79
src/renderer/features/settings/components/IntegrationRow.tsx:111 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED058 React Dangerously Set Html CWE-79
src/renderer/features/skills/components/SkillIconRenderer.tsx:52 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED058 React Dangerously Set Html CWE-79
src/renderer/utils/mcpIcons.tsx:36 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info SEC003 Hardcoded Secret
· conf 0.20
[SEC003] Hardcoded Secret (and 6 more): Same pattern found in 6 additional files. Review if needed.
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed.
info SEC040 innerHTML XSS — template literal with server-supplied data
· conf 0.20
[SEC040] innerHTML XSS — template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed.
info SEC045 eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 24 more): Same pattern found in 24 additional files. Review if needed.
info SEC085 JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 12 more): Same pattern found in 12 additional files. Review if needed.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
· conf 0.20
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 8 more): Same pattern found in 8 additional files. Review if needed.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
src/main/core/agent-hooks/hook-server.ts:20 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
src/main/core/dependencies/install-runner.ts:65 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
src/main/core/tasks/operations/createTask.ts:206 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 38 more): Same pattern found in 38 additional files. Review if needed.