https://github.com/kreuzberg-dev/kreuzcrawl · lang: rust · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| MINED106 Phantom test coverage (assertion-free test) | high | 25 |
| MINED118 Dockerfile FROM not pinned by sha256 digest | high | 9 |
| AUC009 [AUC009] Sensitive function route lacks elevated authorizat… | medium | 6 |
| MINED059 Rust Expect In Prod | info | 4 |
| DKR006 Dockerfile pipes a remote script into a shell | high | 4 |
| MINED003 Rust Unwrap In Prod | high | 4 |
| MINED048 Php Error Suppress | info | 4 |
| MINED043 Http Not Https | info | 4 |
| Rule | Title | CWE | Location | Conf | Message |
|---|---|---|---|---|---|
| MINED013 | Password In Url | CWE-200 | crates/kreuzcrawl/src/interact/native.rs:85 | 1.00 | [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages. |
| MINED013 | Password In Url | CWE-200 | crates/kreuzcrawl/src/native_browser.rs:48 | 1.00 | [MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages. |
| MINED116 | GHA pull_request workflow leaks secrets to forks | CWE-829 | .github/workflows/coverage.yaml:81 | 0.90 | [MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets… |
| AUC003 | Object-level route lacks visible authorization | | crates/kreuzcrawl/src/api/router.rs:59 | 0.70 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: `ANY /plugins/<slug:plugin_slug>/`. |
| DKR006 | Dockerfile pipes a remote script into a shell | | docker/Dockerfile.alpine:23 | 0.92 | |
| DKR006 | Dockerfile pipes a remote script into a shell | | docker/Dockerfile.musl-build:21 | 0.92 | |
| DKR006 | Dockerfile pipes a remote script into a shell | | docker/Dockerfile.musl-ffi:21 | 0.92 | |
| DKR006 | Dockerfile pipes a remote script into a shell | | docker/Dockerfile.musl-nif:21 | 0.92 | |
| MINED003 | Rust Unwrap In Prod | CWE-755 | crates/kreuzcrawl-browser/build.rs:7 | 1.00 | [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere. |
| MINED003 | Rust Unwrap In Prod | CWE-755 | crates/kreuzcrawl-browser/src/dom/tree_sink.rs:272 | 1.00 | [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere. |
| MINED003 | Rust Unwrap In Prod | CWE-755 | crates/kreuzcrawl-browser/src/net/robots.rs:23 | 1.00 | [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere. |
| MINED012 | Curl Pipe Bash | CWE-494 | scripts/ci/wasm/install-wasm-pack.sh:14 | 1.00 | [MINED012] Curl Pipe Bash: curl ... \| sh / bash — runs unverified network code. |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_engine.py:34 | 1.00 | [MINED106] Phantom test coverage: test_engine_batch_basic: Test function `test_engine_batch_basic` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_engine.py:60 | 1.00 | [MINED106] Phantom test coverage: test_engine_map_basic: Test function `test_engine_map_basic` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line c… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_error.py:34 | 1.00 | [MINED106] Phantom test coverage: test_error_401_unauthorized: Test function `test_error_401_unauthorized` runs code but contains no assert / expect / should call — it passes regardless of behaviour.… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_error.py:43 | 1.00 | [MINED106] Phantom test coverage: test_error_403_forbidden: Test function `test_error_403_forbidden` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds … |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_error.py:53 | 1.00 | [MINED106] Phantom test coverage: test_error_404_page: Test function `test_error_404_page` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_error.py:62 | 1.00 | [MINED106] Phantom test coverage: test_error_408_request_timeout: Test function `test_error_408_request_timeout` runs code but contains no assert / expect / should call — it passes regardless of beha… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_error.py:71 | 1.00 | [MINED106] Phantom test coverage: test_error_410_gone: Test function `test_error_410_gone` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_error.py:80 | 1.00 | [MINED106] Phantom test coverage: test_error_500_server: Test function `test_error_500_server` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line c… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_error.py:89 | 1.00 | [MINED106] Phantom test coverage: test_error_502_bad_gateway: Test function `test_error_502_bad_gateway` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_error.py:98 | 1.00 | [MINED106] Phantom test coverage: test_error_browser_launch_failure: Test function `test_error_browser_launch_failure` runs code but contains no assert / expect / should call — it passes regardless o… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_error.py:108 | 1.00 | [MINED106] Phantom test coverage: test_error_browser_page_timeout: Test function `test_error_browser_page_timeout` runs code but contains no assert / expect / should call — it passes regardless of be… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_filter.py:34 | 1.00 | [MINED106] Phantom test coverage: test_filter_bm25_crawl_integration: Test function `test_filter_bm25_crawl_integration` runs code but contains no assert / expect / should call — it passes regardless… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_filter.py:62 | 1.00 | [MINED106] Phantom test coverage: test_filter_bm25_high_threshold: Test function `test_filter_bm25_high_threshold` runs code but contains no assert / expect / should call — it passes regardless of be… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_filter.py:76 | 1.00 | [MINED106] Phantom test coverage: test_filter_bm25_relevant_pages: Test function `test_filter_bm25_relevant_pages` runs code but contains no assert / expect / should call — it passes regardless of be… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_filter.py:104 | 1.00 | [MINED106] Phantom test coverage: test_filter_noop_crawl_all_kept: Test function `test_filter_noop_crawl_all_kept` runs code but contains no assert / expect / should call — it passes regardless of be… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_redirect.py:136 | 1.00 | [MINED106] Phantom test coverage: test_redirect_loop: Test function `test_redirect_loop` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverag… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | e2e/python/tests/test_redirect.py:147 | 1.00 | [MINED106] Phantom test coverage: test_redirect_max_exceeded: Test function `test_redirect_max_exceeded` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | scripts/ci/docker/test_docker.py:22 | 1.00 | [MINED106] Phantom test coverage: test_version: Test function `test_version` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without ve… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | scripts/ci/docker/test_docker.py:29 | 1.00 | [MINED106] Phantom test coverage: test_help: Test function `test_help` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifyin… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | scripts/ci/docker/test_docker.py:36 | 1.00 | [MINED106] Phantom test coverage: test_scrape_help: Test function `test_scrape_help` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage wi… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | scripts/ci/docker/test_docker.py:43 | 1.00 | [MINED106] Phantom test coverage: test_scrape_json: Test function `test_scrape_json` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage wi… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | scripts/ci/docker/test_docker.py:61 | 1.00 | [MINED106] Phantom test coverage: test_nonroot_user: Test function `test_nonroot_user` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage … |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | scripts/ci/docker/test_docker.py:70 | 1.00 | [MINED106] Phantom test coverage: test_invalid_url: Test function `test_invalid_url` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage wi… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/api/test_contract.py:29 | 1.00 | [MINED106] Phantom test coverage: test_all_endpoints_no_server_errors: Test function `test_all_endpoints_no_server_errors` runs code but contains no assert / expect / should call — it passes regardle… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/api/test_contract.py:44 | 1.00 | [MINED106] Phantom test coverage: test_all_endpoints_response_conformance: Test function `test_all_endpoints_response_conformance` runs code but contains no assert / expect / should call — it passes … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:65 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:70 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-rust` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-rust@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:76 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-openssl` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-openssl@v1` resolves at workflow-run time. Tags and branches can be re-pushed b… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:79 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/build-rust-ffi` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/build-rust-ffi@v1` resolves at workflow-run time. Tags and branches can be re-pushed… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:84 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/build-rust-cli` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/build-rust-cli@v1` resolves at workflow-run time. Tags and branches can be re-pushed… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:101 | 0.90 | [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:174 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:179 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-rust` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-rust@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:184 | 0.90 | [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:225 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-openssl` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-openssl@v1` resolves at workflow-run time. Tags and branches can be re-pushed b… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:229 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-python-env` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-python-env@v1` resolves at workflow-run time. Tags and branches can be re-pu… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:236 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-node-workspace` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-node-workspace@v1` resolves at workflow-run time. Tags and branches can … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:240 | 0.90 | [MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:246 | 0.90 | [MINED115] Action `ruby/setup-ruby` pinned to mutable ref `@v1`: `uses: ruby/setup-ruby@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-act… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:254 | 0.90 | [MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:261 | 0.90 | [MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:267 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-php` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-php@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the ac… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:275 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-elixir` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-elixir@v1` resolves at workflow-run time. Tags and branches can be re-pushed by … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:282 | 0.90 | [MINED115] Action `dart-lang/setup-dart` pinned to mutable ref `@v1`: `uses: dart-lang/setup-dart@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:291 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-swift` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-swift@v1` resolves at workflow-run time. Tags and branches can be re-pushed by th… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:298 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-zig` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-zig@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the ac… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:304 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-wasm-pack` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-wasm-pack@v1` resolves at workflow-run time. Tags and branches can be re-push… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:310 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/setup-chrome` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/setup-chrome@v1` resolves at workflow-run time. Tags and branches can be re-pushed by … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/ci-e2e.yaml:329 | 0.90 | [MINED115] Action `kreuzberg-dev/actions/install-task` pinned to mutable ref `@v1`: `uses: kreuzberg-dev/actions/install-task@v1` resolves at workflow-run time. Tags and branches can be re-pushed by … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/coverage.yaml:45 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | CWE-829 | docker/Dockerfile:4 | 0.90 | [MINED118] Dockerfile FROM `rust:1.91-bookworm` not pinned by digest: `FROM rust:1.91-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every b… |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | CWE-829 | docker/Dockerfile:42 | 0.90 | [MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so eve… |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | CWE-829 | docker/Dockerfile.alpine:12 | 0.90 | [MINED118] Dockerfile FROM `alpine:3.21` not pinned by digest: `FROM alpine:3.21` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potent… |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | CWE-829 | docker/Dockerfile.alpine:52 | 0.90 | [MINED118] Dockerfile FROM `alpine:3.21` not pinned by digest: `FROM alpine:3.21` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potent… |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | CWE-829 | docker/Dockerfile.cli:4 | 0.90 | [MINED118] Dockerfile FROM `rust:1.91-bookworm` not pinned by digest: `FROM rust:1.91-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every b… |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | CWE-829 | docker/Dockerfile.cli:30 | 0.90 | [MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so eve… |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | CWE-829 | docker/Dockerfile.musl-build:10 | 0.90 | [MINED118] Dockerfile FROM `alpine:3.21` not pinned by digest: `FROM alpine:3.21` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potent… |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | CWE-829 | docker/Dockerfile.musl-ffi:10 | 0.90 | [MINED118] Dockerfile FROM `alpine:3.21` not pinned by digest: `FROM alpine:3.21` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potent… |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | CWE-829 | docker/Dockerfile.musl-nif:10 | 0.90 | [MINED118] Dockerfile FROM `alpine:3.21` not pinned by digest: `FROM alpine:3.21` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potent… |
| MINED122 | package.json dep pulled from git URL or tarball | CWE-829 | e2e/wasm/package.json:1 | 0.90 | [MINED122] package.json dep `@kreuzberg/kreuzcrawl-wasm` pulled from URL/Git: `devDependencies.@kreuzberg/kreuzcrawl-wasm` = `file:../../crates/kreuzcrawl-wasm/pkg/nodejs` bypasses the npm registry. … |
| MINED126 | GHA workflow container/services image unpinned | CWE-829 | .github/workflows/publish-docker.yaml:166 | 0.90 | [MINED126] Workflow container/services image `kreuzcrawl-test:latest` unpinned: `container/services image: kreuzcrawl-test:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Trea… |
| MINED128 | go.mod replace directive points to local path or unrelated fork | CWE-829 | e2e/go/go.mod:9 | 0.90 | [MINED128] go.mod replaces `github.com/kreuzberg-dev/kreuzcrawl/packages/go` — points to a LOCAL path: `replace github.com/kreuzberg-dev/kreuzcrawl/packages/go => ../../packages/go` overrides the can… |
| MINED131 | pre-commit hook pinned to branch/tag instead of SHA | CWE-829 | .pre-commit-config.yaml:8 | 0.90 | [MINED131] pre-commit hook `https://github.com/Goldziher/gitfluff` pinned to mutable rev `v0.8.0`: `.pre-commit-config.yaml` references `https://github.com/Goldziher/gitfluff` at `rev: v0.8.0`. If `{… |
| MINED131 | pre-commit hook pinned to branch/tag instead of SHA | CWE-829 | .pre-commit-config.yaml:16 | 0.90 | [MINED131] pre-commit hook `https://github.com/kreuzberg-dev/pre-commit-hooks` pinned to mutable rev `v1.2.3`: `.pre-commit-config.yaml` references `https://github.com/kreuzberg-dev/pre-commit-hooks`… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | crates/kreuzcrawl-bypass/src/provider.rs:162 | 1.00 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | crates/kreuzcrawl/src/browser_session_pool.rs:32 | 1.00 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | crates/kreuzcrawl/src/html/detection.rs:49 | 1.00 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | crates/kreuzcrawl/src/assets.rs:107 | 1.00 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | crates/kreuzcrawl/src/document.rs:45 | 1.00 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| AGT012 | Agent control bridge may listen on a network interface without visible auth | | fixtures/stealth/stealth_ua_rotation_config.json:16 | 0.72 | |
| AGT015 | Remote install command pipes network code directly to a shell | | scripts/ci/wasm/install-wasm-pack.sh:14 | 0.70 | |
| AUC001 | No Repobility access matrix policy found | | | 0.92 | [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation. |
| AUC002 | [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence. | | | 0.74 | [AUC002] Low visible authorization coverage in route inventory: Only 33.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence. |
| AUC009 | Sensitive function route lacks elevated authorization evidence | | crates/kreuzcrawl/src/api/router.rs:51 | 0.68 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. |
| AUC009 | Sensitive function route lacks elevated authorization evidence | | crates/kreuzcrawl/src/api/router.rs:52 | 0.68 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. |
| AUC009 | Sensitive function route lacks elevated authorization evidence | | crates/kreuzcrawl/src/api/router.rs:57 | 0.68 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. |
| AUC009 | Sensitive function route lacks elevated authorization evidence | | crates/kreuzcrawl/src/api/router.rs:58 | 0.68 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. |
| AUC009 | Sensitive function route lacks elevated authorization evidence | | crates/kreuzcrawl/src/api/router.rs:59 | 0.68 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. |
| AUC009 | Sensitive function route lacks elevated authorization evidence | | crates/kreuzcrawl/src/api/router.rs:60 | 0.68 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. |
| MINED111 | Bare except continues silently | | scripts/ci/docker/test_docker.py:109 | 1.00 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose. |
| MINED111 | Bare except continues silently | | scripts/ci/ruby/vendor-kreuzcrawl-core.py:456 | 1.00 | [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose. |
| SEC134 | AI scaffold leftover — Lorem ipsum / example.com / John Doe in code | | crates/kreuzcrawl/src/mcp/format.rs:180 | 1.00 | [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't… |
| SEC134 | AI scaffold leftover — Lorem ipsum / example.com / John Doe in code | | crates/kreuzcrawl/src/waf/tests.rs:26 | 1.00 | [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't… |
| SEC134 | AI scaffold leftover — Lorem ipsum / example.com / John Doe in code | | tools/benchmark-harness/src/cache.rs:191 | 1.00 | [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't… |
| AIC003 | Duplicated implementation block across source files | | crates/kreuzcrawl/src/interact/chromiumoxide.rs:108 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | crates/kreuzcrawl/src/interact/chromiumoxide.rs:372 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | crates/kreuzcrawl/src/tower/service.rs:114 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | crates/kreuzcrawl/src/tower/tracing_layer.rs:29 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/csharp/Kreuzcrawl/CrawlEvent.cs:25 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/csharp/Kreuzcrawl/PageAction.cs:41 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/csharp/Kreuzcrawl/ScrapeResult.cs:12 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/elixir/lib/kreuzcrawl/batch_crawl_result.ex:11 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/elixir/lib/kreuzcrawl/batch_scrape_result.ex:4 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/elixir/lib/kreuzcrawl/batch_scrape_result.ex:11 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/elixir/lib/kreuzcrawl/batch_scrape_results.ex:8 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/elixir/lib/kreuzcrawl/crawl_result.ex:21 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/elixir/lib/kreuzcrawl/heading_info.ex:9 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/elixir/lib/kreuzcrawl/map_result.ex:6 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/go/include/kreuzcrawl.h:1 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/go/internal/ffi/kreuzcrawl.h:41 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/java/src/main/java/dev/kreuzberg/kreuzcrawl/BatchScrapeResults.java:29 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/java/src/main/java/dev/kreuzberg/kreuzcrawl/ScrapeResult.java:101 | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/ArticleMetadata.kt:1 | 0.86 | |
AIC003
Duplicated implementation block across source files
packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/AssetCategory.kt:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/AuthConfig.kt:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/BatchCrawlResult.kt:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/BatchCrawlResults.kt:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/BatchCrawlStreamRequest.kt:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/BatchScrapeResult.kt:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/BatchScrapeResults.kt:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/BrowserBackend.kt:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/BrowserConfig.kt:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/BrowserExtras.kt:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/kotlin-android/src/main/kotlin/dev/kreuzberg/kreuzcrawl/android/BrowserMode.kt:1
· conf 0.86
Duplicated implementation block across source files
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
packages/python/kreuzcrawl/api.py:104
· conf 0.95
[COMP001] High cognitive complexity: Function `_to_rust_browser_config` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understa…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
packages/python/kreuzcrawl/api.py:136
· conf 0.95
[COMP001] High cognitive complexity: Function `_to_rust_crawl_config` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand…
DKR008
.dockerignore misses sensitive defaults
.dockerignore
· conf 0.72
.dockerignore misses sensitive defaults
ERR003
[ERR003] Ignored Error (Go): Ignoring error return values.
packages/zig/examples/example.zig:5
· conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
ERR003
[ERR003] Ignored Error (Go): Ignoring error return values.
test_apps/zig/src/markdown_test.zig:27
· conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
ERR003
[ERR003] Ignored Error (Go): Ignoring error return values.
test_apps/zig/src/metadata_test.zig:27
· conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
MINED003
Rust Unwrap In Prod
CWE-755
· conf 0.20
[MINED003] Rust Unwrap In Prod (and 16 more): Same pattern found in 16 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
· conf 0.20
[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
crates/kreuzcrawl/src/browser_session_pool.rs:209
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
crates/kreuzcrawl/src/html/links.rs:37
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
crates/kreuzcrawl/src/interact/native.rs:84
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
test_apps/wasm/setup.ts:33
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED046
Dart Print
CWE-532
packages/dart/example/kreuzcrawl_example.dart:4
· conf 1.00
[MINED046] Dart Print: print() in Flutter goes to console. Use debugPrint / logger.
MINED048
Php Error Suppress
CWE-755
· conf 0.20
[MINED048] Php Error Suppress (and 3 more): Same pattern found in 3 additional files. Review if needed.
MINED048
Php Error Suppress
CWE-755
packages/zig/build.zig:1
· conf 1.00
[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.
MINED048
Php Error Suppress
CWE-755
packages/zig/examples/example.zig:1
· conf 1.00
[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.
MINED048
Php Error Suppress
CWE-755
packages/zig/src/main.zig:2
· conf 1.00
[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.
MINED052
Ts Any Typed
CWE-704
test_apps/node/globalSetup.ts:9
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED054
Ts As Any
CWE-704
test_apps/node/globalSetup.ts:25
· conf 0.10
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED055
Npm Install No Lockfile
CWE-1357
scripts/ci/python/smoke-test-wheel.sh:13
· conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
MINED059
Rust Expect In Prod
CWE-755
· conf 0.20
[MINED059] Rust Expect In Prod (and 19 more): Same pattern found in 19 additional files. Review if needed.
MINED059
Rust Expect In Prod
CWE-755
crates/kreuzcrawl-browser/build.rs:22
· conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
MINED059
Rust Expect In Prod
CWE-755
crates/kreuzcrawl-browser/src/dom/tree_sink.rs:66
· conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
MINED059
Rust Expect In Prod
CWE-755
crates/kreuzcrawl-browser/src/net/wreq_client.rs:42
· conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
MINED066
Rust Panic Macro
CWE-755
crates/kreuzcrawl-browser/src/dom/tree_sink.rs:69
· conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
MINED066
Rust Panic Macro
CWE-755
crates/kreuzcrawl/src/waf/tests.rs:221
· conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
MINED066
Rust Panic Macro
CWE-755
packages/dart/rust/build.rs:38
· conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
MINED068
Rust Unsafe Block
CWE-119
crates/kreuzcrawl-browser/src/dom/tree_sink.rs:22
· conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
MINED070
Zig Undefined Init
test_apps/zig/build.zig:34
· conf 1.00
[MINED070] Zig Undefined Init: var x: T = undefined leaves memory uninitialized. Often a foot-gun.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 25 more): Same pattern found in 25 additional files. Review if needed.
SEC134
AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
· conf 0.20
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code (and 1 more): Same pattern found in 1 additional file. Review if needed.