
bubkoo/html-to-image

https://github.com/bubkoo/html-to-image · lang: typescript · LOC: · source: user_submitted

Quality
88.2
Grade A-
Security
92.8
Findings
49
0 critical · 32 high
Status
completed
May 31, 2026 01:26
high: 32 info: 10 medium: 4 low: 3
Top rules by occurrence
Rule · Severity · Count
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · high · 25
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… · high · 4
SEC045 eval()/exec() on stored or user-supplied data · medium · 3
SEC085 JS: child_process.exec with non-literal · high · 3
MINED052 Ts Any Typed · info · 2
MINED044 Js Console Log Prod · info · 2
MINED043 Http Not Https · info · 2
MINED054 Ts As Any · info · 2
MINED045 Ts Non Null Assertion · info · 1
AUC001 No Repobility access matrix policy found: The repo… · medium · 1
First 49 findings (severity-sorted)
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:17 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:20 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:25 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:37 · conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v3`: `uses: actions/cache@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:54 · conf 0.90
[MINED115] Action `wow-actions/use-app-token` pinned to mutable ref `@v2`: `uses: wow-actions/use-app-token@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/codeql.yml:27 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/codeql.yml:30 · conf 0.90
[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v2`: `uses: github/codeql-action/init@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/codeql.yml:36 · conf 0.90
[MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v2`: `uses: github/codeql-action/autobuild@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the acti…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/codeql.yml:39 · conf 0.90
[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v2`: `uses: github/codeql-action/analyze@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action o…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/label-commands.yml:11 · conf 0.90
[MINED115] Action `bubkoo/use-app-token` pinned to mutable ref `@v1`: `uses: bubkoo/use-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/label-commands.yml:16 · conf 0.90
[MINED115] Action `bubkoo/label-commands` pinned to mutable ref `@v1`: `uses: bubkoo/label-commands@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/needs-more-info.yml:11 · conf 0.90
[MINED115] Action `bubkoo/use-app-token` pinned to mutable ref `@v1`: `uses: bubkoo/use-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/needs-more-info.yml:16 · conf 0.90
[MINED115] Action `bubkoo/needs-more-info` pinned to mutable ref `@v1`: `uses: bubkoo/needs-more-info@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/pr-label-patch-size.yml:7 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/pr-label-patch-size.yml:8 · conf 0.90
[MINED115] Action `bubkoo/use-app-token` pinned to mutable ref `@v1`: `uses: bubkoo/use-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/pr-label-patch-size.yml:13 · conf 0.90
[MINED115] Action `pascalgn/size-label-action` pinned to mutable ref `@v0.1.1`: `uses: pascalgn/size-label-action@v0.1.1` resolves at workflow-run time. Tags and branches can be re-pushed by the acti…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/pr-label-status.yml:11 · conf 0.90
[MINED115] Action `bubkoo/use-app-token` pinned to mutable ref `@v1`: `uses: bubkoo/use-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/pr-label-status.yml:16 · conf 0.90
[MINED115] Action `bubkoo/pr-triage` pinned to mutable ref `@v1`: `uses: bubkoo/pr-triage@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/pr-label-title-body.yml:14 · conf 0.90
[MINED115] Action `bubkoo/use-app-token` pinned to mutable ref `@v1`: `uses: bubkoo/use-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/pr-label-title-body.yml:19 · conf 0.90
[MINED115] Action `Naturalclar/issue-action` pinned to mutable ref `@v2.0.1`: `uses: Naturalclar/issue-action@v2.0.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action o…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/update-authors.yml:12 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/update-authors.yml:15 · conf 0.90
[MINED115] Action `bubkoo/use-app-token` pinned to mutable ref `@v1`: `uses: bubkoo/use-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/update-authors.yml:20 · conf 0.90
[MINED115] Action `bubkoo/update-authors` pinned to mutable ref `@v1`: `uses: bubkoo/update-authors@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/update-contributors.yml:14 · conf 0.90
[MINED115] Action `bubkoo/use-app-token` pinned to mutable ref `@v1`: `uses: bubkoo/use-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/update-contributors.yml:19 · conf 0.90
[MINED115] Action `bubkoo/contributors-list` pinned to mutable ref `@v1`: `uses: bubkoo/contributors-list@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; th…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/clone-node.ts:33 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/dataurl.ts:3 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/embed-images.ts:44 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC083 JS: new RegExp() with non-literal
src/embed-webfonts.ts:83 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
src/embed-resources.ts:60 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
src/embed-webfonts.ts:69 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
src/mimes.ts:18 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
medium AUC001 No Repobility access matrix policy found
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium SEC045 eval()/exec() on stored or user-supplied data
src/embed-resources.ts:60 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
src/embed-webfonts.ts:69 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
src/mimes.ts:18 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
low AUC005 No authorization-focused tests detected
· conf 0.76
[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low SEC006 XSS Risk
src/clone-node.ts:168 · conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
low WEB005 robots.txt does not advertise a sitemap
pnpm-lock.yaml · conf 0.74
robots.txt does not advertise a sitemap
info MINED043 Http Not Https CWE-319
src/clone-node.ts:229 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
src/util.ts:226 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
src/dataurl.ts:105 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
src/embed-webfonts.ts:131 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
src/embed-images.ts:44 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED052 Ts Any Typed CWE-704
src/apply-style.ts:23 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
src/util.ts:58 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
src/clone-node.ts:178 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
src/embed-images.ts:70 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed.
