https://github.com/prisma/prisma · lang: typescript · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| DKC013 Database service has no persistent data volume | medium | 17 |
| DKC007 Compose service contains a literal secret environment value | medium | 15 |
| DKC006 Compose service does not declare a runtime user | low | 11 |
| DKC010 Compose service lacks no-new-privileges hardening | low | 9 |
| DKC011 Database service publishes a host port | high | 8 |
| MINED122 package.json dep pulled from git URL or tarball | high | 5 |
| MINED054 Ts As Any | info | 4 |
| SEC084 JS: require() with non-literal | critical | 4 |
DKC007 Compose service contains a literal secret environment value
- docker/docker-compose.yml:5 · conf 0.96
- docker/docker-compose.yml:28 · conf 0.96
- docker/docker-compose.yml:51 · conf 0.96
- docker/docker-compose.yml:99 · conf 0.96
- docker/docker-compose.yml:116 · conf 0.96

DKC011 Database service publishes a host port
- docker/docker-compose.yml:51 · conf 0.84
- docker/docker-compose.yml:80 · conf 0.84
- docker/docker-compose.yml:99 · conf 0.84
- docker/docker-compose.yml:116 · conf 0.84
- docker/docker-compose.yml:133 · conf 0.84
- docker/docker-compose.yml:149 · conf 0.84
- docker/docker-compose.yml:163 · conf 0.84
- packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml:27 · conf 0.84

DKC013 Database service has no persistent data volume
- docker/docker-compose.yml:51 · conf 0.90
- docker/docker-compose.yml:80 · conf 0.90
- docker/docker-compose.yml:99 · conf 0.90
- docker/docker-compose.yml:116 · conf 0.90
- docker/docker-compose.yml:133 · conf 0.90
- docker/docker-compose.yml:149 · conf 0.90
- docker/docker-compose.yml:163 · conf 0.90
- packages/client/tests/e2e/connection-limit-reached/docker-compose.yaml:8 · conf 0.90
- packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml:27 · conf 0.90
- packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-pg/docker-compose.yaml:8 · conf 0.90
- packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml:11 · conf 0.90
- packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml:23 · conf 0.90
- packages/client/tests/e2e/mongodb-notablescan/docker-compose.yaml:8 · conf 0.90
- packages/client/tests/e2e/pg-global-type-parsers/docker-compose.yaml:8 · conf 0.90
- packages/client/tests/e2e/typed-sql/docker-compose.yaml:8 · conf 0.90

MINED032 Ts Nocheck Comment · CWE-704: // @ts-nocheck silences all type checking for entire file.
- packages/client-generator-ts/src/utils/addPreamble.ts:9 · conf 1.00
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829
- .github/workflows/auto-close-github-discussions.yml:18 · conf 0.90 · Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- .github/workflows/auto-close-github-discussions.yml:21 · conf 0.90 · Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- .github/workflows/auto-close-github-discussions.yml:26 · conf 0.90 · Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
- .github/workflows/bundle-size.yml:30 · conf 0.90 · Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- .github/workflows/bundle-size.yml:38 · conf 0.90 · Action `andresz1/size-limit-action` pinned to mutable ref `@v1`: `uses: andresz1/size-limit-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
- .github/workflows/codeql-analysis.yml:34 · conf 0.90 · Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- .github/workflows/codeql-analysis.yml:38 · conf 0.90 · Action `github/codeql-action/init` pinned to mutable ref `@v3`: `uses: github/codeql-action/init@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
- .github/workflows/codeql-analysis.yml:47 · conf 0.90 · Action `github/codeql-action/analyze` pinned to mutable ref `@v3`: `uses: github/codeql-action/analyze@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action o…
- .github/workflows/test.yml:48 · conf 0.90 · Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- .github/workflows/test.yml:68 · conf 0.90 · Action `peter-evans/find-comment` pinned to mutable ref `@v4`: `uses: peter-evans/find-comment@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; th…
- .github/workflows/test.yml:92 · conf 0.90 · Action `benc-uk/workflow-dispatch` pinned to mutable ref `@v1`: `uses: benc-uk/workflow-dispatch@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
- .github/workflows/test.yml:110 · conf 0.90 · Action `peter-evans/find-comment` pinned to mutable ref `@v4`: `uses: peter-evans/find-comment@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; th…
- .github/workflows/test.yml:117 · conf 0.90 · Action `peter-evans/create-or-update-comment` pinned to mutable ref `@v5`: `uses: peter-evans/create-or-update-comment@v5` resolves at workflow-run time. Tags and branches can be re-pushed…
- .github/workflows/test.yml:134 · conf 0.90 · Action `peter-evans/create-or-update-comment` pinned to mutable ref `@v5`: `uses: peter-evans/create-or-update-comment@v5` resolves at workflow-run time. Tags and branches can be re-pushed…
- .github/workflows/update-engines-version.yml:29 · conf 0.90 · Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- .github/workflows/update-engines-version.yml:31 · conf 0.90 · Action `pnpm/action-setup` pinned to mutable ref `@v4.0.0`: `uses: pnpm/action-setup@v4.0.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
- .github/workflows/update-engines-version.yml:33 · conf 0.90 · Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
- .github/workflows/update-engines-version.yml:65 · conf 0.90 · Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- .github/workflows/update-engines-version.yml:74 · conf 0.90 · Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- .github/workflows/update-engines-version.yml:83 · conf 0.90 · Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- .github/workflows/update-engines-version.yml:92 · conf 0.90 · Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- .github/workflows/update-engines-version.yml:102 · conf 0.90 · Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
- .github/workflows/update-engines-version.yml:115 · conf 0.90 · Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the ac…
- .github/workflows/update-engines-version.yml:149 · conf 0.90 · Action `juliangruber/approve-pull-request-action` pinned to mutable ref `@v2`: `uses: juliangruber/approve-pull-request-action@v2` resolves at workflow-run time. Tags and branches can be r…
- .github/workflows/update-engines-version.yml:163 · conf 0.90 · Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the ac…
MINED118 Dockerfile FROM not pinned by sha256 digest · CWE-829
- docker/planetscale_proxy/Dockerfile:1 · conf 0.90 · Dockerfile FROM `ghcr.io/mattrobenolt/ps-http-sim:v0.0.11` not pinned by digest: `FROM ghcr.io/mattrobenolt/ps-http-sim:v0.0.11` resolves the tag at build time. The registry CAN re-push a …
- docker/planetscale_proxy/Dockerfile:5 · conf 0.90 · Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is po…
- packages/client/tests/e2e/_utils/standard.dockerfile:1 · conf 0.90 · Dockerfile FROM `node:20.19` not pinned by digest: `FROM node:20.19` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentia…

MINED122 package.json dep pulled from git URL or tarball · CWE-829
- packages/client/tests/e2e/prisma-client-imports-mysql/package.json:1 · conf 0.90 · package.json dep `db` pulled from URL/Git: `dependencies.db` = `link:custom` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git …
- packages/client/tests/e2e/prisma-client-imports-postgres/package.json:1 · conf 0.90 · package.json dep `db` pulled from URL/Git: `dependencies.db` = `link:custom` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git …
- packages/client/tests/e2e/prisma-client-imports-sqlite/package.json:1 · conf 0.90 · package.json dep `db` pulled from URL/Git: `dependencies.db` = `link:custom` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git …
- packages/client/tests/e2e/prisma-init-bun/package.json:1 · conf 0.90 · package.json dep `prisma` pulled from URL/Git: `devDependencies.prisma` = `file:/tmp/prisma-0.0.0.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side sc…
- sandbox/d1/package.json:1 · conf 0.90 · package.json dep `db` pulled from URL/Git: `dependencies.db` = `link:./node_modules/.prisma/client` bypasses the npm registry. No integrity hash, no version locking, no registry-side scann…

SEC013 Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
- packages/client/src/runtime/highlight/languages/sql.ts:22 · conf 0.80
- packages/internals/src/highlight/languages/sql.ts:22 · conf 0.80

SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
- packages/adapter-mariadb/src/mariadb.ts:227 · conf 1.00
- packages/adapter-planetscale/src/planetscale.ts:205 · conf 1.00
- packages/cli/src/SubCommand.ts:125 · conf 1.00

SEC040 innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
- eslint-local-rules/valid-exported-types-index.ts:24 · conf 1.00
- packages/cli/scripts/preinstall.ts:39 · conf 1.00
- packages/cli/src/platform/_lib/help.ts:12 · conf 1.00

SEC083 JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
- packages/client/src/runtime/utils/createErrorMessageWithContext.ts:132 · conf 1.00
- packages/cli/src/utils/prompt/utils/deepExtend.ts:42 · conf 1.00
- packages/get-platform/src/test-utils/jestSnapshotSerializer.js:39 · conf 1.00

SEC085 JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
- helpers/compile/plugins/replaceWithPlugin.ts:31 · conf 1.00
- packages/adapter-better-sqlite3/src/better-sqlite3.ts:186 · conf 1.00
- packages/adapter-d1/src/d1-worker.ts:172 · conf 1.00

SEC100 CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
- packages/cli/src/studio-server.ts:47 · conf 1.00

SEC128 Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
- eslint-local-rules/valid-exported-types-index.ts:26 · conf 1.00
- packages/cli/src/studio-server.ts:42 · conf 1.00
- packages/fetch-engine/src/getHash.ts:11 · conf 1.00

AGT015 Remote install command pipes network code directly to a shell
- CONTRIBUTING.md:35 · conf 0.70

AUC001 No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
- (repository-wide) · conf 0.92
DKC007 Compose service contains a literal secret environment value
- packages/client/tests/e2e/connection-limit-reached/docker-compose.yaml:8 · conf 0.56
- packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml:27 · conf 0.56
- packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-pg/docker-compose.yaml:8 · conf 0.56
- packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml:11 · conf 0.56
- packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml:23 · conf 0.56
- packages/client/tests/e2e/pg-global-type-parsers/docker-compose.yaml:8 · conf 0.56
- packages/client/tests/e2e/pg-self-signed-cert-error/docker-compose.yaml:8 · conf 0.56
- packages/client/tests/e2e/typed-sql/docker-compose.yaml:8 · conf 0.56

DKC013 Database service has no persistent data volume
- docker/docker-compose.yml:5 · conf 0.74
- docker/docker-compose.yml:183 · conf 0.74

DKC016 App service does not wait for database health
- docker/docker-compose.yml:244 · conf 0.86
- packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml:9 · conf 0.86

DKR001 Docker final stage has no non-root USER
- docker/mongodb_replica/Dockerfile:3 · conf 0.82
- docker/planetscale_proxy/Dockerfile:5 · conf 0.82
- docker/postgres_ext/Dockerfile:2 · conf 0.82

DKR003 Dockerfile base image uses the latest tag
- docker/docker-compose.yml:226 · conf 0.94 · Compose service `neon_wsproxy` image uses the latest tag
- docker/planetscale_proxy/Dockerfile:5 · conf 0.94 · Dockerfile base image uses the latest tag
- packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml:9 · conf 0.94 · Compose service `neon_wsproxy` image uses the latest tag

DKR018 Database dump or local database file is included in Docker build context
- .dockerignore · conf 0.86

ERR002 Empty Catch Block: Empty catch blocks hide errors.
- packages/cli/src/utils/printUpdateMessage.ts:33 · conf 1.00

SEC045 eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
- helpers/compile/plugins/replaceWithPlugin.ts:31 · conf 1.00
- packages/adapter-better-sqlite3/src/better-sqlite3.ts:186 · conf 1.00
- packages/adapter-d1/src/d1-worker.ts:172 · conf 1.00

SEC125 AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pullin…
- packages/cli/src/postgres/link/Link.ts:155 · conf 1.00
- packages/cli/src/postgres/PostgresCommand.ts:29 · conf 1.00

SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
- packages/type-benchmark-tests/basic/basic.bench.ts:115 · conf 1.00

SEC136 AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
- packages/client/src/runtime/utils/SourceFileSlice.ts:23 · conf 1.00
- packages/cli/src/Generate.ts:363 · conf 1.00
- packages/fetch-engine/src/utils.ts:27 · conf 1.00
AIC003 Duplicated implementation block across source files
- packages/adapter-d1/src/conversion.ts:54 · conf 0.86
- packages/adapter-d1/src/d1-worker.ts:77 · conf 0.86
- packages/adapter-libsql/src/conversion.ts:6 · conf 0.86
- packages/adapter-libsql/src/conversion.ts:119 · conf 0.86
- packages/adapter-libsql/src/errors.ts:53 · conf 0.86
- packages/adapter-libsql/src/libsql.ts:7 · conf 0.86
- packages/adapter-mssql/src/conversion.ts:99 · conf 0.86
- packages/adapter-mssql/src/mssql.ts:1 · conf 0.86
- packages/adapter-neon/src/conversion.ts:333 · conf 0.86
- packages/adapter-pg/src/conversion.ts:10 · conf 0.86
- packages/adapter-pg/src/conversion.ts:341 · conf 0.86
- packages/adapter-pg/src/errors.ts:44 · conf 0.86
- packages/adapter-pg/src/pg.ts:30 · conf 0.86
- packages/adapter-planetscale/src/conversion.ts:127 · conf 0.86
- packages/adapter-planetscale/src/conversion.ts:129 · conf 0.86
- packages/adapter-planetscale/src/errors.ts:92 · conf 0.86
- packages/adapter-planetscale/src/planetscale.ts:2 · conf 0.86
- packages/adapter-ppg/src/conversion.ts:121 · conf 0.86
- packages/adapter-ppg/src/errors.ts:3 · conf 0.86
- packages/bundle-size/da-workers-libsql/index.js:2 · conf 0.86
- packages/client-engine-runtime/bench/sample-query-plans.ts:53 · conf 0.86
- packages/client-generator-ts/src/GenericsArgsInfo.ts:1 · conf 0.86
- packages/client-generator-ts/src/TSClient/Args.ts:9 · conf 0.86
- packages/client-generator-ts/src/TSClient/Count.ts:11 · conf 0.86
- packages/client-generator-ts/src/TSClient/Input.ts:11 · conf 0.86
- packages/client-generator-ts/src/TSClient/Model.ts:18 · conf 0.86
- packages/client-generator-ts/src/TSClient/Output.ts:13 · conf 0.86
- packages/client-generator-ts/src/TSClient/Payload.ts:2 · conf 0.86
- packages/client-generator-ts/src/TSClient/PrismaClient.ts:20 · conf 0.86
- packages/cli/src/Validate.ts:50 · conf 0.86
AIC009
Multiple AI-agent scaffold marker files are present
AGENTS.md:1
· conf 0.68
Multiple AI-agent scaffold marker files are present
DKC006
Compose service does not declare a runtime user
docker/docker-compose.yml:5
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
docker/docker-compose.yml:28
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
docker/docker-compose.yml:66
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
docker/docker-compose.yml:149
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
docker/docker-compose.yml:183
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
docker/docker-compose.yml:206
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
docker/docker-compose.yml:226
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
docker/docker-compose.yml:244
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml:9
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
packages/client/tests/e2e/pg-self-signed-cert-error/docker-compose.yaml:8
· conf 0.56
Compose service does not declare a runtime user
DKC006
Compose service does not declare a runtime user
packages/client/tests/e2e/_utils/docker-compose.yaml:1
· conf 0.56
Compose service does not declare a runtime user
DKC010
Compose service lacks no-new-privileges hardening
docker/docker-compose.yml:28
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC010
Compose service lacks no-new-privileges hardening
docker/docker-compose.yml:66
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC010
Compose service lacks no-new-privileges hardening
docker/docker-compose.yml:149
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC010
Compose service lacks no-new-privileges hardening
docker/docker-compose.yml:206
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC010
Compose service lacks no-new-privileges hardening
docker/docker-compose.yml:226
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC010
Compose service lacks no-new-privileges hardening
docker/docker-compose.yml:244
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC010
Compose service lacks no-new-privileges hardening
packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml:9
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC010
Compose service lacks no-new-privileges hardening
packages/client/tests/e2e/pg-self-signed-cert-error/docker-compose.yaml:8
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC010
Compose service lacks no-new-privileges hardening
packages/client/tests/e2e/_utils/docker-compose.yaml:1
· conf 0.62
Compose service lacks no-new-privileges hardening
DKR008
.dockerignore misses sensitive defaults
.dockerignore
· conf 0.72
.dockerignore misses sensitive defaults
DKR011
Dockerfile installs recommended OS packages
docker/postgres_ext/Dockerfile:8
· conf 0.72
Dockerfile installs recommended OS packages
SEC022
Database URL With Embedded Credential
.github/workflows/scripts/setup-postgres.sh:24
· conf 0.20
[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working c…
DKR002
Dockerfile base image has no explicit tag
docker/mongodb_replica/Dockerfile:3
· conf 0.48
Dockerfile base image is selected through a build variable
DKR002
Dockerfile base image has no explicit tag
docker/postgres_ext/Dockerfile:2
· conf 0.48
Dockerfile base image is selected through a build variable
MINED043
Http Not Https
CWE-319
packages/cli/src/management-api/auth.ts:36
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
packages/cli/src/studio-server.ts:62
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
packages/fetch-engine/src/getProxyAgent.ts:99
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 64 more): Same pattern found in 64 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
.github/workflows/scripts/auto-close-github-discussions.js:7
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
.github/workflows/scripts/detect-jobs-to-run.js:9
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
helpers/compile/build.ts:149
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed.
MINED045
Ts Non Null Assertion
CWE-476
helpers/blaze/omit.ts:13
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
packages/adapter-planetscale/src/planetscale.ts:240
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
packages/client-engine-runtime/src/interpreter/in-memory-processing.ts:91
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED052
Ts Any Typed
CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 56 more): Same pattern found in 56 additional files. Review if needed.
MINED052
Ts Any Typed
CWE-704
helpers/blaze/map.ts:41
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
helpers/blaze/omit.ts:29
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
helpers/blaze/pick.ts:29
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED054
Ts As Any
CWE-704
· conf 0.20
[MINED054] Ts As Any (and 24 more): Same pattern found in 24 additional files. Review if needed.
MINED054
Ts As Any
CWE-704
helpers/blaze/concat.ts:17
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
helpers/blaze/flatten.ts:20
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
helpers/blaze/get.ts:4
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
SEC020
Secret Printed to Logs
.github/workflows/scripts/auto-close-github-discussions.js:18
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
packages/migrate/src/bin.ts:83
· conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 15 more): Same pattern found in 15 additional files. Review if needed.
SEC040
innerHTML XSS — template literal with server-supplied data
· conf 0.20
[SEC040] innerHTML XSS — template literal with server-supplied data (and 20 more): Same pattern found in 20 additional files. Review if needed.
SEC045
eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 13 more): Same pattern found in 13 additional files. Review if needed.
SEC083
JS: new RegExp() with non-literal
· conf 0.20
[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.
SEC084
JS: require() with non-literal
· conf 0.20
[SEC084] JS: require() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed.
SEC085
JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
· conf 0.20
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. Review if needed.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
helpers/compile/plugins/fill-plugin/fillers/crypto.ts:4
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
packages/adapter-d1/src/d1-http.ts:338
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
packages/adapter-pg/src/pg.ts:328
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed.
SEC136
AI-typical over-broad exception handler swallowing all errors
· conf 0.20
[SEC136] AI-typical over-broad exception handler swallowing all errors (and 1 more): Same pattern found in 1 additional files. Review if needed.