modu-ai/moai-adk

https://github.com/modu-ai/moai-adk · lang: go · LOC: · source: both

Quality: 87.8 (Grade A-)
Security: 100.0
Findings: 99 (9 critical · 43 high)
Status: completed · May 31, 2026 01:24
By severity: critical: 9 · high: 43 · medium: 15 · low: 13 · info: 19
Top rules by occurrence
Rule · Severity · Count
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) high 25
AIC003 Duplicated implementation block across source files low 9
SEC112 Go html/template bypass — text/template used for HTML outpu… medium 4
SEC085 JS: child_process.exec with non-literal high 4
SEC093 Go: exec.Command with non-literal high 4
SEC045 eval()/exec() on stored or user-supplied data medium 4
ERR003 [ERR003] Ignored Error (Go): Ignoring error return values. medium 4
MINED060 Go Context No Cancel info 4
MINED016 Go Error Ignored high 4
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… high 4
First 99 findings (severity-sorted)
critical MINED018 Unsafe Deserialization Pickle CWE-502
internal/hook/security/rules.go:199 · conf 1.00
[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/ci.yml:133 · conf 0.90
[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/claude-code-review.yml:48 · conf 0.90
[MINED116] Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLAUDE_CODE…
critical MINED123 Trojan Source bidi character in source (CVE-2021-42574) CWE-1007
docs-site/themes/hugo-geekdoc/static/js/2130-d110bcb1.chunk.min.js:1 · conf 0.90
[MINED123] Trojan Source bidi character (LRE) in source: Line 1 contains a Unicode bidirectional override character (U+202A LRE). This is the 'Trojan Source' attack (CVE-2021-42574): the character ma…
critical MINED123 Trojan Source bidi character in source (CVE-2021-42574) CWE-1007
docs-site/themes/hugo-geekdoc/static/js/katex-d2f1bcae.bundle.min.js:1 · conf 0.90
[MINED123] Trojan Source bidi character (LRE) in source: Line 1 contains a Unicode bidirectional override character (U+202A LRE). This is the 'Trojan Source' attack (CVE-2021-42574): the character ma…
critical SEC079 Python: yaml.load without SafeLoader
internal/hook/security/rules.go:200 · conf 1.00
[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-…
critical SEC081 Python: pickle.loads / marshal.loads on untrusted data
internal/hook/security/rules.go:199 · conf 1.00
[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
critical SEC084 JS: require() with non-literal
internal/hook/security/rules.go:192 · conf 1.00
[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
critical SEC116 Ruby YAML.load / Marshal.load on untrusted input
internal/hook/security/rules.go:200 · conf 1.00
[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes — direct RCE on untrusted input. `unsafe_load` is even more dang…
high MINED012 Curl Pipe Bash CWE-494
internal/update/updater.go:299 · conf 1.00
[MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
high MINED016 Go Error Ignored CWE-754
internal/bodp/audit_trail.go:58 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED016 Go Error Ignored CWE-754
internal/cli/astgrep.go:196 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED016 Go Error Ignored CWE-754
internal/cli/doctor_permission.go:160 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED033 Go Recover Without Log CWE-755
internal/hook/trace/writer.go:66 · conf 1.00
[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:39 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:80 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:85 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:129 · conf 0.90
[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v6`: `uses: codecov/codecov-action@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:172 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:177 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/claude-code-review.yml:19 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/codeql.yml:30 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/codeql.yml:80 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/codeql.yml:83 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/codeql.yml:89 · conf 0.90
[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/codeql.yml:94 · conf 0.90
[MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v4`: `uses: github/codeql-action/autobuild@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the acti…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/codeql.yml:97 · conf 0.90
[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action o…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-i18n-check.yml:53 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-i18n-check.yml:99 · conf 0.90
[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-i18n-check.yml:165 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/label-sync.yml:42 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/label-sync.yml:45 · conf 0.90
[MINED115] Action `EndBug/label-sync` pinned to mutable ref `@v2`: `uses: EndBug/label-sync@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-pr-multi-os.yml:52 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release-pr-multi-os.yml:57 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-install.yml:37 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-install.yml:72 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-install.yml:121 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-install.yml:167 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/test-install.yml:202 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high SEC006 XSS Risk
internal/hook/security/rules.go:143 · conf 1.00
[SEC006] XSS Risk: Direct HTML injection without sanitization.
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
docs-site/api/i18n-detect.ts:109 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
internal/cli/wizard/types.go:27 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
internal/cli/worktree/project.go:31 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC085 JS: child_process.exec with non-literal
internal/cli/cc.go:27 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
internal/cli/cg.go:27 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
internal/github/issue_closer.go:124 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC093 Go: exec.Command with non-literal
internal/cli/astgrep.go:214 · conf 1.00
[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
high SEC093 Go: exec.Command with non-literal
internal/cli/branch_protection.go:69 · conf 1.00
[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
high SEC093 Go: exec.Command with non-literal
internal/cli/worktree/guard.go:285 · conf 1.00
[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
high SEC100 CORS permissive Access-Control-Allow-Origin: *
internal/hook/security/rules.go:218 · conf 1.00
[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
high SEC114 path.join / Path() on user-controlled segment without containment check
internal/hook/instructions_loaded.go:46 · conf 1.00
[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
internal/lsp/gopls/handler.go:49 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AGT007 localStorage write failures are swallowed silently
.moai/design/SPEC-V3R3-CLI-TUI-001/source/project/design-canvas.jsx:270 · conf 0.80
localStorage write failures are swallowed silently
medium AGT015 Remote install command pipes network code directly to a shell
.moai/marketing/blog-posts/okky-ko.md:158 · conf 0.70
Remote install command pipes network code directly to a shell
medium AGT015 Remote install command pipes network code directly to a shell
.moai/marketing/blog-posts/velog-ko.md:59 · conf 0.70
Remote install command pipes network code directly to a shell
medium SEC005 Command Injection Risk
internal/hook/security/rules.go:181 · conf 0.50
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
medium SEC007 Unsafe Deserialization
internal/hook/security/rules.go:199 · conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
medium SEC045 eval()/exec() on stored or user-supplied data
internal/cli/cc.go:27 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
internal/cli/cg.go:27 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
internal/github/issue_closer.go:124 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC087 JS: weak Math.random for crypto
.moai/brain/IDEA-002/claude-design-handoff/project/overlays.jsx:152 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium SEC112 Go html/template bypass — text/template used for HTML output, or template.HTML on user input
internal/cli/astgrep.go:164 · conf 1.00
[SEC112] Go html/template bypass — text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using…
medium SEC112 Go html/template bypass — text/template used for HTML output, or template.HTML on user input
internal/cli/doctor_hook.go:102 · conf 1.00
[SEC112] Go html/template bypass — text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using…
medium SEC112 Go html/template bypass — text/template used for HTML output, or template.HTML on user input
internal/cli/doctor_sandbox.go:141 · conf 1.00
[SEC112] Go html/template bypass — text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using…
medium SEC119 World-writable / world-readable file permissions
internal/update/rollback.go:53 · conf 1.00
[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.
medium SEC119 World-writable / world-readable file permissions
internal/update/updater.go:138 · conf 1.00
[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.
medium SEC123 Production stack trace / debug output exposed
internal/hook/security/rules.go:208 · conf 1.00
[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page w…
low AIC002 Source file name looks like an AI patch artifact
internal/hook/auto_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC003 Duplicated implementation block across source files
internal/cli/migrate_agency_disk_windows.go:30 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
internal/design/dtcg/categories/typography.go:10 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
internal/harness/retention.go:63 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
internal/harness/tier/tier.go:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
internal/hook/user_prompt_submit.go:69 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
internal/loop/storage.go:68 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
internal/lsp/aggregator/aggregator.go:173 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
internal/lsp/hook/tracker.go:123 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
.moai/scripts/status-drift-cleanup.go:110 · conf 0.86
Duplicated implementation block across source files
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
internal/astgrep/rules.go:36 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
internal/ciwatch/state.go:57 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
internal/cli/astgrep.go:130 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
info ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
· conf 0.20
[ERR003] Ignored Error (Go) (and 117 more): Same pattern found in 117 additional files. Review if needed.
info MINED016 Go Error Ignored CWE-754
· conf 0.20
[MINED016] Go Error Ignored (and 13 more): Same pattern found in 13 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
docs-site/scripts/fix-mdx-formatting.js:70 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
docs-site/scripts/generate-favicons.js:27 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED056 React Key As Index CWE-682
.moai/brain/IDEA-002/claude-design-handoff/project/overlays.jsx:64 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED060 Go Context No Cancel CWE-401
· conf 0.20
[MINED060] Go Context No Cancel (and 23 more): Same pattern found in 23 additional files. Review if needed.
info MINED060 Go Context No Cancel CWE-401
internal/cli/astgrep.go:212 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
internal/cli/github.go:143 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
internal/cli/mcp.go:44 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED069 Debug True Prod CWE-489
internal/hook/security/rules.go:208 · conf 1.00
[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.
info MINED071 Go Panic Call CWE-755
internal/cli/harness_route.go:146 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED071 Go Panic Call CWE-755
internal/core/project/root.go:95 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED071 Go Panic Call CWE-755
internal/tui/progress_line.go:175 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED098 Global Scope Pollution
.moai/brain/IDEA-002/claude-design-handoff/project/app.jsx:35 · conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed.
info SEC045 eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 8 more): Same pattern found in 8 additional files. Review if needed.
info SEC085 JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed.
info SEC093 Go: exec.Command with non-literal
· conf 0.20
[SEC093] Go: exec.Command with non-literal (and 10 more): Same pattern found in 10 additional files. Review if needed.
info SEC112 Go html/template bypass — text/template used for HTML output, or template.HTML on user input
· conf 0.20
[SEC112] Go html/template bypass — text/template used for HTML output, or template.HTML on user input (and 10 more): Same pattern found in 10 additional files. Review if needed.