tryghost/ghost

https://github.com/TryGhost/Ghost.git · lang: javascript · LOC: · source: user_submitted

Quality: 80.2 (Grade A-)
Security: 100.0
Findings: 52 (0 critical · 9 high)
Status: completed · May 17, 2026 19:44
Severity breakdown: low 31 · medium 12 · high 9
Top rules by occurrence
Rule · Severity · Count
AIC003 Duplicated implementation block across source files · low · 23
DKR001 Docker final stage has no non-root USER · medium · 4
SEC027 XML External Entity (XXE) — Node.js xml parsers · high · 3
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… · high · 3
WEB012 Service worker is present without a web app manifest · medium · 1
AUC001 [AUC001] No Repobility access matrix policy found: The repo… · medium · 1
AIC005 Duplicate top-level symbol appears in a patch-style file · low · 1
SEC015 Insecure Randomness for Security · medium · 1
SEC006 XSS Risk · high · 1
ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. · medium · 1
First 52 findings (severity-sorted)
high SEC006 XSS Risk
ghost/admin/app/components/gh-html-iframe.js:23 · conf 1.00
[SEC006] XSS Risk: Direct HTML injection without sanitization.
high SEC013 Path Traversal — User Input in File Path
apps/activitypub/src/views/inbox/components/inbox-list.tsx:42 · conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
high SEC027 XML External Entity (XXE) — Node.js xml parsers
apps/admin-x-design-system/src/global/form/html-editor.tsx:28 · conf 1.00
[SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs.
high SEC027 XML External Entity (XXE) — Node.js xml parsers
apps/admin-x-settings/src/components/settings/membership/member-emails/use-welcome-email-preview.ts:33 · conf 1.00
[SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs.
high SEC027 XML External Entity (XXE) — Node.js xml parsers
apps/admin-x-settings/src/components/settings/site/announcement-bar/announcement-bar-preview.tsx:49 · conf 1.00
[SEC027] XML External Entity (XXE) — Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs.
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
apps/activitypub/src/api/activitypub.ts:533 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
apps/activitypub/src/components/global/ap-avatar.tsx:101 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
apps/activitypub/src/components/modals/new-note-modal.tsx:175 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC033 Prototype Pollution — unfiltered merge of user object
ghost/core/core/frontend/services/data/fetch-data.js:50 · conf 1.00
[SEC033] Prototype Pollution — unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject propert…
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium DKR001 Docker final stage has no non-root USER
docker/dev-gateway/Dockerfile:1 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
docker/ghost-dev/Dockerfile:6 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
docker/tb-cli/Dockerfile:1 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
e2e/Dockerfile.e2e:12 · conf 0.82
Docker final stage has no non-root USER
medium DKR014 Dockerfile copies the entire context without .dockerignore
Dockerfile.production:28 · conf 0.76
Dockerfile copies broad context with incomplete .dockerignore
medium DKR017 Dockerfile installs dependencies after copying the full source tree
Dockerfile.production:32 · conf 0.90
Dockerfile installs dependencies after copying the full source tree
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
ghost/admin/app/components/gh-billing-iframe.js:131 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium SEC015 Insecure Randomness for Security
apps/shade/src/components/patterns/filters.tsx:2694 · conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78
Public web service has no security.txt
medium WEB012 Service worker is present without a web app manifest
manifest.json · conf 0.72
Service worker is present without a web app manifest
medium WEB015 Public web app has no Content Security Policy
index.html · conf 0.70
Public web app has no Content Security Policy
low AIC002 Source file name looks like an AI patch artifact
apps/admin/src/whats-new/hooks/use-whats-new.ts:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/components/global/ap-avatar.tsx:69 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/utils/posts.ts:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/explore/explore.tsx:27 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/inbox/components/inbox-list.tsx:41 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/inbox/components/reader.tsx:396 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/notifications/notifications.tsx:143 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/notifications/notifications.tsx:187 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/preferences/components/edit-profile.tsx:89 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/profile/components/actor-list.tsx:32 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/profile/components/actor-list.tsx:34 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/profile/components/likes.tsx:25 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/profile/components/posts.tsx:22 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/profile/components/posts.tsx:27 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/activitypub/src/views/profile/components/profile-page.tsx:90 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/admin-x-design-system/src/global/modal/preview-modal.tsx:98 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/admin-x-framework/src/vite.ts:65 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/admin-x-framework/vite.config.ts:33 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/admin-x-settings/src/components/settings/advanced/integrations/transistor-modal.tsx:61 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/admin-x-settings/src/components/settings/advanced/integrations/unsplash-modal.tsx:23 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/admin-x-settings/src/components/settings/advanced/integrations/zapier-modal.tsx:45 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/admin-x-settings/src/components/settings/advanced/migration-tools/universal-import-modal.tsx:28 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/admin-x-settings/src/components/settings/email-design/design-fields/heading-font-field.tsx:14 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
apps/admin-x-settings/src/components/settings/email-design/design-fields/link-color-field.tsx:5 · conf 0.86
Duplicated implementation block across source files
low AIC005 Duplicate top-level symbol appears in a patch-style file
ghost/admin/app/components/gh-post-settings-menu/option-or-alt.js:1 · conf 0.64
Duplicate top-level symbol appears in a patch-style file
low DKR008 .dockerignore misses sensitive defaults
.dockerignore · conf 0.72
.dockerignore misses sensitive defaults
low DKR011 Dockerfile installs recommended OS packages
docker/ghost-dev/Dockerfile:9 · conf 0.72
Dockerfile installs recommended OS packages
low WEB001 Public web app has no robots.txt
robots.txt · conf 0.74
Public web app has no robots.txt
low WEB002 Public web app has no sitemap
sitemap.xml · conf 0.72
Public web app has no sitemap
low WEB008 Public docs site has no llms.txt
llms.txt · conf 0.64
Public docs site has no llms.txt
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50
Public web app has no humans.txt