https://github.com/kaskydstoyey0u/whatsapp-webhook.git ·
lang: javascript ·
LOC: ·
source: user_submitted
| Rule | Severity | Count |
|---|---|---|
SEC135 Auth/permission check missing on AI-generated endpoint |
high | 1 |
CORE_NO_LICENSE No LICENSE file |
low | 1 |
AUC009 [AUC009] Sensitive function route lacks elevated authorizat… |
medium | 1 |
AUC005 [AUC005] No authorization-focused tests detected: No test f… |
low | 1 |
AUC001 [AUC001] No Repobility access matrix policy found: The repo… |
medium | 1 |
CFG006 [CFG006] Missing .gitignore: No .gitignore file. Risk of co… |
medium | 1 |
CORE_NO_CI No CI/CD configuration found |
medium | 1 |
MINED044 Js Console Log Prod |
info | 1 |
AUC002 [AUC002] Low visible authorization coverage in route invent… |
medium | 1 |
WEB003 Public web service has no security.txt |
medium | 1 |
CORE_NO_TESTS
No test files found
No test files foundMINED113
Express POST/PUT/DELETE/PATCH route without auth
CWE-306CWE-862
index.js:22
· conf 0.80
[MINED113] Express POST /webhook has no auth: Express route POST /webhook declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated rout…SEC135
Auth/permission check missing on AI-generated endpoint
index.js:22
· conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…AUC001
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.AUC002
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
index.js:9
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…CFG006
[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.CORE_NO_CI
No CI/CD configuration found
No CI/CD configuration foundWEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txtAUC005
[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.CORE_NO_LICENSE
No LICENSE file
No LICENSE fileMINED044
Js Console Log Prod
CWE-532
index.js:15
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/c1edb560-fa9f-40a6-83db-b76ecc3ebb74/.