https://github.com/vm0-ai/vm0 · lang: typescript · LOC: · source: both
| Rule | Severity | Count |
|---|---|---|
| MINED126 GHA workflow container/services image unpinned | high | 25 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| MINED108 `self.attribute` used but never assigned in `__init__` | high | 25 |
| MINED116 GHA pull_request workflow leaks secrets to forks | critical | 25 |
| MINED106 Phantom test coverage (assertion-free test) | high | 25 |
| AIC003 Duplicated implementation block across source files | low | 18 |
| JRN003 Frontend API reference is not matched by discovered backend… | medium | 15 |
| DKR011 Dockerfile installs recommended OS packages | low | 7 |
| MINED068 Rust Unsafe Block | info | 4 |
| MINED045 Ts Non Null Assertion | info | 4 |
AUC003 · Object-level route lacks visible authorization · turbo/apps/web/app/f/[userId]/[id]/[filename]/route.ts:45 · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
Note: the Endpoint string is a generic placeholder and does not describe the cited file, which under the Next.js app router serves /f/{userId}/{id}/{filename}. What to look for in the handler is a check that the requested object belongs to the authenticated session; comparing against the userId path segment alone is not that check, because the caller chooses the path.
DKR006 · Dockerfile pipes a remote script into a shell · docker/toolchain/Dockerfile:19, docker/toolchain/Dockerfile:49 · conf 0.92
Dockerfile pipes a remote script into a shell. A `curl … | sh` step executes whatever the remote host serves at build time and leaves no record of what ran, so the toolchain image's contents depend on that server's state on the day of the build. Download the installer to a file, verify it against a checksum or signature committed in the repo, pin the installer version, and only then execute it.
JRN004 · Consent is collected in UI without visible backend audit persistence · turbo/apps/api/src/signals/services/zero-runs-create.service.ts:224 · conf 0.78
Consent is collected in UI without visible backend audit persistence.
JRN009 · Secret-like setting is echoed into a password input value · turbo/apps/platform/src/views/device-bb0/bb0-device-page.tsx:246 · conf 0.83
Secret-like setting is echoed into a password input value. A password input only masks the value visually; it is still present in the DOM, the page source and DevTools, and anyone with the page open can read it. Render a placeholder for an existing secret and only accept a replacement value on change.
MINED003 · Rust Unwrap In Prod · CWE-755 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.

| Location |
|---|
| crates/ably-subscriber/src/connection/endpoint.rs:109 |
| crates/agent-diagnostics/src/lib.rs:273 |
| crates/guest-agent/src/complete.rs:105 |

Note: where the unwrapped value derives from network or guest-supplied input, the panic is remotely triggerable and amounts to a denial-of-service lever. Prefer `?` propagation, or `.expect("reason")` with an actionable message where the invariant really is guaranteed.
MINED004 · Weak Crypto · CWE-327 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

| Location |
|---|
| turbo/apps/web/app/f/[userId]/[id]/[filename]/route.ts:38 |
| turbo/apps/web/proxy.cors.ts:99 |

Note: the rule cannot tell a checksum from a security use on its own, so read each line. MD5 as an ETag or cache key is not a finding; MD5 or SHA-1 as a token, a signature, or anything whose forgery grants access is, and the replacement is a keyed MAC (HMAC-SHA256) compared in constant time.
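What MINED004 is distinguishing, as an added example in TypeScript that is not vm0 code: an unkeyed MD5 over public inputs used as if it were an access token, next to the acceptable checksum use and a keyed HMAC-SHA256 with constant-time verification. The path shape and the token scheme are assumptions for the example; nothing here is taken from the cited route.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Server-side signing key. Assumption for the example: generated per process so the
// block runs stand-alone; a real service loads it from a secret store.
export const SERVER_KEY: Uint8Array = randomBytes(32);

// Checksum use (acceptable): MD5 over content as a cache validator. The digest
// protects against nothing; it only identifies bytes.
export function etagFor(content: string): string {
  return `"${createHash("md5").update(content).digest("hex")}"`;
}

// Security-context use (what MINED004 flags): MD5 over public inputs used as an
// access token. No secret enters the computation, so anyone who knows the path
// can mint a "valid" token for any user's file.
export function weakToken(path: string): string {
  return createHash("md5").update(path).digest("hex");
}
export function verifyWeak(path: string, token: string): boolean {
  return token === weakToken(path);
}

// Replacement: HMAC-SHA256 over the canonical path and an expiry, keyed with the
// server secret. Forging it requires the key, not just the path.
export function signPath(path: string, expiresAt: number, key: Uint8Array = SERVER_KEY): string {
  return createHmac("sha256", key).update(`${path}|${expiresAt}`).digest("hex");
}

// Verification checks the expiry first, then compares digests in constant time so
// a byte-by-byte string comparison cannot leak how much of a guess was right.
export function verifyPath(path: string, expiresAt: number, token: string, now: number, key: Uint8Array = SERVER_KEY): boolean {
  if (!Number.isFinite(expiresAt) || now >= expiresAt) return false;
  const expected = Buffer.from(signPath(path, expiresAt, key), "hex");
  const given = Buffer.from(token, "hex"); // invalid hex yields a short buffer, caught by the length check
  if (given.length !== expected.length) return false;
  return timingSafeEqual(given, expected);
}
```

The expiry is part of the signed message, so extending it or moving the token to another path invalidates the MAC; a token issued under a different key (an attacker guessing the scheme) fails the same way.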
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · conf 1.00
[MINED106] Phantom test coverage: Test function `<name>` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds …

| Location | Test function |
|---|---|
| crates/runner/mitm-addon/tests/test_connector_usage.py:496 | test_full_response_pipeline_x_soft_error_ignores_request_hints |
| crates/runner/mitm-addon/tests/test_counters.py:96 | test_set_buffered_usage_events |
| crates/runner/mitm-addon/tests/test_counters.py:301 | test_write_failure_does_not_raise |
| crates/runner/mitm-addon/tests/test_json_selective.py:84 | test_rejects_invalid_scalar_field_kind |
| crates/runner/mitm-addon/tests/test_json_selective.py:90 | test_rejects_invalid_scalar_field_max_bytes |
| crates/runner/mitm-addon/tests/test_json_selective.py:95 | test_rejects_bool_scalar_field_max_bytes |
| crates/runner/mitm-addon/tests/test_json_selective.py:100 | test_rejects_invalid_scalar_field_config_value |
| crates/runner/mitm-addon/tests/test_json_selective.py:114 | test_rejects_invalid_extractor_bounds |
| crates/runner/mitm-addon/tests/test_json_selective.py:128 | test_rejects_non_integer_extractor_bounds |
| crates/runner/mitm-addon/tests/test_json_selective.py:141 | test_rejects_wildcards_in_exact_observation_paths |
| crates/runner/mitm-addon/tests/test_json_selective.py:155 | test_rejects_non_tuple_observation_paths |
| crates/runner/mitm-addon/tests/test_json_selective.py:169 | test_rejects_non_string_path_segments |
| crates/runner/mitm-addon/tests/test_json_selective.py:731 | test_rejects_wildcard_pattern_without_exactly_one_wildcard |
| crates/runner/mitm-addon/tests/test_model_provider_stream_usage.py:198 | test_full_pipeline_anthropic_sse_logs_truncated_message_start |
| crates/runner/mitm-addon/tests/test_model_provider_stream_usage.py:229 | test_full_pipeline_anthropic_sse_error_logs_truncated_message_start |
| crates/runner/mitm-addon/tests/test_model_provider_stream_usage.py:261 | test_full_pipeline_anthropic_sse_logs_malformed_message_start |
| crates/runner/mitm-addon/tests/test_model_provider_stream_usage.py:328 | test_full_pipeline_openai_sse_logs_truncated_terminal_event |
| crates/runner/mitm-addon/tests/test_model_provider_stream_usage.py:354 | test_full_pipeline_openai_sse_logs_truncated_late_event_name |
| crates/runner/mitm-addon/tests/test_model_provider_stream_usage.py:380 | test_full_pipeline_eventless_incomplete_anthropic_usage_sse_warns |
| crates/runner/mitm-addon/tests/test_response_headers_handler.py:141 | test_no_response_is_noop |
| crates/runner/mitm-addon/tests/test_update_x_tlds.py:32 | test_parse_source_rejects_empty_source |
| crates/runner/mitm-addon/tests/test_update_x_tlds.py:39 | test_parse_source_rejects_missing_version_header |
| crates/runner/mitm-addon/tests/test_update_x_tlds.py:46 | test_parse_source_rejects_non_ascii_tld |
| crates/runner/mitm-addon/tests/test_update_x_tlds.py:54 | test_parse_source_rejects_invalid_tld_syntax |
| crates/runner/mitm-addon/tests/test_update_x_tlds.py:61 | test_parse_source_rejects_source_without_tld_entries |

Triage note: tests named `test_rejects_*` and `test_parse_source_rejects_*` usually wrap the call in `pytest.raises(...)`, which fails the test when nothing is raised but is not counted by this rule, and `test_write_failure_does_not_raise` and `test_no_response_is_noop` are assertion-free by design. Confirm each before rewriting. Where a test genuinely checks nothing, assert on the returned value or on the side effect it is meant to observe; for the `*_logs_*` and `*_warns` cases that is the captured log output (`caplog` in pytest).
MINED108 · `self.attribute` used but never assigned in `__init__` · CWE-476 · conf 1.00
[MINED108] `self.<attr>` used but never assigned in __init__: Method `<method>` of class `TestCompiledFirewallMatching` reads `self.<attr>`, but no assignment to …

All 25 locations are in crates/runner/mitm-addon/tests/test_compiled_firewall_matching.py:

| Line | Attribute read | Method |
|---|---|---|
| 67 | `self._compiled` | test_matches_raw_for_mixed_base_and_greedy_rule |
| 71 | `self._assert_same_result` | test_matches_raw_for_mixed_base_and_greedy_rule |
| 99 | `self._compiled` | test_matches_raw_for_greedy_host_base_params |
| 116 | `self._assert_same_result` | test_matches_raw_for_greedy_host_base_params |
| 128 | `self._assert_same_result` | test_matches_raw_for_greedy_host_base_params |
| 145 | `self._compiled` | test_matches_raw_for_static_base_boundary_and_query |
| 156 | `self._assert_same_result` | test_matches_raw_for_static_base_boundary_and_query |
| 168 | `self._assert_same_result` | test_matches_raw_for_static_base_boundary_and_query |
| 191 | `self._compiled` | test_matches_raw_for_parameterized_host_nonstandard_port_rejection |
| 195 | `self._assert_same_result` | test_matches_raw_for_parameterized_host_nonstandard_port_rejection |
| 209 | `self._compiled` | test_matches_raw_for_unknown_policy_when_api_has_no_permissions |
| 220 | `self._assert_same_result` | test_matches_raw_for_unknown_policy_when_api_has_no_permissions |
| 232 | `self._assert_same_result` | test_matches_raw_for_unknown_policy_when_api_has_no_permissions |
| 263 | `self._compiled` | test_matches_raw_for_ask_permission_block |
| 267 | `self._assert_same_result` | test_matches_raw_for_ask_permission_block |
| 307 | `self._compiled` | test_later_allowed_firewall_wins_after_earlier_unknown_match |
| 311 | `self._assert_same_result` | test_later_allowed_firewall_wins_after_earlier_unknown_match |
| 353 | `self._compiled` | test_later_allowed_firewall_wins_after_earlier_malformed_policy_match |
| 357 | `self._assert_same_result` | test_later_allowed_firewall_wins_after_earlier_malformed_policy_match |
| 382 | `self._compiled` | test_preserves_raw_rule_order_for_any_before_exact_method |
| 405 | `self._compiled` | test_literal_rule_wins_over_earlier_parameter_rule |
| 429 | `self._compiled` | test_denied_parameter_rule_does_not_block_more_specific_literal_allow |
| 478 | `self._compiled` | test_more_specific_parameter_shape_wins |
| 502 | `self._compiled` | test_allowed_parameter_rule_does_not_bypass_more_specific_literal_deny |
| 541 | `self._assert_same_result` | test_later_allowed_permission_still_wins_after_earlier_denied_match |

Triage note: every read is inside one test class. `self._compiled` is the kind of attribute a `setUp`/`setup_method` hook or fixture assigns, and `self._assert_same_result` reads as a helper method, most likely defined on the class itself or a base class; neither would appear as an assignment in `__init__`, which is why one file produces 25 hits. Check the class bases and setup hooks before changing anything. The CWE-476 label (NULL pointer dereference) overstates a missing test attribute, which would fail loudly with AttributeError rather than silently.
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · conf 0.90
[MINED115] Action `<action>` pinned to mutable ref `@<ref>`: `uses: <action>@<ref>` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

All 14 locations shown are in .github/workflows/crates.yml (the summary counts 25; the remaining 11 are not listed on this page):

| Line | Action | Ref |
|---|---|---|
| 84 | actions/checkout | @v6 |
| 251 | actions/checkout | @v6 |
| 252 | Swatinem/rust-cache | @v2 |
| 284 | codecov/codecov-action | @v6 |
| 309 | actions/checkout | @v6 |
| 325 | actions/checkout | @v6 |
| 326 | actions/setup-python | @v6 |
| 336 | pnpm/action-setup | @v6 |
| 339 | actions/setup-node | @v6 |
| 375 | actions/checkout | @v6 |
| 376 | Swatinem/rust-cache | @v2 |
| 429 | actions/checkout | @v6 |
| 449 | actions/checkout | @v6 |
| 505 | actions/checkout | @v6 |

Remediation: replace each tag with the full 40-character commit SHA and keep the tag in a trailing comment so reviewers and Dependabot (`package-ecosystem: github-actions`) can still see and update the intended version. The `container:` and `services:` images that MINED126 counts in the summary get the same treatment with an `@sha256:` digest. A SHA pin only helps if the repository it points at is the one you reviewed, so pin to the upstream repository, not a fork, and review what the SHA contains when bumping it.
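A checker for the two pins MINED115 and MINED126 are about, as an added TypeScript example that is not vm0 code. It treats the workflow as text rather than parsing YAML: every `uses:` must end in a 40-hex commit SHA (local `./` actions are exempt because the repository commit already pins them) and every `image:` must carry an `@sha256:` digest. The workflow text at the bottom is constructed for the example, not taken from crates.yml; the zero-filled SHA and digest are placeholders.

```typescript
export interface PinFinding {
  line: number;               // 1-based line in the workflow text
  kind: "action" | "image";
  ref: string;                // the offending value as written
  reason: string;
}

const SHA_RE = /^[0-9a-f]{40}$/;
// `- uses: owner/repo[/path]@ref   # optional comment`, optionally quoted
const USES_RE = /^\s*-?\s*uses:\s*(["']?)([^\s"'#]+)\1/;
// `image: name[:tag][@sha256:digest]` under container: or services:
const IMAGE_RE = /^\s*image:\s*(["']?)([^\s"'#]+)\1/;

export function checkWorkflowPins(yaml: string): PinFinding[] {
  const findings: PinFinding[] = [];
  yaml.split(/\r?\n/).forEach((text, i) => {
    const line = i + 1;
    const uses = USES_RE.exec(text);
    if (uses) {
      const ref = uses[2];
      if (ref.startsWith("./")) return; // local action: pinned by this repo's own commit
      if (ref.startsWith("docker://")) {
        // docker:// actions are container images and need a digest, not a tag
        if (!ref.includes("@sha256:")) findings.push({ line, kind: "image", ref, reason: "docker:// action without @sha256 digest" });
        return;
      }
      const at = ref.lastIndexOf("@");
      const version = at === -1 ? "" : ref.slice(at + 1);
      if (!SHA_RE.test(version)) {
        findings.push({ line, kind: "action", ref, reason: version ? `mutable ref @${version}` : "missing ref" });
      }
      return;
    }
    const image = IMAGE_RE.exec(text);
    if (image && !image[2].includes("@sha256:")) {
      findings.push({ line, kind: "image", ref: image[2], reason: "container/service image without @sha256 digest" });
    }
  });
  return findings;
}

// Constructed sample: one unpinned container image (line 8), two tag-pinned
// actions (lines 13 and 14), one SHA-pinned action with the version kept as a
// comment (line 15), one digest-pinned service image and one local action.
export const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    container:
      image: rust:1.80
    services:
      db:
        image: postgres@sha256:0000000000000000000000000000000000000000000000000000000000000000
    steps:
      - uses: actions/checkout@v6
      - uses: Swatinem/rust-cache@v2
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v6
      - uses: ./.github/actions/local-thing
`;
```

Run it over every file under .github/workflows and fail the build on a non-empty result; the trailing `# v6` comment form is what keeps SHA-pinned lines readable and updatable.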
AUC001 · No Repobility access matrix policy found · conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
AUC009 · Sensitive function route lacks elevated authorization evidence · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.

| Location |
|---|
| turbo/apps/web/app/f/[userId]/[id]/[filename]/route.ts:45 |
| turbo/apps/web/app/monday-app-association.json/route.ts:4 |

Note: both entries carry the template endpoint `DELETE /items/{item_id}`, which matches neither file. `monday-app-association.json/route.ts` is, by its path, a route that serves a static JSON document under the Next.js app router and is very unlikely to export a DELETE handler, so treat that entry as a false positive unless the file says otherwise. For the `/f/[userId]/[id]/[filename]` handler (same file and line as AUC003 above), check which HTTP methods it exports and whether every non-GET method verifies that the object belongs to the session's user.
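The authorization evidence AUC003 and AUC009 are looking for, as an added TypeScript example that is not vm0 code: a framework-free handler for a route shaped like /f/[userId]/[id]/[filename], with the IDOR shape beside the checked one. The session, store and record types are assumptions for the example; the project's real types and storage are not known to this page.

```typescript
export interface Session { userId: string; roles: string[] }
export interface FileRecord { id: string; ownerId: string; filename: string; body: string }
export interface Params { userId: string; id: string; filename: string }
export interface Result { status: 200 | 401 | 403 | 404; body?: string }
export type FileStore = Map<string, FileRecord>; // keyed by file id

// Single decision point, deny by default: owners may do anything, admins may only read.
export function canAccess(session: Session, rec: FileRecord, action: "read" | "delete"): boolean {
  if (rec.ownerId === session.userId) return true;
  return action === "read" && session.roles.includes("admin");
}

// Resolves the record and requires the path's userId and filename to agree with it,
// so an id guessed under someone else's URL prefix does not resolve at all.
function resolve(params: Params, store: FileStore): FileRecord | undefined {
  const rec = store.get(params.id);
  if (!rec || rec.ownerId !== params.userId || rec.filename !== params.filename) return undefined;
  return rec;
}

// IDOR shape (what the rule flags): whatever id is in the path is served to whoever asks.
export function getFileUnchecked(params: Params, store: FileStore): Result {
  const rec = store.get(params.id);
  return rec ? { status: 200, body: rec.body } : { status: 404 };
}

// Hardened read: authenticate, resolve, then authorize against the record's real owner,
// never against the caller-controlled path. Cross-tenant misses return 404 rather than
// 403 so the response does not confirm that the object exists.
export function getFileChecked(session: Session | null, params: Params, store: FileStore): Result {
  if (!session) return { status: 401 };
  const rec = resolve(params, store);
  if (!rec || !canAccess(session, rec, "read")) return { status: 404 };
  return { status: 200, body: rec.body };
}

// Hardened delete (the destructive action AUC009 asks about): same sequence; an
// authenticated non-owner gets 403 here. Use 404 instead if existence must stay hidden.
export function deleteFileChecked(session: Session | null, params: Params, store: FileStore): Result {
  if (!session) return { status: 401 };
  const rec = resolve(params, store);
  if (!rec) return { status: 404 };
  if (!canAccess(session, rec, "delete")) return { status: 403 };
  store.delete(rec.id);
  return { status: 200 };
}

// Constructed fixture for the example.
export function sampleStore(): FileStore {
  return new Map<string, FileRecord>([
    ["f1", { id: "f1", ownerId: "alice", filename: "report.pdf", body: "alice's report" }],
    ["f2", { id: "f2", ownerId: "bob", filename: "notes.txt", body: "bob's notes" }],
  ]);
}
```

The point a reviewer wants to see at the cited line is the `canAccess` call (or its equivalent) between the lookup and the response, and that it compares the session to the record's owner field rather than to anything the request supplied.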
DKR001 · Docker final stage has no non-root USER · docker/toolchain/Dockerfile:123 · conf 0.82
Docker final stage has no non-root USER. Add a `USER` with an unprivileged uid in the final stage; if the image is only ever used as a build environment and never run as a service, record that in the Dockerfile so reviewers know it is not a runtime image.
DKR018 · Database dump or local database file is included in Docker build context · .dockerignore · conf 0.86
Database dump or local database file is included in Docker build context. The location is .dockerignore because the file matches none of its patterns. Everything in the context is uploaded to the daemon and readable by every build stage whether or not the final image COPYs it, so add the offending file, and any `*.sql`, `*.sqlite` or `*.db` kept locally, to .dockerignore.
ERR002 · Empty Catch Block · turbo/apps/platform/custom-eslint/rules/no-empty-promise-catch.ts:46 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors. The cited file is itself a lint rule about empty promise catches, so the match may be a code sample embedded in the rule rather than a swallowed error; confirm before changing it.
JRN003 · Frontend API reference is not matched by discovered backend routes · conf 0.74
Frontend API reference is not matched by discovered backend routes.

| Location |
|---|
| turbo/apps/api/src/signals/routes/github-oauth.ts:57 |
| turbo/apps/api/src/signals/routes/internal-callbacks-chat.ts:164 |
| turbo/apps/api/src/signals/routes/internal-event-consumers-agentphone-typing.ts:92 |
| turbo/apps/api/src/signals/routes/internal-event-consumers-telegram-typing.ts:68 |
| turbo/apps/api/src/signals/routes/model-stats.ts:32 |
| turbo/apps/api/src/signals/routes/model-stats.ts:62 |
| turbo/apps/api/src/signals/routes/zero-chat-messages.ts:250 |
| turbo/apps/api/src/signals/routes/zero-connectors.ts:558 |
| turbo/apps/api/src/signals/routes/zero-integrations-github-download-file.ts:19 |
| turbo/apps/api/src/signals/routes/zero-integrations-slack.ts:51 |
| turbo/apps/api/src/signals/routes/zero-integrations-telegram.ts:50 |
| turbo/apps/api/src/signals/routes/zero-web-download.ts:20 |
| turbo/apps/api/src/signals/services/agent-webhook-events.service.ts:62 |
| turbo/apps/api/src/signals/services/agent-webhook-events.service.ts:67 |
| turbo/apps/api/src/signals/services/built-in-generation-provider-webhooks.service.ts:56 |

Note: all 15 locations are under turbo/apps/api, not a frontend app, so the unmatched references are most likely outbound calls to external or internal services (OAuth, webhooks, Slack, Telegram, GitHub file download) rather than frontend calls to missing routes. Confirm for each whether the target is an external URL; the security-relevant follow-up for outbound calls is whether the destination is fixed or derived from user input (SSRF), not route inventory.
SEC001 · Hardcoded Password · crates/vsock-guest/src/user.rs:261 · conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code. Confidence is low; read the line to see whether the literal is a real credential. If it is, move it to configuration and rotate it; if it is a default for a throwaway guest account, confirm that the account is unreachable from outside the guest.
SEC041 · Tabnabbing — target="_blank" without rel="noopener noreferrer" · conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

| Location |
|---|
| turbo/apps/platform/src/signals/zero-page/telegram-login-popup.ts:27 |
| turbo/apps/platform/src/signals/zero-page/zero-github.ts:203 |
| turbo/apps/platform/src/views/router/link.tsx:55 |

Note: current browsers (Chrome 88+, Firefox 79+, Safari 12.1+) already imply `noopener` for `<a target="_blank">`, but `window.open(url, "_blank")` still needs `"noopener,noreferrer"` in its features string, and `noreferrer` additionally stops the Referer header from leaking the current URL. `link.tsx:55` appears to be the shared router Link component, so a fix there covers every anchor in the app; a popup helper in a `.ts` file is more likely a `window.open` call, which is where the explicit feature string matters.
SEC045 · eval()/exec() on stored or user-supplied data · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

| Location |
|---|
| crates/runner/src/main.rs:68 |
| crates/sandbox/src/sandbox.rs:205 |
| turbo/apps/platform/custom-eslint/rules/no-raw-msw-http.ts:109 |

Note: Rust has no `eval()`/`exec()` and the rule text is written for Python, so a match in a `.rs` file is a pattern hit on an identifier (a process-spawning call, for example) rather than dynamic code evaluation. The third location is the source of a custom ESLint rule, where the string is more likely part of the rule's own matching logic or message than a call. Confirm at each cited line; if the sandbox crate executes user-supplied programs by design, the question to review is the isolation boundary around that execution, not the call itself.
SEC046 · Client-side open redirect — window.location = server-supplied URL · conf 1.00
[SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If t…

| Location |
|---|
| turbo/apps/web/app/desktop-auth/callback/DesktopAuthCallbackClient.tsx:87 |
| turbo/apps/web/app/desktop-auth/consume/DesktopAuthConsumeClient.tsx:61 |

Note: both are auth-flow pages, which is exactly where a redirect to an attacker's origin is worth the most (the next hop may carry a code or token). Parse the destination, require https or the desktop app's registered scheme, and compare the parsed origin against an allowlist; a string-prefix check is defeated by `https://app.example.evil.example/` and `https://app.example@evil.example/`.
SEC134
AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
crates/ably-subscriber/src/connection/endpoint.rs:331
· conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txt
WEB015
Public web app has no Content Security Policy
index.html
· conf 0.70
Public web app has no Content Security Policy
AIC002
Source file name looks like an AI patch artifact
turbo/apps/platform/src/signals/zero-page/chat-draft.ts:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC003
Duplicated implementation block across source files
crates/runner/src/cmd/start/job_spawn.rs:599
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
crates/runner/src/cmd/start/ownership.rs:111
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
crates/runner/src/kmsg_log.rs:32
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
crates/runner/src/provider/mod.rs:164
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
crates/sandbox-fc/src/snapshot/provider.rs:81
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
crates/vsock-guest/src/shell_command.rs:458
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/lib/slack-webhook-blocks.ts:137
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/signals/routes/internal-callbacks-slack-org.ts:270
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/signals/routes/internal-callbacks-telegram.ts:180
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/signals/routes/internal-callbacks-telegram.ts:204
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/signals/routes/internal-event-consumers-telegram-typing.ts:44
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/signals/routes/test-oauth-provider-token.ts:42
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/signals/routes/test-telegram-state.ts:100
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/signals/routes/zero-chat-threads-rename.ts:26
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/signals/routes/zero-chat-threads-unpin.ts:20
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/signals/routes/zero-codex-device-auth.ts:14
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/signals/routes/zero-composes.ts:90
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
turbo/apps/api/src/signals/routes/zero-custom-connectors-patch.ts:35
· conf 0.86
Duplicated implementation block across source files
COMP001
High cognitive complexity
crates/runner/mitm-addon/scripts/update-x-tlds.py:57
· conf 0.95
[COMP001] High cognitive complexity: Function `parse_source` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested…
COMP001
High cognitive complexity
crates/runner/mitm-addon/src/auth_base_forwarder.py:50
· conf 0.95
[COMP001] High cognitive complexity: Function `_connection_header_names` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understa…
COMP001
High cognitive complexity
crates/runner/mitm-addon/src/registry.py:68
· conf 0.95
[COMP001] High cognitive complexity: Function `load_registry` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested…
DKR008
.dockerignore misses sensitive defaults
.dockerignore
· conf 0.72
.dockerignore misses sensitive defaults
DKR011
Dockerfile installs recommended OS packages
docker/toolchain/Dockerfile:8
· conf 0.72
Dockerfile installs recommended OS packages
DKR011
Dockerfile installs recommended OS packages
docker/toolchain/Dockerfile:19
· conf 0.72
Dockerfile installs recommended OS packages
DKR011
Dockerfile installs recommended OS packages
docker/toolchain/Dockerfile:126
· conf 0.72
Dockerfile installs recommended OS packages
DKR011
Dockerfile installs recommended OS packages
docker/toolchain/Dockerfile:139
· conf 0.72
Dockerfile installs recommended OS packages
DKR011
Dockerfile installs recommended OS packages
docker/toolchain/Dockerfile:147
· conf 0.72
Dockerfile installs recommended OS packages
DKR011
Dockerfile installs recommended OS packages
docker/toolchain/Dockerfile:152
· conf 0.72
Dockerfile installs recommended OS packages
DKR011
Dockerfile installs recommended OS packages
docker/toolchain/Dockerfile:182
· conf 0.72
Dockerfile installs recommended OS packages
SEC010
Cloud Provider Token
turbo/packages/api-contracts/src/contracts/test-slack-mock.ts:14
· conf 0.20
[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.
SEC022
Database URL With Embedded Credential
scripts/prepare.sh:100
· conf 0.20
[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working c…
WEB001
Public web app has no robots.txt
robots.txt
· conf 0.74
Public web app has no robots.txt
WEB002
Public web app has no sitemap
sitemap.xml
· conf 0.72
Public web app has no sitemap
WEB008
Public docs site has no llms.txt
llms.txt
· conf 0.64
Public docs site has no llms.txt
WEB011
Public web app has no humans.txt
humans.txt
· conf 0.50
Public web app has no humans.txt
COMP001
High cognitive complexity
· conf 0.20
[COMP001] High cognitive complexity (and 9 more): Same pattern found in 9 additional files. Review if needed.
MINED003
Rust Unwrap In Prod
CWE-755
· conf 0.20
[MINED003] Rust Unwrap In Prod (and 43 more): Same pattern found in 43 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
crates/ably-subscriber/src/connection/endpoint.rs:186
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
turbo/packages/connectors/src/auth-providers/oauth/providers/slock.ts:101
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 356 more): Same pattern found in 356 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
turbo/apps/cli/src/commands/artifact/clone.ts:16
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
turbo/apps/cli/src/commands/artifact/init.ts:28
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
turbo/apps/cli/src/commands/artifact/list.ts:17
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 35 more): Same pattern found in 35 additional files. Review if needed.
MINED045
Ts Non Null Assertion
CWE-476
turbo/apps/api/src/app-factory.ts:161
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
turbo/apps/api/src/signals/context/route.ts:129
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
turbo/apps/api/src/signals/routes/integrations-telegram-bot-id.ts:226
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED049
Print Pii
CWE-532
· conf 0.20
[MINED049] Print Pii (and 6 more): Same pattern found in 6 additional files. Review if needed.
MINED049
Print Pii
CWE-532
turbo/apps/cli/src/commands/init/index.ts:123
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED049
Print Pii
CWE-532
turbo/apps/cli/src/commands/zero/org/secret/list.ts:15
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED049
Print Pii
CWE-532
turbo/apps/cli/src/commands/zero/org/secret/remove.ts:34
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED050
Stub Only Function
CWE-1188
crates/runner/mitm-addon/src/usage/sse.py:25
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
crates/runner/mitm-addon/src/usage/webhook.py:64
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED055
Npm Install No Lockfile
CWE-1357
turbo/apps/web/public/install.sh:31
· conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
MINED056
React Key As Index
CWE-682
turbo/apps/platform/src/views/queue-page/queue-drawer.tsx:134
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
turbo/apps/platform/src/views/zero-page/components/log-views/log-table.tsx:165
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
turbo/apps/web/app/components/Particles.tsx:5
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED058
React Dangerously Set Html
CWE-79
· conf 0.20
[MINED058] React Dangerously Set Html (and 2 more): Same pattern found in 2 additional files. Review if needed.
MINED058
React Dangerously Set Html
CWE-79
turbo/apps/web/app/[locale]/blog/page.tsx:100
· conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
MINED058
React Dangerously Set Html
CWE-79
turbo/apps/web/app/[locale]/docs/page.tsx:103
· conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
MINED058
React Dangerously Set Html
CWE-79
turbo/apps/web/app/[locale]/docs/[...slug]/page.tsx:169
· conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
MINED059
Rust Expect In Prod
CWE-755
· conf 0.20
[MINED059] Rust Expect In Prod (and 7 more): Same pattern found in 7 additional files. Review if needed.
MINED059
Rust Expect In Prod
CWE-755
crates/guest-agent/src/control.rs:152
· conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
MINED059
Rust Expect In Prod
CWE-755
crates/runner/build.rs:23
· conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
MINED059
Rust Expect In Prod
CWE-755
crates/runner/src/prefetch.rs:238
· conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
MINED062
Python Dataclass No Fields
crates/runner/mitm-addon/src/url_utils.py:21
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED066
Rust Panic Macro
CWE-755
· conf 0.20
[MINED066] Rust Panic Macro (and 4 more): Same pattern found in 4 additional files. Review if needed.
MINED066
Rust Panic Macro
CWE-755
crates/guest-agent/src/control.rs:196
· conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
MINED066
Rust Panic Macro
CWE-755
crates/runner/build.rs:54
· conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
MINED066
Rust Panic Macro
CWE-755
crates/runner/src/cmd/nbd.rs:110
· conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
MINED068
Rust Unsafe Block
CWE-119
· conf 0.20
[MINED068] Rust Unsafe Block (and 7 more): Same pattern found in 7 additional files. Review if needed.
MINED068
Rust Unsafe Block
CWE-119
crates/guest-agent/src/metrics.rs:118
· conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
MINED068
Rust Unsafe Block
CWE-119
crates/guest-agent/src/nofollow_fs.rs:78
· conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
MINED068
Rust Unsafe Block
CWE-119
crates/guest-init/src/init.rs:85
· conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
MINED099
Hardcoded Secret
CWE-798
· conf 0.20
[MINED099] Hardcoded Secret (and 1 more): Same pattern found in 1 additional file. Review if needed.
MINED099
Hardcoded Secret
CWE-798
turbo/packages/api-contracts/src/contracts/test-slack-mock.ts:14
· conf 0.10
[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.
MINED099
Hardcoded Secret
CWE-798
turbo/packages/firewalls-generator/src/bland.ts:12
· conf 0.10
[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.
MINED099
Hardcoded Secret
CWE-798
turbo/packages/firewalls-generator/src/deepseek.ts:14
· conf 0.10
[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.
SEC002
Hardcoded API Key
turbo/packages/firewalls-generator/src/cronlytic.ts:4
· conf 0.10
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
SEC010
Cloud Provider Token
· conf 0.20
[SEC010] Cloud Provider Token (and 3 more): Same pattern found in 3 additional files. Review if needed.
SEC010
Cloud Provider Token
turbo/packages/firewalls-generator/src/bland.ts:12
· conf 0.10
[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.
SEC020
Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 237 more): Same pattern found in 237 additional files. Review if needed.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 164 more): Same pattern found in 164 additional files. Review if needed.
SEC040
innerHTML XSS — template literal with server-supplied data
· conf 0.20
[SEC040] innerHTML XSS — template literal with server-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed.
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
· conf 0.20
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer" (and 1 more): Same pattern found in 1 additional file. Review if needed.
SEC045
eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 10 more): Same pattern found in 10 additional files. Review if needed.
SEC085
JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 9 more): Same pattern found in 9 additional files. Review if needed.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
· conf 0.20
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 3 more): Same pattern found in 3 additional files. Review if needed.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
turbo/apps/api/src/signals/routes/zero-integrations-github-upload-init.ts:29
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
turbo/apps/api/src/signals/routes/zero-integrations-phone-upload-init.ts:29
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
turbo/apps/api/src/signals/routes/zero-integrations-telegram-upload-init.ts:26
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 21 more): Same pattern found in 21 additional files. Review if needed.