
vercel/next.js

https://github.com/vercel/next.js.git · lang: typescript · LOC: · source: both

Quality: 81.8 (Grade A-)
Security: 100.0
Findings: 177 (5 critical · 35 high)
Status: completed · May 18, 2026 14:32
By severity: critical: 5 · high: 35 · medium: 46 · low: 54 · info: 37
Top rules by occurrence
Rule · Severity · Count
AIC003 Duplicated implementation block across source files · low · 30
JRN003 Frontend API reference is not matched by discovered backend… · medium · 11
DKR014 Dockerfile copies the entire context without .dockerignore · high · 8
DKC006 Compose service does not declare a runtime user · low · 7
DKR002 Dockerfile base image has no explicit tag · medium · 7
DKC010 Compose service lacks no-new-privileges hardening · low · 7
AIC002 Source file name looks like an AI patch artifact · low · 5
AUC009 [AUC009] Sensitive function route lacks elevated authorizat… · medium · 4
MINED054 Ts As Any · info · 3
SEC085 JS: child_process.exec with non-literal · high · 3
First 177 findings (severity-sorted)
critical MINED019 Ssti Jinja From String CWE-94
crates/next-core/src/middleware.rs:112 · conf 1.00
[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates. Caveat: jinja2 is a Python library and this hit is in a Rust source file, so confirm that the flagged line actually renders a template from untrusted input before treating it as exploitable.
critical MINED019 Ssti Jinja From String CWE-94
crates/next-taskless/src/lib.rs:319 · conf 1.00
[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates. Same caveat as the previous MINED019 hit: a Python-library signature matched in a Rust source file; verify before acting on it.
critical SEC084 JS: require() with non-literal
.github/actions/next-stats-action/src/prepare/action-info.js:73 · conf 1.00
[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
critical SEC084 JS: require() with non-literal
.github/actions/next-stats-action/src/prepare/load-stats-config.js:13 · conf 1.00
[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
critical SEC084 JS: require() with non-literal
.github/actions/next-stats-action/src/run/index.js:311 · conf 1.00
[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
packages/create-next-app/templates/app-api/js/app/[slug]/route.js:3 · conf 0.70
high AUC003 [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
packages/create-next-app/templates/app-api/ts/app/[slug]/route.ts:3 · conf 0.70
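The two AUC003 findings above point at the create-next-app API route template, where a route keyed by an id-like segment shows no authorization evidence nearby. What such a route needs is an object-level check, written below as an added example that is not code from Next.js or create-next-app; the principal shape ({ id, roles }), the in-memory ITEMS store and the deleteItem name are assumptions for illustration.

```javascript
// Added example, not Next.js or create-next-app code: object-level authorization
// for an id-addressed route. Framework-agnostic on purpose: it takes the principal
// the authentication layer already established and returns {status, body}, which a
// Next.js route handler can turn into a Response.

// Constructed in-memory store standing in for the database; ownerId is the
// attribute the authorization decision is made on.
const ITEMS = new Map([
  ['item-1', { id: 'item-1', ownerId: 'alice', name: 'draft' }],
  ['item-2', { id: 'item-2', ownerId: 'bob', name: 'invoice' }],
]);

// principal: { id, roles } or null when the request carried no valid session.
function deleteItem(principal, itemId, store = ITEMS) {
  // 1. Authentication. An anonymous caller gets 401 before any lookup, so the
  //    route does not leak which ids exist.
  if (!principal) return { status: 401, body: { error: 'authentication required' } };

  // 2. Object-level authorization: the caller must own the object or hold the
  //    admin role. A non-owner gets the same 404 as a missing id (no enumeration
  //    oracle); log the denial server-side if you need the audit trail.
  const item = store.get(itemId);
  const isOwner = item !== undefined && item.ownerId === principal.id;
  const isAdmin = Array.isArray(principal.roles) && principal.roles.includes('admin');
  if (!item || !(isOwner || isAdmin)) return { status: 404, body: { error: 'not found' } };

  // 3. Only now perform the sensitive action.
  store.delete(itemId);
  return { status: 204, body: null };
}

// Glue for an App Router handler (not executed here; getSession is your auth layer
// and slug comes from the route's params):
//   export async function DELETE(request, context) {
//     const principal = await getSession(request);
//     const { status, body } = deleteItem(principal, slug);
//     return body === null ? new Response(null, { status }) : Response.json(body, { status });
//   }
```

The ordering is the point: authenticate, then authorize against the specific object, then act. Returning 404 for both "missing" and "not yours" keeps the route from doubling as an id oracle; if your API contract needs a distinct 403, make sure ids are unguessable first.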
high DKC011 Database service publishes a host port
examples/cache-handler-redis/compose.yaml:1 · conf 0.84
high DKR006 Dockerfile pipes a remote script into a shell
.github/actions/next-stats-action/Dockerfile:10 · conf 0.92
high DKR014 Dockerfile copies the entire context without .dockerignore
examples/with-docker/Dockerfile:45 · conf 0.92
high DKR014 Dockerfile copies the entire context without .dockerignore
examples/with-docker/Dockerfile.bun:33 · conf 0.92
high DKR014 Dockerfile copies the entire context without .dockerignore
examples/with-docker-export-output/Dockerfile:47 · conf 0.92
high DKR014 Dockerfile copies the entire context without .dockerignore
examples/with-docker-export-output/Dockerfile.serve:45 · conf 0.92
high DKR014 Dockerfile copies the entire context without .dockerignore
examples/with-docker-multi-env/docker/development/Dockerfile:25 · conf 0.92
high DKR014 Dockerfile copies the entire context without .dockerignore
examples/with-docker-multi-env/docker/production/Dockerfile:26 · conf 0.92
high DKR014 Dockerfile copies the entire context without .dockerignore
examples/with-docker-multi-env/docker/staging/Dockerfile:26 · conf 0.92
high DKR014 Dockerfile copies the entire context without .dockerignore
.github/actions/next-stats-action/Dockerfile:19 · conf 0.92
high MINED003 Rust Unwrap In Prod CWE-755
crates/next-api/src/analyze.rs:163 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED003 Rust Unwrap In Prod CWE-755
crates/next-api/src/app.rs:1678 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED003 Rust Unwrap In Prod CWE-755
crates/next-api/src/asset_hashes_manifest.rs:77 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED004 Weak Crypto CWE-327
crates/next-custom-transforms/src/transforms/server_actions.rs:17 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
high MINED004 Weak Crypto CWE-327
crates/next-error-code-swc-plugin/src/lib.rs:136 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
high MINED012 Curl Pipe Bash CWE-494
.devcontainer/rust/install.sh:5 · conf 1.00
[MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.
high MINED039 Rust Todo Macro CWE-1188
crates/next-core/src/hmr_entry.rs:105 · conf 1.00
[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path.
high MINED039 Rust Todo Macro CWE-1188
crates/next-core/src/next_app/app_client_references_chunks.rs:55 · conf 1.00
[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path.
high SEC020 Secret Printed to Logs
examples/with-firebase-cloud-messaging/utils/webPush.js:28 · conf 0.85
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
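The SEC020 finding above flags diagnostic code that prints a credential-bearing value. The usual fix is to route such output through a redacting wrapper; the following is an added example, not code from Next.js or the with-firebase-cloud-messaging example. The key-name patterns, the mask format and SAMPLE_CONFIG (all values made up) are assumptions.

```javascript
// Added example, not Next.js or example-app code: redact credential-bearing values
// before they reach console output or a log sink.

// Key names that carry secrets (assumption; extend for your own config shape).
const SENSITIVE_KEY = /(api[_-]?key|private[_-]?key|secret|token|password|passwd|authorization|cookie)/i;
// Values that are credentials regardless of the key they sit under.
const CREDENTIAL_VALUE = /^(Bearer|Basic)\s+\S+/i;

// Keep a short prefix so operators can tell two credentials apart without
// being able to reconstruct either one.
function mask(value) {
  const s = String(value);
  if (s.length <= 8) return '[REDACTED]';
  return `${s.slice(0, 4)}...[REDACTED ${s.length - 4} chars]`;
}

// Deep-copies plain objects and arrays, masking by key name or value shape.
// Non-string scalars pass through unchanged; the input is never mutated.
function redact(value, keyName = '') {
  if (Array.isArray(value)) return value.map((v) => redact(v, keyName));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redact(v, k);
    return out;
  }
  if (typeof value === 'string' && (SENSITIVE_KEY.test(keyName) || CREDENTIAL_VALUE.test(value))) {
    return mask(value);
  }
  return value;
}

// Drop-in for the console.log call a diagnostic helper would make.
function logSafe(label, payload) {
  const line = `${label} ${JSON.stringify(redact(payload))}`;
  console.log(line);
  return line;
}

// Constructed sample shaped like a web-push configuration; every value is fake.
const SAMPLE_CONFIG = {
  vapidPublicKey: 'BPublicKeyIsSafeToShow',
  vapidPrivateKey: 'fakeprivatekey0123456789',
  endpoint: 'https://push.example/send/abc',
  headers: { Authorization: 'Bearer fake.jwt.token' },
};
```

Redacting at the logging boundary is what stops a "print the config to see why it fails" helper from shipping the private key to whatever collects stdout. Treat the key list as allow-by-default and widen it whenever a new secret shape appears in the codebase.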
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
bench/nested-deps-app-router-many-pages/create-pages.mjs:5 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
.github/actions/next-stats-action/src/run/benchmark-url.js:8 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
.github/actions/next-stats-action/src/run/collect-stats.js:396 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
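The three SEC029 findings above describe an outbound request to a caller-supplied URL with no allowlist. Below is an added example of the check a practitioner would put in front of fetch; it is not code from Next.js or next-stats-action, and ALLOWED_HOSTS, BLOCKED_HOSTS and the function names are assumptions. It goes a little beyond the finding text by also covering the IP-literal spellings and userinfo tricks that defeat naive hostname checks.

```javascript
// Added example, not Next.js code: validate an outbound URL against an allowlist
// before any fetch/http.request, instead of trusting a caller-supplied string.

// Hosts this service is meant to talk to (assumption; fill in your own).
const ALLOWED_HOSTS = new Set(['api.example.com', 'cdn.example.com']);
// Names that resolve to the local machine or cloud metadata regardless of DNS.
const BLOCKED_HOSTS = new Set(['localhost', 'metadata.google.internal']);

// WHATWG URL parsing already canonicalises IPv4 spellings (0x7f000001, 2130706433,
// 127.1) to dotted-quad and brackets IPv6, so any IP literal is caught here and
// rejected outright: an allowlist of names should never contain raw addresses.
function isIpLiteral(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith('[');
}

// Returns the parsed URL when it is safe to request; throws with the reason otherwise.
function assertAllowedUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    throw new Error('unparseable URL');
  }
  if (url.protocol !== 'https:') throw new Error(`scheme not allowed: ${url.protocol}`);
  // "https://api.example.com@evil.example/" puts the trusted name in userinfo.
  if (url.username || url.password) throw new Error('userinfo in URL not allowed');
  const host = url.hostname.toLowerCase();
  if (BLOCKED_HOSTS.has(host) || isIpLiteral(host)) throw new Error(`host blocked: ${host}`);
  // Exact match, so api.example.com.evil.example does not pass.
  if (!ALLOWED_HOSTS.has(host)) throw new Error(`host not on allowlist: ${host}`);
  return url;
}

// Non-throwing form for callers that want a verdict to log.
function checkUrl(input) {
  try {
    return { ok: true, href: assertAllowedUrl(input).href };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Usage (not executed here): fetch(assertAllowedUrl(userUrl), { redirect: 'manual' })
// so a 3xx from an allowed host cannot bounce the request to an internal address.
```

Two caveats that the allowlist alone does not cover: redirects (hence redirect: 'manual' in the usage line) and DNS rebinding, where an allowed name later resolves to an internal address; for the latter, resolve once and connect to the validated address, or validate at the socket layer.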
high SEC040 innerHTML XSS — template literal with server-supplied data
bench/render-pipeline/benchmark.ts:415 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
crates/next-core/src/next_manifests/client_reference_manifest.rs:495 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
examples/cms-builder-io/pages/posts/[slug].js:91 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
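The three SEC040 findings above all match the same shape: a template literal with interpolated data that ends up in innerHTML (or, in the cms-builder-io case, React's dangerouslySetInnerHTML). The vulnerable shape and its escaped counterpart, as an added example that is not code from Next.js or the examples directory; escapeHtml, the render functions and SAMPLE_POST are assumptions.

```javascript
// Added example, not Next.js or example-app code: the innerHTML template-literal
// pattern from the SEC040 findings beside its escaped form.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes for an HTML text or double-quoted attribute context. Not sufficient on
// its own for URL, JavaScript or CSS contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern flagged by SEC040: CMS/API data interpolated straight into markup that
// later lands in element.innerHTML or dangerouslySetInnerHTML.
function renderPostUnsafe(post) {
  return `<article><h1>${post.title}</h1><p>${post.body}</p></article>`;
}

// Hardened form: every interpolated value is escaped for the text context it lands in.
function renderPostSafe(post) {
  return `<article><h1>${escapeHtml(post.title)}</h1><p>${escapeHtml(post.body)}</p></article>`;
}

// Constructed sample: a stored record whose body carries an XSS payload.
const SAMPLE_POST = {
  title: 'Hello & welcome',
  body: '<img src=x onerror="alert(document.cookie)">',
};
```

When the CMS field is meant to contain HTML, escaping breaks the content; the right tool there is an allowlist sanitizer (DOMPurify or equivalent) rather than escaping, with a Content Security Policy (see the WEB015 finding on this page) as the second layer.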
high SEC085 JS: child_process.exec with non-literal
bench/nested-deps-app-router/bench.mjs:193 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
bench/nested-deps-app-router-many-pages/bench.mjs:193 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
.github/actions/next-stats-action/src/util/exec.js:12 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
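The SEC085 findings above (and the SEC084 require() findings earlier in the list) share one cause: a value from outside the program is spliced into something that interprets it, a shell command line in one case and a module path in the other. For the exec case the fix is an argv array with no shell plus a strict allowlist on the value; here is an added example of that, not code from Next.js or next-stats-action. The git ref scenario, SAFE_REF and the function names are assumptions. The same allowlist idea fixes the require() findings: map the incoming name to one of a fixed set of literal require() calls instead of passing it through.

```javascript
// Added example, not Next.js or next-stats-action code: passing a user-supplied git
// ref to a child process without a shell. Argv is built here and handed to
// child_process.execFile by the caller, so the example runs without spawning git.

// Pattern flagged by SEC085: one shell string, so ';', '$(...)', '|' in ref run as commands.
function unsafeGitLogCommand(ref) {
  return `git log -1 --format=%H ${ref}`;
}

// Allowlist for a ref (assumption, deliberately stricter than git's own rules):
// alphanumeric start (so never an option), then a bounded run of safe characters,
// and no '..' so a single ref cannot turn into a range.
const SAFE_REF = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,127}$/;

function assertSafeRef(ref) {
  if (typeof ref !== 'string' || !SAFE_REF.test(ref) || ref.includes('..')) {
    throw new Error(`refusing unsafe ref: ${JSON.stringify(ref)}`);
  }
  return ref;
}

// Hardened form: an argv array (no shell involved) plus --end-of-options (git 2.24+)
// so the ref can never be parsed as a flag even if the allowlist is later relaxed.
function gitLogArgv(ref) {
  return ['log', '-1', '--format=%H', '--end-of-options', assertSafeRef(ref)];
}

// Usage (needs a checkout, so not executed here):
//   const { execFile } = require('node:child_process');
//   execFile('git', gitLogArgv(userRef), { cwd: repoDir }, (err, stdout) => { ... });
```

execFile without the shell option is what removes the injection class; the regex is defence in depth against argument injection, which is why a leading '-' is excluded and --end-of-options is still passed.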
high SEC114 path.join / Path() on user-controlled segment without containment check
crates/next-core/src/next_font/local/mod.rs:163 · conf 1.00
[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…
high SEC114 path.join / Path() on user-controlled segment without containment check
crates/next-core/src/next_font/util.rs:86 · conf 1.00
[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…
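The two SEC114 findings above make the point that normalising a joined path is not a containment check. An added example of the check itself follows; it is not code from Next.js, and normalizePosix, safeJoin and the /srv/fonts base directory are assumptions. The normaliser is included only so the block runs without node:path; in real code use path.resolve and keep the same boundary test.

```javascript
// Added example, not Next.js code: joining a user-controlled segment under a base
// directory and checking that the result stays inside it. Uses a small POSIX
// normaliser instead of node:path so the block runs without imports.

function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; } // '..' above root is dropped, as resolve does
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Pattern flagged by SEC114: normalisation alone; '../' simply walks out of baseDir.
function unsafeJoin(baseDir, userPath) {
  return normalizePosix(`${baseDir}/${userPath}`);
}

// Hardened form. The boundary check is candidate === base || startsWith(base + '/'),
// not a bare startsWith(base), so /srv/fonts-evil is not accepted as inside /srv/fonts.
function safeJoin(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('invalid path segment');
  }
  if (userPath.startsWith('/')) {
    throw new Error('absolute paths not allowed');
  }
  const base = normalizePosix(baseDir);
  const candidate = normalizePosix(`${base}/${userPath}`);
  if (candidate !== base && !candidate.startsWith(`${base}/`)) {
    throw new Error(`path escapes base directory: ${userPath}`);
  }
  return candidate;
}
```

Decode percent-encoding exactly once before this check so %2e%2e is seen as '..', reject backslashes and drive prefixes when the code can run on Windows, and remember that a symlink inside the base can still point outside it; where that matters, compare the realpath of the opened file as well.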
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
apps/bundle-analyzer/components/treemap-visualizer.tsx:97 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
crates/next-custom-transforms/src/transforms/server_actions.rs:297 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
.github/actions/next-stats-action/src/run/collect-stats.js:28 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AGT015 Remote install command pipes network code directly to a shell
.github/workflows/build_and_deploy.yml:412 · conf 0.70
medium AIC001 Parallel implementation file sits beside a canonical file
test/production/export/pages/query-update.js:1 · conf 0.82
medium AIC004 Suspicious implementation file appears unreferenced
turbopack/crates/turbo-tasks-backend/src/backend/operation/leaf_distance_update.rs:1 · conf 0.78
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
medium AUC002 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
· conf 0.74
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
bench/module-cost/app/app/commonjs/route.js:5 · conf 0.68
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
packages/create-next-app/templates/app-api/js/app/[slug]/route.js:3 · conf 0.68
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
packages/create-next-app/templates/app-api/ts/app/route.ts:3 · conf 0.68
medium AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
packages/create-next-app/templates/app-api/ts/app/[slug]/route.ts:3 · conf 0.68
medium DKC013 Database service has no persistent data volume
examples/cache-handler-redis/compose.yaml:1 · conf 0.74
medium DKR001 Docker final stage has no non-root USER
.github/actions/next-stats-action/Dockerfile:25 · conf 0.82
medium DKR002 Dockerfile base image has no explicit tag
examples/with-docker/compose.yml:2 · conf 0.90
Compose service `nextjs-standalone` image has no explicit tag
medium DKR002 Dockerfile base image has no explicit tag
examples/with-docker/compose.yml:16 · conf 0.90
Compose service `nextjs-standalone-with-bun` image has no explicit tag
medium DKR002 Dockerfile base image has no explicit tag
examples/with-docker-export-output/compose.yml:2 · conf 0.90
Compose service `nextjs-static-export` image has no explicit tag
medium DKR002 Dockerfile base image has no explicit tag
examples/with-docker-export-output/compose.yml:15 · conf 0.90
Compose service `nextjs-static-export-with-serve` image has no explicit tag
medium DKR002 Dockerfile base image has no explicit tag
examples/with-docker-multi-env/docker/development/compose.yaml:1 · conf 0.90
Compose service `with-docker-multi-env-development` image has no explicit tag
medium DKR002 Dockerfile base image has no explicit tag
examples/with-docker-multi-env/docker/production/compose.yaml:1 · conf 0.90
Compose service `with-docker-multi-env-production` image has no explicit tag
medium DKR002 Dockerfile base image has no explicit tag
examples/with-docker-multi-env/docker/staging/compose.yaml:1 · conf 0.90
Compose service `with-docker-multi-env-staging` image has no explicit tag
medium DKR003 Dockerfile base image uses the latest tag
examples/cache-handler-redis/compose.yaml:1 · conf 0.94
Compose service `redis-stack` image uses the latest tag
medium DKR007 Docker build context has no .dockerignore
.dockerignore · conf 0.90
medium DKR009 Dockerfile separates apt update from install
.github/actions/next-stats-action/Dockerfile:7 · conf 0.86
medium DKR015 Docker build context is very large
.dockerignore · conf 0.84
medium DKR018 Database dump or local database file is included in Docker build context
.dockerignore · conf 0.86
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
bench/nested-deps-app-router/bench.mjs:179 · conf 1.00
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
bench/nested-deps-app-router-many-pages/bench.mjs:179 · conf 1.00
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
bench/nested-deps/bench.mjs:174 · conf 1.00
medium JRN003 Frontend API reference is not matched by discovered backend routes
evals/evals/agent-021-avoid-fetch-in-effect/app/page.tsx:7 · conf 0.74
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/next/src/client/components/segment-cache/navigation-testing-lock.ts:130 · conf 0.74
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/next/src/cli/internal/static-routes-info.ts:217 · conf 0.74
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/next/src/server/lib/router-utils/typegen.ts:938 · conf 0.74
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/next/src/server/lib/router-utils/typegen.ts:1030 · conf 0.74
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/next/src/shared/lib/router/utils/sortable-routes.ts:71 · conf 0.74
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/next/src/shared/lib/router/utils/sortable-routes.ts:72 · conf 0.74
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/next/src/shared/lib/router/utils/sortable-routes.ts:88 · conf 0.74
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/next/src/shared/lib/router/utils/sortable-routes.ts:154 · conf 0.74
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/next/src/shared/lib/router/utils/sortable-routes.ts:155 · conf 0.74
medium JRN003 Frontend API reference is not matched by discovered backend routes
packages/next/src/shared/lib/router/utils/sortable-routes.ts:156 · conf 0.74
medium SEC045 eval()/exec() on stored or user-supplied data
.github/actions/next-stats-action/src/index.js:40 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
.github/actions/next-stats-action/src/prepare/repo-setup.js:11 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
.github/actions/next-stats-action/src/run/benchmark-url.js:18 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC087 JS: weak Math.random for crypto
examples/with-mqtt-js/app/page.tsx:53 · conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
medium SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
bench/basic-app/app/api/app/route.js:2 · conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
medium SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
bench/basic-app/pages/api/page-api.js:2 · conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
medium SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
examples/api-routes-apollo-server/pages/api/graphql.ts:19 · conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78
medium WEB015 Public web app has no Content Security Policy
index.html · conf 0.70
low AIC002 Source file name looks like an AI patch artifact
packages/next/src/lib/recursive-copy.ts:1 · conf 0.62
low AIC002 Source file name looks like an AI patch artifact
test/e2e/next-image-legacy/base-path/pages/layout-fixed.js:1 · conf 0.62
low AIC002 Source file name looks like an AI patch artifact
test/e2e/next-image-legacy/default/pages/layout-fixed.js:1 · conf 0.62
low AIC002 Source file name looks like an AI patch artifact
turbopack/crates/turbo-tasks-backend/src/backend/operation/aggregation_update.rs:1 · conf 0.62
low AIC002 Source file name looks like an AI patch artifact
turbopack/crates/turbo-tasks-backend/src/backend/operation/leaf_distance_update.rs:1 · conf 0.62
low AIC003 Duplicated implementation block across source files
crates/next-api/src/middleware.rs:17 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-core/src/next_app/app_page_entry.rs:153 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-core/src/next_app/app_route_entry.rs:129 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-core/src/next_app/app_route_entry.rs:147 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-core/src/next_edge/context.rs:135 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-core/src/next_font/local/mod.rs:112 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-core/src/next_pages/page_entry.rs:92 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-core/src/next_server_component/server_component_module.rs:6 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-core/src/next_server_utility/server_utility_module.rs:78 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-core/src/next_shared/transforms/next_edge_node_api_assert.rs:21 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-core/src/next_shared/transforms/next_middleware_dynamic_assert.rs:14 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-core/src/next_shared/transforms/next_optimize_server_react.rs:17 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-custom-transforms/src/transforms/strip_page_exports.rs:352 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-napi-bindings/src/lib.rs:1 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-napi-bindings/src/minify.rs:1 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-napi-bindings/src/rspack.rs:116 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-napi-bindings/src/transform.rs:1 · conf 0.86
low AIC003 Duplicated implementation block across source files
crates/next-napi-bindings/src/util.rs:1 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-023-avoid-getserversideprops/app/layout.tsx:1 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-024-avoid-redundant-usestate/app/layout.tsx:1 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-025-prefer-next-link/app/layout.tsx:1 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-026-no-serial-await/app/layout.tsx:1 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-027-prefer-next-image/app/layout.tsx:1 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-029-use-cache-directive/app/layout.tsx:1 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-031-proxy-middleware/app/layout.tsx:5 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-032-use-cache-directive/app/layout.tsx:5 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-033-forbidden-auth/app/layout.tsx:5 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-034-async-cookies/app/layout.tsx:5 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-035-connection-dynamic/app/layout.tsx:5 · conf 0.86
low AIC003 Duplicated implementation block across source files
evals/evals/agent-036-after-response/app/layout.tsx:5 · conf 0.86
low AIC005 Duplicate top-level symbol appears in a patch-style file
test/e2e/next-image-new/default/pages/missing-alt.js:1 · conf 0.64
low DKC006 Compose service does not declare a runtime user
examples/with-docker/compose.yml:2 · conf 0.56
low DKC006 Compose service does not declare a runtime user
examples/with-docker/compose.yml:16 · conf 0.56
low DKC006 Compose service does not declare a runtime user
examples/with-docker-export-output/compose.yml:2 · conf 0.56
low DKC006 Compose service does not declare a runtime user
examples/with-docker-export-output/compose.yml:15 · conf 0.56
low DKC006 Compose service does not declare a runtime user
examples/with-docker-multi-env/docker/development/compose.yaml:1 · conf 0.56
low DKC006 Compose service does not declare a runtime user
examples/with-docker-multi-env/docker/production/compose.yaml:1 · conf 0.56
low DKC006 Compose service does not declare a runtime user
examples/with-docker-multi-env/docker/staging/compose.yaml:1 · conf 0.56
low DKC010 Compose service lacks no-new-privileges hardening
examples/with-docker/compose.yml:2 · conf 0.62
low DKC010 Compose service lacks no-new-privileges hardening
examples/with-docker/compose.yml:16 · conf 0.62
low DKC010 Compose service lacks no-new-privileges hardening
examples/with-docker-export-output/compose.yml:2 · conf 0.62
low DKC010 Compose service lacks no-new-privileges hardening
examples/with-docker-export-output/compose.yml:15 · conf 0.62
low DKC010 Compose service lacks no-new-privileges hardening
examples/with-docker-multi-env/docker/development/compose.yaml:1 · conf 0.62
low DKC010 Compose service lacks no-new-privileges hardening
examples/with-docker-multi-env/docker/production/compose.yaml:1 · conf 0.62
low DKC010 Compose service lacks no-new-privileges hardening
examples/with-docker-multi-env/docker/staging/compose.yaml:1 · conf 0.62
low DKC015 Database service has no healthcheck
examples/cache-handler-redis/compose.yaml:1 · conf 0.72
low WEB005 robots.txt does not advertise a sitemap
.github/pnpm-lock.yaml · conf 0.74
low WEB008 Public docs site has no llms.txt
llms.txt · conf 0.64
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50
info MINED043 Http Not Https CWE-319
examples/cms-wordpress/src/components/Globals/Navigation/Navigation.tsx:42 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
examples/image-component/app/shimmer/page.tsx:5 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
examples/with-passport-and-next-connect/pages/index.js:34 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
.github/actions/next-integration-stat/src/index.ts:24 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
.github/actions/next-stats-action/src/add-comment.js:1159 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
.github/actions/next-stats-action/src/aggregate-results.js:125 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
apps/bundle-analyzer/components/file-search.tsx:20 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
bench/render-pipeline/analyze-profiles.ts:106 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
bench/render-pipeline/benchmark.ts:495 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED049 Print Pii CWE-532
examples/with-firebase-cloud-messaging/utils/webPush.js:28 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED052 Ts Any Typed CWE-704
examples/api-routes-cors/pages/api/cors.ts:18 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
.github/actions/needs-triage/src/index.ts:35 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
.github/actions/validate-docs-links/src/index.ts:106 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
apps/bundle-analyzer/components/error-state.tsx:16 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
examples/cms-payload/payload/payloadClient.ts:19 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
examples/cms-sanity/sanity/schemas/documents/author.ts:28 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED056 React Key As Index CWE-682
apps/bundle-analyzer/components/import-chain.tsx:441 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
bench/basic-app/app/streaming/bulk/page.js:17 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
bench/rendering/pages/stateless-big.js:10 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED057 Todo Bomb
crates/next-core/src/hmr_entry.rs:105 · conf 1.00
[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — left for later but never resolved.
info MINED058 React Dangerously Set Html CWE-79
apps/bundle-analyzer/app/layout.tsx:27 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED058 React Dangerously Set Html CWE-79
examples/blog-starter/src/app/_components/post-body.tsx:12 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED058 React Dangerously Set Html CWE-79
examples/blog-starter/src/app/_components/theme-switcher.tsx:97 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED059 Rust Expect In Prod CWE-755
crates/next-code-frame/src/highlight.rs:651 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
info MINED059 Rust Expect In Prod CWE-755
crates/next-core/src/next_shared/transforms/swc_ecma_transform_plugins.rs:23 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
info MINED059 Rust Expect In Prod CWE-755
crates/next-core/src/next_shared/webpack_rules/babel.rs:191 · conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
info MINED065 Cors Wildcard CWE-942 CWE-346
examples/with-mux-video/app/(upload)/page.tsx:15 · conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
info MINED066 Rust Panic Macro CWE-755
crates/next-api/src/analyze.rs:287 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED066 Rust Panic Macro CWE-755
crates/next-build-test/src/main.rs:37 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED066 Rust Panic Macro CWE-755
crates/next-core/src/next_font/google/mod.rs:814 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED068 Rust Unsafe Block CWE-119
crates/next-napi-bindings/src/next_api/utils.rs:390 · conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
info MINED068 Rust Unsafe Block CWE-119
crates/next-napi-bindings/src/turbopack.rs:163 · conf 1.00
[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
info MINED074 Ai Tell Fake Citation
evals/evals/agent-023-avoid-getserversideprops/app/page.tsx:6 · conf 1.00
[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
info MINED074 Ai Tell Fake Citation
evals/evals/agent-026-no-serial-await/app/page.tsx:7 · conf 1.00
[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
info MINED074 Ai Tell Fake Citation
evals/evals/agent-041-optimize-ppr-shell/app/page.tsx:6 · conf 1.00
[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
info MINED078 Eslint Disable File
examples/cms-sitecore-xmcloud/scripts/generate-config.ts:27 · conf 1.00
[MINED078] Eslint Disable File: /* eslint-disable */ at top disables all lint rules for the file.
info MINED078 Eslint Disable File
examples/cms-sitecore-xmcloud/scripts/templates/component-factory.ts:43 · conf 1.00
[MINED078] Eslint Disable File: /* eslint-disable */ at top disables all lint rules for the file.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/c62673f3-12b0-4330-8614-ead9a08d2948/.