home-assistant/core

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `select` used but not imported: The file uses `select.something(...)` but never imports `select`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `time` used but not imported: The file uses `time.something(...)` but never imports `time`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `uuid` used but not imported: The file uses `uuid.something(...)` but never imports `uuid`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `uuid` used but not imported: The file uses `uuid.something(...)` but never imports `uuid`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `select` used but not imported: The file uses `select.something(...)` but never imports `select`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `xml` used but not imported: The file uses `xml.something(...)` but never imports `xml`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `signal` used but not imported: The file uses `signal.something(...)` but never imports `signal`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.

[MINED107] Missing import: `collections` used but not imported: The file uses `collections.something(...)` but never imports `collections`. This raises NameError at runtime the first time the line ex…

[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes.

[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets…

[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets…

[SEC002] Hardcoded API Key: Hardcoded API key found in source code.

[SEC099] JWT decoded without signature verification: JWT token is parsed without verifying its signature. The token body can be tampered with arbitrarily by an attacker.

[SEC099] JWT decoded without signature verification: JWT token is parsed without verifying its signature. The token body can be tampered with arbitrarily by an attacker.

Dockerfile pipes a remote script into a shell

[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.

[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.

[MINED106] Phantom test coverage: test_entry_options_unknown_config_entry: Test function `test_entry_options_unknown_config_entry` runs code but contains no assert / expect / should call — it passes …

[MINED106] Phantom test coverage: test_entry_subentry_non_string: Test function `test_entry_subentry_non_string` runs code but contains no assert / expect / should call — it passes regardless of beha…

[MINED106] Phantom test coverage: test_entry_subentry_no_context: Test function `test_entry_subentry_no_context` runs code but contains no assert / expect / should call — it passes regardless of beha…

[MINED106] Phantom test coverage: test_entry_subentry_duplicate: Test function `test_entry_subentry_duplicate` runs code but contains no assert / expect / should call — it passes regardless of behavi…

[MINED106] Phantom test coverage: test_entry_subentry_unknown_config_entry: Test function `test_entry_subentry_unknown_config_entry` runs code but contains no assert / expect / should call — it passe…

[MINED106] Phantom test coverage: test_entry_subentry_deleted_config_entry: Test function `test_entry_subentry_deleted_config_entry` runs code but contains no assert / expect / should call — it passe…

[MINED106] Phantom test coverage: test_entry_subentry_unsupported_subentry_type: Test function `test_entry_subentry_unsupported_subentry_type` runs code but contains no assert / expect / should call …

[MINED106] Phantom test coverage: test_entry_subentry_unsupported: Test function `test_entry_subentry_unsupported` runs code but contains no assert / expect / should call — it passes regardless of be…

[MINED106] Phantom test coverage: test_init_custom_integration: Test function `test_init_custom_integration` runs code but contains no assert / expect / should call — it passes regardless of behaviou…

[MINED106] Phantom test coverage: test_init_custom_integration_with_missing_handler: Test function `test_init_custom_integration_with_missing_handler` runs code but contains no assert / expect / shou…

[MINED106] Phantom test coverage: test_entry_id_existing_entry: Test function `test_entry_id_existing_entry` runs code but contains no assert / expect / should call — it passes regardless of behaviou…

[MINED106] Phantom test coverage: test_scheduling_reload_unknown_entry: Test function `test_scheduling_reload_unknown_entry` runs code but contains no assert / expect / should call — it passes regard…

[MINED106] Phantom test coverage: test_deprecated_disabled_by_str_ctor: Test function `test_deprecated_disabled_by_str_ctor` runs code but contains no assert / expect / should call — it passes regard…

[MINED106] Phantom test coverage: test_deprecated_disabled_by_str_set: Test function `test_deprecated_disabled_by_str_set` runs code but contains no assert / expect / should call — it passes regardle…

[MINED106] Phantom test coverage: test_core_config_schema: Test function `test_core_config_schema` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li…

[MINED106] Phantom test coverage: test_loading_configuration_from_packages: Test function `test_loading_configuration_from_packages` runs code but contains no assert / expect / should call — it passe…

[MINED106] Phantom test coverage: test_disallowed_auth_provider_config: Test function `test_disallowed_auth_provider_config` runs code but contains no assert / expect / should call — it passes regard…

[MINED106] Phantom test coverage: test_disallowed_duplicated_auth_provider_config: Test function `test_disallowed_duplicated_auth_provider_config` runs code but contains no assert / expect / should c…

[MINED106] Phantom test coverage: test_disallowed_auth_mfa_module_config: Test function `test_disallowed_auth_mfa_module_config` runs code but contains no assert / expect / should call — it passes re…

[MINED106] Phantom test coverage: test_disallowed_duplicated_auth_mfa_module_config: Test function `test_disallowed_duplicated_auth_mfa_module_config` runs code but contains no assert / expect / shou…

[MINED106] Phantom test coverage: test_bad_timezone_raises_value_error: Test function `test_bad_timezone_raises_value_error` runs code but contains no assert / expect / should call — it passes regard…

[MINED106] Phantom test coverage: test_custom_integration_missing_version: Test function `test_custom_integration_missing_version` runs code but contains no assert / expect / should call — it passes …

[MINED106] Phantom test coverage: test_custom_integration_missing: Test function `test_custom_integration_missing` runs code but contains no assert / expect / should call — it passes regardless of be…

[MINED106] Phantom test coverage: test_validation: Test function `test_validation` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage with…

[MINED106] Phantom test coverage: test_config_folder_not_in_path: Test function `test_config_folder_not_in_path` runs code but contains no assert / expect / should call — it passes regardless of beha…

[MINED108] `self._async_dispatch` used but never assigned in __init__: Method `_async_watch` of class `_WatchPendingSetups` reads `self._async_dispatch`, but no assignment to it exists in __init__ (a…

[MINED108] `self._async_schedule_next` used but never assigned in __init__: Method `_async_watch` of class `_WatchPendingSetups` reads `self._async_schedule_next`, but no assignment to it exists in _…

[MINED108] `self._async_watch` used but never assigned in __init__: Method `_async_schedule_next` of class `_WatchPendingSetups` reads `self._async_watch`, but no assignment to it exists in __init__ …

[MINED108] `self._async_schedule_next` used but never assigned in __init__: Method `async_start` of class `_WatchPendingSetups` reads `self._async_schedule_next`, but no assignment to it exists in __…

[MINED108] `self._async_dispatch` used but never assigned in __init__: Method `async_stop` of class `_WatchPendingSetups` reads `self._async_dispatch`, but no assignment to it exists in __init__ (and…

[MINED108] `self._async_flow_handler_to_flow_result` used but never assigned in __init__: Method `async_get` of class `FlowManager` reads `self._async_flow_handler_to_flow_result`, but no assignment …

[MINED108] `self._async_flow_handler_to_flow_result` used but never assigned in __init__: Method `async_progress` of class `FlowManager` reads `self._async_flow_handler_to_flow_result`, but no assign…

[MINED108] `self._async_flow_handler_to_flow_result` used but never assigned in __init__: Method `async_progress_by_handler` of class `FlowManager` reads `self._async_flow_handler_to_flow_result`, bu…

[MINED108] `self.output` used but never assigned in __init__: Method `__str__` of class `ConditionError` reads `self.output`, but no assignment to it exists in __init__ (and no class-level fallback).…

[MINED108] `self._indent` used but never assigned in __init__: Method `output` of class `ConditionErrorMessage` reads `self._indent`, but no assignment to it exists in __init__ (and no class-level fa…

[MINED108] `self.type` used but never assigned in __init__: Method `output` of class `ConditionErrorMessage` reads `self.type`, but no assignment to it exists in __init__ (and no class-level fallback…

[MINED108] `self._indent` used but never assigned in __init__: Method `output` of class `ConditionErrorIndex` reads `self._indent`, but no assignment to it exists in __init__ (and no class-level fall…

[MINED108] `self.type` used but never assigned in __init__: Method `output` of class `ConditionErrorIndex` reads `self.type`, but no assignment to it exists in __init__ (and no class-level fallback).…

[MINED108] `self._indent` used but never assigned in __init__: Method `output` of class `ConditionErrorIndex` reads `self._indent`, but no assignment to it exists in __init__ (and no class-level fall…

[MINED108] `self.type` used but never assigned in __init__: Method `output` of class `ConditionErrorIndex` reads `self.type`, but no assignment to it exists in __init__ (and no class-level fallback).…

[MINED108] `self._async_process_integration` used but never assigned in __init__: Method `async_get_integration_with_requirements` of class `RequirementsManager` reads `self._async_process_integratio…

[MINED108] `self.async_process_requirements` used but never assigned in __init__: Method `_async_process_integration` of class `RequirementsManager` reads `self.async_process_requirements`, but no as…

[MINED108] `self.async_get_integration_with_requirements` used but never assigned in __init__: Method `_async_process_integration` of class `RequirementsManager` reads `self.async_get_integration_wit…

[MINED108] `self._find_missing_requirements` used but never assigned in __init__: Method `async_process_requirements` of class `RequirementsManager` reads `self._find_missing_requirements`, but no as…

[MINED108] `self._raise_for_failed_requirements` used but never assigned in __init__: Method `async_process_requirements` of class `RequirementsManager` reads `self._raise_for_failed_requirements`, b…

[MINED108] `self._find_missing_requirements` used but never assigned in __init__: Method `async_process_requirements` of class `RequirementsManager` reads `self._find_missing_requirements`, but no as…

[MINED108] `self._async_process_requirements` used but never assigned in __init__: Method `async_process_requirements` of class `RequirementsManager` reads `self._async_process_requirements`, but no …

[MINED108] `self._loop_factory` used but never assigned in __init__: Method `loop_name` of class `HassEventLoopPolicy` reads `self._loop_factory`, but no assignment to it exists in __init__ (and no c…

[MINED108] `self.added_to_bucket` used but never assigned in __init__: Method `add_to_bucket` of class `TestFolder` reads `self.added_to_bucket`, but no assignment to it exists in __init__ (and no cl…

[MINED108] `self.total_tests` used but never assigned in __init__: Method `__repr__` of class `TestFolder` reads `self.total_tests`, but no assignment to it exists in __init__ (and no class-level fal…

[MINED110] Blocking call `time.sleep` inside async function `test_metadata_downloads_are_sequential`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the e…

[MINED110] Blocking call `requests.exceptions.ConnectionError` inside async function `test_setup_entry_fails`: `requests.exceptions.ConnectionError` is a synchronous (blocking) call. When invoked ins…

[MINED110] Blocking call `requests.exceptions.ConnectionError` inside async function `test_state_unavailable`: `requests.exceptions.ConnectionError` is a synchronous (blocking) call. When invoked ins…

[MINED110] Blocking call `requests.exceptions.ConnectionError` inside async function `test_connection_error`: `requests.exceptions.ConnectionError` is a synchronous (blocking) call. When invoked insi…

[MINED110] Blocking call `time.sleep` inside async function `test_async_import_module_concurrency`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the eve…

[MINED110] Blocking call `time.sleep` inside async function `test_protect_loop_debugger_sleep`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event l…

[MINED110] Blocking call `time.sleep` inside async function `test_protect_loop_sleep`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, prev…

[MINED110] Blocking call `time.sleep` inside async function `test_protect_loop_sleep_get_current_frame_raises`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it st…

[MINED110] Blocking call `time.sleep` inside async function `test_async_add_executor_job_background`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the e…

[MINED110] Blocking call `time.sleep` inside async function `test_async_add_executor_job`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, …

[MINED110] Blocking call `time.sleep` inside async function `test_executor_shutdown_can_interrupt_threads`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls…

[MINED110] Blocking call `time.sleep` inside async function `test_executor_shutdown_only_logs_max_attempts`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stall…

[MINED110] Blocking call `time.sleep` inside async function `test_overall_timeout_reached`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop,…

[MINED110] Blocking call `time.sleep` inside async function `test_simple_zone_timeout_freeze_inside_executor_job`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it…

[MINED110] Blocking call `time.sleep` inside async function `test_simple_global_timeout_freeze_inside_executor_job`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` …

[MINED110] Blocking call `time.sleep` inside async function `test_mix_global_timeout_freeze_and_zone_freeze_inside_executor_job`: `time.sleep` is a synchronous (blocking) call. When invoked inside an…

[MINED110] Blocking call `time.sleep` inside async function `test_mix_global_timeout_freeze_and_zone_freeze_different_order`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `as…

[MINED110] Blocking call `time.sleep` inside async function `test_mix_global_timeout_freeze_and_zone_freeze_other_zone_inside_executor_job`: `time.sleep` is a synchronous (blocking) call. When invoke…

[MINED110] Blocking call `time.sleep` inside async function `test_mix_global_timeout_freeze_and_zone_freeze_executor_2nd_outside_zone`: `time.sleep` is a synchronous (blocking) call. When invoked ins…

[MINED118] Dockerfile FROM `mcr.microsoft.com/vscode/devcontainers/base:debian` not pinned by digest: `FROM mcr.microsoft.com/vscode/devcontainers/base:debian` resolves the tag at build time. The reg…

[MINED118] Dockerfile FROM `python:3.14.5-alpine` not pinned by digest: `FROM python:3.14.5-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so eve…

[MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.15.13`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev…

[MINED131] pre-commit hook `https://github.com/codespell-project/codespell` pinned to mutable rev `v2.4.2`: `.pre-commit-config.yaml` references `https://github.com/codespell-project/codespell` at `r…

[MINED131] pre-commit hook `https://github.com/zizmorcore/zizmor-pre-commit` pinned to mutable rev `v1.24.1`: `.pre-commit-config.yaml` references `https://github.com/zizmorcore/zizmor-pre-commit` at…

[MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `r…

[MINED131] pre-commit hook `https://github.com/adrienverge/yamllint.git` pinned to mutable rev `v1.38.0`: `.pre-commit-config.yaml` references `https://github.com/adrienverge/yamllint.git` at `rev: v…

[MINED131] pre-commit hook `https://github.com/rbubley/mirrors-prettier` pinned to mutable rev `v3.6.2`: `.pre-commit-config.yaml` references `https://github.com/rbubley/mirrors-prettier` at `rev: v3…

[MINED131] pre-commit hook `https://github.com/cdce8p/python-typing-update` pinned to mutable rev `v0.6.0`: `.pre-commit-config.yaml` references `https://github.com/cdce8p/python-typing-update` at `r…

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…

[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…

[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…

[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0).

[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.

[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.

[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

[COMP001] High cognitive complexity: Function `_merge_policies` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nes…

Docker final stage has no non-root USER

Docker final stage has no non-root USER

[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

[SEC001] Hardcoded Password: Hardcoded password found in source code.

[SEC001] Hardcoded Password: Hardcoded password found in source code.

[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.

[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.

[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.

[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.

[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.

[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…

[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…

Source file name looks like an AI patch artifact

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicate top-level symbol appears in a patch-style file

Multiple AI-agent scaffold marker files are present

[COMP001] High cognitive complexity: Function `compile_policy` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — neste…

[COMP001] High cognitive complexity: Function `ensure_config_path` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — …

.dockerignore misses sensitive defaults

Dockerfile keeps pip download cache

Dockerfile keeps pip download cache

Dockerfile keeps pip download cache

Dockerfile keeps pip download cache

[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated …

[COMP001] High cognitive complexity (and 303 more): Same pattern found in 303 additional files. Review if needed.

Dockerfile base image is selected through a build variable

[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed.

[MINED043] Http Not Https (and 24 more): Same pattern found in 24 additional files. Review if needed.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED050] Stub Only Function (and 35 more): Same pattern found in 35 additional files. Review if needed.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED062] Python Dataclass No Fields (and 228 more): Same pattern found in 228 additional files. Review if needed.

[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.

[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.

[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.

[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.

[MINED067] Python Requests No Timeout (and 9 more): Same pattern found in 9 additional files. Review if needed.

[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.

[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.

[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.

[MINED079] Off By One Slice: range(len(x)+1), arr[i+1:i+n+1], or while i<=len(arr) — off-by-one risk.

[SEC001] Hardcoded Password (and 3 more): Same pattern found in 3 additional files. Review if needed.

[SEC001] Hardcoded Password: Hardcoded password found in source code.

[SEC020] Secret Printed to Logs (and 13 more): Same pattern found in 13 additional files. Review if needed.

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 40 more): Same pattern found in 40 additional files. Review if needed.

[SEC078] Python: requests without timeout (and 9 more): Same pattern found in 9 additional files. Review if needed.

[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 75 more): Same pattern found in 75 additional files. Review if needed.