ai-ql/tuui

https://github.com/AI-QL/tuui · lang: typescript · LOC: · source: user_submitted

Quality: 75.4 (Grade B+)
Security: 98.4
Findings: 38 (0 critical · 12 high)
Status: completed · May 31, 2026 01:25
Severity breakdown: high 12 · medium 4 · low 6 · info 16
Top rules by occurrence
Rule · Severity · Count
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) high 6
MINED044 Js Console Log Prod info 4
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… high 4
MINED045 Ts Non Null Assertion info 4
MINED052 Ts Any Typed info 4
SEC128 Async function without await — fire-and-forget Promise (AI … high 3
AIC003 Duplicated implementation block across source files low 2
WEB003 Public web service has no security.txt medium 1
MINED043 Http Not Https info 1
WEB011 Public web app has no humans.txt low 1
First 38 findings (severity-sorted)
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/build-artifacts.yml:16 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/build-artifacts.yml:19 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/build-artifacts.yml:32 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright-test.yml:28 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright-test.yml:38 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/playwright-test.yml:45 · conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/main/aid/commands.ts:82 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/main/IPCs.ts:59 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/main/MainRunner.ts:47 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
src/main/aid/index.ts:133 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
src/main/MainRunner.ts:30 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
src/renderer/store/message.ts:58 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium ERR002 Empty Catch Block
src/main/mcp/connection.ts:14 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium SEC031 Catastrophic Backtracking Regex (ReDoS)
src/renderer/router/index.ts:83 · conf 1.00
[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit expon…
medium SEC136 AI-typical over-broad exception handler swallowing all errors
src/renderer/store/agent.ts:115 · conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78
Public web service has no security.txt
low AIC003 Duplicated implementation block across source files
src/renderer/components/pages/McpEditPage.vue:14 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/renderer/components/pages/McpRegistryPage.vue:4 · conf 0.86
Duplicated implementation block across source files
low WEB002 Public web app has no sitemap
sitemap.xml · conf 0.72
Public web app has no sitemap
low WEB005 robots.txt does not advertise a sitemap
docs/src/public/robots.txt · conf 0.74
robots.txt does not advertise a sitemap
low WEB008 Public docs site has no llms.txt
llms.txt · conf 0.64
Public docs site has no llms.txt
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50
Public web app has no humans.txt
info MINED043 Http Not Https CWE-319
src/renderer/utils/color.ts:2 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
src/main/aid/automation.ts:34 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
src/main/aid/automator.ts:25 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
src/main/IPCs.ts:155 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed.
info MINED045 Ts Non Null Assertion CWE-476
src/main/aid/macos.ts:113 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
src/main/aid/nut.ts:35 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
src/main/aid/windows.ts:43 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED052 Ts Any Typed CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed.
info MINED052 Ts Any Typed CWE-704
src/main/aid/macos.ts:169 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
src/main/aid/nut.ts:4 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
src/main/IPCs.ts:335 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
src/main/mcp/connection.ts:37 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info SEC020 Secret Printed to Logs
src/main/IPCs.ts:172 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed.