https://github.com/can1357/oh-my-pi.git · lang: rust · LOC: · source: both
| Rule | Severity | Count |
|---|---|---|
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| AIC003 Duplicated implementation block across source files | low | 16 |
| MINED059 Rust Expect In Prod | info | 4 |
| COMP001 High cognitive complexity | low | 4 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input | high | 4 |
| MINED068 Rust Unsafe Block | info | 4 |
| SEC128 Async function without await — fire-and-forget Promise (AI mistake) | high | 3 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 3 |
| MINED118 Dockerfile FROM not pinned by sha256 digest | high | 3 |
| DKR012 Dockerfile keeps pip download cache | low | 2 |
- MINED107 · Missing Python import (NameError at runtime) · CWE-1075 · `packages/ai/scripts/proto-extractor.py:430` · conf 1.00
  [MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(...)` but never imports `enum`. This raises NameError at runtime the first time the line executes.
- MINED116 · GHA pull_request workflow leaks secrets to forks · CWE-829 · `.github/workflows/ci.yml:365` · conf 0.90
  [MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.NPM_TOKEN }}` lets a PR fr…
- COMP001 · High cognitive complexity · `packages/ai/scripts/cursor-log.py:66` · conf 0.95
  [COMP001] High cognitive complexity: Function `format_data` has cognitive complexity 30 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested …
- DKR006 · Dockerfile pipes a remote script into a shell · `Dockerfile:42` · conf 0.92
- DKR006 · Dockerfile pipes a remote script into a shell · `Dockerfile:123` · conf 0.92
- DKR014 · Dockerfile copies the entire context without .dockerignore · `Dockerfile:66` · conf 0.92
- DKR014 · Dockerfile copies the entire context without .dockerignore · `Dockerfile:183` · conf 0.92
- MINED001 · Bare Except Pass · CWE-755 · `packages/ai/scripts/cursor-log.py:219` · conf 1.00
  [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
- MINED003 · Rust Unwrap In Prod · CWE-755 · `crates/brush-core-vendored/src/prompt.rs:216` · conf 1.00
  [MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
- MINED006 · Overcatch Baseexception · CWE-705 · `packages/ai/scripts/cursor-log.py:245` · conf 1.00
  [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:33` · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:81` · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:82` · conf 0.90
  [MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:86` · conf 0.90
  [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:107` · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:131` · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:147` · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:148` · conf 0.90
  [MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:152` · conf 0.90
  [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:173` · conf 0.90
  [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:195` · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:196` · conf 0.90
  [MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:199` · conf 0.90
  [MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@nightly`: `uses: dtolnay/rust-toolchain@nightly` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:202` · conf 0.90
  [MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:210` · conf 0.90
  [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:273` · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:274` · conf 0.90
  [MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:278` · conf 0.90
  [MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:284` · conf 0.90
  [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:310` · conf 0.90
  [MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:323` · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:325` · conf 0.90
  [MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:331` · conf 0.90
  [MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:343` · conf 0.90
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
- MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · `.github/workflows/ci.yml:344` · conf 0.90
  [MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
- MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · `Dockerfile:30` · conf 0.90
  [MINED118] Dockerfile FROM `rust:1.86-slim-bookworm` not pinned by digest: `FROM rust:1.86-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, …
- MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · `Dockerfile:83` · conf 0.90
  [MINED118] Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest: `FROM python:3.12-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same t…
- MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · `Dockerfile:103` · conf 0.90
  [MINED118] Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest: `FROM python:3.12-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same t…
- SEC029 · Server-Side Request Forgery (SSRF) — outbound HTTP from user input · `packages/ai/src/provider-details.ts:62` · conf 1.00
  [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
- SEC029 · Server-Side Request Forgery (SSRF) — outbound HTTP from user input · `packages/ai/src/provider-models/ollama.ts:28` · conf 1.00
  [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
- SEC029 · Server-Side Request Forgery (SSRF) — outbound HTTP from user input · `packages/ai/src/providers/azure-openai-responses.ts:188` · conf 1.00
  [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
- SEC040 · innerHTML XSS — template literal with server-supplied data · `packages/agent/src/compaction/utils.ts:152` · conf 1.00
  [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
- SEC040 · innerHTML XSS — template literal with server-supplied data · `packages/ai/src/providers/aws-sigv4.ts:151` · conf 1.00
  [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
- SEC100 · CORS permissive Access-Control-Allow-Origin: * · `packages/ai/src/auth-gateway/http.ts:164` · conf 1.00
  [SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
- SEC128 · Async function without await — fire-and-forget Promise (AI mistake) · `crates/brush-core-vendored/src/terminal.rs:89` · conf 1.00
  [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
- SEC128 · Async function without await — fire-and-forget Promise (AI mistake) · `packages/ai/src/api-registry.ts:86` · conf 1.00
  [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
- SEC128 · Async function without await — fire-and-forget Promise (AI mistake) · `packages/ai/src/providers/google-auth.ts:226` · conf 1.00
  [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
- CFG006 · Missing .gitignore · conf 1.00
  [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
- COMP001 · High cognitive complexity · `packages/ai/scripts/cursor-log.py:145` · conf 0.95
  [COMP001] High cognitive complexity: Function `coalesce_entries` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — ne…
- COMP001 · High cognitive complexity · `packages/ai/scripts/cursor-log.py:203` · conf 0.95
  [COMP001] High cognitive complexity: Function `process_file` has cognitive complexity 24 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested…
- DKR001 · Docker final stage has no non-root USER · `Dockerfile:163` · conf 0.82
- DKR007 · Docker build context has no .dockerignore · `.dockerignore` · conf 0.90
- ERR002 · Empty Catch Block · `packages/agent/src/proxy.ts:112` · conf 1.00
  [ERR002] Empty Catch Block: Empty catch blocks hide errors.
- SEC045 · eval()/exec() on stored or user-supplied data · `crates/brush-builtins-vendored/src/exec.rs:75` · conf 1.00
  [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
- SEC134 · AI scaffold leftover — Lorem ipsum / example.com / John Doe in code · `crates/pi-shell/src/minimizer/filters/gt.rs:221` · conf 1.00
  [SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
- AIC003 · Duplicated implementation block across source files · `crates/brush-builtins-vendored/src/getopts.rs:45` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `crates/brush-builtins-vendored/src/test.rs:10` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `crates/brush-core-vendored/src/sys/windows/fs.rs:91` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `crates/pi-iso/src/windows_block_clone.rs:144` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `crates/pi-natives/src/ast.rs:14` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `crates/pi-shell/build.rs:38` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `crates/pi-shell/src/minimizer/filters/cpp.rs:218` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `crates/pi-shell/src/minimizer/filters/gt.rs:38` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `crates/pi-shell/src/minimizer/filters/js_tools.rs:358` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `crates/pi-shell/src/minimizer/filters/js_tools.rs:359` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `crates/pi-shell/src/minimizer/filters/mod.rs:114` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `crates/pi-shell/src/minimizer/filters/python.rs:85` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `packages/ai/src/providers/google-gemini-cli.ts:249` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `packages/ai/src/providers/google-shared.ts:386` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `packages/ai/src/providers/google-shared.ts:549` · conf 0.86
- AIC003 · Duplicated implementation block across source files · `packages/ai/src/providers/ollama.ts:258` · conf 0.86
- DKR012 · Dockerfile keeps pip download cache · `Dockerfile:89` · conf 0.72
- DKR012 · Dockerfile keeps pip download cache · `Dockerfile:141` · conf 0.72
- COMP001 · High cognitive complexity · conf 0.20
  [COMP001] High cognitive complexity (and 2 more): Same pattern found in 2 additional files. Review if needed.
- MINED043 · Http Not Https · CWE-319 · `packages/ai/src/providers/google-auth.ts:22` · conf 1.00
  [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
- MINED044 · Js Console Log Prod · CWE-532 · `packages/ai/src/cli.ts:70` · conf 1.00
  [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
- MINED045 · Ts Non Null Assertion · CWE-476 · `packages/agent/src/compaction/utils.ts:34` · conf 1.00
  [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
- MINED050 · Stub Only Function · CWE-1188 · `packages/ai/scripts/cursor-log.py:220` · conf 1.00
  [MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
- MINED054 · Ts As Any · CWE-704 · `packages/agent/src/proxy.ts:286` · conf 1.00
  [MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
- MINED059 · Rust Expect In Prod · CWE-755 · conf 0.20
  [MINED059] Rust Expect In Prod (and 3 more): Same pattern found in 3 additional files. Review if needed.
- MINED059 · Rust Expect In Prod · CWE-755 · `crates/pi-ast/src/ops.rs:292` · conf 1.00
  [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
- MINED059 · Rust Expect In Prod · CWE-755 · `crates/pi-iso/src/overlayfs.rs:189` · conf 1.00
  [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
- MINED059 · Rust Expect In Prod · CWE-755 · `crates/pi-iso/src/windows_block_clone.rs:270` · conf 1.00
  [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
- MINED066 · Rust Panic Macro · CWE-755 · `crates/pi-natives/build.rs:58` · conf 1.00
  [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
- MINED066 · Rust Panic Macro · CWE-755 · `crates/pi-shell/build.rs:56` · conf 1.00
  [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
- MINED068 · Rust Unsafe Block · CWE-119 · conf 0.20
  [MINED068] Rust Unsafe Block (and 7 more): Same pattern found in 7 additional files. Review if needed.
- MINED068 · Rust Unsafe Block · CWE-119 · `crates/brush-core-vendored/src/processes.rs:211` · conf 1.00
  [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
- MINED068 · Rust Unsafe Block · CWE-119 · `crates/brush-core-vendored/src/sys/unix/commands.rs:56` · conf 1.00
  [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
- MINED068 · Rust Unsafe Block · CWE-119 · `crates/brush-core-vendored/src/sys/unix/fd.rs:55` · conf 1.00
  [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.
- SEC020 · Secret Printed to Logs · `packages/ai/src/providers/google-auth.ts:238` · conf 0.15
  [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
- SEC029 · Server-Side Request Forgery (SSRF) — outbound HTTP from user input · conf 0.20
  [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed.
- SEC045 · eval()/exec() on stored or user-supplied data · `crates/brush-builtins-vendored/src/let_.rs:30` · conf 0.10
  [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
- SEC045 · eval()/exec() on stored or user-supplied data · `crates/brush-core-vendored/src/shell/execution.rs:289` · conf 0.10
  [SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …