
portainer/portainer

https://github.com/portainer/portainer · lang: typescript · LOC: · source: user_submitted

Quality
75.2
Grade B+
Security
100.0
Findings
156
5 critical · 32 high
Status
completed
May 24, 2026 00:00
low: 63 info: 40 high: 32 medium: 16 critical: 5
Top rules by occurrence
Rule · Severity · Count
AIC003 Duplicated implementation block across source files low 30
AIC002 Source file name looks like an AI patch artifact low 18
MINED060 Go Context No Cancel info 4
SEC045 eval()/exec() on stored or user-supplied data medium 4
ERR003 [ERR003] Ignored Error (Go): Ignoring error return values. medium 4
SEC040 innerHTML XSS — template literal with server-supplied data high 4
SEC132 String concat where the language has interpolation (AI styl… low 4
MINED031 React Direct State Mutation high 4
MINED044 Js Console Log Prod info 4
MINED045 Ts Non Null Assertion info 4
First 156 findings (severity-sorted)
critical DKC008 Compose service mounts the Docker socket
build/docker-extension/docker-compose.yml:3 · conf 0.98
Compose service mounts the Docker socket
critical MINED019 Ssti Jinja From String CWE-94
api/http/handler/customtemplates/handler.go:50 · conf 1.00
[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) — full RCE via templates.
critical MINED024 Js Eval Usage CWE-95
app/portainer/components/focusIf.js:19 · conf 1.00
[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
critical MINED024 Js Eval Usage CWE-95
app/portainer/components/onEnterKey.js:10 · conf 1.00
[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
critical SEC001 Hardcoded Password
app/portainer/services/authentication.js:6 · conf 0.90
[SEC001] Hardcoded Password: Hardcoded password found in source code.
high JRN009 Secret-like setting is echoed into a password input value
app/react/portainer/gitops/AuthFieldset/CredentialsSection.tsx:91 · conf 0.83
Secret-like setting is echoed into a password input value
high JRN009 Secret-like setting is echoed into a password input value
app/react/portainer/registries/CreateView/RegistryFormDockerhub/RegistryFormDockerhub.tsx:107 · conf 0.83
Secret-like setting is echoed into a password input value
high MINED014 Disabled Tls Verify CWE-295
api/http/handler/endpoints/endpoint_update.go:244 · conf 1.00
[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
high MINED014 Disabled Tls Verify CWE-295
app/portainer/models/endpoint/formValues.js:9 · conf 1.00
[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
high MINED016 Go Error Ignored CWE-754
api/archive/tar.go:58 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED016 Go Error Ignored CWE-754
api/archive/targz.go:83 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED016 Go Error Ignored CWE-754
api/backup/backup.go:92 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED027 React State Array Mutation CWE-682
app/docker/components/log-viewer/logViewerController.js:70 · conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
high MINED027 React State Array Mutation CWE-682
app/docker/views/networks/create/createNetworkController.js:95 · conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
high MINED031 React Direct State Mutation CWE-682
app/agent/components/host-browser/hostBrowserController.js:57 · conf 1.00
[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render.
high MINED031 React Direct State Mutation CWE-682
app/agent/components/volume-browser/volumeBrowserController.js:103 · conf 1.00
[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render.
high MINED031 React Direct State Mutation CWE-682
app/docker/components/log-viewer/logViewerController.js:33 · conf 1.00
[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render.
high MINED033 Go Recover Without Log CWE-755
api/http/middlewares/panic_logger.go:13 · conf 1.00
[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
high MINED033 Go Recover Without Log CWE-755
api/pendingactions/pendingactions.go:141 · conf 1.00
[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.
high MINED122 package.json dep pulled from git URL or tarball CWE-829
package.json:1 · conf 0.90
[MINED122] package.json dep `axios-progress-bar` pulled from URL/Git: `dependencies.axios-progress-bar` = `git://github.com/portainer/progress-bar-4-axios` bypasses the npm registry. No integrity has…
high SEC005 Command Injection Risk
api/http/proxy/factory/kubernetes/pods.go:18 · conf 0.80
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
high SEC005 Command Injection Risk
api/http/proxy/factory/kubernetes/transport.go:99 · conf 0.80
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
api/agent/version.go:28 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
api/cli/cli.go:183 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
api/exec/kubernetes_deploy.go:96 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC040 innerHTML XSS — template literal with server-supplied data
app/assets/css/colors.ts:5 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
app/docker/helpers/containers.ts:8 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
app/docker/models/config.ts:48 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC069 Dockerfile: no USER directive (runs as root)
app/react/docker/images/ItemView/DockerfileDetails.tsx:1 · conf 1.00
[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level…
high SEC083 JS: new RegExp() with non-literal
app/docker/components/imageRegistry/por-image-registry.controller.js:49 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC083 JS: new RegExp() with non-literal
app/docker/helpers/logHelper/formatZerologLogs.ts:43 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC083 JS: new RegExp() with non-literal
app/react/components/ImageConfigFieldset/SimpleForm.tsx:115 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
app/docker/views/images/import/importImageController.js:62 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
app/react/components/CodeEditor/useCodeEditorExtensions.ts:30 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
api/apikey/service.go:135 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
api/docker/images/status.go:275 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
.storybook/public/mockServiceWorker.js:75 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AIC004 Suspicious implementation file appears unreferenced
api/http/handler/edgestacks/edgestack_status_update.go:1 · conf 0.78
Suspicious implementation file appears unreferenced
medium AIC004 Suspicious implementation file appears unreferenced
api/http/handler/endpoints/endpoint_settings_update.go:1 · conf 0.78
Suspicious implementation file appears unreferenced
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium CORE_NO_CI No CI/CD configuration found
No CI/CD configuration found
medium DKR001 Docker final stage has no non-root USER
build/linux/Dockerfile:1 · conf 0.82
Docker final stage has no non-root USER
medium DKR002 Dockerfile base image has no explicit tag
build/linux/Dockerfile:1 · conf 0.90
Dockerfile base image has no explicit tag
medium SEC014 SSL Verification Disabled
api/http/handler/endpoints/endpoint_update.go:244 · conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
medium SEC014 SSL Verification Disabled
app/portainer/models/endpoint/formValues.js:9 · conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
medium SEC045 eval()/exec() on stored or user-supplied data
app/docker/views/images/import/importImageController.js:62 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
app/portainer/components/focusIf.js:19 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
app/portainer/components/onEnterKey.js:10 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC089 Go: bind to all interfaces (0.0.0.0)
api/http/proxy/factory/agent.go:74 · conf 1.00
[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces — exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0).
medium SEC091 Go: net/http server without timeouts
api/http/proxy/factory/agent.go:60 · conf 1.00
[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78
Public web service has no security.txt
medium WEB012 Service worker is present without a web app manifest
manifest.json · conf 0.72
Service worker is present without a web app manifest
medium WEB015 Public web app has no Content Security Policy
index.html · conf 0.70
Public web app has no Content Security Policy
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/customtemplates/customtemplate_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/edgegroups/edgegroup_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/edgejobs/edgejob_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/edgestacks/edgestack_status_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/edgestacks/edgestack_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/endpointgroups/endpointgroup_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/endpoints/endpoint_settings_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/endpoints/endpoint_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/registries/registry_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/resourcecontrols/resourcecontrol_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/settings/settings_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/ssl/ssl_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/stacks/stack_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/teammemberships/teammembership_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/teams/team_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/users/user_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
api/http/handler/webhooks/webhook_update.go:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC002 Source file name looks like an AI patch artifact
app/react/common/stacks/common/confirm-stack-update.ts:1 · conf 0.62
Source file name looks like an AI patch artifact
low AIC003 Duplicated implementation block across source files
api/dataservices/endpoint/tx.go:92 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/extension/extension.go:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/resourcecontrol/tx.go:17 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/schedule/schedule.go:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/settings/settings.go:8 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/settings/settings.go:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/ssl/ssl.go:8 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/ssl/ssl.go:13 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/ssl/ssl.go:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/stack/tx.go:16 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/team/tx.go:15 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/tunnelserver/tunnelserver.go:8 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/user/user.go:37 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/dataservices/version/version.go:16 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/customtemplates/customtemplate_inspect.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/endpointproxy/proxy_docker.go:12 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/endpointproxy/proxy_docker.go:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/endpointproxy/proxy_kubernetes.go:12 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/endpointproxy/proxy_kubernetes.go:27 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/gitops/sources/update_git.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/gitops/workflows/handler.go:8 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/kubernetes/persistent_volumes.go:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/roles/handler.go:2 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/stacks/create_swarm_stack.go:106 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/stacks/stack_inspect.go:14 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/stacks/stack_start.go:81 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/stacks/stack_stop.go:18 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/stacks/stack_stop.go:48 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/stacks/stack_update_git_redeploy.go:58 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
api/http/handler/stacks/update_kubernetes_stack.go:64 · conf 0.86
Duplicated implementation block across source files
low AIC007 Generated build artifact directory is present at repository root
build:1 · conf 0.70
Generated build artifact directory is present at repository root
low DKC006 Compose service does not declare a runtime user
build/docker-extension/docker-compose.yml:3 · conf 0.56
Compose service does not declare a runtime user
low DKR008 .dockerignore misses sensitive defaults
.dockerignore · conf 0.72
.dockerignore misses sensitive defaults
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
api/agent/version.go:45 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
api/chisel/service.go:93 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
api/chisel/tunnel.go:244 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low SEC006 XSS Risk
app/assets/css/colors.ts:5 · conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
low SEC075 Dockerfile: no HEALTHCHECK
app/react/docker/images/ItemView/DockerfileDetails.tsx:1 · conf 1.00
[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive — orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if…
low SEC132 String concat where the language has interpolation (AI style drift)
api/docker/images/image.go:162 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
low SEC132 String concat where the language has interpolation (AI style drift)
api/http/handler/kubernetes/deprecated_routes.go:53 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
low SEC132 String concat where the language has interpolation (AI style drift)
api/http/handler/websocket/attach.go:129 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
low WEB001 Public web app has no robots.txt
robots.txt · conf 0.74
Public web app has no robots.txt
low WEB002 Public web app has no sitemap
sitemap.xml · conf 0.72
Public web app has no sitemap
low WEB008 Public docs site has no llms.txt
llms.txt · conf 0.64
Public docs site has no llms.txt
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50
Public web app has no humans.txt
info DKR002 Dockerfile base image has no explicit tag
build/docker-extension/docker-compose.yml:3 · conf 0.48
Compose service `portainer` image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
build/windows/Dockerfile:3 · conf 0.48
Dockerfile base image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
build/windows/Dockerfile:5 · conf 0.48
Dockerfile base image is selected through a build variable
info ERR003 [ERR003] Ignored Error (Go): Ignoring error return values.
· conf 0.20
[ERR003] Ignored Error (Go) (and 13 more): Same pattern found in 13 additional files. Review if needed.
info MINED016 Go Error Ignored CWE-754
· conf 0.20
[MINED016] Go Error Ignored (and 26 more): Same pattern found in 26 additional files. Review if needed.
info MINED031 React Direct State Mutation CWE-682
· conf 0.20
[MINED031] React Direct State Mutation (and 22 more): Same pattern found in 22 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
· conf 0.20
[MINED043] Http Not Https (and 10 more): Same pattern found in 10 additional files. Review if needed.
info MINED043 Http Not Https CWE-319
api/aws/ecr/parse_endpoints.go:38 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
api/chisel/service.go:78 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED043 Http Not Https CWE-319
api/cli/cli.go:48 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
app/docker/components/imageRegistry/por-image-registry-rate-limits.controller.js:38 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
app/docker/helpers/splitargs.ts:12 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
.storybook/preview.tsx:13 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 2 more): Same pattern found in 2 additional files. Review if needed.
info MINED045 Ts Non Null Assertion CWE-476
app/react/components/buttons/DeleteButton.tsx:87 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
app/react/components/datatables/editable/actionsColumn.tsx:15 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
app/react/components/form-components/InputList/InputList.tsx:97 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED056 React Key As Index CWE-682
· conf 0.20
[MINED056] React Key As Index (and 12 more): Same pattern found in 12 additional files. Review if needed.
info MINED056 React Key As Index CWE-682
app/react/components/BoxSelector/BoxSelector.tsx:79 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
app/react/components/DetailsTable/DetailsRow.tsx:29 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
app/react/components/PageHeader/Breadcrumbs/Breadcrumbs.tsx:31 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED058 React Dangerously Set Html CWE-79
app/react/components/Tip/Tooltip/Tooltip.tsx:37 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
info MINED060 Go Context No Cancel CWE-401
· conf 0.20
[MINED060] Go Context No Cancel (and 31 more): Same pattern found in 31 additional files. Review if needed.
info MINED060 Go Context No Cancel CWE-401
api/concurrent/concurrent.go:21 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
api/docker/images/digest.go:175 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
api/http/handler/endpoints/endpoint_force_update_service.go:85 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED071 Go Panic Call CWE-755
api/cli/cli.go:114 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED071 Go Panic Call CWE-755
api/datastore/teststore.go:49 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED088 React Conditional Hook CWE-682
app/react/docker/containers/CreateView/VolumesTab/context.ts:11 · conf 1.00
[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks.
info MINED098 Global Scope Pollution
app/index.js:26 · conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
info MINED098 Global Scope Pollution
app/portainer/services/authentication.js:22 · conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
info SEC001 Hardcoded Password
app/docker/views/volumes/create/createVolumeController.js:85 · conf 0.10
[SEC001] Hardcoded Password: Hardcoded password found in source code.
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 79 more): Same pattern found in 79 additional files. Review if needed.
info SEC040 innerHTML XSS — template literal with server-supplied data
· conf 0.20
[SEC040] innerHTML XSS — template literal with server-supplied data (and 8 more): Same pattern found in 8 additional files. Review if needed.
info SEC045 eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional file. Review if needed.
info SEC083 JS: new RegExp() with non-literal
· conf 0.20
[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional file. Review if needed.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
.storybook/public/mockServiceWorker.js:112 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed.
info SEC132 String concat where the language has interpolation (AI style drift)
· conf 0.20
[SEC132] String concat where the language has interpolation (AI style drift) (and 3 more): Same pattern found in 3 additional files. Review if needed.
