← Legacy view v2 (rp.*)

mateiszakwork-cloud/hiro

https://github.com/mateiszakwork-cloud/hiro.git · lang: typescript · LOC: · source: user_submitted

Quality
56.7
Grade C
Security
62.2
Findings
46
2 critical · 9 high
Status
completed
May 25, 2026 15:37
info: 18 low: 10 high: 9 medium: 7 critical: 2
Top rules by occurrence
RuleSeverityCount
SEC100 CORS permissive Access-Control-Allow-Origin: * high 4
MINED056 React Key As Index info 4
MINED044 Js Console Log Prod info 4
AIC003 Duplicated implementation block across source files low 4
MINED052 Ts Any Typed info 4
SEC040 innerHTML XSS — template literal with server-supplied data high 3
JRN009 Secret-like setting is echoed into a password input value high 2
SEC001 Hardcoded Password critical 2
MINED045 Ts Non Null Assertion info 2
CORE_NO_LICENSE No LICENSE file low 1
First 46 findings (severity-sorted)
critical CORE_ENV_FILE .env file committed to repository
.env 
.env file committed to repository
critical SEC009 [SEC009] .env File Committed: .env file with secrets committed to repository.
.env · conf 1.00 
[SEC009] .env File Committed: .env file with secrets committed to repository.
high JRN009 Secret-like setting is echoed into a password input value
src/pages/Login.tsx:163 · conf 0.83 
Secret-like setting is echoed into a password input value
high JRN009 Secret-like setting is echoed into a password input value
src/pages/Register.tsx:169 · conf 0.83 
Secret-like setting is echoed into a password input value
high SEC040 innerHTML XSS — template literal with server-supplied data
src/components/ui/chart.tsx:72 · conf 1.00 
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
supabase/functions/calculate-match-score/index.ts:85 · conf 1.00 
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
supabase/functions/draft-tracker-message/index.ts:88 · conf 1.00 
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC100 CORS permissive Access-Control-Allow-Origin: *
supabase/functions/calculate-match-score/index.ts:5 · conf 1.00 
[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
high SEC100 CORS permissive Access-Control-Allow-Origin: *
supabase/functions/draft-outreach-messages/index.ts:4 · conf 1.00 
[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
high SEC100 CORS permissive Access-Control-Allow-Origin: *
supabase/functions/draft-tracker-message/index.ts:5 · conf 1.00 
[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
src/hooks/use-toast.ts:61 · conf 1.00 
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92 
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium CORE_NO_CI No CI/CD configuration found 
No CI/CD configuration found
medium SEC001 Hardcoded Password
src/pages/Login.tsx:52 · conf 0.30 
[SEC001] Hardcoded Password: Hardcoded password found in source code.
medium SEC001 Hardcoded Password
src/pages/Register.tsx:55 · conf 0.30 
[SEC001] Hardcoded Password: Hardcoded password found in source code.
medium SEC134 AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
src/pages/Register.tsx:151 · conf 1.00 
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78 
Public web service has no security.txt
medium WEB015 Public web app has no Content Security Policy
index.html · conf 0.70 
Public web app has no Content Security Policy
low AIC003 Duplicated implementation block across source files
src/lib/generateCvDocx.ts:7 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/pages/Register.tsx:1 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/pages/Welcome.tsx:58 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
supabase/functions/parse-job/index.ts:1 · conf 0.86 
Duplicated implementation block across source files
low AUC005 [AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
· conf 0.76 
[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
low CORE_NO_LICENSE No LICENSE file 
No LICENSE file
low WEB002 Public web app has no sitemap
sitemap.xml · conf 0.72 
Public web app has no sitemap
low WEB005 robots.txt does not advertise a sitemap
public/robots.txt · conf 0.74 
robots.txt does not advertise a sitemap
low WEB008 Public docs site has no llms.txt
llms.txt · conf 0.64 
Public docs site has no llms.txt
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50 
Public web app has no humans.txt
info MINED044 Js Console Log Prod CWE-532
· conf 0.20 
[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
src/pages/NotFound.tsx:8 · conf 1.00 
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
supabase/functions/calculate-match-score/index.ts:139 · conf 1.00 
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
supabase/functions/draft-tracker-message/index.ts:186 · conf 1.00 
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
supabase/functions/draft-tracker-message/index.ts:117 · conf 1.00 
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
supabase/functions/parse-cv/index.ts:67 · conf 1.00 
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED052 Ts Any Typed CWE-704
· conf 0.20 
[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed.
info MINED052 Ts Any Typed CWE-704
supabase/functions/calculate-match-score/index.ts:70 · conf 1.00 
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
supabase/functions/draft-tracker-message/index.ts:89 · conf 1.00 
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
supabase/functions/generate-interview-prep/index.ts:57 · conf 1.00 
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
supabase/functions/test-linkedin-connection/index.ts:44 · conf 1.00 
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED056 React Key As Index CWE-682
· conf 0.20 
[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed.
info MINED056 React Key As Index CWE-682
src/components/ManualJobModal.tsx:67 · conf 1.00 
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
src/components/onboarding/StepAwards.tsx:51 · conf 1.00 
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
src/components/ProductTour.tsx:68 · conf 1.00 
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED058 React Dangerously Set Html CWE-79
src/components/ui/chart.tsx:70 · conf 1.00 
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.
info SEC020 Secret Printed to Logs
supabase/functions/parse-job/index.ts:49 · conf 0.15 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC100 CORS permissive Access-Control-Allow-Origin: *
· conf 0.20 
[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 5 more): Same pattern found in 5 additional files. Review if needed.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/ecbe478e-97ee-4d3d-90ff-98c1aca2692b/.