cocoindex-io/cocoindex

https://github.com/cocoindex-io/cocoindex · lang: rust · LOC: · source: both

Quality: 80.9 · Grade A-
Security: 86.1
Findings: 11 (3 critical · 2 high)
Status: completed · May 15, 2026 03:47
By severity: critical: 3 · high: 2 · medium: 2 · low: 1 · info: 3

Top rules by occurrence
| Rule | Severity | Count |
|---|---|---|
| SEC004 SQL Injection Risk | high | 4 |
| SEC022 Database URL With Embedded Credential | critical | 4 |
| SEC007 Unsafe Deserialization | medium | 2 |
| SEC020 Secret Printed to Logs | high | 1 |

First 11 findings (severity-sorted)
critical SEC022 Database URL With Embedded Credential
examples/audio_to_text/main.py:25 · conf 0.45
[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working c…
critical SEC022 Database URL With Embedded Credential
examples/code_embedding/main.py:37 · conf 0.45
[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working c…
critical SEC022 Database URL With Embedded Credential
examples/entire_session_search/main.py:44 · conf 0.45
[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working c…
high SEC004 SQL Injection Risk
python/cocoindex/connectors/doris/_target.py:696 · conf 0.50
[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
high SEC004 SQL Injection Risk
python/cocoindex/connectors/postgres/_source.py:132 · conf 0.85
[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
medium SEC007 Unsafe Deserialization
python/cocoindex/_internal/function.py:1069 · conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
medium SEC007 Unsafe Deserialization
python/cocoindex/_internal/runner.py:173 · conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
low SEC004 SQL Injection Risk
python/cocoindex/connectors/sqlite/_target.py:496 · conf 0.20
[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
info SEC004 SQL Injection Risk
· conf 0.20
[SEC004] SQL Injection Risk (and 1 more): Same pattern found in 1 additional files. Review if needed.
info SEC020 Secret Printed to Logs
examples/text_embedding_turbopuffer/main.py:148 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC022 Database URL With Embedded Credential
· conf 0.20
[SEC022] Database URL With Embedded Credential (and 6 more): Same pattern found in 6 additional files. Review if needed.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/ecebda09-0cac-4f20-b198-ea898eaf9be2/.