← Legacy view v2 (rp.*)

totosugito/fin-man

https://github.com/totosugito/fin-man · lang: typescript · LOC: · source: user_submitted

Quality
46.8
Grade D+
Security
70.3
Findings
56
2 critical · 4 high
Status
completed
May 29, 2026 10:06
low: 24 info: 22 high: 4 medium: 4 critical: 2
Top rules by occurrence
RuleSeverityCount
AIC003 Duplicated implementation block across source files low 20
MINED044 Js Console Log Prod info 4
MINED052 Ts Any Typed info 4
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… high 4
MINED054 Ts As Any info 4
MINED056 React Key As Index info 4
MINED045 Ts Non Null Assertion info 3
MINED043 Http Not Https info 1
SEC009 [SEC009] .env File Committed: .env file with secrets commit… critical 1
WEB011 Public web app has no humans.txt low 1
First 56 findings (severity-sorted)
critical CORE_ENV_FILE .env file committed to repository
.env 
.env file committed to repository
critical SEC009 [SEC009] .env File Committed: .env file with secrets committed to repository.
.env · conf 1.00 
[SEC009] .env File Committed: .env file with secrets committed to repository.
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
backend/src/routes/admin/user/detail.ts:99 · conf 1.00 
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
backend/src/routes/admin/user/list.ts:182 · conf 1.00 
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
backend/src/routes/admin/user/update.ts:160 · conf 1.00 
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC040 innerHTML XSS — template literal with server-supplied data
src/components/custom/charts/ReactECharts.tsx:299 · conf 1.00 
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
medium AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92 
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
medium CORE_NO_CI No CI/CD configuration found 
No CI/CD configuration found
medium SEC041 Tabnabbing — target="_blank" without rel="noopener noreferrer"
src/components/custom/forms/FormUpload.tsx:116 · conf 1.00 
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
medium WEB003 Public web service has no security.txt
.well-known/security.txt · conf 0.78 
Public web service has no security.txt
low AIC003 Duplicated implementation block across source files
backend/src/routes/admin/user/detail.ts:34 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/admin/user/list.ts:52 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/admin/user/reset-password.ts:26 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/admin/user/reset-password.ts:40 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/admin/user/update.ts:35 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/admin/user/update.ts:37 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/v1/project/create.ts:31 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/v1/project/delete.ts:7 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/v1/project/events.ts:24 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/v1/project/gantt-view.ts:74 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/v1/project/list.ts:16 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/v1/project/list.ts:43 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/v1/project/update.ts:34 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/v1/project/update.ts:36 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/v1/project/update.ts:63 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
backend/src/routes/v1/user.hook.ts:1 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/components/pages/project/list/ProjectGanttViewDetails.tsx:27 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/routes/__authenticated/project/$id.tsx:37 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/routes/__authenticated/project/list.tsx:44 · conf 0.86 
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/routes/__authenticated/project/list.tsx:187 · conf 0.86 
Duplicated implementation block across source files
low CORE_NO_LICENSE No LICENSE file 
No LICENSE file
low WEB001 Public web app has no robots.txt
robots.txt · conf 0.74 
Public web app has no robots.txt
low WEB002 Public web app has no sitemap
sitemap.xml · conf 0.72 
Public web app has no sitemap
low WEB011 Public web app has no humans.txt
humans.txt · conf 0.50 
Public web app has no humans.txt
info MINED043 Http Not Https CWE-319
backend/src/config/env.config.ts:58 · conf 1.00 
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20 
[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
backend/src/auth.ts:35 · conf 1.00 
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
backend/src/scripts/init-data.ts:70 · conf 1.00 
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
backend/src/scripts/init-user.ts:41 · conf 1.00 
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
backend/src/routes/v1/project/create.ts:135 · conf 1.00 
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
backend/src/routes/v1/project-event/create.ts:201 · conf 1.00 
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
backend/src/routes/v1/project/update.ts:125 · conf 1.00 
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED052 Ts Any Typed CWE-704
· conf 0.20 
[MINED052] Ts Any Typed (and 28 more): Same pattern found in 28 additional files. Review if needed.
info MINED052 Ts Any Typed CWE-704
backend/src/routes/v1/project-event/update.ts:67 · conf 1.00 
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
backend/src/scripts/init-data.ts:56 · conf 1.00 
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
src/components/app/AppNavbar.tsx:29 · conf 1.00 
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
· conf 0.20 
[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed.
info MINED054 Ts As Any CWE-704
backend/src/routes/v1/project-event/list-by-year-month.ts:167 · conf 1.00 
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
backend/src/routes/v1/project-event/list.ts:113 · conf 1.00 
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
backend/src/routes/v1/project/events.ts:201 · conf 1.00 
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED056 React Key As Index CWE-682
· conf 0.20 
[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed.
info MINED056 React Key As Index CWE-682
src/components/custom/skeleton/SkeTable.tsx:22 · conf 1.00 
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
src/components/custom/table/data-table-pagination.tsx:177 · conf 1.00 
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info MINED056 React Key As Index CWE-682
src/components/custom/table/PaginationData.tsx:92 · conf 1.00 
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
info SEC020 Secret Printed to Logs
backend/src/auth.ts:35 · conf 0.15 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20 
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/ee7d3aaf-6c31-433d-b721-478c750ea54b/.