prometheus/prometheus

[MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.

[MINED116] Workflow uses `secrets.PROMBOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PROMBOT_GITHUB…

[MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NPM_TOKEN }` lets a PR fr…

[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.

[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.

[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.

[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.

[MINED118] Dockerfile FROM `quay.io/prometheus/busybox- (no tag)` not pinned by digest: `FROM quay.io/prometheus/busybox- (no tag)` resolves the tag at build time. The registry CAN re-push a differen…

[MINED118] Dockerfile FROM `gcr.io/distroless/static-debian13:nonroot-` not pinned by digest: `FROM gcr.io/distroless/static-debian13:nonroot-` resolves the tag at build time. The registry CAN re-pus…

[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pull…

[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pull…

[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pull…

[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pull…

[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.25-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.25-base` without `@sha256:...` pull…

[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pull…

[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pull…

[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pull…

[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder:1.26-base` unpinned: `container/services image: quay.io/prometheus/golang-builder:1.26-base` without `@sha256:...` pull…

[MINED126] Workflow container/services image `quay.io/prometheus/golang-builder` unpinned: `container/services image: quay.io/prometheus/golang-builder` without `@sha256:...` pulls a mutable tag at w…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `A…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

Agent control bridge may listen on a network interface without visible auth

Agent control bridge may listen on a network interface without visible auth

Agent control bridge may listen on a network interface without visible auth

[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces — exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0).

[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces — exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0).

[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).

[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

.dockerignore misses sensitive defaults

[ERR003] Ignored Error (Go): Ignoring error return values.

[ERR003] Ignored Error (Go): Ignoring error return values.

[ERR003] Ignored Error (Go): Ignoring error return values.

Dockerfile base image is selected through a build variable

Dockerfile base image is selected through a build variable

[ERR003] Ignored Error (Go) (and 8 more): Same pattern found in 8 additional files. Review if needed.

[MINED016] Go Error Ignored (and 11 more): Same pattern found in 11 additional files. Review if needed.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED045] Ts Non Null Assertion (and 1 more): Same pattern found in 1 additional files. Review if needed.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.

[MINED056] React Key As Index (and 18 more): Same pattern found in 18 additional files. Review if needed.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.

[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.

[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data.

[MINED060] Go Context No Cancel (and 14 more): Same pattern found in 14 additional files. Review if needed.

[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.

[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.

[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.

[MINED071] Go Panic Call (and 23 more): Same pattern found in 23 additional files. Review if needed.

[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.

[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.

[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed.