https://github.com/dograh-hq/dograh.git · lang: python · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| JRN003 Frontend API reference is not matched by discovered backend… | medium | 15 |
| AUC009 [AUC009] Sensitive function route lacks elevated authorizat… | medium | 9 |
| DKC006 Compose service does not declare a runtime user | low | 5 |
| DKC007 Compose service contains a literal secret environment value | medium | 4 |
| DKC010 Compose service lacks no-new-privileges hardening | low | 4 |
| SEC020 Secret Printed to Logs | high | 3 |
| ERR001 [ERR001] Silent Exception Swallowing (and 2 more): Same pat… | info | 3 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 3 |
| SEC034 Log Injection / Log Forging — unsanitized user input in log | medium | 3 |
| Rule | Finding | Location | Conf | Detail |
|---|---|---|---|---|
| DKC007 | Compose service contains a literal secret environment value | `docker-compose.yaml:1` | 0.96 | |
| DKC007 | Compose service contains a literal secret environment value | `docker-compose.yaml:40` | 0.96 | |
| DKC007 | Compose service contains a literal secret environment value | `docker-compose.yaml:61` | 0.96 | |
| DKC007 | Compose service contains a literal secret environment value | `docker-compose.yaml:124` | 0.96 | |
| DKR005 | Docker image bakes a secret-like ENV value | `ui/Dockerfile:42` | 0.96 | |
| JRN001 | Token handoff appears to use a callback URL or fragment | `ui/src/app/workflow/[workflowId]/run/[runId]/hooks/useWebSocketRTC.tsx:96` | 0.88 | |
| AUC003 | [AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: `ANY /plugins/<slug:plugin_slug>/`. | `evals/visualizer/src/app/api/results/[id]/route.ts:7` | 0.70 | |
| DKC011 | Database service publishes a host port | `docker-compose.yaml:24` | 0.84 | |
| JRN009 | Secret-like setting is echoed into a password input value | `ui/src/app/auth/login/page.tsx:70` | 0.83 | |
| JRN009 | Secret-like setting is echoed into a password input value | `ui/src/app/auth/signup/page.tsx:82` | 0.83 | |
| SEC020 | Secret Printed to Logs | `api/db/embed_token_client.py:68` | 0.85 | [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro… |
| SEC020 | Secret Printed to Logs | `api/routes/public_download.py:50` | 0.85 | [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro… |
| SEC020 | Secret Printed to Logs | `ui/src/app/after-sign-in/page.tsx:20` | 0.85 | [SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | `api/routes/campaign.py:927` | 1.00 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | `api/routes/knowledge_base.py:35` | 1.00 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | `api/routes/public_download.py:77` | 1.00 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| AGT012 | Agent control bridge may listen on a network interface without visible auth | `docker-compose.yaml:30` | 0.72 | |
| AUC001 | [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define `.repobility/access.yml` or equivalent authorization documentation. | | 0.92 | |
| AUC002 | [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence. | | 0.74 | [AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence. |
| AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. | `evals/visualizer/src/app/api/audio/[filename]/route.ts:15` | 0.68 | |
| AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. | `evals/visualizer/src/app/api/results/[id]/route.ts:7` | 0.68 | |
| AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. | `evals/visualizer/src/app/api/results/route.ts:8` | 0.68 | |
| AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. | `ui/src/app/api/auth/oss/route.ts:14` | 0.68 | |
| AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. | `ui/src/app/api/auth/session/route.ts:7` | 0.68 | |
| AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. | `ui/src/app/api/config/auth/route.ts:6` | 0.68 | |
| AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. | `ui/src/app/api/config/sentry/route.ts:3` | 0.68 | |
| AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. | `ui/src/app/api/config/version/route.ts:9` | 0.68 | |
| AUC009 | [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: `DELETE /items/{item_id}`. | `ui/src/app/impersonate/route.ts:11` | 0.68 | |
| DKR001 | Docker final stage has no non-root USER | `api/Dockerfile:59` | 0.82 | |
| DKR002 | Dockerfile base image has no explicit tag | `docker-compose.yaml:40` | 0.90 | Compose service `minio` image has no explicit tag |
| DKR003 | Dockerfile base image uses the latest tag | `docker-compose.yaml:236` | 0.94 | Compose service `cloudflared` image uses the latest tag |
| ERR001 | [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed. | `api/routes/campaign.py:37` | 1.00 | [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level. |
| ERR001 | [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed. | `api/routes/organization.py:900` | 1.00 | [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level. |
| ERR001 | [ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed. | `api/services/filesystem/local.py:88` | 1.00 | [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level. |
| ERR002 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. | `ui/src/app/layout.tsx:56` | 1.00 | |
| ERR002 | [ERR002] Empty Catch Block: Empty catch blocks hide errors. | `ui/src/components/layout/GitHubStarBadge.tsx:29` | 1.00 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `api/mcp_server/ts_validator/src/types.ts:3` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `evals/visualizer/src/app/page.tsx:38` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `evals/visualizer/src/app/view/[id]/page.tsx:30` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `evals/visualizer/src/app/view/[id]/page.tsx:88` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `sdk/typescript/src/_generated_models.ts:7` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `sdk/typescript/src/_generated_models.ts:28` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `sdk/typescript/src/_generated_models.ts:52` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `sdk/typescript/src/_generated_models.ts:75` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `sdk/typescript/src/_generated_models.ts:98` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `sdk/typescript/src/_generated_models.ts:128` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `sdk/typescript/src/_generated_models.ts:151` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `sdk/typescript/src/_generated_models.ts:178` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `sdk/typescript/src/_generated_models.ts:201` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `sdk/typescript/src/_generated_models.ts:221` | 0.74 | |
| JRN003 | Frontend API reference is not matched by discovered backend routes | `sdk/typescript/src/_generated_models.ts:244` | 0.74 | |
| SEC014 | SSL Verification Disabled | `api/tasks/arq.py:28` | 1.00 | [SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks. |
| SEC015 | Insecure Randomness for Security | `api/services/workflow/qa/llm_config.py:63` | 1.00 | [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable. |
| SEC034 | Log Injection / Log Forging — unsanitized user input in log | `api/db/user_client.py:88` | 1.00 | [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra… |
| SEC034 | Log Injection / Log Forging — unsanitized user input in log | `api/routes/knowledge_base.py:144` | 1.00 | [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra… |
| SEC034 | Log Injection / Log Forging — unsanitized user input in log | `api/routes/s3_signed_url.py:317` | 1.00 | [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra… |
| WEB003 | Public web service has no security.txt | `.well-known/security.txt` | 0.78 | |
| AIC003 | Duplicated implementation block across source files | `api/alembic/versions/6d2f94baf4b7_add_ari_mode.py:26` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/alembic/versions/a188ff90e76f_add_vobiz_mode_for_workflow.py:14` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/alembic/versions/b3a1c7e94f12_add_telnyx_mode.py:11` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/alembic/versions/b3a1c7e94f12_add_telnyx_mode.py:27` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/alembic/versions/e02f387b7538_add_embed_token_model.py:93` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/alembic/versions/e02f387b7538_add_embed_token_model.py:99` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/alembic/versions/e02f387b7538_add_embed_token_model.py:113` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/alembic/versions/f2e1d0c9b8a7_add_plivo_mode.py:21` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/alembic/versions/f2e1d0c9b8a7_add_plivo_mode.py:23` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/alembic/versions/f2e1d0c9b8a7_add_plivo_mode.py:28` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/alembic/versions/f2e1d0c9b8a7_add_plivo_mode.py:31` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/db/organization_usage_client.py:297` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/db/workflow_run_client.py:242` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/campaign/sources/google_sheets.py:118` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/pipecat/realtime/openai_realtime.py:46` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/providers/cloudonix/transport.py:49` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/providers/plivo/routes.py:56` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/providers/plivo/transport.py:40` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/providers/telnyx/transport.py:42` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/providers/twilio/provider.py:219` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/providers/twilio/routes.py:45` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/providers/twilio/routes.py:67` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/providers/twilio/transport.py:41` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/providers/vobiz/__init__.py:28` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/providers/vobiz/provider.py:268` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/providers/vonage/transport.py:37` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/telephony/status_processor.py:46` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/workflow/node_specs/end_call.py:88` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `api/services/workflow/node_specs/start_call.py:90` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | `evals/stt/event_capture.py:175` | 0.86 | |
| DKC006 | Compose service does not declare a runtime user | `docker-compose.yaml:1` | 0.56 | |
| DKC006 | Compose service does not declare a runtime user | `docker-compose.yaml:102` | 0.56 | |
| DKC006 | Compose service does not declare a runtime user | `docker-compose.yaml:124` | 0.56 | |
| DKC006 | Compose service does not declare a runtime user | `docker-compose.yaml:206` | 0.56 | |
| DKC006 | Compose service does not declare a runtime user | `docker-compose.yaml:236` | 0.56 | |
| DKC010 | Compose service lacks no-new-privileges hardening | `docker-compose.yaml:102` | 0.62 | |
| DKC010 | Compose service lacks no-new-privileges hardening | `docker-compose.yaml:124` | 0.62 | |
| DKC010 | Compose service lacks no-new-privileges hardening | `docker-compose.yaml:206` | 0.62 | |
| DKC010 | Compose service lacks no-new-privileges hardening | `docker-compose.yaml:236` | 0.62 | |
| DKC011 | Database service publishes a host port | `docker-compose.yaml:40` | 0.58 | Database service publishes a loopback host port |
| DKR008 | .dockerignore misses sensitive defaults | `.dockerignore` | 0.72 | |
| DKR010 | Dockerfile leaves apt package indexes in the image layer | `api/Dockerfile:50` | 0.74 | |
| DKR011 | Dockerfile installs recommended OS packages | `api/Dockerfile:8` | 0.72 | |
| WEB005 | robots.txt does not advertise a sitemap | `api/services/telephony/providers/twilio/provider.py` | 0.74 | |
Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/fca85d4e-dcc0-4eb6-858e-36c136019350/.