https://github.com/strapi/strapi.git
lang: typescript
LOC:
source: both
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 29 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| MINED116 GHA pull_request workflow leaks secrets to forks | critical | 9 |
| JRN002 Browser storage is used for session token material | medium | 7 |
| SEC040 innerHTML XSS — template literal with server-supplied data | high | 3 |
| ERR002 Empty Catch Block | medium | 3 |
| MINED054 Ts As Any | info | 3 |
| SEC136 AI-typical over-broad exception handler swallowing all errors | medium | 3 |
| MINED027 React State Array Mutation | high | 3 |
| SEC085 JS: child_process.exec with non-literal | high | 3 |
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/changeFreeze.yml:19
· conf 0.90
[MINED116] Workflow uses `secrets.CHECK_OWNERSHIP_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CHECK_OWNERSH…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/docs-flag-notification.yml:17
· conf 0.90
[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_DOCUMENTATION_OPS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLA…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/pr-reviewer.yml:25
· conf 0.90
[MINED116] Workflow uses `secrets.PR_REVIEW_ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PR_REVI…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/tests.yml:284
· conf 0.90
[MINED116] Workflow uses `secrets.TRUNK_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRUNK_API_TOKEN }` …
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/tests.yml:335
· conf 0.90
[MINED116] Workflow uses `secrets.TRUNK_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TRUNK_API_TOKEN }` …
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/tests.yml:613
· conf 0.90
[MINED116] Workflow uses `secrets.SONAR_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SONAR_TOKEN }` lets a P…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/tests.yml:614
· conf 0.90
[MINED116] Workflow uses `secrets.SONAR_HOST_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SONAR_HOST_URL }` le…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/tests.yml:622
· conf 0.90
[MINED116] Workflow uses `secrets.SONAR_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SONAR_TOKEN }` lets a P…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/tests.yml:623
· conf 0.90
[MINED116] Workflow uses `secrets.SONAR_HOST_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SONAR_HOST_URL }` le…
SEC084
JS: require() with non-literal
packages/core/core/src/loaders/plugins/get-enabled-plugins.ts:100
· conf 1.00
[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
MINED014
Disabled Tls Verify
CWE-295
examples/complex/scripts/setup-v4-project.js:159
· conf 1.00
[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
MINED027
React State Array Mutation
CWE-682
packages/core/admin/admin/src/pages/Settings/pages/ApiTokens/EditView/reducer.ts:80
· conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
MINED027
React State Array Mutation
CWE-682
packages/core/content-type-builder/admin/src/components/DataManager/undoRedo.ts:79
· conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
MINED027
React State Array Mutation
CWE-682
packages/core/database/src/query/query-builder.ts:240
· conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
MINED031
React Direct State Mutation
CWE-682
packages/core/database/src/query/query-builder.ts:457
· conf 1.00
[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render.
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/adminBundleSize.yml:24
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/adminBundleSize.yml:25
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/adminBundleSize.yml:35
· conf 0.90
[MINED115] Action `preactjs/compressed-size-action` pinned to mutable ref `@v2`: `uses: preactjs/compressed-size-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the ac…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/caniuse.yml:17
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/caniuse.yml:25
· conf 0.90
[MINED115] Action `c2corg/browserslist-update-action` pinned to mutable ref `@v2`: `uses: c2corg/browserslist-update-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by th…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/changeFreeze.yml:16
· conf 0.90
[MINED115] Action `tspascoal/get-user-teams-membership` pinned to mutable ref `@v3`: `uses: tspascoal/get-user-teams-membership@v3` resolves at workflow-run time. Tags and branches can be re-pushed b…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/changeFreeze.yml:30
· conf 0.90
[MINED115] Action `thollander/actions-comment-pull-request` pinned to mutable ref `@v2`: `uses: thollander/actions-comment-pull-request@v2` resolves at workflow-run time. Tags and branches can be re-…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/clean-up-pr-caches.yml:15
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/close_stale_issues.yml:14
· conf 0.90
[MINED115] Action `actions/stale` pinned to mutable ref `@v10`: `uses: actions/stale@v10` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actio…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:22
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:42
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:65
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:75
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:102
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:112
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:134
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:144
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:162
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:172
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:191
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/issues_handleLabel.yml:199
· conf 0.90
[MINED115] Action `actions-cool/issues-helper` pinned to mutable ref `@v3`: `uses: actions-cool/issues-helper@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/pr-reviewer.yml:18
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/publish-release.yml:30
· conf 0.90
[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v1`: `uses: actions/create-github-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the ac…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/publish-release.yml:35
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/publish-release.yml:41
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/cli/create-strapi-app/src/utils/template.ts:67
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/core/admin/admin/src/pages/Settings/pages/ApplicationInfo/components/LogoInput.tsx:234
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/core/admin/admin/src/pages/Settings/pages/ApplicationInfo/utils/files.ts:45
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC033
Prototype Pollution — unfiltered merge of user object
packages/core/core/src/loaders/admin.ts:13
· conf 1.00
[SEC033] Prototype Pollution — unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject propert…
SEC040
innerHTML XSS — template literal with server-supplied data
examples/complex/scripts/bench-compare.js:490
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
packages/core/content-manager/server/src/homepage/services/homepage.ts:32
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
packages/core/content-manager/server/src/services/components.ts:110
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC083
JS: new RegExp() with non-literal
packages/core/content-manager/admin/src/pages/EditView/components/FormInputs/UID.tsx:66
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC083
JS: new RegExp() with non-literal
packages/core/content-manager/admin/src/utils/validation.ts:263
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC083
JS: new RegExp() with non-literal
packages/core/content-manager/server/src/controllers/validation/index.ts:26
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
examples/complex/scripts/db-mariadb.js:53
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
examples/complex/scripts/db-mysql.js:54
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
examples/complex/scripts/db-postgres.js:61
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
examples/complex/scripts/bench-hook.js:60
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
packages/admin-test-utils/src/setup.ts:222
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
packages/cli/cloud/src/deploy-project/action.ts:137
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
AGT012
Agent control bridge may listen on a network interface without visible auth
examples/complex/scripts/setup-v4-project.js:205
· conf 0.72
Agent control bridge may listen on a network interface without visible auth
AUC001
No Repobility access matrix policy found
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
ERR002
Empty Catch Block
packages/cli/create-strapi-app/src/utils/usage.ts:74
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
ERR002
Empty Catch Block
packages/core/content-manager/admin/src/preview/utils/previewScript.ts:266
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
ERR002
Empty Catch Block
packages/core/content-manager/server/src/services/metrics.ts:31
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
JRN002
Browser storage is used for session token material
packages/core/admin/admin/src/reducer.ts:32
· conf 0.82
Browser storage is used for session token material
JRN002
Browser storage is used for session token material
packages/core/admin/admin/src/reducer.ts:80
· conf 0.82
Browser storage is used for session token material
JRN002
Browser storage is used for session token material
packages/core/admin/admin/src/utils/getFetchClient.ts:72
· conf 0.82
Browser storage is used for session token material
JRN002
Browser storage is used for session token material
packages/core/admin/admin/src/utils/getFetchClient.ts:75
· conf 0.82
Browser storage is used for session token material
JRN002
Browser storage is used for session token material
packages/core/admin/admin/src/utils/getFetchClient.ts:202
· conf 0.82
Browser storage is used for session token material
JRN002
Browser storage is used for session token material
packages/core/content-type-builder/admin/src/components/AIChat/hooks/useFigmaUpload.ts:48
· conf 0.82
Browser storage is used for session token material
JRN002
Browser storage is used for session token material
packages/core/content-type-builder/admin/src/components/AIChat/hooks/useFigmaUpload.ts:60
· conf 0.82
Browser storage is used for session token material
SEC045
eval()/exec() on stored or user-supplied data
packages/core/content-manager/admin/src/pages/EditView/components/FormInputs/Wysiwyg/utils/continueList.ts:32
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
packages/core/openapi/src/assemblers/document/path/path-item/operation/operation-id.ts:52
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC091
Go: net/http server without timeouts
packages/core/core/src/services/server/http-server.ts:6
· conf 1.00
[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0).
SEC136
AI-typical over-broad exception handler swallowing all errors
examples/complex/scripts/db-utils.js:60
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
SEC136
AI-typical over-broad exception handler swallowing all errors
packages/core/admin/admin/src/utils/users.ts:52
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
SEC136
AI-typical over-broad exception handler swallowing all errors
packages/core/content-type-builder/admin/src/components/FormModal/attributes/ConditionForm.tsx:110
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
AIC003
Duplicated implementation block across source files
.github/actions/community-pr-triage/src/modes/weekly-report.ts:41
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
jest-preset.unit.js:19
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Auth/components/Oops.tsx:38
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Auth/components/ResetPassword.tsx:32
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Auth/components/ResetPassword.tsx:127
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Home/components/FreeTrialWelcomeModal.tsx:8
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/NotFoundPage.tsx:9
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/ApiTokens/EditView/EditViewPage.tsx:114
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/ApiTokens/ListView.tsx:60
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/PurchaseContentHistory.tsx:21
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/PurchaseSingleSignOn.tsx:20
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/PurchaseSingleSignOn.tsx:42
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/Roles/EditPage.tsx:84
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/Roles/EditPage.tsx:97
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/Roles/ListPage.tsx:167
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/TransferTokens/EditView.tsx:112
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/TransferTokens/EditView.tsx:301
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/TransferTokens/ListView.tsx:109
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/Users/components/NewUserForm.tsx:255
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/Users/EditPage.tsx:193
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/Users/utils/validation.ts:23
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/admin/src/pages/Settings/pages/Webhooks/ListPage.tsx:79
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/ee/admin/src/pages/SettingsPage/pages/SingleSignOnPage.tsx:76
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/server/src/content-types/api-token-permission.ts:9
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/server/src/content-types/api-token.ts:10
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/server/src/content-types/transfer-token-permission.ts:9
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/server/src/content-types/transfer-token-permission.ts:15
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/server/src/content-types/transfer-token.ts:8
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/admin/server/src/content-types/transfer-token.ts:9
· conf 0.86
Duplicated implementation block across source files
WEB005
robots.txt does not advertise a sitemap
examples/complex/public/robots.txt
· conf 0.74
robots.txt does not advertise a sitemap
MINED043
Http Not Https
CWE-319
packages/core/admin/admin/src/components/MainNav/NavLink.tsx:14
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
packages/core/core/src/configuration/urls.ts:92
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
examples/complex/scripts/bench-compare.js:61
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
examples/complex/scripts/bench-hook.js:34
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
examples/complex/scripts/bench.js:63
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
packages/cli/cloud/src/link/action.ts:93
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
packages/cli/cloud/src/login/action.ts:175
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
packages/cli/cloud/src/services/token.ts:132
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED047
Emoji In Source
packages/core/admin/admin/src/translations/languageNativeNames.ts:12
· conf 1.00
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
MINED049
Print Pii
CWE-532
packages/core/strapi/src/cli/commands/admin/reset-user-password.ts:37
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED052
Ts Any Typed
CWE-704
packages/cli/cloud/src/deploy-project/action.ts:121
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
packages/cli/cloud/src/environment/link/action.ts:135
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
packages/cli/cloud/src/environment/list/action.ts:38
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
packages/core/admin/admin/src/pages/Settings/pages/AdminTokens/EditView/EditViewPage.tsx:293
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
packages/core/admin/admin/src/services/apiTokens.ts:73
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
packages/core/admin/jest.config.front.js:5
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED054
Ts As Any
CWE-704
packages/admin-test-utils/src/setup.ts:57
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
packages/core/admin/admin/src/components/DescriptionComponentRenderer.tsx:160
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
packages/core/admin/admin/src/core/store/configure.ts:62
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED056
React Key As Index
CWE-682
examples/getstarted/src/admin/preview/dummy-preview.jsx:155
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
packages/core/admin/admin/src/components/SubNav.tsx:161
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
packages/core/admin/admin/src/pages/ProfilePage.tsx:296
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED058
React Dangerously Set Html
CWE-79
packages/core/admin/admin/src/components/GuidedTour/Steps/Step.tsx:265
· conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
MINED058
React Dangerously Set Html
CWE-79
packages/core/content-manager/admin/src/pages/EditView/components/FormInputs/Wysiwyg/PreviewWysiwyg.tsx:29
· conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
MINED088
React Conditional Hook
CWE-682
packages/core/content-type-builder/admin/src/components/FormModal/FormModal.tsx:718
· conf 1.00
[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks.