Hi @KeygraphHQ, an automated scan of this repository surfaced 18 code-quality findings that may be worth a look.
Full details, severity filters, and per-file context are at the link below — feel free to close this issue if it isn't useful to you.
Full interactive report
https://repobility.com/scan/c0b72a8d-ab12-496f-bea6-082a4fe853ab/

At a glance
- Score: 83/100 • Grade: B-
- Scanned: 2026-05-17 19:41 UTC
- Lines of code: 12,777
- Total findings: 18
- Security-tagged: 1
- Credential / secret patterns: 0
Top issues, with file & line
These are deterministic rule-based findings — the file paths and line numbers below are real and can be verified in your tree.
- [high] No test files found
  Add a test directory (tests/ or tests/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business lo…
- [high] [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. — apps/cli/src/commands/setup.ts:126
  Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400)…
- [high] [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. — apps/cli/src/commands/start.ts:61
  Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400)…
- [high] [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. — apps/cli/src/index.ts:85
  Validate the URL against an allowlist BEFORE fetching: ALLOWED = {'images.example.com', 'cdn.example.com'} host = urlparse(url).hostname if host not in ALLOWED: abort(400)…
- [high] Docker final stage runs as root — Dockerfile:47
  Create an application user after package installation and switch to it with USER appuser or USER 10001.
See all 18 findings, with severity filters and AI fix prompts: https://repobility.com/scan/c0b72a8d-ab12-496f-bea6-082a4fe853ab/
What is this? Repobility is a research project that scans public repositories with a multi-layer static analyzer (rule-based, no AI hallucinations) and learns code-quality patterns across a broad cross-repo corpus. This is not a sales pitch — there's no paywall, no signup required to view the report, and no payment ask. If the findings aren't useful, please close this issue and we won't post again.
To re-run after fixes land: paste your repo URL at repobility.com — fresh scan, free.
Issue filed via the public Repobility report at https://repobility.com/scan/c0b72a8d-ab12-496f-bea6-082a4fe853ab/.