📝 Code Report

10 vulnerabilities
0 High 10 Moderate 0 Low

secrover.org

Website

0 vulnerabilities
0 High 0 Moderate 0 Low

🕵️ Findings Details:

None - All clear!

Secrover

Main project

10 vulnerabilities
0 High 10 Moderate 0 Low

🕵️ Findings Details:

yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag — GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
File: .github/workflows/ci.yaml:20, Severity: Moderate
yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag — GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
File: .github/workflows/ci.yaml:36, Severity: Moderate
yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag — GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
File: .github/workflows/ci.yaml:39, Severity: Moderate
yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag — GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
File: .github/workflows/ci.yaml:42, Severity: Moderate
yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag — GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
File: .github/workflows/ci.yaml:45, Severity: Moderate
yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag — GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`.
File: .github/workflows/ci.yaml:65, Severity: Moderate
dockerfile.security.missing-user-entrypoint.missing-user-entrypoint — By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.
File: Dockerfile:64, Severity: Moderate
python.lang.security.audit.insecure-transport.requests.request-with-http.request-with-http — Detected a request using 'http://'. This request will be unencrypted, and attackers could listen into traffic on the network and be able to obtain sensitive information. Use 'https://' instead.
File: secrover/audits/domains.py:34, Severity: Moderate
python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2 — Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS.
File: secrover/report.py:36, Severity: Moderate
python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2 — Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS.
File: secrover/report.py:58, Severity: Moderate