Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Detected catch blocks with empty bodies. Empty catch blocks silently swallow errors, making it impossible to diagnose failures, detect attacks, or audit security-relevant events.
} catch (e) {}Always handle or log errors in catch blocks. At minimum, log the error for debugging and auditing purposes.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
new URL(`${textUriBase}/${resourceId}`);Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
String literals matching known API key prefixes (sk-, ghp_, AKIA, xoxb-, etc.) or long base64-like strings may expose secrets in source code.
"iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAKsGlDQ1BJQ0MgUHJvZmlsZQAASImVlwdUU+kSgOfe9JDQEiIgJfQmSCeAlBBaAAXpYCMkAUKJMRBU7MriClZURLCs6KqIgo0idizYFsWC3QVZBNR1sWDDlXeBQ9jdd9575805c+a7c+efmf+e/z9nLgCdKZDJMlF1gCxpjjwyyI8dn5DIJvUABRiY0kBdIMyWcSMiwgCTUft3+dgGyJC9YzuU69/f/1fREImzhQBIBMbJomxhFsbHMe0TyuQ5ALg9mN9kbo5siK9gzJRjDWL8ZIhTR7hviJOHGY8fjomO5GGsDUCmCQTyVACaKeZn5wpTsTw0f4ztpSKJFGPsGbyzsmaLMMbqgiUWI8N4KD8n+S95Uv+WM1mZUyBIVfLIXoaF7C/JlmUK5v+fn+N/S1amYrSGOaa0NHlwJGaxvpAHGbNDlSxNnhI+yhLRcPwwpymCY0Z
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.get("/sse", async (req, res) => {Add authentication middleware to all routes that access or modify data.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
const { server, cleanup } = createServer();Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
Null bytes in file paths can truncate path validation and access unintended files.
if (absolutePath.includes('\x00')) {Strip null bytes from all file path inputs before processing.
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: anthropics/claude-code-action@v1
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: astral-sh/setup-uv@v3
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/setup-python@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: astral-sh/setup-uv@v3
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/setup-python@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/upload-artifact@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/download-artifact@v7
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/github-script@v8
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/github-script@v8
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: astral-sh/setup-uv@v5
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/upload-artifact@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: astral-sh/setup-uv@v5
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: astral-sh/setup-uv@v5
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/setup-python@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
uses: actions/download-artifact@v7
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/checkout@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.
- uses: actions/setup-node@v6
Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('PR modifies files other than README, skipping');Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('Already commented on this PR, skipping');Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log('No pending label found, skipping');Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("Available transports:");Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("- stdio");Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("- sse");Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("- streamableHttp");Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
description: "Toggles simulated, random-leveled logging on or off.",
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("Starting Streamable HTTP server...");Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("Received MCP POST request");Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Session initialized with ID: ${sessionId}`);Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("Error handling MCP request:", error);Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("Received MCP GET request");Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Client reconnecting with Last-Event-ID: ${lastEventId}`);Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Establishing new SSE stream for session ${sessionId}`);Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Received session termination request for session ${sessionId}`);Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("Error handling session termination:", error);Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("Shutting down server...");Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Closing transport for session ${sessionId}`);Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(`Error closing transport for session ${sessionId}:`, error);Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log("Server shutdown complete");Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
def git_log(repo: git.Repo, max_count: int = 10, start_timestamp: Optional[str] = None, end_timestamp: Optional[str] = None) -> list[str]:
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
private disableThoughtLogging: boolean;
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
this.disableThoughtLogging = (process.env.DISABLE_THOUGHT_LOGGING || "").toLowerCase() === "true";
Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Detected patterns that disable, silence, or suppress logging or audit trails. Disabling security logging can mask malicious activity and hinder incident investigation.
if (!this.disableThoughtLogging) {Ensure security-related logging is always enabled in production. Never suppress audit trails or security event logs.
Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.
new URL(`${blobUriBase}/${resourceId}`);Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const response = await fetch(url, { signal: controller.signal });Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
file://, gopher://, dict://, and other non-HTTP schemas can be exploited for SSRF.
const rawPath = rootUri.startsWith('file://') ? fileURLToPath(rootUri) : rootUri;Only allow http:// and https:// URL schemas. Validate URL schemas before making requests.
Remove hardcoded secrets from source code. Use environment variables or a secrets manager.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.post("/message", async (req, res) => {Add authentication middleware to all routes that access or modify data.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get("/sse", async (req, res) => {Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post("/message", async (req, res) => {Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post("/message", async (req, res) => {Implement CSRF protection using tokens or SameSite cookies.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.post("/mcp", async (req: Request, res: Response) => {Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.get("/mcp", async (req: Request, res: Response) => {Add authentication middleware to all routes that access or modify data.
HTTP endpoints defined without authentication middleware may be accessible to unauthorized users.
app.delete("/mcp", async (req: Request, res: Response) => {Add authentication middleware to all routes that access or modify data.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.post("/mcp", async (req: Request, res: Response) => {Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.get("/mcp", async (req: Request, res: Response) => {Add rate limiting middleware to all public API endpoints.
API endpoints without rate limiting are vulnerable to brute force and denial of service.
app.delete("/mcp", async (req: Request, res: Response) => {Add rate limiting middleware to all public API endpoints.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.post("/mcp", async (req: Request, res: Response) => {Implement CSRF protection using tokens or SameSite cookies.
POST/PUT/DELETE endpoints without CSRF tokens are vulnerable to cross-site request forgery.
app.delete("/mcp", async (req: Request, res: Response) => {Implement CSRF protection using tokens or SameSite cookies.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
app.listen(PORT, () => {Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
const { server, cleanup } = createServer();Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
const { server, cleanup } = createServer();Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
const server = app.listen(PORT, () => {Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
Null bytes in file paths can truncate path validation and access unintended files.
if (dir.includes('\x00')) {Strip null bytes from all file path inputs before processing.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
const data = await fs.readFile(this.memoryFilePath, "utf-8");
Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.
File system operations using variables without prior path validation or sanitization may allow traversal attacks.
await fs.writeFile(this.memoryFilePath, lines.join("\n"));Add path sanitization before all fs operations. Validate paths against an allowlist of permitted directories.