All findings
27 findings across categories.
Category:
Severity:
Rule:
27 findings
| Category | Rule | Evidence | Actions | ||
|---|---|---|---|---|---|
| high | security theater | webhook.no_signature_verification | apps/api/app/api/cron/webhook-retry/route.ts:1 | /** * Cron endpoint for automatic webhook retry processing. * * This should be called by a scheduled job (Vercel Cron, external scheduler, etc.) Webhook handler accepts events without verifying signatures. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/api/integrations/webhooks/[id]/route.ts:1 | /** * Outbound Webhook by ID API * * GET /api/integrations/webhooks/[id] - Get webhook Webhook handler accepts events without verifying signatures. | |
| high | ai slop | ai.production_should_phrase | apps/app/app/(authenticated)/kitchen/recipes/page.tsx:548 | One operational library for production builds, sellable dishes, AI-agent residue implying the code does not actually do the thing in production. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/api/integrations/webhooks/dlq/[id]/resolve/route.ts:1 | /** * Webhook DLQ Resolve API * * POST /api/integrations/webhooks/dlq/[id]/resolve - Mark DLQ entry as resolved Webhook handler accepts events without verifying signatures. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/api/integrations/webhooks/dlq/[id]/route.ts:1 | /** * Webhook Dead Letter Queue (DLQ) Single Entry API * * GET /api/integrations/webhooks/dlq/[id] - Get single DLQ entry Webhook handler accepts events without verifying signatures. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/api/integrations/webhooks/dlq/[id]/retry/route.ts:1 | /** * Webhook DLQ Retry API * * POST /api/integrations/webhooks/dlq/[id]/retry - Retry a DLQ entry Webhook handler accepts events without verifying signatures. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/api/integrations/webhooks/dlq/route.ts:1 | /** * Webhook Dead Letter Queue (DLQ) API * * GET /api/integrations/webhooks/dlq - List DLQ entries Webhook handler accepts events without verifying signatures. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/api/integrations/webhooks/retry/route.ts:1 | /** * Webhook Retry API * * POST /api/integrations/webhooks/retry - Retry pending/failed deliveries Webhook handler accepts events without verifying signatures. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/api/integrations/webhooks/route.ts:1 | /** * Outbound Webhooks API * * GET /api/integrations/webhooks - List webhooks Webhook handler accepts events without verifying signatures. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/api/integrations/webhooks/trigger/route.ts:1 | /** * Webhook Trigger API * * POST /api/integrations/webhooks/trigger - Trigger webhooks for an entity event Webhook handler accepts events without verifying signatures. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/cron/webhook-retry/route.ts:1 | /** * Webhook Retry Cron Job * * GET /cron/webhook-retry - Process pending webhook retries across all tenants Webhook handler accepts events without verifying signatures. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/webhooks/auth/route.ts:1 | import { analytics } from "@repo/analytics/server";
import type {
DeletedObjectJSON,
OrganizationJSON,Webhook handler accepts events without verifying signatures. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/webhooks/sentry/route.ts:1 | import { database } from "@repo/database";
import { log } from "@repo/observability/log";
import type { SentryIssueAlertPayload } from "@repo/sentry-integration";
import {Webhook handler accepts events without verifying signatures. | |
| high | security theater | webhook.no_signature_verification | apps/api/app/api/integrations/webhooks/delivery-logs/route.ts:1 | /** * Webhook Delivery Logs API * * GET /api/integrations/webhooks/delivery-logs - List delivery logs Webhook handler accepts events without verifying signatures. | |
| high | ai slop | ai.production_should_phrase | apps/app/app/(authenticated)/tools/battleboards/battleboards-client.tsx:275 | ? "Create a new battleboard for production and service coordination." AI-agent residue implying the code does not actually do the thing in production. | |
| high | ai slop | ai.production_should_phrase | apps/app/app/(authenticated)/tools/battleboards/page.tsx:9 | Build and manage battleboards for production and service coordination. AI-agent residue implying the code does not actually do the thing in production. | |
| high | security theater | security_theater.api_key_scopes_never_enforced | apps/api/middleware/api-key-auth.ts:266 | export function withApiKeyAuth<TParams = Record<string, string | string[]>>( Scope-checking auth functions defined but never consumed by route handlers | |
| high | security theater | security_theater.api_key_scopes_never_enforced | apps/api/middleware/api-key-auth.ts:300 | export function hasScope(apiKey: ApiKeyContext, scope: string): boolean {Scope-checking auth functions defined but never consumed by route handlers | |
| high | security theater | security_theater.api_key_scopes_never_enforced | apps/api/middleware/api-key-auth.ts:311 | export function hasAnyScope(apiKey: ApiKeyContext, scopes: string[]): boolean {Scope-checking auth functions defined but never consumed by route handlers | |
| high | security theater | security_theater.api_key_scopes_never_enforced | apps/api/middleware/api-key-auth.ts:322 | export function hasAllScopes(apiKey: ApiKeyContext, scopes: string[]): boolean {Scope-checking auth functions defined but never consumed by route handlers | |
| medium | test credibility | tests.skipped_critical_tests | e2e/workflows/authentication.workflow.spec.ts:68 | test.skip( Tests are skipped, reducing coverage credibility. | |
| medium | test credibility | tests.skipped_critical_tests | e2e/workflows/authentication.workflow.spec.ts:138 | test.skip( Tests are skipped, reducing coverage credibility. | |
| medium | test credibility | tests.skipped_critical_tests | apps/api/__tests__/sales-reporting/generate.test.ts:33 | describe.skip("POST /api/sales-reporting/generate", () => {Tests are skipped, reducing coverage credibility. | |
| medium | test credibility | tests.skipped_critical_tests | e2e/workflows/authentication.workflow.spec.ts:47 | test.skip( Tests are skipped, reducing coverage credibility. | |
| medium | fake integration | ai.hardcoded_success_response | apps/api/app/api/kitchen/allergens/detect-conflicts/route.ts:139 | return { success: true };Route returns hardcoded success without any DB / external API / auth work. |
Page 1 of 2