← Scan another repo

github.com/fredzirbel/IRIS

@ 16fac27341ff

Submitted 7/16/2026, 1:50:14 PM · Status: ok

Risk grade
D
67 / 100
Findings
24
0 critical2 high21 medium1 low0 info0 on CISA KEV0ATT&CK
Showing 24 of 24 findings

Findings

  • By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensur
    By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.
    semgrepDockerfile:82
  • Image user should not be 'root'
    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    trivyDockerfile:0
  • Ensure that a user for the container has been created
    Ensure that a user for the container has been created on /Dockerfile.
    checkovDockerfile:1
  • Ensure that HEALTHCHECK instructions have been added to container images
    Ensure that HEALTHCHECK instructions have been added to container images on /Dockerfile.
    checkovDockerfile:1
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Build & Publish Docker Image)
    checkov.github/workflows/docker-publish.yml:17
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(CI)
    checkov.github/workflows/ci.yml:0
  • Detected a python logger call with a potential hardcoded secret "CAPTCHA token check failed: %s" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not loggi
    Detected a python logger call with a potential hardcoded secret "CAPTCHA token check failed: %s" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.
    semgrepsrc/iris/browser.py:284
  • Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
    semgrepsrc/iris/analyzers/download.py:627
  • Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
    semgrepsrc/iris/analyzers/download.py:810
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/ci.yml:13
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/ci.yml:16
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/ci.yml:35
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/ci.yml:38
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/ci.yml:59
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/ci.yml:64
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/docker-publish.yml:23
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/docker-publish.yml:26
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/docker-publish.yml:34
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/docker-publish.yml:43
  • Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.
    semgrepsrc/iris/web/templates/index.html:31
  • User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorizat
    User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers o…
    semgrepsrc/iris/web/app.py:1379
  • User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorizat
    User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers o…
    semgrepsrc/iris/web/app.py:677
  • User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorizat
    User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers o…
    semgrepsrc/iris/web/app.py:1086
  • No HEALTHCHECK defined
    You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
    trivyDockerfile:0

This report is public.