
github.com/n0-computer/iroh

@ 6520cd6c9bac

Submitted 6/16/2026, 6:14:12 PM · Status: ok

Risk grade
F
100 / 100
Findings
52
0 critical · 21 high · 26 medium · 2 low · 3 info · 0 on CISA KEV · 0 ATT&CK
Showing 52 of 52 findings

Findings

  • By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.
    semgrep: docker/Dockerfile:65
  • By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.
    semgrep: docker/Dockerfile:64
  • By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.
    semgrep: docker/Dockerfile:46
  • By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.
    semgrep: docker/Dockerfile:45
  • Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.
    semgrep: iroh-relay/src/server/http_server.rs:1356
  • Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.
    semgrep: iroh-relay/src/client.rs:394
  • Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.
    semgrep: iroh-relay/src/client.rs:270
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep: .github/workflows/tests.yaml:161
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep: .github/workflows/tests.yaml:295
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep: .github/workflows/ci.yml:342
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep: .github/workflows/docker.yaml:89
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep: .github/workflows/netsim_runner.yaml:121
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep: .github/workflows/netsim_runner.yaml:125
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep: .github/workflows/netsim_runner.yaml:144
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep: .github/workflows/netsim_runner.yaml:158
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep: .github/workflows/release.yml:59
  • 'apk add' is missing '--no-cache'
    You should use 'apk add' with '--no-cache' to clean package cached data and reduce image size.
    trivy: docker/Dockerfile.ci:3
  • 'apk add' is missing '--no-cache'
    You should use 'apk add' with '--no-cache' to clean package cached data and reduce image size.
    trivy: docker/Dockerfile:51
  • 'apk add' is missing '--no-cache'
    You should use 'apk add' with '--no-cache' to clean package cached data and reduce image size.
    trivy: docker/Dockerfile:32
  • Image user should not be 'root'
    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    trivy: docker/Dockerfile:0
  • Image user should not be 'root'
    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    trivy: docker/Dockerfile.ci:0
  • Ensure that a user for the container has been created
    Ensure that a user for the container has been created on /docker/Dockerfile.
    checkov: docker/Dockerfile:1
  • Ensure that a user for the container has been created
    Ensure that a user for the container has been created on /docker/Dockerfile.ci.
    checkov: docker/Dockerfile.ci:1
  • Ensure that HEALTHCHECK instructions have been added to container images
    Ensure that HEALTHCHECK instructions have been added to container images on /docker/Dockerfile.
    checkov: docker/Dockerfile:1
  • Ensure that HEALTHCHECK instructions have been added to container images
    Ensure that HEALTHCHECK instructions have been added to container images on /docker/Dockerfile.ci.
    checkov: docker/Dockerfile.ci:1
  • Ensure the base image uses a non latest version tag
    Ensure the base image uses a non latest version tag on /docker/Dockerfile.FROM
    checkov: docker/Dockerfile:30
  • Ensure the base image uses a non latest version tag
    Ensure the base image uses a non latest version tag on /docker/Dockerfile.ci.FROM
    checkov: docker/Dockerfile.ci:2
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Probe sccache backend)
    checkov: .github/workflows/sccache-probe/action.yml:0
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Beta Rust)
    checkov: .github/workflows/beta.yaml:0
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Cleanup)
    checkov: .github/workflows/cleanup.yaml:20
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Commits)
    checkov: .github/workflows/commit.yml:0
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Docker)
    checkov: .github/workflows/docker.yaml:0
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Flaky CI)
    checkov: .github/workflows/flaky.yaml:0
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Patchbay Tests)
    checkov: .github/workflows/patchbay.yml:0
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Pick runner (reusable, per-slot))
    checkov: .github/workflows/pick-runner.yml:53
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Add PRs and Issues to the Project Board)
    checkov: .github/workflows/project_sync.yaml:0
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Release)
    checkov: .github/workflows/release.yml:0
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Tests)
    checkov: .github/workflows/tests.yaml:0
  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(Wine Tests)
    checkov: .github/workflows/wine.yaml:0
  • The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty.
    The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. on on(Release)
    checkov: .github/workflows/release.yml:6
  • The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty.
    The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. on on(Docker)
    checkov: .github/workflows/docker.yaml:6
  • The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty.
    The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. on on(Flaky CI)
    checkov: .github/workflows/flaky.yaml:30
  • Dangerous client config used, ensure SSL verification
    semgrep: iroh-dns-server/src/http.rs:525
  • Detected cryptographically insecure hashing function
    semgrep: iroh-relay/src/server/http_server.rs:83
  • ':latest' tag used
    When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
    trivy: docker/Dockerfile:30
  • ':latest' tag used
    When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
    trivy: docker/Dockerfile:49
  • ':latest' tag used
    When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
    trivy: docker/Dockerfile.ci:2

This report is public.