profit/local-review-harness
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
local-review-harness/docs/SELF_REVIEW_2026-04-30.findings.json
Claude (review-harness setup) 70d68757f7 docs: SELF_REVIEW snapshot from f3ee472 (Phase A+B MVP) 
Per PROMPT.md "Final Deliverable" — capture the harness's review of
its own repo as a tracked artifact. reports/latest/ stays gitignored
for routine runs; this snapshot is the deliverable proof.

Captured: 28 findings, 3 critical (all from tests/fixtures/insecure-repo
planted secrets, intentionally), 16 high (mostly shell-exec patterns
mentioned by name in PROMPT.md and chatd-style scripts), 6 medium,
3 low. Verdict "blocked" because of fixture criticals.

Banner header notes that fixture findings are dismissable; real
codebase secrets land in identical shape — operators dismiss the
fixture path explicitly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 01:02:19 -05:00

402 lines
16 KiB
JSON
Raw Blame History

{
"generated_at": "2026-04-30T05:55:10.696108956Z",
"findings": [
{
"id": "5d2d6990d7f5",
"title": "Shell command execution",
"severity": "high",
"status": "suspected",
"file": "PROMPT.md",
"line_hint": "419",
"evidence": "- `exec(`",
"reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.",
"source": "static",
"confidence": 0.6,
"check_id": "static.shell_execution"
},
{
"id": "ade02702c129",
"title": "Shell command execution",
"severity": "high",
"status": "suspected",
"file": "PROMPT.md",
"line_hint": "420",
"evidence": "- `spawn(`",
"reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.",
"source": "static",
"confidence": 0.6,
"check_id": "static.shell_execution"
},
{
"id": "a15313bf5fac",
"title": "Shell command execution",
"severity": "high",
"status": "suspected",
"file": "PROMPT.md",
"line_hint": "421",
"evidence": "- `Command::new`",
"reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.",
"source": "static",
"confidence": 0.6,
"check_id": "static.shell_execution"
},
{
"id": "08acbf12529d",
"title": "Raw SQL interpolation",
"severity": "high",
"status": "suspected",
"file": "PROMPT.md",
"line_hint": "423",
"evidence": "- `format!(\"SELECT`",
"reason": "SQL assembled via string formatting/concatenation rather than parameterized query. Verify inputs aren't user-controlled.",
"suggested_fix": "Use parameterized queries / prepared statements; pass values via driver placeholders, not string interpolation.",
"source": "static",
"confidence": 0.6,
"check_id": "static.raw_sql_interpolation"
},
{
"id": "6a7008d0004a",
"title": "Wildcard CORS",
"severity": "high",
"status": "suspected",
"file": "PROMPT.md",
"line_hint": "429",
"evidence": "- `Access-Control-Allow-Origin: *`",
"reason": "Access-Control-Allow-Origin: * permits cross-origin reads from any domain. Narrow to an explicit allowlist unless this endpoint is intentionally public.",
"source": "static",
"confidence": 0.85,
"check_id": "static.broad_cors"
},
{
"id": "7708bce04aa7",
"title": "Shell command execution",
"severity": "high",
"status": "suspected",
"file": "internal/analyzers/checks.go",
"line_hint": "89",
"evidence": "// === 2. shell execution (exec, spawn, Command::new, subprocess) ===",
"reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.",
"source": "static",
"confidence": 0.6,
"check_id": "static.shell_execution"
},
{
"id": "0b78dca77fb3",
"title": "Shell command execution",
"severity": "high",
"status": "suspected",
"file": "internal/analyzers/checks.go",
"line_hint": "101",
"evidence": "`Command::new|` + // Rust",
"reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.",
"source": "static",
"confidence": 0.6,
"check_id": "static.shell_execution"
},
{
"id": "3729ed9168dd",
"title": "Raw SQL interpolation",
"severity": "high",
"status": "suspected",
"file": "internal/analyzers/checks.go",
"line_hint": "140",
"evidence": "rawSQLFmtRe = regexp.MustCompile(`(?i)(?:format!|fmt\\.Sprintf|String::from|f\"|f')[^\\n]{0,80}?(?:SELECT|INSERT|UPDATE|DELETE|DROP)\\b`)",
"reason": "SQL assembled via string formatting/concatenation rather than parameterized query. Verify inputs aren't user-controlled.",
"suggested_fix": "Use parameterized queries / prepared statements; pass values via driver placeholders, not string interpolation.",
"source": "static",
"confidence": 0.6,
"check_id": "static.raw_sql_interpolation"
},
{
"id": "4ed58fa58f04",
"title": "Raw SQL interpolation",
"severity": "high",
"status": "suspected",
"file": "internal/analyzers/checks.go",
"line_hint": "143",
"evidence": "rawSQLConcatRe = regexp.MustCompile(`(?i)(?:SELECT|INSERT|UPDATE|DELETE)\\b[^\\n]{0,40}(?:\\+\\s*\\w|%s|%v|\\$\\{|` + \"`\" + `\\$\\{)`)",
"reason": "SQL assembled via string formatting/concatenation rather than parameterized query. Verify inputs aren't user-controlled.",
"suggested_fix": "Use parameterized queries / prepared statements; pass values via driver placeholders, not string interpolation.",
"source": "static",
"confidence": 0.6,
"check_id": "static.raw_sql_interpolation"
},
{
"id": "174c7276677f",
"title": "Wildcard CORS",
"severity": "high",
"status": "suspected",
"file": "internal/analyzers/checks.go",
"line_hint": "177",
"evidence": "// styles: Express's res.setHeader(\"Access-Control-Allow-Origin\", \"*\"),",
"reason": "Access-Control-Allow-Origin: * permits cross-origin reads from any domain. Narrow to an explicit allowlist unless this endpoint is intentionally public.",
"source": "static",
"confidence": 0.85,
"check_id": "static.broad_cors"
},
{
"id": "e9beee52079c",
"title": "Wildcard CORS",
"severity": "high",
"status": "suspected",
"file": "internal/analyzers/checks.go",
"line_hint": "180",
"evidence": "var corsAnyRe = regexp.MustCompile(`Access-Control-Allow-Origin[^\\n]{0,40}\\*`)",
"reason": "Access-Control-Allow-Origin: * permits cross-origin reads from any domain. Narrow to an explicit allowlist unless this endpoint is intentionally public.",
"source": "static",
"confidence": 0.85,
"check_id": "static.broad_cors"
},
{
"id": "14fa8051e73c",
"title": "Wildcard CORS",
"severity": "high",
"status": "suspected",
"file": "internal/analyzers/checks.go",
"line_hint": "194",
"evidence": "Reason: \"Access-Control-Allow-Origin: * permits cross-origin reads from any domain. Narrow to an explicit allowlist unless this endpoint is intentionally public.\",",
"reason": "Access-Control-Allow-Origin: * permits cross-origin reads from any domain. Narrow to an explicit allowlist unless this endpoint is intentionally public.",
"source": "static",
"confidence": 0.85,
"check_id": "static.broad_cors"
},
{
"id": "5ccf0d1f8491",
"title": "Large file",
"severity": "medium",
"status": "suspected",
"file": "review-harness",
"line_hint": "1-18860",
"evidence": "18860 lines (limit: 800)",
"reason": "File exceeds the configured size threshold. Long files are a refactor target — split by responsibility.",
"source": "static",
"confidence": 1,
"check_id": "static.large_files"
},
{
"id": "5703eb1ba5fe",
"title": "Environment file in source tree",
"severity": "high",
"status": "confirmed",
"file": "tests/fixtures/insecure-repo/.env",
"evidence": "filename=.env",
"reason": ".env files commonly hold real secrets and should not be tracked. If this is a sample, rename to .env.example with placeholder values.",
"suggested_fix": "Rename to .env.example with placeholders; add .env to .gitignore; rotate any committed secrets.",
"source": "static",
"confidence": 0.9,
"check_id": "static.env_file_committed"
},
{
"id": "144fc5f2981e",
"title": "Hardcoded absolute path",
"severity": "medium",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/handler.go",
"line_hint": "10",
"evidence": "const HARDCODED_PATH = \"/home/profit/secrets/key.pem\"",
"reason": "Absolute path encoded in source — couples the binary to one filesystem layout. Move to config or env var.",
"source": "static",
"confidence": 0.7,
"check_id": "static.hardcoded_paths"
},
{
"id": "fe1d54ec5045",
"title": "Shell command execution",
"severity": "high",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/handler.go",
"line_hint": "19",
"evidence": "exec.Command(\"bash\", \"-c\", cmd).Run()",
"reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.",
"source": "static",
"confidence": 0.6,
"check_id": "static.shell_execution"
},
{
"id": "e00ebc0ac661",
"title": "Raw SQL interpolation",
"severity": "high",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/handler.go",
"line_hint": "14",
"evidence": "q := fmt.Sprintf(\"SELECT * FROM users WHERE name = '%s'\", name)",
"reason": "SQL assembled via string formatting/concatenation rather than parameterized query. Verify inputs aren't user-controlled.",
"suggested_fix": "Use parameterized queries / prepared statements; pass values via driver placeholders, not string interpolation.",
"source": "static",
"confidence": 0.6,
"check_id": "static.raw_sql_interpolation"
},
{
"id": "66b494571e04",
"title": "Possible secret committed to source",
"severity": "critical",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/handler.go",
"line_hint": "23",
"evidence": "const API_KEY = \"sk-1234567890abcdefABCDEFGHIJKLMNOPQRSTUV\"",
"reason": "OpenAI/OpenRouter-shaped key detected. If real, rotate immediately and move to a secret store.",
"suggested_fix": "Move secret to env var / secret manager; commit the .env.example with a placeholder; rotate the leaked credential.",
"source": "static",
"confidence": 0.75,
"check_id": "static.secret_patterns"
},
{
"id": "66b494571e04",
"title": "Possible secret committed to source",
"severity": "critical",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/handler.go",
"line_hint": "23",
"evidence": "const API_KEY = \"sk-1234567890abcdefABCDEFGHIJKLMNOPQRSTUV\"",
"reason": "Hardcoded credential pattern detected. If real, rotate immediately and move to a secret store.",
"suggested_fix": "Move secret to env var / secret manager; commit the .env.example with a placeholder; rotate the leaked credential.",
"source": "static",
"confidence": 0.75,
"check_id": "static.secret_patterns"
},
{
"id": "5b886708c3b5",
"title": "TODO/FIXME comment",
"severity": "low",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/handler.go",
"line_hint": "9",
"evidence": "// TODO: rotate this and move to env",
"reason": "Inline marker for deferred work. Audit whether the deferred concern is now blocking.",
"source": "static",
"confidence": 0.95,
"check_id": "static.todo_comments"
},
{
"id": "1e61962f010a",
"title": "TODO/FIXME comment",
"severity": "low",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/handler.go",
"line_hint": "22",
"evidence": "// FIXME: hardcoded creds",
"reason": "Inline marker for deferred work. Audit whether the deferred concern is now blocking.",
"source": "static",
"confidence": 0.95,
"check_id": "static.todo_comments"
},
{
"id": "2c5c4350c263",
"title": "Hardcoded private-network IP",
"severity": "medium",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/handler.go",
"line_hint": "11",
"evidence": "const SERVER_IP = \"192.168.1.176\"",
"reason": "RFC 1918 / link-local IP literal in source. Move to config so the binary isn't tied to one network.",
"source": "static",
"confidence": 0.7,
"check_id": "static.hardcoded_local_ip"
},
{
"id": "3756dd35d39d",
"title": "Large file",
"severity": "medium",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/huge.go",
"line_hint": "1-901",
"evidence": "901 lines (limit: 800)",
"reason": "File exceeds the configured size threshold. Long files are a refactor target — split by responsibility.",
"source": "static",
"confidence": 1,
"check_id": "static.large_files"
},
{
"id": "6b5c4b19d770",
"title": "Wildcard CORS",
"severity": "high",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/server.js",
"line_hint": "2",
"evidence": "res.setHeader(\"Access-Control-Allow-Origin\", \"*\");",
"reason": "Access-Control-Allow-Origin: * permits cross-origin reads from any domain. Narrow to an explicit allowlist unless this endpoint is intentionally public.",
"source": "static",
"confidence": 0.85,
"check_id": "static.broad_cors"
},
{
"id": "0df161625ead",
"title": "Possible secret committed to source",
"severity": "critical",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/server.js",
"line_hint": "5",
"evidence": "const AWS_KEY = \"AKIAIOSFODNN7EXAMPLE\";",
"reason": "AWS access key ID detected. If real, rotate immediately and move to a secret store.",
"suggested_fix": "Move secret to env var / secret manager; commit the .env.example with a placeholder; rotate the leaked credential.",
"source": "static",
"confidence": 0.75,
"check_id": "static.secret_patterns"
},
{
"id": "6dd9b338f734",
"title": "TODO/FIXME comment",
"severity": "low",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/server.js",
"line_hint": "1",
"evidence": "// HACK: open CORS for now",
"reason": "Inline marker for deferred work. Audit whether the deferred concern is now blocking.",
"source": "static",
"confidence": 0.95,
"check_id": "static.todo_comments"
},
{
"id": "4a3098b9af2c",
"title": "Mutation route in file with no visible auth",
"severity": "medium",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/server.js",
"line_hint": "7",
"evidence": "app.post(\"/api/users\", function(req, res) { /* no auth */ });",
"reason": "POST/PUT/DELETE/PATCH route registered in a file with no visible auth middleware. May still be auth'd at a higher layer — confirm.",
"source": "static",
"confidence": 0.4,
"check_id": "static.exposed_mutation_endpoint"
},
{
"id": "44d91c0668c0",
"title": "Mutation route in file with no visible auth",
"severity": "medium",
"status": "suspected",
"file": "tests/fixtures/insecure-repo/src/server.js",
"line_hint": "8",
"evidence": "app.delete(\"/api/admin\", function(req, res) { /* no auth */ });",
"reason": "POST/PUT/DELETE/PATCH route registered in a file with no visible auth middleware. May still be auth'd at a higher layer — confirm.",
"source": "static",
"confidence": 0.4,
"check_id": "static.exposed_mutation_endpoint"
}
],
"summary": {
"total": 28,
"confirmed": 1,
"suspected": 27,
"rejected": 0,
"critical": 3,
"high": 16,
"medium": 6,
"low": 3,
"by_source": {
"static": 28
},
"by_check": {
"static.broad_cors": 5,
"static.env_file_committed": 1,
"static.exposed_mutation_endpoint": 2,
"static.hardcoded_local_ip": 1,
"static.hardcoded_paths": 1,
"static.large_files": 2,
"static.raw_sql_interpolation": 4,
"static.secret_patterns": 3,
"static.shell_execution": 6,
"static.todo_comments": 3
}
}
}
Reference in New Issue View Git Blame Copy Permalink