gitsafehub
github.com/kazusa000/ai_game_workbench

kazusa000/ai_game_workbench

scanned 2026-06-28 · git 7cb0b0e
3 of 6 checks flagged a security issue
🟡 Worth a look
Only 5 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit. How this is computed.

Leaked secrets: 2 · Vulnerable dependencies: 8 · Known OSS vulnerabilities: 8 · Risky code patterns: none · Malicious dependencies: did not run · Project health: 10 notes

Security checks

Leaked secrets — Gitleaks 2 found

API keys, passwords or tokens committed into the repo.

  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/server/test/oneClickCharacterJobsRoute.test.ts:174
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Worth fixing generic-api-key Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    apps/server/test/generationRoute.test.ts:867
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.

Both hits are in test files under apps/server/test/. Check what the string actually is before acting: a synthetic fixture value that merely looks like a key is a false positive, best replaced with an obviously fake placeholder or allowlisted in .gitleaks.toml so the rule stays useful; a value that was ever a live credential is already exposed through git history, so deleting the line is not enough and the key must be rotated.

via Gitleaks v8.21.2 · MIT
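A loader of the kind the fix text above describes, added here as an example; it is not code from the ai_game_workbench repository. It reads the credential from the environment, refuses common placeholder strings, and gives tests a clearly synthetic value to use instead of a real key. The variable name EXAMPLE_API_KEY, the placeholder list and the redaction width are assumptions for illustration.

```typescript
// Added example (not project code): read a credential from the environment
// instead of a literal in source, and fail fast on placeholder values.
type Env = Record<string, string | undefined>;

// Strings that often end up in fixtures and config; treat them as "not configured".
// The list is an assumption; extend it to match local conventions.
const PLACEHOLDERS = /^(changeme|x{3,}|your[-_]?api[-_]?key|test|dummy|placeholder)?$/i;

class MissingSecretError extends Error {
  constructor(name: string) {
    super(`secret ${name} is not set; export it in the environment, do not hardcode it`);
    // Keep instanceof working when TypeScript targets ES5.
    Object.setPrototypeOf(this, MissingSecretError.prototype);
  }
}

// Read a secret by name. `env` defaults to process.env and is injectable so tests
// never need a real key in the source tree.
function requireSecret(name: string, env: Env = process.env): string {
  const value = env[name]?.trim();
  if (value === undefined || PLACEHOLDERS.test(value)) {
    throw new MissingSecretError(name);
  }
  return value;
}

// Show only enough of a secret to correlate log lines without leaking it.
function redact(secret: string): string {
  if (secret.length <= 8) return "****";
  return `${secret.slice(0, 4)}...${secret.slice(-4)}`;
}

// For tests, build an env with an obviously synthetic value instead of a real key.
// The value below is constructed here and is not a credential.
function testEnv(overrides: Env = {}): Env {
  return { EXAMPLE_API_KEY: "test-key-not-a-real-credential", ...overrides };
}

// Stand-alone usage: loads from the constructed test env and logs a redacted form.
const demoKey = requireSecret("EXAMPLE_API_KEY", testEnv());
console.log(`loaded EXAMPLE_API_KEY=${redact(demoKey)}`);
```

In a test, pass `testEnv()` (or `testEnv({ EXAMPLE_API_KEY: "..." })`) to the code under test instead of embedding a key literal; the value is visibly fake to a reviewer and to a scanner's allowlist, and production code keeps calling `requireSecret(name)` with the real environment.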

Vulnerable dependencies — Trivy 8 found

Packages you depend on that have known security holes (CVEs). Read the scope each title states: the vite, esbuild and launch-editor entries concern the Vite development server, and several are Windows-only, so they matter when that server is reachable by others; the two @fastify/static entries concern a server that serves static files, the first only when directory listing is enabled. An advisory listed twice was matched more than once in package-lock.json, so make sure every copy of the package is updated, not just the hoisted one.

  • Worth fixing CVE-2026-6410 @fastify/static: @fastify/static: Information disclosure via path traversal when directory listing is enabled.
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-6410). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-6414 @fastify/static: @fastify/static: Security bypass via percent-encoded path separators
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-6414). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53571 vite: `server.fs.deny` bypass on Windows alternate paths
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53571). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53632 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53632). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53571 vite: `server.fs.deny` bypass on Windows alternate paths
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53571). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53632 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53632). Fix: Update that package to its patched version.
  • Minor GHSA-g7r4-m6w7-qqqr esbuild allows arbitrary file read when running the development server on Windows
    package-lock.json
    A package you depend on has a known security hole (GHSA-g7r4-m6w7-qqqr). Fix: Update that package to its patched version.
  • Minor GHSA-g7r4-m6w7-qqqr esbuild allows arbitrary file read when running the development server on Windows
    package-lock.json
    A package you depend on has a known security hole (GHSA-g7r4-m6w7-qqqr). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 8 found

Your dependencies cross-checked against the OSV vulnerability database. These are the same eight advisories as the Trivy section above, listed under their GHSA identifiers.

  • Worth fixing GHSA-pr96-94w5-mx2h @fastify/static vulnerable to path traversal in directory listing
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-6410). Fix: Update that package to its patched version.
  • Worth fixing GHSA-x428-ghpx-8j92 @fastify/static vulnerable to route guard bypass via encoded path separators
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-6414). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fx2h-pf6j-xcff vite: `server.fs.deny` bypass on Windows alternate paths
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53571). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v6wh-96g9-6wx3 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53632). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fx2h-pf6j-xcff vite: `server.fs.deny` bypass on Windows alternate paths
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53571). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v6wh-96g9-6wx3 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
    package-lock.json
    A package you depend on has a known security hole (CVE-2026-53632). Fix: Update that package to its patched version.
  • Minor GHSA-g7r4-m6w7-qqqr esbuild allows arbitrary file read when running the development server on Windows
    package-lock.json
    A package you depend on has a known security hole (GHSA-g7r4-m6w7-qqqr). Fix: Update that package to its patched version.
  • Minor GHSA-g7r4-m6w7-qqqr esbuild allows arbitrary file read when running the development server on Windows
    package-lock.json
    A package you depend on has a known security hole (GHSA-g7r4-m6w7-qqqr). Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0
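Because the Trivy and OSV-Scanner lists above repeat the same advisories, and a monorepo lockfile can carry more than one copy of a package, it helps to see exactly where each copy lives before updating. The following is an added example, not code from the project and not a Trivy or OSV-Scanner API: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and lists every install of a named package with its version and whether it is dev-only. The lockfile excerpt and the fixed-version threshold handed to `unpatchedCopies` are constructed for illustration; take the real threshold from the advisory.

```typescript
// Added example (not project code): locate every copy of a package in an npm
// lockfile and flag the ones below a caller-supplied fixed version.
type LockPackage = { version?: string; dev?: boolean; optional?: boolean };
type Lockfile = { lockfileVersion: number; packages: Record<string, LockPackage> };

interface Install { path: string; version: string; dev: boolean }

// The installed name is whatever follows the last "node_modules/" in the key,
// which handles scoped names and copies nested under workspaces.
function findInstalls(lock: Lockfile, name: string): Install[] {
  const out: Install[] = [];
  for (const [key, pkg] of Object.entries(lock.packages)) {
    if (key === "") continue; // root project entry
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1) continue; // a workspace package, not an installed dependency
    const installed = key.slice(idx + "node_modules/".length);
    if (installed === name && pkg.version) {
      out.push({ path: key, version: pkg.version, dev: pkg.dev === true });
    }
  }
  return out;
}

// Minimal numeric major.minor.patch compare; prerelease tags are ignored.
function cmpVersion(a: string, b: string): number {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Copies still below `fixedIn`. The threshold is the caller's responsibility:
// read it from the advisory, it is deliberately not encoded here.
function unpatchedCopies(lock: Lockfile, name: string, fixedIn: string): Install[] {
  return findInstalls(lock, name).filter((i) => cmpVersion(i.version, fixedIn) < 0);
}

// Constructed lockfile excerpt (not the project's real lockfile): vite is
// installed twice, once hoisted and once nested under a workspace package.
const SAMPLE_LOCK: Lockfile = {
  lockfileVersion: 3,
  packages: {
    "": {},
    "apps/web": {},
    "node_modules/vite": { version: "5.4.0", dev: true },
    "apps/web/node_modules/vite": { version: "5.2.0", dev: true },
    "node_modules/@fastify/static": { version: "7.0.0" },
  },
};

// Stand-alone usage with a hypothetical threshold of 5.3.0 (an assumption, not
// the advisory's value): reports the nested copy that an update of the root
// node_modules alone would miss.
for (const hit of unpatchedCopies(SAMPLE_LOCK, "vite", "5.3.0")) {
  console.log(`${hit.path} ${hit.version} dev=${hit.dev}`);
}
```

Against the real file, load it with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and run `findInstalls` for each package named above. A copy marked `dev: true` that is only reached by the Vite dev server does not ship to production, which is the scope the vite, esbuild and launch-editor titles state; in the constructed sample the @fastify/static copy is not dev-only, and that is the case to prioritise because @fastify/static serves files at runtime.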

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish, so it says nothing about whether any dependency is malicious; do not read it as “clean.” Re-run the scan to get a result.

via Guarddog v2.10.0 · Apache-2.0

error: npm:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 10 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 1.5/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Code-Review Code-Review scored 0: Found 0/30 approved changesets -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Contributors Contributors scored 0: project has 0 contributing companies or organizations -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: project was created within the last 90 days. Please review its contents carefully
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: no SAST tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.