gitsafehub
github.com/matryer/xbar ↗

matryer/xbar

scanned 2026-05-29 · git d624239
1 of 6 checks flagged a security issue
🟡 Worth a look
Only 2 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit. How this is computed.


Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Gitleaks v8.21.2 · MIT

error: timeout after 120s

Vulnerable dependencies — Trivy timed out

Packages you depend on that have known security holes (CVEs).

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Trivy v0.70.0 · Apache-2.0

error: timeout after 120s

Known OSS vulnerabilities — OSV-Scanner 676 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing GHSA-h395-qcrw-5vmq Inconsistent Interpretation of HTTP Requests in github.com/gin-gonic/gin
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.sum
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-7vpp-9cxj-q8gv mholt/archiver Vulnerable to Path Traversal via Crafted ZIP File
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.sum
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-7vpp-9cxj-q8gv mholt/archiver Vulnerable to Path Traversal via Crafted ZIP File
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/pkg/update/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-77fj-vx54-gvh7 Go Markdown has an Out-of-bounds Read in SmartypantsRenderer
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/tools/sitegen/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-m9xq-6h2j-65r2 Markdown vulnerable to Out-of-bounds Read while parsing citations
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/tools/sitegen/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-6v2p-p543-phr9 golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/tools/sitegen/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0493 Incorrect privilege reporting in syscall and golang.org/x/sys/unix
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2026-5024 Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-p782-xgp4-8hr8 golang.org/x/sys/unix has Incorrect privilege reporting in syscall
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0433 Stack overflow from a large amount of PEM data in encoding/pem
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0435 Panic due to large inputs affecting P-256 curves in crypto/elliptic
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0477 Indefinite hang with large buffers on Windows in crypto/rand
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0493 Incorrect privilege reporting in syscall and golang.org/x/sys/unix
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0515 Stack exhaustion due to deeply nested types in go/parser
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0520 Exposure of client IP addresses in net/http
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0521 Stack exhaustion from deeply nested XML documents in encoding/xml
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0522 Stack exhaustion on crafted paths in path/filepath
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0523 Stack exhaustion when unmarshaling certain documents in encoding/xml
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0524 Stack exhaustion when reading certain archives in compress/gzip
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0525 Improper sanitization of Transfer-Encoding headers in net/http
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0526 Stack exhaustion when decoding certain messages in encoding/gob
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0527 Stack exhaustion in Glob on certain paths in io/fs
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0531 Session tickets lack random ticket_age_add in crypto/tls
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0532 Empty Cmd.Path can trigger unintended binary in os/exec on Windows
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GO-2022-0533 Path traversal via Clean on Windows in path/filepath
    /workdirs/scan-8d788090-c526-46ca-9a77-c74263d75ea4/app/go.mod
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
… 651 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep timed out

Code that can be exploited — injection, hardcoded credentials and similar.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Semgrep v1.147.0 · LGPL-2.1

error: timeout after 120s

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard timed out

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

error: timeout after 120s

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.