gitsafehub
github.com/nubskr/walrus

nubskr/walrus

scanned 2026-05-30 · git 89a38a0
2 of 6 checks flagged a security issue
🟡 Worth a look
6 checks ran. Start with Known OSS vulnerabilities below.

Informational scan, not a security audit.

Summary of checks:
  • Leaked secrets: none found
  • Vulnerable dependencies: 4
  • Known OSS vulnerabilities: 69
  • Risky code patterns: none found
  • Malicious dependencies: none found
  • Project health: 11 notes

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 4 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2026-25541 Bytes is a utility library for working with bytes. From version 1.2.1 ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25541 Bytes is a utility library for working with bytes. From version 1.2.1 ...
    distributed-walrus/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25541 Bytes is a utility library for working with bytes. From version 1.2.1 ...
    raft_client/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Minor GHSA-cq8v-f236-94qc Rand is unsound with a custom logger using rand::rng()
    Cargo.lock
    A package you depend on has a known security hole (GHSA-cq8v-f236-94qc). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 69 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing GHSA-394x-vwmw-crm3 AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/distributed-walrus/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-65p9-r9h6-22vj AWS-LC has Timing Side-Channel in AES-CCM Tag Verification
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/distributed-walrus/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-9f94-5g5w-gf6r CRL Distribution Point Scope Check Logic Error in AWS-LC
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/distributed-walrus/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-hfpc-8r3f-gw53 AWS-LC has PKCS7_verify Signature Validation Bypass
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/distributed-walrus/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-vw5v-4f2q-w9xf AWS-LC has PKCS7_verify Certificate Chain Validation Bypass
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/distributed-walrus/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-6xvm-j4wr-6v98 Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/distributed-walrus/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-82j2-j2ch-gfr8 rustls-webpki: Denial of service via panic on malformed CRL BIT STRING
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/distributed-walrus/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-394x-vwmw-crm3 AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/raft_client/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-65p9-r9h6-22vj AWS-LC has Timing Side-Channel in AES-CCM Tag Verification
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/raft_client/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-9f94-5g5w-gf6r CRL Distribution Point Scope Check Logic Error in AWS-LC
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/raft_client/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-hfpc-8r3f-gw53 AWS-LC has PKCS7_verify Signature Validation Bypass
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/raft_client/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-vw5v-4f2q-w9xf AWS-LC has PKCS7_verify Certificate Chain Validation Bypass
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/raft_client/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-6xvm-j4wr-6v98 Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/raft_client/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-82j2-j2ch-gfr8 rustls-webpki: Denial of service via panic on malformed CRL BIT STRING
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/raft_client/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-cq8v-f236-94qc Rand is unsound with a custom logger using rand::rng()
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-cq8v-f236-94qc Rand is unsound with a custom logger using rand::rng()
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/distributed-walrus/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-cq8v-f236-94qc Rand is unsound with a custom logger using rand::rng()
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/distributed-walrus/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-965h-392x-2mh5 webpki: Name constraints for URI names were incorrectly accepted
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/distributed-walrus/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-xgp8-3hg3-c2mh webpki: Name constraints were accepted for certificates asserting a wildcard name
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/distributed-walrus/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-cq8v-f236-94qc Rand is unsound with a custom logger using rand::rng()
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/raft_client/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-cq8v-f236-94qc Rand is unsound with a custom logger using rand::rng()
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/raft_client/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-965h-392x-2mh5 webpki: Name constraints for URI names were incorrectly accepted
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/raft_client/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-xgp8-3hg3-c2mh webpki: Name constraints were accepted for certificates asserting a wildcard name
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/raft_client/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2026-0007 Integer overflow in `BytesMut::reserve`
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-434x-w66g-qw3r bytes has integer overflow in BytesMut::reserve
    /workdirs/scan-bb037a72-a45c-435f-9b53-aaa7492a3f58/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
… 44 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 11 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 3.3/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Code-Review Code-Review scored 0: Found 0/24 approved changesets -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Contributors Contributors scored 0: project has 0 contributing companies or organizations -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Vulnerabilities Vulnerabilities scored 0: 16 existing vulnerabilities detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.