gitsafehub
github.com/y2z/monolith

y2z/monolith

scanned 2026-06-27 · git a6fc8d0
3 of 6 checks flagged a security issue
🔴 Needs attention
6 checks ran. Start with leaked secrets below.

Informational scan, not a security audit.

Leaked secrets: 1 · Vulnerable dependencies: 13 · Known OSS vulnerabilities: 31 · Risky code patterns: 0 · Malicious dependencies: 0 · Project health: 9 notes

Security checks

Leaked secrets — Gitleaks 1 found · 1 serious

API keys, passwords or tokens committed into the repo.

  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    .actor/README.md:33
    A credential (key, password or token) appears in a file in the repo, here inside a curl example in a README. First confirm whether the value is a live token or a documentation placeholder: a placeholder is a false positive and should be allowlisted in `.gitleaks.toml` rather than rotated. If it is real, treat it as compromised: rotate it at the issuer, remove it from the file (deleting the line does not scrub git history), and have the example read it from an environment variable instead.

via Gitleaks v8.21.2 · MIT
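To make the triage step concrete, here is an added example (written for this page, not code from the project or from Gitleaks) that scans README-style text for curl Authorization headers, separates literal credentials from documentation placeholders such as `$API_TOKEN` or `<YOUR_TOKEN>`, and rewrites a literal into the environment-variable form the README should have used. The sample text and the token value are constructed; the function names are this example's own.

```python
import re

# Constructed README excerpt (not the project's .actor/README.md); the token is fake.
SAMPLE_README = """\
## Usage
curl -H "Authorization: Bearer fake-token-0123456789abcdef" https://api.example.invalid/run
curl -H "Authorization: Bearer $API_TOKEN" https://api.example.invalid/run
curl -H 'Authorization: Bearer <YOUR_TOKEN>' https://api.example.invalid/run
curl -H "Authorization: Bearer ${API_TOKEN}" https://api.example.invalid/run
curl https://api.example.invalid/health
"""

# A curl invocation carrying an Authorization header; 'cred' is the value after the scheme.
_AUTH_HEADER = re.compile(
    r"""curl\b.*?-H\s+(['"])Authorization:\s*(?:Bearer|Basic|Token)\s+(?P<cred>[^'"]+)\1""",
    re.IGNORECASE,
)
# Shell variable references and <angle-bracket> templates are documentation placeholders.
_PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|<[^>]+>)$")


def find_curl_secrets(text):
    """Return (line_number, credential) for each curl Authorization header whose
    value is a literal rather than a placeholder."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _AUTH_HEADER.search(line)
        if m and not _PLACEHOLDER.match(m.group("cred").strip()):
            hits.append((n, m.group("cred")))
    return hits


def redact(line, var="API_TOKEN"):
    """Rewrite a literal credential as an environment-variable reference, which is
    what the committed example should have contained in the first place.
    Lines that already use a placeholder are returned unchanged."""
    m = _AUTH_HEADER.search(line)
    if not m or _PLACEHOLDER.match(m.group("cred").strip()):
        return line
    return line[:m.start("cred")] + "$" + var + line[m.end("cred"):]


if __name__ == "__main__":
    for n, cred in find_curl_secrets(SAMPLE_README):
        print(f"line {n}: literal credential {cred[:4]}... -> rotate it; fixed form:")
        print("  " + redact(SAMPLE_README.splitlines()[n - 1]))
```

Only the first curl line is reported; the three placeholder forms pass. Extend `_PLACEHOLDER` to match your own documentation conventions (for example a bare `YOUR_TOKEN`), and allowlist confirmed placeholders in Gitleaks rather than weakening the rule globally.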

Vulnerable dependencies — Trivy 13 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2026-25541 Bytes is a utility library for working with bytes. From version 1.2.1 ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25541). Fix: Update that package to its patched version.
  • Worth fixing GHSA-wrw7-89jp-8q8g Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
    Cargo.lock
    A package you depend on has a known security hole (GHSA-wrw7-89jp-8q8g). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41676 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41676). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41678 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41678). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41681 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41681). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-41898 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41898). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42327 rust-openssl: Arbitrary code execution via specially crafted certificate
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-42327). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44662 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-44662). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-45784 rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-45784). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25727 time: time affected by a stack exhaustion denial of service attack
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25727). Fix: Update that package to its patched version.
  • Minor CVE-2026-41677 rust-openssl provides OpenSSL bindings for the Rust programming langua ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41677). Fix: Update that package to its patched version.
  • Minor GHSA-cq8v-f236-94qc Rand is unsound with a custom logger using rand::rng()
    Cargo.lock
    A package you depend on has a known security hole (GHSA-cq8v-f236-94qc). Fix: Update that package to its patched version.
  • Minor CVE-2025-58160 tracing-subscriber: Tracing log pollution
    Cargo.lock
    A package you depend on has a known security hole (CVE-2025-58160). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 31 found

Your dependencies cross-checked against the OSV vulnerability database. These overlap heavily with the Trivy list above: the same issues appear here under their RUSTSEC and GHSA aliases, so the 31 findings are not 31 additional problems. The FYI entries are unmaintained-crate notices, which have no patched version to update to.

  • Worth fixing RUSTSEC-2026-0007 Integer overflow in `BytesMut::reserve`
    Cargo.lock
    Same issue as CVE-2026-25541 in the Trivy list above (bytes crate). Fix: update bytes to the patched version named in the advisory.
  • Worth fixing RUSTSEC-2024-0429 Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
    Cargo.lock
    Same issue as GHSA-wrw7-89jp-8q8g above (glib crate). Fix: update glib to the patched version named in the advisory.
  • Worth fixing GHSA-8c75-8mhr-p7r9 rust-openssl has incorrect bounds assertion in aes key wrap
    Cargo.lock
    Same issue as CVE-2026-41678 above. Fix: update the openssl crate; a single bump to a current release covers every rust-openssl advisory in this list. Several of them are only reachable through specific APIs (AES key wrap, PSK and cookie callbacks, PEM password callbacks, OCSP responder lookup), which affects priority, not whether to update.
  • Worth fixing GHSA-ghm9-cr32-g9qj rust-openssl: MdCtxRef::digest_final() writes past caller buffer with no length check
    Cargo.lock
    Same issue as CVE-2026-41681 above; fixed by the same openssl crate update.
  • Worth fixing GHSA-hppc-g8h3-xhp3 rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer
    Cargo.lock
    Same issue as CVE-2026-41898 above; fixed by the same openssl crate update.
  • Worth fixing GHSA-phqj-4mhp-q6mq rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
    Cargo.lock
    Same issue as CVE-2026-45784 above; fixed by the same openssl crate update.
  • Worth fixing GHSA-pqf5-4pqq-29f5 rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1
    Cargo.lock
    Same issue as CVE-2026-41676 above; fixed by the same openssl crate update. Per the title it applies when linking against OpenSSL 1.1.1, which is itself end-of-life.
  • Worth fixing GHSA-xp3w-r5p5-63rr rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
    Cargo.lock
    Same issue as CVE-2026-42327 above; fixed by the same openssl crate update.
  • Worth fixing GHSA-xv59-967r-8726 rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wrap-with-padding
    Cargo.lock
    Same issue as CVE-2026-44662 above; fixed by the same openssl crate update.
  • Worth fixing RUSTSEC-2026-0009 Denial of Service via Stack Exhaustion
    Cargo.lock
    Same issue as CVE-2026-25727 above (time crate). Fix: update time to the patched version named in the advisory.
  • Minor GHSA-xmgf-hq76-4vx2 rust-openssl has an Out-of-bounds read in PEM password callback when returning an oversized length
    Cargo.lock
    Same issue as CVE-2026-41677 above; fixed by the same openssl crate update.
  • Minor RUSTSEC-2025-0055 Logging user input may result in poisoning logs with ANSI escape sequences
    Cargo.lock
    Same issue as CVE-2025-58160 above (tracing-subscriber). Fix: update tracing-subscriber to the patched version named in the advisory.
  • FYI RUSTSEC-2024-0413 gtk-rs GTK3 bindings - no longer maintained
    Cargo.lock
    Unmaintained-crate notice, not a vulnerability: there is no patched version to update to. The gtk-rs project's replacement is the GTK4 bindings. Until a migration happens, record the accepted risk in a cargo-audit or cargo-deny ignore list so the notice does not drown real findings.
  • FYI RUSTSEC-2024-0416 gtk-rs GTK3 bindings - no longer maintained
    Cargo.lock
    Same notice as RUSTSEC-2024-0413 for another crate of the GTK3 binding set; same disposition.
  • FYI RUSTSEC-2021-0145 Potential unaligned read
    Cargo.lock
    This is the atty crate, which has no fix released. Replace it with `std::io::IsTerminal` (stable since Rust 1.70). atty is usually transitive; `cargo tree -i atty` shows which direct dependency pulls it in.
  • FYI RUSTSEC-2024-0375 `atty` is unmaintained
    Cargo.lock
    Unmaintained-crate notice for the same crate as RUSTSEC-2021-0145; the `std::io::IsTerminal` migration resolves both.
  • FYI RUSTSEC-2024-0412 gtk-rs GTK3 bindings - no longer maintained
    Cargo.lock
    Same notice as RUSTSEC-2024-0413 for another crate of the GTK3 binding set; same disposition.
  • FYI RUSTSEC-2024-0418 gtk-rs GTK3 bindings - no longer maintained
    Cargo.lock
    Same notice as RUSTSEC-2024-0413 for another crate of the GTK3 binding set; same disposition.
  • FYI RUSTSEC-2024-0415 gtk-rs GTK3 bindings - no longer maintained
    Cargo.lock
    Same notice as RUSTSEC-2024-0413 for another crate of the GTK3 binding set; same disposition.
  • FYI RUSTSEC-2024-0420 gtk-rs GTK3 bindings - no longer maintained
    Cargo.lock
    Same notice as RUSTSEC-2024-0413 for another crate of the GTK3 binding set; same disposition.
  • FYI RUSTSEC-2024-0419 gtk-rs GTK3 bindings - no longer maintained
    Cargo.lock
    Same notice as RUSTSEC-2024-0413 for another crate of the GTK3 binding set; same disposition.
  • FYI RUSTSEC-2024-0384 `instant` is unmaintained
    Cargo.lock
    Unmaintained-crate notice; no patched version exists. The advisory's recommended replacement is the `web-time` crate. Check `cargo tree -i instant` for the dependency that pulls it in.
  • FYI RUSTSEC-2024-0370 proc-macro-error is unmaintained
    Cargo.lock
    Unmaintained-crate notice; no patched version exists. It is a build-time (proc-macro) dependency, so it never ships in the binary; the advisory lists maintained forks such as `proc-macro-error2`, and updating whichever crate depends on it usually removes it.
  • FYI RUSTSEC-2026-0097 Rand is unsound with a custom logger using `rand::rng()`
    Cargo.lock
    Same issue as GHSA-cq8v-f236-94qc in the Trivy list above (rand crate). Fix: update rand to the patched version named in the advisory.
  • FYI RUSTSEC-2025-0134 rustls-pemfile is unmaintained
    Cargo.lock
    Unmaintained-crate notice; no patched version exists. PEM parsing moved into the `rustls-pki-types` crate, which is the intended replacement.
… 6 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0
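Both the Trivy and the OSV lists above reduce to one operation: take each crate version recorded in Cargo.lock and test it against an advisory's version range, where an "unmaintained" advisory has no upper bound and therefore no "patched version" to update to. The following added example (not code from the project, from Trivy or from OSV-Scanner; `cargo audit` and `cargo deny` do this for real) shows that range logic on a constructed lockfile. The advisory IDs, ranges and version numbers are made up for the demo and deliberately do not correspond to the real advisories in this report.

```python
import re

# Constructed Cargo.lock excerpt (not monolith's lockfile); versions are made up for the demo.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "atty"
version = "0.2.14"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "bytes"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "bytes"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl"
version = "0.10.60"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.200"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Constructed advisories with hypothetical IDs and ranges. Real ranges come from the
# advisory itself (OSV 'affected' events or the RUSTSEC 'patched' field); these do not.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "crate": "bytes", "introduced": "1.2.0", "fixed": "1.6.0", "advice": None},
    {"id": "EXAMPLE-0002", "crate": "atty", "introduced": "0.0.0", "fixed": None,
     "advice": "unmaintained, migrate to std::io::IsTerminal"},
    {"id": "EXAMPLE-0003", "crate": "openssl", "introduced": "0.10.0", "fixed": "0.10.70", "advice": None},
]


def parse_version(v):
    """'1.2.3' -> (1, 2, 3). Pre-release and build suffixes are ignored, which is
    adequate for lockfiles; use a real semver library for full precedence rules."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def parse_cargo_lock(text):
    """Return [(name, version), ...] for every [[package]] table, duplicates included:
    a lockfile can hold several versions of one crate, and each needs checking."""
    pkgs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            cur = {}
            pkgs.append(cur)
        elif cur is not None:
            m = re.match(r'(name|version)\s*=\s*"([^"]+)"', line)
            if m:
                cur[m.group(1)] = m.group(2)
    return [(p["name"], p["version"]) for p in pkgs if "name" in p and "version" in p]


def is_affected(version, introduced, fixed):
    """OSV-style range check: introduced <= version < fixed. fixed=None means the
    advisory has no patched version (the unmaintained-crate case), so every
    version from 'introduced' onward is affected."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_advisories(lock_text, advisories):
    """Cross-check every locked crate version against the advisory list and say
    what to do: bump to the fixed version, or follow the migration advice."""
    findings = []
    for name, version in parse_cargo_lock(lock_text):
        for adv in advisories:
            if adv["crate"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                action = (f"update to >= {adv['fixed']}" if adv["fixed"]
                          else f"no patched version: {adv['advice']}")
                findings.append((adv["id"], name, version, action))
    return findings


if __name__ == "__main__":
    for fid, name, version, action in match_advisories(SAMPLE_LOCK, ADVISORIES):
        print(f"{fid}: {name} {version} -> {action}")
```

Run as is, it flags atty (no fix, migrate), bytes 1.5.0 (bump) and openssl 0.10.60 (bump), and correctly leaves bytes 1.6.0 alone. The second bytes entry is the point of checking the lockfile rather than Cargo.toml: a fixed direct dependency does not help if another path in the graph still resolves to the old version.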

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 9 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Minor scorecard-overall OpenSSF Scorecard overall: 4.1/10
    Aggregate of the checks below; the zero-scored checks listed here are what pull it down.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 2 out of 21 merged PRs checked by a CI test -- score normalized to 0
    Run the test suite on every pull request (a workflow with a `pull_request` trigger) so that merges are gated by CI rather than checked after the fact.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    Process signal only: the badge is earned by self-certifying at bestpractices.dev and says nothing about the code itself.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    Scorecard looks for OSS-Fuzz or ClusterFuzzLite integration and for in-repo fuzz targets such as a cargo-fuzz `fuzz/` crate. monolith parses untrusted HTML and CSS from arbitrary pages, so the parsing entry points are the natural targets and this is the zero most worth acting on.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    Usually a GitHub Actions step referenced by a mutable tag (`uses: owner/action@v4`); the check also covers Dockerfile base images and package installs in workflow scripts. Pin each action to a full commit SHA with the tag in a trailing comment so a moved or compromised tag cannot change what CI runs; Dependabot or Renovate keep the pins current. Crates are already pinned by checksum in Cargo.lock.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    Add a static-analysis workflow that runs on every push and pull request, for example GitHub CodeQL. The Semgrep pass above is this scan's own run, not a check wired into the repository, so it does not count here.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    Add a SECURITY.md (in the repo or in the organization's .github repo) stating where to report vulnerabilities and what response to expect.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    Sign release artifacts (for example with Sigstore cosign) or attach SLSA provenance generated in CI, so users can verify that a download came from the project's pipeline and not from a compromised release page.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    Declare a top-level `permissions:` block in every workflow (`contents: read` is the usual baseline) and grant write scopes only to the specific job that needs them. A workflow without one inherits the repository default for GITHUB_TOKEN, which may be write-all, so any compromised step in that workflow can push code or tags.

via OpenSSF Scorecard v5.5.0 · Apache-2.0
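The Token-Permissions and Pinned-Dependencies zeros are the two Scorecard notes that describe a concrete exploitable weakness in CI rather than a process gap. The added example below (written for this page; not monolith's workflow and not Scorecard's code) places a workflow in the shape Scorecard penalizes beside its hardened form and runs a small line-based checker over both. The workflow contents and the commit SHAs are constructed placeholders; the checker deliberately avoids a YAML library so it runs with the standard library alone.

```python
import re

# Constructed workflow in the shape Scorecard penalizes (not a file from monolith):
# actions referenced by mutable tags and no permissions block at all.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v3
      - run: cargo build --release
"""

# The same workflow hardened. The SHAs are fake placeholders for the demo; in a real
# pin they are the commit the tag resolved to, with the tag kept in the trailing comment.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (fake SHA)
      - uses: actions/cache@89abcdef0123456789abcdef0123456789abcdef # v3 (fake SHA)
      - run: cargo build --release
"""

_USES = re.compile(r"^\s*-?\s*uses:\s*([A-Za-z0-9_.\-/]+)@(\S+)")
_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
_TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:", re.MULTILINE)  # unindented key only


def unpinned_actions(text):
    """Every 'owner/repo@ref' step whose ref is not a full 40-hex commit SHA.
    Local actions ('uses: ./path') carry no '@' and are skipped."""
    found = []
    for line in text.splitlines():
        m = _USES.match(line)
        if m and not _FULL_SHA.match(m.group(2)):
            found.append(f"{m.group(1)}@{m.group(2)}")
    return found


def has_top_level_permissions(text):
    """True when the workflow declares 'permissions:' at the top level, so no job
    silently inherits the repository default for GITHUB_TOKEN."""
    return _TOP_LEVEL_PERMISSIONS.search(text) is not None


def workflow_issues(text):
    """Line-based approximation of Scorecard's Pinned-Dependencies and
    Token-Permissions checks. Scorecard itself parses the YAML and also inspects
    job-level grants; this is the minimum a pre-commit hook should catch."""
    issues = [f"unpinned action: {ref}" for ref in unpinned_actions(text)]
    if not has_top_level_permissions(text):
        issues.append("no top-level permissions block: GITHUB_TOKEN gets the repository default")
    return issues


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, workflow_issues(wf) or "ok")
```

Pinning by SHA matters because a tag such as `v4` is mutable: whoever controls the action's repository (or its token) can move the tag to new code, and every consumer picks it up on the next run. A top-level `permissions:` block closes the other half of that attack, since a malicious step then holds a read-only token instead of one that can push to the repository.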

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.