🛡 SecShield

Grade: F
Security Score: 0/100
Last audit: 2026-02-24 08:22 UTC • 238 active findings • 0 whitelisted (accepted risk)
CRITICAL 2 HIGH 68 MEDIUM 38 LOW 130

Services Status

Service           Type     Status
nginx             systemd  active
postgresql        systemd  active
redis-server      systemd  active
mosquitto         systemd  active
picobernacca      systemd  active
docker            systemd  active
ssh               systemd  active
darkskyscout-api  pm2      online
darkskyscout-web  pm2      online

Audit Info

Schedule: Daily at 03:00 UTC
Last audit: 2026-02-24 08:22 UTC
Scanners: os_audit, network_audit, regex, trivy, bandit
Total findings: 238
Active: 238
Whitelisted: 0
Patching: auto_after_grace (10d grace)

Active Findings (238)

UFW firewall is INACTIVE (iptables/nftables may be configured directly) HIGH
OS/Firewall
fail2ban is INACTIVE — no brute-force protection HIGH
OS/Firewall
Password authentication is enabled (prefer key-only) MEDIUM
SSH
X11 forwarding is enabled MEDIUM
SSH
TCP forwarding is enabled MEDIUM
SSH
MaxAuthTries is 6 (recommend <= 4) MEDIUM
SSH
ClientAliveInterval is 0 (no idle timeout) MEDIUM
SSH
30 non-standard SUID/SGID binaries MEDIUM
Permissions
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chsh
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chfn
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/mount
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/umount
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722ad
PASS_MAX_DAYS is 99999 (recommend <= 90) MEDIUM
Password Policy
PASS_MIN_DAYS is 0 — no minimum password age MEDIUM
Password Policy
PASS_MIN_LEN is 5 (recommend >= 8) MEDIUM
Password Policy
No account lockout policy (pam_faillock/pam_tally2 not configured) MEDIUM
Password Policy
pam_pwquality not configured — no password complexity enforcement MEDIUM
Password Policy
net.ipv4.ip_forward=1 (IP forwarding enabled — router mode) LOW
Kernel
net.ipv4.conf.all.send_redirects=1 (ICMP redirect sending enabled) LOW
Kernel
net.ipv4.conf.all.log_martians=0 (Martian packet logging disabled) LOW
Kernel
fs.suid_dumpable=2 (SUID core dumps enabled) LOW
Kernel
DMARC policy is 'none' — not enforcing LOW
DNS (home.xamad.net)
DNSSEC not enabled LOW
DNS (home.xamad.net)
DMARC policy is 'none' — not enforcing LOW
DNS (secshield.xamad.net)
DNSSEC not enabled LOW
DNS (secshield.xamad.net)
darkskyscout API (port 3030) bound to 0.0.0.0 — should be 127.0.0.1 HIGH
Network
Service '' is listening on all interfaces but config expects localhost only
Unexpected exposed port 8883 (mosquitto) MEDIUM
Network
Port 8883 is listening on 0.0.0.0 but not in expected_ports config
Unexpected exposed port 5055 (python3) MEDIUM
Network
Port 5055 is listening on 0.0.0.0 but not in expected_ports config
Unexpected exposed port 9001 (mosquitto) MEDIUM
Network
Port 9001 is listening on 0.0.0.0 but not in expected_ports config
Unexpected exposed port 8003 (python) MEDIUM
Network
Port 8003 is listening on 0.0.0.0 but not in expected_ports config
Unexpected exposed port 8000 (python) MEDIUM
Network
Port 8000 is listening on 0.0.0.0 but not in expected_ports config
Unexpected exposed port 3050 (node) MEDIUM
Network
Port 3050 is listening on * but not in expected_ports config
Unexpected exposed port 8065 () MEDIUM
Network
Port 8065 is listening on * but not in expected_ports config
Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection LOW
Headers (home.xamad.net)
Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection LOW
Headers (secshield.xamad.net)
[CVE-2026-25896] fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling CRITICAL
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: fast-xml-parser 5.3.4 → 5.3.5
Hardcoded API key HIGH
Code ([...path].js)
File: /opt/darkskyscout/vercel-satellite-proxy/api/n2yo/[...path].js
Line 45: if (!apiKey || apiKey === 'your_n2yo_api_key_here') {
Hardcoded API key HIGH
Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 51: if (!OPENWEATHER_API_KEY || OPENWEATHER_API_KEY === 'demo_key') {
Hardcoded API key HIGH
Code (admin-sources-api.js)
File: /opt/darkskyscout/packages/api/src/routes/admin-sources-api.js
Line 95: if (requires_api_key !== undefined) filters.requires_api_key = requires_api_key === 'true';
Hardcoded API key HIGH
Code (webhooks.js)
File: /opt/darkskyscout/packages/api/src/routes/webhooks.js
Line 238: const apiKey = req.get('X-API-Key');
Hardcoded API key HIGH
Code (security.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/security.middleware.js
Line 258: const apiKey = req.headers['x-api-key'];
Hardcoded API key HIGH
Code (auth.js)
File: /opt/darkskyscout/packages/api/src/middleware/auth.js
Line 340: const apiKey = req.headers['x-api-key'];
Hardcoded password HIGH
Code (validation.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/validation.middleware.js
Line 41: const passwordValidation = body('password')
Hardcoded password HIGH
Code (seed.dev.js)
File: /opt/darkskyscout/packages/api/src/prisma/seed.dev.js
Line 31: const hashedPassword = await bcrypt.hash('password123', 10);
Hardcoded API key HIGH
Code (skyTrackingOptimized.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
Line 90: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {
Hardcoded API key HIGH
Code (skyTrackingOptimized.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
Line 405: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {
Hardcoded API key HIGH
Code (googleEarthEngine.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
Line 146: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {
Hardcoded API key HIGH
Code (googleEarthEngine.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
Line 268: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {
Hardcoded API key HIGH
Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 56: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
Hardcoded API key HIGH
Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 132: if (this.n2yoApiKey && this.n2yoApiKey !== 'demo_key') {
Hardcoded API key HIGH
Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 196: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
Hardcoded API key HIGH
Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 735: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
Hardcoded API key HIGH
Code (googleAuthRepair.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
Line 78: diagnosis.mapsApiKey.error = 'Billing not enabled';
Hardcoded password HIGH
Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 8: const { validatePassword, validateEmail } = require('../utils/validation');
child_process — command injection risk HIGH
Code (satelliteClaudeSearch.service.js)
File: /opt/darkskyscout/packages/api/src/services/satelliteClaudeSearch.service.js
Line 1: const { spawn } = require('child_process');
child_process — command injection risk HIGH
Code (claudeSearch.service.js)
File: /opt/darkskyscout/packages/api/src/services/claudeSearch.service.js
Line 1: const { exec } = require('child_process');
child_process — command injection risk HIGH
Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 4: const { exec } = require('child_process');
Hardcoded API key HIGH
Code (n2yoClient.service.js)
File: /opt/darkskyscout/packages/web/src/services/n2yoClient.service.js
Line 26: return !!this.apiKey && this.apiKey !== 'your_n2yo_api_key_here';
Hardcoded password HIGH
Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 87: newErrors.password = 'Password is required';
Hardcoded password HIGH
Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 89: newErrors.password = 'Password must be at least 8 characters';
Hardcoded password HIGH
Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 91: newErrors.password = 'Password must contain uppercase, lowercase and number';
Hardcoded password HIGH
Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 95: newErrors.confirmPassword = 'Please confirm your password';
Hardcoded password HIGH
Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 97: newErrors.confirmPassword = 'Passwords do not match';
Hardcoded password HIGH
Code (LoginPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/LoginPage.jsx
Line 82: newErrors.password = 'Password is required';
innerHTML assignment — XSS risk HIGH
Code (PhotoGallery.jsx)
File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}
React dangerouslySetInnerHTML — XSS risk HIGH
Code (PhotoGallery.jsx)
File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}
innerHTML assignment — XSS risk HIGH
Code (MatchSuggestions.jsx)
File: /opt/darkskyscout/packages/web/src/components/common/MatchSuggestions.jsx
Line 96: e.target.parentElement.innerHTML = `<span class="text-lg font-bold">${suggestion.user.name[0]}</span>`;
innerHTML assignment — XSS risk HIGH
Code (InstantLightPollutionOverlay.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/InstantLightPollutionOverlay.jsx
Line 478: tooltip.innerHTML = `
innerHTML assignment — XSS risk HIGH
Code (CustomLocationMarkers.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/CustomLocationMarkers.jsx
Line 54: el.innerHTML = `
innerHTML assignment — XSS risk HIGH
Code (SimpleBortleOverlay.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/SimpleBortleOverlay.jsx
Line 67: svgElement.innerHTML = '';
innerHTML assignment — XSS risk HIGH
Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 446: el.innerHTML = `
innerHTML assignment — XSS risk HIGH
Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 534: el.innerHTML = `
innerHTML assignment — XSS risk HIGH
Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 616: el.innerHTML = `
innerHTML assignment — XSS risk HIGH
Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1275: loadingIndicator.innerHTML = `
innerHTML assignment — XSS risk HIGH
Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1421: clickableIndicator.innerHTML = `
innerHTML assignment — XSS risk HIGH
Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1619: errorIndicator.innerHTML = `
[CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: axios 1.13.4 → 1.13.5, 0.30.3
[CVE-2026-26278] fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: fast-xml-parser 5.3.4 → 5.3.6
[CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: minimatch 3.1.2 → 10.2.1
[CVE-2025-47935] Multer vulnerable to Denial of Service via memory leaks from unclosed streams HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.0
[CVE-2025-47944] Multer vulnerable to Denial of Service from maliciously crafted requests HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.0
[CVE-2025-48997] multer: Multer vulnerable to Denial of Service via unhandled exception HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.1
[CVE-2025-7338] multer: Multer Denial of Service HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.2
[CVE-2026-23745] node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.3
[CVE-2026-23950] node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.4
[CVE-2026-24842] node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.7
[CVE-2026-26960] tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.8
[CVE-2024-12905] tar-fs: link following and path traversal via maliciously crafted tar file HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 1.16.4, 2.1.2, 3.0.7
[CVE-2025-48387] tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 1.16.5, 2.1.3, 3.0.9
[CVE-2025-59343] tar-fs: tar-fs symlink validation bypass HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 3.1.1, 2.1.4, 1.16.6
[CVE-2024-37890] nodejs-ws: denial of service when handling a request with many HTTP headers HIGH
Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: ws 8.16.0 → 5.2.4, 6.2.3, 7.5.10, 8.17.1
[CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig HIGH
Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: axios 1.13.4 → 1.13.5, 0.30.3
[CVE-2026-1615] jsonpath: jsonpath: Arbitrary Code Execution via unsafe JSON Path expression evaluation HIGH
Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: jsonpath 1.2.1 → no fix
[CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns HIGH
Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 3.1.2 → 10.2.1
[CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns HIGH
Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 5.1.6 → 10.2.1
[CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns HIGH
Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 9.0.5 → 10.2.1
[CVE-2021-3803] nodejs-nth-check: inefficient regular expression complexity HIGH
Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: nth-check 1.0.2 → 2.0.1
MD5 hash usage MEDIUM
Code (analytics.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/analytics.middleware.js
Line 86: return crypto.createHash('md5').update(components.join('|')).digest('hex');
MD5 hash usage MEDIUM
Code (feature-flags.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/feature-flags.middleware.js
Line 294: const hash = crypto.createHash('md5').update(hashInput).digest('hex');
MD5 hash usage MEDIUM
Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 110: return crypto.createHash('md5').update(fingerprint).digest('hex');
MD5 hash usage MEDIUM
Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 56: const hash = crypto.createHash('md5').update(fullKey).digest('hex');
MD5 hash usage MEDIUM
Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 316: const paramsHash = crypto.createHash('md5').update(paramsString).digest('hex');
MD5 hash usage MEDIUM
Code (compression.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/compression.middleware.js
Line 353: const hash = crypto.createHash('md5').update(chunk).digest('hex');
MD5 hash usage MEDIUM
Code (userLocationInteractions.service.js)
File: /opt/darkskyscout/packages/api/src/services/userLocationInteractions.service.js
Line 22: return crypto.createHash('md5').update(`${name}_${location.id || Date.now()}`).digest('hex');
[CVE-2025-69873] ajv: ReDoS via $data reference MEDIUM
Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: ajv 6.12.6 → 8.18.0, 6.14.0
[CVE-2025-69873] ajv: ReDoS via $data reference MEDIUM
Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: ajv 8.17.1 → 8.18.0, 6.14.0
[CVE-2023-44270] PostCSS: Improper input validation in PostCSS MEDIUM
Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: postcss 7.0.39 → 8.4.31
[CVE-2025-30359] webpack-dev-server: webpack-dev-server information exposure MEDIUM
Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: webpack-dev-server 4.15.2 → 5.2.1
[CVE-2025-30360] webpack-dev-server: webpack-dev-server information exposure MEDIUM
Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: webpack-dev-server 4.15.2 → 5.2.1
Secret: Mapbox API token MEDIUM
Code (fix_all_localhost.sh)
File: fix_all_localhost.sh
Line 35: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************
Secret: Mapbox API token MEDIUM
Code (fix_browser_cache_delirium.sh)
File: fix_browser_cache_delirium.sh
Line 64: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************
Hardcoded fallback for env variable LOW
Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 2894: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';
Hardcoded fallback for env variable LOW
Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 2929: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';
Hardcoded fallback for env variable LOW
Code (server.js)
File: /opt/darkskyscout/packages/api/src/server.js
Line 9: const HOST = process.env.HOST || '0.0.0.0';
Hardcoded fallback for env variable LOW
Code (debug-sky-tracking.js)
File: /opt/darkskyscout/packages/api/src/debug-sky-tracking.js
Line 13: console.log('   OPENSKY_CLIENT_ID:', process.env.OPENSKY_CLIENT_ID || 'NOT SET');
Hardcoded fallback for env variable LOW
Code (socket.js)
File: /opt/darkskyscout/packages/api/src/socket.js
Line 17: origin: process.env.FRONTEND_URL || "https://darkskyscout.xamad.net",
Hardcoded fallback for env variable LOW
Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 450: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
Hardcoded fallback for env variable LOW
Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 505: const baseUrl = returnUrl || process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
Hardcoded fallback for env variable LOW
Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 580: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
Hardcoded fallback for env variable LOW
Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 108: host: process.env.REDIS_HOST || 'localhost',
Hardcoded fallback for env variable LOW
Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 651: limit: process.env.MAX_REQUEST_SIZE || '10mb',
Hardcoded fallback for env variable LOW
Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 659: limit: process.env.MAX_REQUEST_SIZE || '10mb'
Hardcoded fallback for env variable LOW
Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 51: process.env.JWT_SECRET || 'dev-secret',
Hardcoded fallback for env variable LOW
Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 112: process.env.JWT_SECRET || 'dev-secret',
Hardcoded fallback for env variable LOW
Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 141: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'dev-secret');
Hardcoded fallback for env variable LOW
Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 86: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
Hardcoded fallback for env variable LOW
Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 92: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
Hardcoded fallback for env variable LOW
Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 341: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
Hardcoded fallback for env variable LOW
Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 523: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
Hardcoded fallback for env variable LOW
Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 19: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
Hardcoded fallback for env variable LOW
Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 222: const baseUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
Hardcoded fallback for env variable LOW
Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 274: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
Hardcoded fallback for env variable LOW
Code (communitySharing.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/communitySharing.routes.js
Line 102: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'fallback-secret');
Hardcoded fallback for env variable LOW
Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 18: callbackURL: process.env.GOOGLE_CALLBACK_URL || '/api/auth/google/callback'
Hardcoded fallback for env variable LOW
Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 80: callbackURL: process.env.FACEBOOK_CALLBACK_URL || '/api/auth/facebook/callback',
Hardcoded fallback for env variable LOW
Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 137: callbackURL: process.env.GITHUB_CALLBACK_URL || '/api/auth/github/callback'
Hardcoded fallback for env variable LOW
Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 229: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }
Hardcoded fallback for env variable LOW
Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 235: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
Hardcoded fallback for env variable LOW
Code (auth.repair.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
Line 164: googleRedirectUri: process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback',
Hardcoded fallback for env variable LOW
Code (auth.repair.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
Line 165: frontendUrl: process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net',
Hardcoded fallback for env variable LOW
Code (auth.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
Line 32: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }
Hardcoded fallback for env variable LOW
Code (auth.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
Line 38: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
Hardcoded fallback for env variable LOW
Code (analytics.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/analytics.worker.js
Line 890: const filepath = path.join(process.env.EXPORT_DIR || '/tmp', filename);
Hardcoded fallback for env variable LOW
Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 263: host: process.env.REDIS_HOST || 'localhost',
Hardcoded fallback for env variable LOW
Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 417: timezone: process.env.TZ || 'UTC'
Hardcoded fallback for env variable LOW
Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 785: version: process.env.npm_package_version || 'unknown',
Hardcoded fallback for env variable LOW
Code (weather-scraper.js)
File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
Line 240: host: process.env.REDIS_HOST || 'localhost',
Hardcoded fallback for env variable LOW
Code (weather-scraper.js)
File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
Line 248: host: process.env.REDIS_HOST || 'localhost',
Hardcoded fallback for env variable LOW
Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 426: const tempDir = process.env.TEMP_DIR || '/tmp';
Hardcoded fallback for env variable LOW
Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 432: const uploadsDir = process.env.UPLOADS_DIR || '/uploads';
Hardcoded fallback for env variable LOW
Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 438: const logsDir = process.env.LOGS_DIR || '/logs';
Hardcoded fallback for env variable LOW
Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 743: const tempDir = process.env.TEMP_DIR || '/tmp';
Hardcoded fallback for env variable LOW
Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 33: host: process.env.REDIS_HOST || 'localhost',
Hardcoded fallback for env variable LOW
Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 51: host: process.env.REDIS_HOST || 'localhost',
Hardcoded fallback for env variable LOW
Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 69: host: process.env.REDIS_HOST || 'localhost',
Hardcoded fallback for env variable LOW
Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 87: host: process.env.REDIS_HOST || 'localhost',
Hardcoded fallback for env variable LOW
Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 105: host: process.env.REDIS_HOST || 'localhost',
Hardcoded fallback for env variable LOW
Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 119: host: process.env.REDIS_HOST || 'localhost',
Hardcoded fallback for env variable LOW
Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 241: url: process.env.REDIS_URL || 'redis://localhost:6379',
Hardcoded fallback for env variable LOW
Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 348: version: process.env.APP_VERSION || '1.0.0',
Hardcoded fallback for env variable LOW
Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 349: environment: process.env.NODE_ENV || 'development'
Hardcoded fallback for env variable LOW
Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 364: version: process.env.APP_VERSION || '1.0.0',
Hardcoded fallback for env variable LOW
Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 365: environment: process.env.NODE_ENV || 'development',
Hardcoded fallback for env variable LOW
Code (error.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/error.middleware.js
Line 210: maxSize: process.env.MAX_FILE_SIZE || '50MB'
Hardcoded fallback for env variable LOW
Code (upload.js)
File: /opt/darkskyscout/packages/api/src/middleware/upload.js
Line 12: region: process.env.AWS_REGION || 'eu-west-1',
Hardcoded fallback for env variable LOW
Code (upload.js)
File: /opt/darkskyscout/packages/api/src/middleware/upload.js
Line 19: const bucket = process.env.AWS_S3_BUCKET || 'skyscout-uploads';
Hardcoded fallback for env variable LOW
Code (auth.middleware.simple.js)
File: /opt/darkskyscout/packages/api/src/middleware/auth.middleware.simple.js
Line 12: const secret = process.env.JWT_SECRET || 'dev-jwt-secret-key-for-testing-only-change-in-production';
Hardcoded fallback for env variable LOW
Code (logging.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/logging.middleware.js
Line 182: const environment = process.env.NODE_ENV || 'development';
Hardcoded fallback for env variable LOW
Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 20: ios: process.env.IOS_CURRENT_VERSION || '1.0.0',
Hardcoded fallback for env variable LOW
Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 21: android: process.env.ANDROID_CURRENT_VERSION || '1.0.0'
Hardcoded fallback for env variable LOW
Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 24: ios: process.env.IOS_FORCE_UPDATE_VERSION || '0.9.0',
Hardcoded fallback for env variable LOW
Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 25: android: process.env.ANDROID_FORCE_UPDATE_VERSION || '0.9.0'
Hardcoded fallback for env variable LOW
Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 197: ios: process.env.IOS_DOWNLOAD_URL || 'https://apps.apple.com/app/skyscout',
Hardcoded fallback for env variable LOW
Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 198: android: process.env.ANDROID_DOWNLOAD_URL || 'https://play.google.com/store/apps/details?id=com.skyscout'
Hardcoded fallback for env variable LOW
Code (maintenance.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/maintenance.middleware.js
Line 263: contactSupport: process.env.SUPPORT_EMAIL || 'support@skyscout.app'
Hardcoded fallback for env variable LOW
Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 8: url: process.env.REDIS_URL || 'redis://localhost:6379',
Hardcoded fallback for env variable LOW
Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 27: timezoneAPI: process.env.TIMEZONE_API_URL || 'http://api.timezonedb.com/v2.1/get-time-zone',
Hardcoded fallback for env variable LOW
Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 31: elevationAPI: process.env.ELEVATION_API_URL || 'https://api.open-elevation.com/api/v1/lookup',
Hardcoded fallback for env variable LOW
Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 34: bortleAPI: process.env.BORTLE_API_URL || 'https://www.lightpollutionmap.info/QueryRaster/',
Hardcoded fallback for env variable LOW
Code (LocationService.js)
File: /opt/darkskyscout/packages/api/src/services/LocationService.js
Line 472: key: process.env.TIMEZONEDB_KEY || 'demo',
Hardcoded fallback for env variable LOW
Code (ai.grok.js)
File: /opt/darkskyscout/packages/api/src/services/ai.grok.js
Line 7: this.apiUrl = process.env.GROK_API_URL || 'https://api.x.ai/v1'; // Default Grok API URL
Hardcoded fallback for env variable LOW
Code (MediaService.js)
File: /opt/darkskyscout/packages/api/src/services/MediaService.js
Line 32: region: process.env.AWS_REGION || 'us-east-1'
Hardcoded fallback for env variable LOW
Code (skyInterference.proxy.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.proxy.service.js
Line 11: this.proxyBaseUrl = process.env.SATELLITE_PROXY_URL || 'https://your-app.vercel.app';
Hardcoded fallback for env variable LOW
Code (aiEngineManager.service.js)
File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
Line 30: primary: process.env.AI_ENGINE_PRIMARY || 'claude-code',
Hardcoded fallback for env variable LOW
Code (aiEngineManager.service.js)
File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
Line 31: fallbackChain: (process.env.AI_ENGINE_FALLBACK || 'claude-api,openai,deepseek').split(','),
Hardcoded fallback for env variable LOW
Code (googleAuthRepair.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
Line 10: this.redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
Hardcoded fallback for env variable LOW
Code (lightPollution.realtime.service.js)
File: /opt/darkskyscout/packages/api/src/services/lightPollution.realtime.service.js
Line 28: nasa: process.env.NASA_API_KEY || 'DEMO_KEY',
Hardcoded fallback for env variable LOW
Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 262: from: process.env.EMAIL_FROM || 'SkyScout <noreply@skyscout.app>',
Hardcoded fallback for env variable LOW
Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 297: from: process.env.EMAIL_FROM || 'SkyScout <noreply@skyscout.app>',
Hardcoded fallback for env variable LOW
Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 324: appUrl: process.env.APP_URL || 'https://app.skyscout.com'
Hardcoded fallback for env variable LOW
Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 7: const MATRIX_SERVER = process.env.MATRIX_SERVER_URL || 'http://localhost:8008';
Hardcoded fallback for env variable LOW
Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 8: const MATRIX_DOMAIN = process.env.MATRIX_DOMAIN || 'chat.darkskyscout.xamad.net';
Hardcoded fallback for env variable LOW
Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 9: const REGISTRATION_SECRET = process.env.MATRIX_REGISTRATION_SECRET || '_hkFIRqh5;a^3t7aZ9*WMKPuLqsn8gS-cTwAbxYjYN0Iad_I1Q';
Hardcoded fallback for env variable LOW
Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 57: const secret = process.env.JWT_SECRET || 'darkskyscout-matrix-secret';
Hardcoded fallback for env variable LOW
Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 106: user: process.env.MATRIX_ADMIN_USER || 'darkskyadmin',
Hardcoded fallback for env variable LOW
Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 107: password: process.env.MATRIX_ADMIN_PASSWORD || 'DarkSky2024Admin!'
Hardcoded fallback for env variable LOW
Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 9: this.bucketName = process.env.AWS_S3_BUCKET || 'skyscout-media';
Hardcoded fallback for env variable LOW
Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 44: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net';
Hardcoded fallback for env variable LOW
Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 115: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net';
Hardcoded fallback for env variable LOW
Code (ai.huggingface.js)
File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js
Line 7: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3-0324';
Hardcoded fallback for env variable LOW
Code (ai.huggingface.js)
File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js
Line 8: this.baseUrl = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions';
Hardcoded fallback for env variable LOW
Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 16: this.jwtExpiration = process.env.JWT_EXPIRATION || '24h';
Hardcoded fallback for env variable LOW
Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 17: this.refreshTokenExpiration = process.env.REFRESH_TOKEN_EXPIRATION || '7d';
Hardcoded fallback for env variable LOW
Code (emailService.js)
File: /opt/darkskyscout/packages/api/src/services/emailService.js
Line 7: this.fromEmail = process.env.EMAIL_FROM || 'noreply@darkskyscout.xamad.net';
Hardcoded fallback for env variable LOW
Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 12: this.baseURL = process.env.CLAUDE_API_URL || 'https://api.anthropic.com/v1';
Hardcoded fallback for env variable LOW
Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 13: this.model = process.env.CLAUDE_API_MODEL || 'claude-3-5-sonnet-20241022';
Hardcoded fallback for env variable LOW
Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 14: this.version = process.env.CLAUDE_API_VERSION || '2023-06-01';
Hardcoded fallback for env variable LOW
Code (deepseek.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js
Line 12: this.baseURL = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions';
Hardcoded fallback for env variable LOW
Code (deepseek.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js
Line 13: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3';
Hardcoded fallback for env variable LOW
Code (openai.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js
Line 12: this.baseURL = process.env.OPENAI_API_URL || 'https://api.openai.com/v1';
Hardcoded fallback for env variable LOW
Code (openai.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js
Line 13: this.model = process.env.OPENAI_MODEL || 'gpt-4';
Hardcoded fallback for env variable LOW
Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 14: this.claudePath = process.env.CLAUDE_CODE_PATH || '/home/deploy/.nvm/versions/node/v22.17.1/bin/claude';
Hardcoded fallback for env variable LOW
Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 16: this.defaultModel = process.env.CLAUDE_CODE_MODEL || 'sonnet'; // Use alias for latest Sonnet model
Hardcoded fallback for env variable LOW
Code (huggingface.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js
Line 12: this.baseURL = process.env.HUGGINGFACE_INFERENCE_URL || 'https://api-inference.huggingface.co/models';
Hardcoded fallback for env variable LOW
Code (huggingface.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js
Line 13: this.model = process.env.HUGGINGFACE_DEFAULT_MODEL || 'microsoft/DialoGPT-large';
Hardcoded fallback for env variable LOW
Code (test-api-connection.js)
File: /opt/darkskyscout/packages/web/src/test-api-connection.js
Line 2: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net';
Hardcoded fallback for env variable LOW
Code (geocoding.service.js)
File: /opt/darkskyscout/packages/web/src/services/geocoding.service.js
Line 118: const API_BASE = process.env.REACT_APP_API_URL || '/api';
Hardcoded fallback for env variable LOW
Code (externalLocation.service.js)
File: /opt/darkskyscout/packages/web/src/services/externalLocation.service.js
Line 443: const API_BASE = process.env.REACT_APP_API_URL || '/api';
Hardcoded fallback for env variable LOW
Code (communitySharing.service.js)
File: /opt/darkskyscout/packages/web/src/services/communitySharing.service.js
Line 3: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
Hardcoded fallback for env variable LOW
Code (AIEngineAdminPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/AIEngineAdminPage.jsx
Line 8: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
Hardcoded fallback for env variable LOW
Code (AccommodationDetailPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/AccommodationDetailPage.jsx
Line 124: const apiUrl = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
Hardcoded fallback for env variable LOW
Code (AIEngineManager.jsx)
File: /opt/darkskyscout/packages/web/src/components/admin/AIEngineManager.jsx
Line 6: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
Hardcoded fallback for env variable LOW
Code (MapboxMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapboxMap.jsx
Line 8: mapboxgl.accessToken = process.env.REACT_APP_MAPBOX_ACCESS_TOKEN || 'pk.eyJ1IjoiZGFya3NreXNjb3V0IiwiYSI6ImNsdmhkZnhrbzAyeDQycW9ma3J2aHUwaGMifQ.placeholder';
Debug mode enabled MEDIUM
Code (app.py)
File: /home/webhook/picobernacca/app.py
Line 202: app.run(host="127.0.0.1", port=config.PORT, debug=True)
Inline event handler — potential XSS vector LOW
Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 5: <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
Inline event handler — potential XSS vector LOW
Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 6: <meta name="theme-color" content="#0a0a28">
Inline event handler — potential XSS vector LOW
Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 7: <meta name="apple-mobile-web-app-capable" content="yes">
Inline event handler — potential XSS vector LOW
Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 8: <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
Active SSH brute-force attack with no fail2ban protection CRITICAL
AI Analysis
Logs show an active brute-force attack from 222.121.250.156 cycling through root, admin, oracle, usuario, and test usernames with maximum authentication attempts exceeded. fail2ban is INACTIVE, meaning there is no automated IP banning. Combined with PasswordAuthentication=yes on SSH, this creates a high-probability credential compromise vector. MaxStartups throttling events confirm connection flooding is occurring.
SSH password authentication enabled alongside active brute-force HIGH
AI Analysis
PasswordAuthentication is set to 'yes' in both config and runtime. With an active brute-force attack in progress and no fail2ban, this significantly increases the risk of unauthorized access. Key-based authentication is already configured (1 ed25519 key for root), so password auth can be safely disabled.
Multiple unidentified services exposed on all interfaces HIGH
AI Analysis
12 services are bound to 0.0.0.0 or [::]. Several have no identified process name: port 3030 (unknown), port 8065 (unknown), port 3050 (node). Ports 8000 and 8003 run unidentified Python processes, and port 5055 runs python3. Without nftables rule visibility, it's unclear if these are filtered. Unnecessary exposure increases attack surface significantly.
MQTT broker (Mosquitto) exposed on ports 8883 and 9001 HIGH
AI Analysis
Mosquitto MQTT broker is listening on 0.0.0.0:8883 (MQTT over TLS) and 0.0.0.0:9001 (likely WebSocket). MQTT brokers exposed to the internet are frequent targets for unauthorized subscription/publishing attacks. If authentication is not configured or uses weak credentials, attackers can intercept or inject messages into IoT communication channels.
No password complexity or account lockout policies configured HIGH
AI Analysis
pam_pwquality is not configured (no password complexity enforcement) and pam_faillock is not configured (no account lockout after failed attempts). PASS_MAX_DAYS is 99999 (no password expiration), PASS_MIN_DAYS is 0. Combined with password authentication being enabled on SSH, weak passwords could be set and brute-forced indefinitely at the PAM level.
SSH X11 forwarding and TCP forwarding enabled MEDIUM
AI Analysis
X11Forwarding is set to 'yes' and AllowTcpForwarding is 'yes'. X11 forwarding can be exploited for X11 session hijacking if an attacker gains SSH access. TCP forwarding allows tunneling through the server, which could be used for lateral movement or as a proxy. On a server (not a workstation), neither is typically needed.
No SSH idle session timeout configured MEDIUM
AI Analysis
ClientAliveInterval is 0 and UnusedConnectionTimeout is 'none'. Idle SSH sessions remain open indefinitely, increasing the risk of session hijacking if a workstation is left unattended. MaxAuthTries is 6 (recommended <= 4), giving attackers more password guesses per connection.
SUID core dumps enabled (fs.suid_dumpable=2) MEDIUM
AI Analysis
fs.suid_dumpable is set to 2 (suidsafe), which allows core dumps of SUID processes to be written (readable only by root). Core dumps from privileged processes can leak sensitive data such as passwords, encryption keys, or memory contents of privileged applications.
Root filesystem at 80% capacity MEDIUM
AI Analysis
The root partition (/) is at 80% usage with 7.3G remaining of 38G. While not immediately critical, continued growth (especially from logs, Docker images, or database data) could cause service failures. Docker overlay filesystem shares the same partition. A full disk can cause PostgreSQL corruption, application crashes, and inability to write logs.
SSH minimum RSA key size set to 1024 bits MEDIUM
AI Analysis
RequiredRSASize is set to 1024, which allows weak RSA keys. NIST deprecated 1024-bit RSA keys in 2013. While the configured host key is Ed25519 (strong), clients could authenticate with weak 1024-bit RSA keys.
ICMP redirect sending enabled and martian logging disabled LOW
AI Analysis
net.ipv4.conf.all.send_redirects=1 allows the server to send ICMP redirect messages, which could be abused for MITM attacks on the local network. net.ipv4.conf.all.log_martians=0 means packets with impossible source addresses are not logged, reducing visibility into potential spoofing attacks.
SSH Debian banner and deprecated authorized_keys2 path enabled LOW
AI Analysis
DebianBanner is 'yes', disclosing the OS distribution to attackers during SSH handshake. AuthorizedKeysFile includes '.ssh/authorized_keys2' which is a deprecated path and could be used to plant backdoor keys in a less obvious location. Both are information disclosure / attack surface issues.
SSH includes weak MAC algorithms LOW
AI Analysis
The SSH MAC configuration includes hmac-sha1 and umac-64 variants which are considered weak. While ETM (Encrypt-then-MAC) variants are present and preferred, the non-ETM hmac-sha1 and umac-64 are still accepted, allowing downgrade by a capable attacker.
IP forwarding enabled (verify necessity) LOW
AI Analysis
net.ipv4.ip_forward=1 enables the kernel to route packets between network interfaces. This is typically required for Docker networking and is expected on this system (Docker/containerd are present). However, if Docker is not actively used for inter-container or host networking, this should be disabled to prevent the server from being used as a router in network attacks.

Whitelist — Accepted Risks

Whitelisted findings are still detected and reported, but don't affect the security score. Use this for known issues that are intentional or accepted business risks.

Pending Fixes

These fixes were identified during the last audit. Review them before approving. SecShield creates a snapshot before applying any changes and will auto-rollback if services break. Force Security Updates: applies only security patches immediately. Force All Updates: applies all pending packages (use with caution).

No pending fixes from the last audit.

Audit History

F 2026-02-24 08:22 UTC (full)
238 findings (238 active, 0 whitelisted)
F 2026-02-24 08:15 UTC (full)
238 findings (238 active, 0 whitelisted)
F 2026-02-24 06:48 UTC (full)
246 findings (246 active, 0 whitelisted) — Fixes approved

Configuration

Audit Schedule

Daily at 03:00 UTC

System Info


SecShield v1.1 — AI Security Analyst (regex + Bandit + Trivy + Claude AI) Daily at 03:00 UTC