Findings (246)
#1: UFW firewall is INACTIVE (iptables/nftables may be configured directly)
HIGH
Source: OS/Firewall
#2: fail2ban is INACTIVE — no brute-force protection
HIGH
Source: OS/Firewall
#3: Password authentication is enabled (prefer key-only)
MEDIUM
Source: SSH
#4: X11 forwarding is enabled
MEDIUM
Source: SSH
#5: TCP forwarding is enabled
MEDIUM
Source: SSH
#6: MaxAuthTries is 6 (recommend <= 4)
MEDIUM
Source: SSH
#7: ClientAliveInterval is 0 (no idle timeout)
MEDIUM
Source: SSH
#8: Disk / at 96%
HIGH
Source: Disk
#9: Disk /var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746 at 96%
HIGH
Source: Disk
#10: 30 non-standard SUID/SGID binaries
MEDIUM
Source: Permissions
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chsh
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chfn
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/mount
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/umount
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/expiry
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chage
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/newgrp
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/su
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/gpasswd
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/passwd
#11: PASS_MAX_DAYS is 99999 (recommend <= 90)
MEDIUM
Source: Password Policy
#12: PASS_MIN_DAYS is 0 — no minimum password age
MEDIUM
Source: Password Policy
#13: PASS_MIN_LEN is 5 (recommend >= 8)
MEDIUM
Source: Password Policy
#14: No account lockout policy (pam_faillock/pam_tally2 not configured)
MEDIUM
Source: Password Policy
#15: pam_pwquality not configured — no password complexity enforcement
MEDIUM
Source: Password Policy
#16: net.ipv4.ip_forward=1 (IP forwarding enabled — router mode)
LOW
Source: Kernel
#17: net.ipv4.conf.all.send_redirects=1 (ICMP redirect sending enabled)
LOW
Source: Kernel
#18: net.ipv4.conf.all.log_martians=0 (Martian packet logging disabled)
LOW
Source: Kernel
#19: fs.suid_dumpable=2 (SUID core dumps enabled)
LOW
Source: Kernel
#20: DMARC policy is 'none' — not enforcing
LOW
Source: DNS (home.xamad.net)
#21: DNSSEC not enabled
LOW
Source: DNS (home.xamad.net)
#22: Certificate verification failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'secshield.xamad.net'. (_ssl.c:1000)
MEDIUM
Source: SSL (secshield.xamad.net)
#23: DMARC policy is 'none' — not enforcing
LOW
Source: DNS (secshield.xamad.net)
#24: DNSSEC not enabled
LOW
Source: DNS (secshield.xamad.net)
#25: darkskyscout API (port 3030) bound to 0.0.0.0 — should be 127.0.0.1
HIGH
Source: Network
Service '' is listening on all interfaces but config expects localhost only
#26: Unexpected exposed port 8883 (mosquitto)
MEDIUM
Source: Network
Port 8883 is listening on 0.0.0.0 but not in expected_ports config
#27: Unexpected exposed port 5055 (python3)
MEDIUM
Source: Network
Port 5055 is listening on 0.0.0.0 but not in expected_ports config
#28: Unexpected exposed port 9001 (mosquitto)
MEDIUM
Source: Network
Port 9001 is listening on 0.0.0.0 but not in expected_ports config
#29: Unexpected exposed port 8003 (python)
MEDIUM
Source: Network
Port 8003 is listening on 0.0.0.0 but not in expected_ports config
#30: Unexpected exposed port 8000 (python)
MEDIUM
Source: Network
Port 8000 is listening on 0.0.0.0 but not in expected_ports config
#31: Unexpected exposed port 3050 (node)
MEDIUM
Source: Network
Port 3050 is listening on * but not in expected_ports config
#32: Unexpected exposed port 8065 ()
MEDIUM
Source: Network
Port 8065 is listening on * but not in expected_ports config
#33: Certificate verification failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'secshield.xamad.net'. (_ssl.c:1000)
MEDIUM
Source: SSL (secshield.xamad.net)
#34: Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection
LOW
Source: Headers (home.xamad.net)
#35: Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection
LOW
Source: Headers (secshield.xamad.net)
#36: [CVE-2026-25896] fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling
CRITICAL
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: fast-xml-parser 5.3.4 → 5.3.5
#37: Hardcoded API key
HIGH
Source: Code ([...path].js)
File: /opt/darkskyscout/vercel-satellite-proxy/api/n2yo/[...path].js
Line 45: if (!apiKey || apiKey === 'your_n2yo_api_key_here') {
#38: Hardcoded API key
HIGH
Source: Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 51: if (!OPENWEATHER_API_KEY || OPENWEATHER_API_KEY === 'demo_key') {
#39: Hardcoded API key
HIGH
Source: Code (admin-sources-api.js)
File: /opt/darkskyscout/packages/api/src/routes/admin-sources-api.js
Line 95: if (requires_api_key !== undefined) filters.requires_api_key = requires_api_key === 'true';
#40: Hardcoded API key
HIGH
Source: Code (webhooks.js)
File: /opt/darkskyscout/packages/api/src/routes/webhooks.js
Line 238: const apiKey = req.get('X-API-Key');
#41: Hardcoded API key
HIGH
Source: Code (security.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/security.middleware.js
Line 258: const apiKey = req.headers['x-api-key'];
#42: Hardcoded API key
HIGH
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/middleware/auth.js
Line 340: const apiKey = req.headers['x-api-key'];
#43: Hardcoded password
HIGH
Source: Code (validation.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/validation.middleware.js
Line 41: const passwordValidation = body('password')
#44: Hardcoded password
HIGH
Source: Code (seed.dev.js)
File: /opt/darkskyscout/packages/api/src/prisma/seed.dev.js
Line 31: const hashedPassword = await bcrypt.hash('password123', 10);
#45: Hardcoded API key
HIGH
Source: Code (skyTrackingOptimized.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
Line 90: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {
#46: Hardcoded API key
HIGH
Source: Code (skyTrackingOptimized.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
Line 405: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {
#47: Hardcoded API key
HIGH
Source: Code (googleEarthEngine.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
Line 146: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {
#48: Hardcoded API key
HIGH
Source: Code (googleEarthEngine.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
Line 268: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {
#49: Hardcoded API key
HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 56: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
#50: Hardcoded API key
HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 132: if (this.n2yoApiKey && this.n2yoApiKey !== 'demo_key') {
#51: Hardcoded API key
HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 196: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
#52: Hardcoded API key
HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 735: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
#53: Hardcoded API key
HIGH
Source: Code (googleAuthRepair.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
Line 78: diagnosis.mapsApiKey.error = 'Billing not enabled';
#54: Hardcoded password
HIGH
Source: Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 8: const { validatePassword, validateEmail } = require('../utils/validation');
#55: child_process — command injection risk
HIGH
Source: Code (satelliteClaudeSearch.service.js)
File: /opt/darkskyscout/packages/api/src/services/satelliteClaudeSearch.service.js
Line 1: const { spawn } = require('child_process');
#56: child_process — command injection risk
HIGH
Source: Code (claudeSearch.service.js)
File: /opt/darkskyscout/packages/api/src/services/claudeSearch.service.js
Line 1: const { exec } = require('child_process');
#57: child_process — command injection risk
HIGH
Source: Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 4: const { exec } = require('child_process');
#58: Hardcoded API key
HIGH
Source: Code (n2yoClient.service.js)
File: /opt/darkskyscout/packages/web/src/services/n2yoClient.service.js
Line 26: return !!this.apiKey && this.apiKey !== 'your_n2yo_api_key_here';
#59: Hardcoded password
HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 87: newErrors.password = 'Password is required';
#60: Hardcoded password
HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 89: newErrors.password = 'Password must be at least 8 characters';
#61: Hardcoded password
HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 91: newErrors.password = 'Password must contain uppercase, lowercase and number';
#62: Hardcoded password
HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 95: newErrors.confirmPassword = 'Please confirm your password';
#63: Hardcoded password
HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 97: newErrors.confirmPassword = 'Passwords do not match';
#64: Hardcoded password
HIGH
Source: Code (LoginPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/LoginPage.jsx
Line 82: newErrors.password = 'Password is required';
#65: innerHTML assignment — XSS risk
HIGH
Source: Code (PhotoGallery.jsx)
File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}
#66: React dangerouslySetInnerHTML — XSS risk
HIGH
Source: Code (PhotoGallery.jsx)
File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}
#67: innerHTML assignment — XSS risk
HIGH
Source: Code (MatchSuggestions.jsx)
File: /opt/darkskyscout/packages/web/src/components/common/MatchSuggestions.jsx
Line 96: e.target.parentElement.innerHTML = `<span class="text-lg font-bold">${suggestion.user.name[0]}</span>`;
#68: innerHTML assignment — XSS risk
HIGH
Source: Code (InstantLightPollutionOverlay.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/InstantLightPollutionOverlay.jsx
Line 478: tooltip.innerHTML = `
#69: innerHTML assignment — XSS risk
HIGH
Source: Code (CustomLocationMarkers.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/CustomLocationMarkers.jsx
Line 54: el.innerHTML = `
#70: innerHTML assignment — XSS risk
HIGH
Source: Code (SimpleBortleOverlay.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/SimpleBortleOverlay.jsx
Line 67: svgElement.innerHTML = '';
#71: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 446: el.innerHTML = `
#72: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 534: el.innerHTML = `
#73: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 616: el.innerHTML = `
#74: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1275: loadingIndicator.innerHTML = `
#75: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1421: clickableIndicator.innerHTML = `
#76: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1619: errorIndicator.innerHTML = `
#77: [CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: axios 1.13.4 → 1.13.5, 0.30.3
#78: [CVE-2026-26278] fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: fast-xml-parser 5.3.4 → 5.3.6
#79: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: minimatch 3.1.2 → 10.2.1
#80: [CVE-2025-47935] Multer vulnerable to Denial of Service via memory leaks from unclosed streams
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.0
#81: [CVE-2025-47944] Multer vulnerable to Denial of Service from maliciously crafted requests
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.0
#82: [CVE-2025-48997] multer: Multer vulnerable to Denial of Service via unhandled exception
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.1
#83: [CVE-2025-7338] multer: Multer Denial of Service
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.2
#84: [CVE-2026-23745] node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.3
#85: [CVE-2026-23950] node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.4
#86: [CVE-2026-24842] node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.7
#87: [CVE-2026-26960] tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.8
#88: [CVE-2024-12905] tar-fs: link following and path traversal via maliciously crafted tar file
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 1.16.4, 2.1.2, 3.0.7
#89: [CVE-2025-48387] tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 1.16.5, 2.1.3, 3.0.9
#90: [CVE-2025-59343] tar-fs: tar-fs symlink validation bypass
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 3.1.1, 2.1.4, 1.16.6
#91: [CVE-2024-37890] nodejs-ws: denial of service when handling a request with many HTTP headers
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: ws 8.16.0 → 5.2.4, 6.2.3, 7.5.10, 8.17.1
#92: [CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: axios 1.13.4 → 1.13.5, 0.30.3
#93: [CVE-2026-1615] jsonpath: jsonpath: Arbitrary Code Execution via unsafe JSON Path expression evaluation
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: jsonpath 1.2.1 → no fix
#94: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 3.1.2 → 10.2.1
#95: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 5.1.6 → 10.2.1
#96: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 9.0.5 → 10.2.1
#97: [CVE-2021-3803] nodejs-nth-check: inefficient regular expression complexity
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: nth-check 1.0.2 → 2.0.1
#98: MD5 hash usage
MEDIUM
Source: Code (analytics.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/analytics.middleware.js
Line 86: return crypto.createHash('md5').update(components.join('|')).digest('hex');
#99: MD5 hash usage
MEDIUM
Source: Code (feature-flags.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/feature-flags.middleware.js
Line 294: const hash = crypto.createHash('md5').update(hashInput).digest('hex');
#100: MD5 hash usage
MEDIUM
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 110: return crypto.createHash('md5').update(fingerprint).digest('hex');
#101: MD5 hash usage
MEDIUM
Source: Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 56: const hash = crypto.createHash('md5').update(fullKey).digest('hex');
#102: MD5 hash usage
MEDIUM
Source: Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 316: const paramsHash = crypto.createHash('md5').update(paramsString).digest('hex');
#103: MD5 hash usage
MEDIUM
Source: Code (compression.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/compression.middleware.js
Line 353: const hash = crypto.createHash('md5').update(chunk).digest('hex');
#104: MD5 hash usage
MEDIUM
Source: Code (userLocationInteractions.service.js)
File: /opt/darkskyscout/packages/api/src/services/userLocationInteractions.service.js
Line 22: return crypto.createHash('md5').update(`${name}_${location.id || Date.now()}`).digest('hex');
#105: [CVE-2025-69873] ajv: ReDoS via $data reference
MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: ajv 6.12.6 → 8.18.0, 6.14.0
#106: [CVE-2025-69873] ajv: ReDoS via $data reference
MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: ajv 8.17.1 → 8.18.0, 6.14.0
#107: [CVE-2023-44270] PostCSS: Improper input validation in PostCSS
MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: postcss 7.0.39 → 8.4.31
#108: [CVE-2025-30359] webpack-dev-server: webpack-dev-server information exposure
MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: webpack-dev-server 4.15.2 → 5.2.1
#109: [CVE-2025-30360] webpack-dev-server: webpack-dev-server information exposure
MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: webpack-dev-server 4.15.2 → 5.2.1
#110: Secret: Mapbox API token
MEDIUM
Source: Code (fix_all_localhost.sh)
File: fix_all_localhost.sh
Line 35: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************
#111: Secret: Mapbox API token
MEDIUM
Source: Code (fix_browser_cache_delirium.sh)
File: fix_browser_cache_delirium.sh
Line 64: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************
#112: Hardcoded fallback for env variable
LOW
Source: Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 2894: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';
#113: Hardcoded fallback for env variable
LOW
Source: Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 2929: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';
#114: Hardcoded fallback for env variable
LOW
Source: Code (server.js)
File: /opt/darkskyscout/packages/api/src/server.js
Line 9: const HOST = process.env.HOST || '0.0.0.0';
#115: Hardcoded fallback for env variable
LOW
Source: Code (debug-sky-tracking.js)
File: /opt/darkskyscout/packages/api/src/debug-sky-tracking.js
Line 13: console.log(' OPENSKY_CLIENT_ID:', process.env.OPENSKY_CLIENT_ID || 'NOT SET');
#116: Hardcoded fallback for env variable
LOW
Source: Code (socket.js)
File: /opt/darkskyscout/packages/api/src/socket.js
Line 17: origin: process.env.FRONTEND_URL || "https://darkskyscout.xamad.net",
#117: Hardcoded fallback for env variable
LOW
Source: Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 450: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
#118: Hardcoded fallback for env variable
LOW
Source: Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 505: const baseUrl = returnUrl || process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#119: Hardcoded fallback for env variable
LOW
Source: Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 580: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#120: Hardcoded fallback for env variable
LOW
Source: Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 108: host: process.env.REDIS_HOST || 'localhost',
#121: Hardcoded fallback for env variable
LOW
Source: Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 651: limit: process.env.MAX_REQUEST_SIZE || '10mb',
#122: Hardcoded fallback for env variable
LOW
Source: Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 659: limit: process.env.MAX_REQUEST_SIZE || '10mb'
#123: Hardcoded fallback for env variable
LOW
Source: Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 51: process.env.JWT_SECRET || 'dev-secret',
#124: Hardcoded fallback for env variable
LOW
Source: Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 112: process.env.JWT_SECRET || 'dev-secret',
#125: Hardcoded fallback for env variable
LOW
Source: Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 141: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'dev-secret');
#126: Hardcoded fallback for env variable
LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 86: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
#127: Hardcoded fallback for env variable
LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 92: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
#128: Hardcoded fallback for env variable
LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 341: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
#129: Hardcoded fallback for env variable
LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 523: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
#130: Hardcoded fallback for env variable
LOW
Source: Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 19: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
#131: Hardcoded fallback for env variable
LOW
Source: Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 222: const baseUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#132: Hardcoded fallback for env variable
LOW
Source: Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 274: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#133: Hardcoded fallback for env variable
LOW
Source: Code (communitySharing.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/communitySharing.routes.js
Line 102: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'fallback-secret');
#134: Hardcoded fallback for env variable
LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 18: callbackURL: process.env.GOOGLE_CALLBACK_URL || '/api/auth/google/callback'
#135: Hardcoded fallback for env variable
LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 80: callbackURL: process.env.FACEBOOK_CALLBACK_URL || '/api/auth/facebook/callback',
#136: Hardcoded fallback for env variable
LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 137: callbackURL: process.env.GITHUB_CALLBACK_URL || '/api/auth/github/callback'
#137: Hardcoded fallback for env variable
LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 229: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }
#138: Hardcoded fallback for env variable
LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 235: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
#139: Hardcoded fallback for env variable
LOW
Source: Code (auth.repair.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
Line 164: googleRedirectUri: process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback',
#140: Hardcoded fallback for env variable
LOW
Source: Code (auth.repair.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
Line 165: frontendUrl: process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net',
#141: Hardcoded fallback for env variable
LOW
Source: Code (auth.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
Line 32: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }
#142: Hardcoded fallback for env variable
LOW
Source: Code (auth.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
Line 38: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
#143: Hardcoded fallback for env variable
LOW
Source: Code (analytics.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/analytics.worker.js
Line 890: const filepath = path.join(process.env.EXPORT_DIR || '/tmp', filename);
#144: Hardcoded fallback for env variable
LOW
Source: Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 263: host: process.env.REDIS_HOST || 'localhost',
#145: Hardcoded fallback for env variable
LOW
Source: Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 417: timezone: process.env.TZ || 'UTC'
#146: Hardcoded fallback for env variable
LOW
Source: Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 785: version: process.env.npm_package_version || 'unknown',
#147: Hardcoded fallback for env variable
LOW
Source: Code (weather-scraper.js)
File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
Line 240: host: process.env.REDIS_HOST || 'localhost',
#148: Hardcoded fallback for env variable
LOW
Source: Code (weather-scraper.js)
File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
Line 248: host: process.env.REDIS_HOST || 'localhost',
#149: Hardcoded fallback for env variable
LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 426: const tempDir = process.env.TEMP_DIR || '/tmp';
#150: Hardcoded fallback for env variable
LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 432: const uploadsDir = process.env.UPLOADS_DIR || '/uploads';
#151: Hardcoded fallback for env variable
LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 438: const logsDir = process.env.LOGS_DIR || '/logs';
#152: Hardcoded fallback for env variable
LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 743: const tempDir = process.env.TEMP_DIR || '/tmp';
#153: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 33: host: process.env.REDIS_HOST || 'localhost',
#154: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 51: host: process.env.REDIS_HOST || 'localhost',
#155: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 69: host: process.env.REDIS_HOST || 'localhost',
#156: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 87: host: process.env.REDIS_HOST || 'localhost',
#157: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 105: host: process.env.REDIS_HOST || 'localhost',
#158: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 119: host: process.env.REDIS_HOST || 'localhost',
#159: Hardcoded fallback for env variable
LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 241: url: process.env.REDIS_URL || 'redis://localhost:6379',
#160: Hardcoded fallback for env variable
LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 348: version: process.env.APP_VERSION || '1.0.0',
#161: Hardcoded fallback for env variable
LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 349: environment: process.env.NODE_ENV || 'development'
#162: Hardcoded fallback for env variable
LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 364: version: process.env.APP_VERSION || '1.0.0',
#163: Hardcoded fallback for env variable
LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 365: environment: process.env.NODE_ENV || 'development',
#164: Hardcoded fallback for env variable
LOW
Source: Code (error.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/error.middleware.js
Line 210: maxSize: process.env.MAX_FILE_SIZE || '50MB'
#165: Hardcoded fallback for env variable
LOW
Source: Code (upload.js)
File: /opt/darkskyscout/packages/api/src/middleware/upload.js
Line 12: region: process.env.AWS_REGION || 'eu-west-1',
#166: Hardcoded fallback for env variable
LOW
Source: Code (upload.js)
File: /opt/darkskyscout/packages/api/src/middleware/upload.js
Line 19: const bucket = process.env.AWS_S3_BUCKET || 'skyscout-uploads';
#167: Hardcoded fallback for env variable
LOW
Source: Code (auth.middleware.simple.js)
File: /opt/darkskyscout/packages/api/src/middleware/auth.middleware.simple.js
Line 12: const secret = process.env.JWT_SECRET || 'dev-jwt-secret-key-for-testing-only-change-in-production';
#168: Hardcoded fallback for env variable
LOW
Source: Code (logging.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/logging.middleware.js
Line 182: const environment = process.env.NODE_ENV || 'development';
#169: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 20: ios: process.env.IOS_CURRENT_VERSION || '1.0.0',
#170: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 21: android: process.env.ANDROID_CURRENT_VERSION || '1.0.0'
#171: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 24: ios: process.env.IOS_FORCE_UPDATE_VERSION || '0.9.0',
#172: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 25: android: process.env.ANDROID_FORCE_UPDATE_VERSION || '0.9.0'
#173: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 197: ios: process.env.IOS_DOWNLOAD_URL || 'https://apps.apple.com/app/skyscout',
#174: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 198: android: process.env.ANDROID_DOWNLOAD_URL || 'https://play.google.com/store/apps/details?id=com.skyscout'
#175: Hardcoded fallback for env variable
LOW
Source: Code (maintenance.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/maintenance.middleware.js
Line 263: contactSupport: process.env.SUPPORT_EMAIL || 'support@skyscout.app'
#176: Hardcoded fallback for env variable
LOW
Source: Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 8: url: process.env.REDIS_URL || 'redis://localhost:6379',
#177: Hardcoded fallback for env variable
LOW
Source: Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 27: timezoneAPI: process.env.TIMEZONE_API_URL || 'http://api.timezonedb.com/v2.1/get-time-zone',
#178: Hardcoded fallback for env variable
LOW
Source: Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 31: elevationAPI: process.env.ELEVATION_API_URL || 'https://api.open-elevation.com/api/v1/lookup',
#179: Hardcoded fallback for env variable
LOW
Source: Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 34: bortleAPI: process.env.BORTLE_API_URL || 'https://www.lightpollutionmap.info/QueryRaster/',
#180: Hardcoded fallback for env variable
LOW
Source: Code (LocationService.js)
File: /opt/darkskyscout/packages/api/src/services/LocationService.js
Line 472: key: process.env.TIMEZONEDB_KEY || 'demo',
#181: Hardcoded fallback for env variable
LOW
Source: Code (ai.grok.js)
File: /opt/darkskyscout/packages/api/src/services/ai.grok.js
Line 7: this.apiUrl = process.env.GROK_API_URL || 'https://api.x.ai/v1'; // Default Grok API URL
#182: Hardcoded fallback for env variable
LOW
Source: Code (MediaService.js)
File: /opt/darkskyscout/packages/api/src/services/MediaService.js
Line 32: region: process.env.AWS_REGION || 'us-east-1'
#183: Hardcoded fallback for env variable
LOW
Source: Code (skyInterference.proxy.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.proxy.service.js
Line 11: this.proxyBaseUrl = process.env.SATELLITE_PROXY_URL || 'https://your-app.vercel.app';
#184: Hardcoded fallback for env variable
LOW
Source: Code (aiEngineManager.service.js)
File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
Line 30: primary: process.env.AI_ENGINE_PRIMARY || 'claude-code',
#185: Hardcoded fallback for env variable
LOW
Source: Code (aiEngineManager.service.js)
File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
Line 31: fallbackChain: (process.env.AI_ENGINE_FALLBACK || 'claude-api,openai,deepseek').split(','),
#186: Hardcoded fallback for env variable
LOW
Source: Code (googleAuthRepair.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
Line 10: this.redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
#187: Hardcoded fallback for env variable
LOW
Source: Code (lightPollution.realtime.service.js)
File: /opt/darkskyscout/packages/api/src/services/lightPollution.realtime.service.js
Line 28: nasa: process.env.NASA_API_KEY || 'DEMO_KEY',
#188: Hardcoded fallback for env variable
LOW
Source: Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 262: from: process.env.EMAIL_FROM || 'SkyScout <noreply@skyscout.app>',
#189: Hardcoded fallback for env variable
LOW
Source: Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 297: from: process.env.EMAIL_FROM || 'SkyScout <noreply@skyscout.app>',
#190: Hardcoded fallback for env variable
LOW
Source: Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 324: appUrl: process.env.APP_URL || 'https://app.skyscout.com'
#191: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 7: const MATRIX_SERVER = process.env.MATRIX_SERVER_URL || 'http://localhost:8008';
#192: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 8: const MATRIX_DOMAIN = process.env.MATRIX_DOMAIN || 'chat.darkskyscout.xamad.net';
#193: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 9: const REGISTRATION_SECRET = process.env.MATRIX_REGISTRATION_SECRET || '_hkFIRqh5;a^3t7aZ9*WMKPuLqsn8gS-cTwAbxYjYN0Iad_I1Q';
#194: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 57: const secret = process.env.JWT_SECRET || 'darkskyscout-matrix-secret';
#195: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 106: user: process.env.MATRIX_ADMIN_USER || 'darkskyadmin',
#196: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 107: password: process.env.MATRIX_ADMIN_PASSWORD || 'DarkSky2024Admin!'
#197: Hardcoded fallback for env variable
LOW
Source: Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 9: this.bucketName = process.env.AWS_S3_BUCKET || 'skyscout-media';
#198: Hardcoded fallback for env variable
LOW
Source: Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 44: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net';
#199: Hardcoded fallback for env variable
LOW
Source: Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 115: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net';
#200: Hardcoded fallback for env variable
LOW
Source: Code (ai.huggingface.js)
File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js
Line 7: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3-0324';
#201: Hardcoded fallback for env variable
LOW
Source: Code (ai.huggingface.js)
File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js
Line 8: this.baseUrl = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions';
#202: Hardcoded fallback for env variable
LOW
Source: Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 16: this.jwtExpiration = process.env.JWT_EXPIRATION || '24h';
#203: Hardcoded fallback for env variable
LOW
Source: Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 17: this.refreshTokenExpiration = process.env.REFRESH_TOKEN_EXPIRATION || '7d';
#204: Hardcoded fallback for env variable
LOW
Source: Code (emailService.js)
File: /opt/darkskyscout/packages/api/src/services/emailService.js
Line 7: this.fromEmail = process.env.EMAIL_FROM || 'noreply@darkskyscout.xamad.net';
#205: Hardcoded fallback for env variable
LOW
Source: Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 12: this.baseURL = process.env.CLAUDE_API_URL || 'https://api.anthropic.com/v1';
#206: Hardcoded fallback for env variable
LOW
Source: Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 13: this.model = process.env.CLAUDE_API_MODEL || 'claude-3-5-sonnet-20241022';
#207: Hardcoded fallback for env variable
LOW
Source: Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 14: this.version = process.env.CLAUDE_API_VERSION || '2023-06-01';
#208: Hardcoded fallback for env variable
LOW
Source: Code (deepseek.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js
Line 12: this.baseURL = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions';
#209: Hardcoded fallback for env variable
LOW
Source: Code (deepseek.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js
Line 13: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3';
#210: Hardcoded fallback for env variable
LOW
Source: Code (openai.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js
Line 12: this.baseURL = process.env.OPENAI_API_URL || 'https://api.openai.com/v1';
#211: Hardcoded fallback for env variable
LOW
Source: Code (openai.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js
Line 13: this.model = process.env.OPENAI_MODEL || 'gpt-4';
#212: Hardcoded fallback for env variable
LOW
Source: Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 14: this.claudePath = process.env.CLAUDE_CODE_PATH || '/home/deploy/.nvm/versions/node/v22.17.1/bin/claude';
#213: Hardcoded fallback for env variable
LOW
Source: Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 16: this.defaultModel = process.env.CLAUDE_CODE_MODEL || 'sonnet'; // Use alias for latest Sonnet model
#214: Hardcoded fallback for env variable
LOW
Source: Code (huggingface.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js
Line 12: this.baseURL = process.env.HUGGINGFACE_INFERENCE_URL || 'https://api-inference.huggingface.co/models';
#215: Hardcoded fallback for env variable
LOW
Source: Code (huggingface.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js
Line 13: this.model = process.env.HUGGINGFACE_DEFAULT_MODEL || 'microsoft/DialoGPT-large';
#216: Hardcoded fallback for env variable
LOW
Source: Code (test-api-connection.js)
File: /opt/darkskyscout/packages/web/src/test-api-connection.js
Line 2: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net';
#217: Hardcoded fallback for env variable
LOW
Source: Code (geocoding.service.js)
File: /opt/darkskyscout/packages/web/src/services/geocoding.service.js
Line 118: const API_BASE = process.env.REACT_APP_API_URL || '/api';
#218: Hardcoded fallback for env variable
LOW
Source: Code (externalLocation.service.js)
File: /opt/darkskyscout/packages/web/src/services/externalLocation.service.js
Line 443: const API_BASE = process.env.REACT_APP_API_URL || '/api';
#219: Hardcoded fallback for env variable
LOW
Source: Code (communitySharing.service.js)
File: /opt/darkskyscout/packages/web/src/services/communitySharing.service.js
Line 3: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#220: Hardcoded fallback for env variable
LOW
Source: Code (AIEngineAdminPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/AIEngineAdminPage.jsx
Line 8: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#221: Hardcoded fallback for env variable
LOW
Source: Code (AccommodationDetailPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/AccommodationDetailPage.jsx
Line 124: const apiUrl = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#222: Hardcoded fallback for env variable
LOW
Source: Code (AIEngineManager.jsx)
File: /opt/darkskyscout/packages/web/src/components/admin/AIEngineManager.jsx
Line 6: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#223: Hardcoded fallback for env variable
LOW
Source: Code (MapboxMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapboxMap.jsx
Line 8: mapboxgl.accessToken = process.env.REACT_APP_MAPBOX_ACCESS_TOKEN || 'pk.eyJ1IjoiZGFya3NreXNjb3V0IiwiYSI6ImNsdmhkZnhrbzAyeDQycW9ma3J2aHUwaGMifQ.placeholder';
#224: Debug mode enabled
MEDIUM
Source: Code (app.py)
File: /home/webhook/picobernacca/app.py
Line 202: app.run(host="127.0.0.1", port=config.PORT, debug=True)
#225: Inline event handler — potential XSS vector
LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 5: <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
#226: Inline event handler — potential XSS vector
LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 6: <meta name="theme-color" content="#0a0a28">
#227: Inline event handler — potential XSS vector
LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 7: <meta name="apple-mobile-web-app-capable" content="yes">
#228: Inline event handler — potential XSS vector
LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 8: <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
#229: Active SSH brute-force attack with no brute-force protection
CRITICAL
Source: AI Analysis
Logs show an active brute-force attack from 222.121.250.156 targeting the root, admin, oracle, and usuario accounts, producing repeated "maximum authentication attempts exceeded" errors. Combined with fail2ban being inactive, there is no automated mechanism to block this attacker. The MaxStartups throttling events indicate connection flooding. 79 SSH errors in the last 24 hours confirm sustained attack activity.
Fix: Immediately block the attacking IP and enable fail2ban:
iptables -A INPUT -s 222.121.250.156 -j DROP
apt install fail2ban
systemctl enable --now fail2ban
Create /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = 22
maxretry = 3
bantime = 3600
findtime = 600
#230: Root filesystem at 96% capacity — 1.5G remaining
CRITICAL
Source: AI Analysis
The root partition (/) is at 96% usage with only 1.5GB free on a 38GB disk. This can cause service failures (PostgreSQL, Redis, logging, Docker), inability to write logs (losing audit trail), failed package updates, and potential system instability. An unused 30GB volume is mounted at /mnt/HC_Volume_104305213 with 28GB free that could be leveraged.
Fix: 1. Identify large files: du -xh / | sort -rh | head -30
2. Clean Docker: docker system prune -a --volumes
3. Clean apt cache: apt clean
4. Clean old journals: journalctl --vacuum-size=100M
5. Move large data directories (e.g., /var/lib/docker, /var/lib/postgresql) to /mnt/HC_Volume_104305213 using symlinks or bind mounts
6. Consider expanding the root partition
#231: Multiple application services directly exposed on 0.0.0.0
HIGH
Source: AI Analysis
Several application services are bound to 0.0.0.0 and publicly accessible without going through the nginx reverse proxy: port 3030 (unknown process), port 5055 (python3), port 8003 (python), port 8000 (python), port 3050 (node), port 8065 (unknown). These services bypass any security controls nginx provides (TLS, rate limiting, access control, WAF). Nginx is already present on ports 80/443 and should be used as the single entry point.
Fix: Bind all application services to 127.0.0.1 and proxy through nginx:
1. For Python services (8000, 8003, 5055): change bind address to 127.0.0.1 in their respective configs
2. For Node services (3050): set HOST=127.0.0.1 or --bind 127.0.0.1
3. For port 8065 (likely Mattermost): configure ListenAddress to 127.0.0.1:8065
4. Add nginx reverse proxy blocks for each service
5. If iptables/nftables are managing the firewall, add rules to block direct access to these ports from external IPs
#232: SSH password authentication enabled
HIGH
Source: AI Analysis
PasswordAuthentication is set to 'yes' in both config and runtime. With an active brute-force attack in progress and no fail2ban, this significantly increases the risk of unauthorized access. Key-based authentication is already configured (an ed25519 key exists for root), so password auth is unnecessary and expands the attack surface.
Fix: Edit /etc/ssh/sshd_config:
PasswordAuthentication no
KbdInteractiveAuthentication no
Then: systemctl reload sshd
IMPORTANT: Verify key-based login works in a separate session before disconnecting.
#233: MQTT broker ports exposed to the internet
HIGH
Source: AI Analysis
Mosquitto MQTT broker is exposed on two public ports: 8883 (MQTT over TLS) and 9001 (WebSocket). While port 1883 (plain MQTT) is correctly bound to localhost, the exposed ports could allow unauthorized clients to subscribe/publish to topics if Mosquitto is not configured with strong authentication. MQTT brokers are frequently targeted for IoT botnet enrollment and data exfiltration.
Fix: 1. Verify Mosquitto authentication is configured in /etc/mosquitto/mosquitto.conf:
allow_anonymous false
password_file /etc/mosquitto/passwd
2. If only internal services need MQTT, bind 8883 and 9001 to 127.0.0.1
3. Use ACLs to restrict topic access: acl_file /etc/mosquitto/acl
4. If external access is needed, restrict source IPs via firewall rules
#234: 65 packages pending upgrade including Docker and compiler toolchain
HIGH
Source: AI Analysis
65 packages have available updates including security-sensitive components: docker-ce, docker-ce-cli, docker-compose-plugin (container runtime), gcc-13/g++-13/libstdc++ (compiler toolchain), libldap2 (LDAP library), initramfs-tools (boot infrastructure), and snapd. While no explicit security updates are flagged by apt, Docker and library updates frequently contain security fixes not always tagged as security-specific on Ubuntu.
Fix: apt update && apt upgrade -y
Specifically prioritize:
apt install docker-ce docker-ce-cli docker-compose-plugin libldap2 snapd
Then restart affected services:
systemctl restart docker
systemctl restart snap.*.service
#235: No password complexity or account lockout policies
HIGH
Source: AI Analysis
pam_pwquality is not configured, meaning no password complexity requirements (length, special characters, etc.) are enforced. pam_faillock is not configured, meaning there is no account lockout after failed login attempts. PASS_MAX_DAYS is 99999 (no password expiration), PASS_MIN_DAYS is 0 (passwords can be immediately changed back), and minimum password length is 5 characters. Combined with SSH password authentication being enabled, this creates a high risk of credential compromise.
Fix: 1. Install and configure pam_pwquality:
apt install libpam-pwquality
Edit /etc/security/pwquality.conf:
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
2. Configure pam_faillock in /etc/pam.d/common-auth:
auth required pam_faillock.so preauth deny=5 unlock_time=900
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900
3. Edit /etc/login.defs:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 12
#236: SSH X11 forwarding enabled
MEDIUM
Source: AI Analysis
X11Forwarding is set to 'yes'. This allows X11 display forwarding through SSH tunnels, which can be exploited for X11 session hijacking or keylogging if an attacker gains SSH access. On a server with no desktop environment, X11 forwarding serves no purpose and expands the attack surface.
Fix: Edit /etc/ssh/sshd_config:
X11Forwarding no
Then: systemctl reload sshd
#237: SSH session has no idle timeout
MEDIUM
Source: AI Analysis
ClientAliveInterval is 0 and ClientAliveCountMax is 3, meaning idle SSH sessions are never terminated. Abandoned sessions could be hijacked if an attacker gains access to the terminal (physical or through session hijacking). LoginGraceTime is also 120 seconds, giving attackers 2 minutes per authentication attempt.
Fix: Edit /etc/ssh/sshd_config:
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30
MaxAuthTries 3
Then: systemctl reload sshd
#238: Weak SSH MAC algorithms and legacy configurations
MEDIUM
Source: AI Analysis
The SSH server accepts weak MAC algorithms, including hmac-sha1, hmac-sha1-etm, umac-64, and umac-64-etm, which are considered cryptographically weakened. The RequiredRSASize is 1024 bits (should be 2048+). The AuthorizedKeysFile includes .ssh/authorized_keys2 (deprecated). The Debian banner (debianbanner=yes) leaks OS information.
Fix: Edit /etc/ssh/sshd_config:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
RequiredRSASize 2048
AuthorizedKeysFile .ssh/authorized_keys
DebianBanner no
Then: systemctl reload sshd
#239: IP forwarding enabled and ICMP send_redirects not disabled
MEDIUM
Source: AI Analysis
net.ipv4.ip_forward=1 enables the system to route packets between interfaces. While this is required for Docker, net.ipv4.conf.all.send_redirects should be 0 on a system that is not intentionally acting as a router, as it could be used in MITM attacks. net.ipv4.conf.all.log_martians=0 means spoofed/impossible source addresses are not logged, reducing visibility into network attacks.
Fix: Add to /etc/sysctl.d/99-security.conf:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Apply: sysctl --system
Note: Do NOT disable ip_forward if Docker is in use.
#240: SUID core dumps enabled (fs.suid_dumpable=2)
MEDIUM
Source: AI Analysis
fs.suid_dumpable is set to 2 (suidsafe), which allows core dumps from SUID binaries to be written (readable only by root). Core dumps from SUID programs may contain sensitive data such as passwords, cryptographic keys, or memory contents from privileged processes. The safest setting is 0 (disabled).
Fix: echo 'fs.suid_dumpable = 0' >> /etc/sysctl.d/99-security.conf
sysctl -w fs.suid_dumpable=0
#241: UFW inactive — relying on raw iptables/nftables rules
MEDIUM
Source: AI Analysis
UFW (Uncomplicated Firewall) is inactive, though iptables (13 rules) and nftables (31 rules) have some rules configured. These are likely Docker-managed rules rather than an intentional security policy. Without a managed firewall, the 12 publicly exposed ports may not be properly filtered. Managing raw iptables/nftables is error-prone, and rules may be overwritten by Docker restarts.
Fix: Option A (UFW with Docker): Configure UFW and use ufw-docker or DOCKER-USER chain:
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8883/tcp # only if MQTT needs external access
ufw enable
Option B: Add explicit DOCKER-USER chain rules in iptables to restrict access to application ports.
#242: SUID binaries in Docker overlay filesystems
LOW
Source: AI Analysis
22 SUID binaries were found in Docker overlay/containerd snapshot filesystems. While these are standard Linux utilities (chsh, mount, su, passwd, etc.) and exist within container filesystem layers, they could be leveraged for privilege escalation if a container escape vulnerability exists. These are expected for Docker but should be monitored.
Fix: 1. Use --no-new-privileges in Docker container security options
2. Drop unnecessary capabilities in container configs: --cap-drop=ALL --cap-add=<needed>
3. Consider using rootless Docker: dockerd-rootless-setuptool.sh install
4. Audit container images for unnecessary SUID binaries: docker run --rm <image> find / -perm -4000
#243: SSH TCP and agent forwarding enabled
LOW
Source: AI Analysis
AllowTcpForwarding, AllowAgentForwarding, and AllowStreamLocalForwarding are all enabled. These features allow authenticated users to create tunnels through the SSH server, potentially bypassing network security controls to access internal services (e.g., the localhost-bound PostgreSQL, Redis, or internal application servers).
Fix: If not needed, edit /etc/ssh/sshd_config:
AllowTcpForwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
Then: systemctl reload sshd
Note: Only disable if no legitimate tunneling use cases exist.
#244: PostgreSQL system user has interactive bash shell
LOW
Source: AI Analysis
The postgres user (uid 111) has /bin/bash as its login shell. While common for PostgreSQL administration, this provides an interactive shell that could be leveraged if the postgres account is compromised. Service accounts should generally have restricted shells.
Fix: If interactive shell is not needed for postgres administration:
usermod -s /usr/sbin/nologin postgres
Note: This may affect 'su - postgres' workflows. Test before applying in production.
#245: LOG_UNKFAIL_ENAB and LOG_OK_LOGINS disabled
LOW
Source: AI Analysis
LOG_UNKFAIL_ENAB is set to 'no', meaning failed login attempts with unknown usernames are not logged with the attempted username. LOG_OK_LOGINS is 'no', meaning successful logins are not explicitly logged via login.defs. This reduces forensic visibility during and after security incidents.
Fix: Edit /etc/login.defs:
LOG_UNKFAIL_ENAB yes
LOG_OK_LOGINS yes
#246: Custom root cron job running every 5 minutes
LOW
Source: AI Analysis
Root's crontab runs /opt/darkskyscout/check_services.sh every 5 minutes with output suppressed (>/dev/null 2>&1). While this appears to be a legitimate service health check, the output suppression means failures are silently ignored. The script runs as root, so any compromise of this script or its dependencies would grant root-level code execution.
Fix: 1. Verify script permissions: ls -la /opt/darkskyscout/check_services.sh (should be owned by root, mode 0700 or 0750)
2. Verify script contents for command injection or insecure patterns
3. Redirect output to a log file instead of /dev/null:
*/5 * * * * /opt/darkskyscout/check_services.sh >> /var/log/darkskyscout/check_services.log 2>&1
4. Ensure the /opt/darkskyscout directory is owned by root with restricted permissions