Findings (238)
#1: UFW firewall is INACTIVE (iptables/nftables may be configured directly)
HIGH
Source: OS/Firewall
#2: fail2ban is INACTIVE — no brute-force protection
HIGH
Source: OS/Firewall
#3: Password authentication is enabled (prefer key-only)
MEDIUM
Source: SSH
#4: X11 forwarding is enabled
MEDIUM
Source: SSH
#5: TCP forwarding is enabled
MEDIUM
Source: SSH
#6: MaxAuthTries is 6 (recommend <= 4)
MEDIUM
Source: SSH
#7: ClientAliveInterval is 0 (no idle timeout)
MEDIUM
Source: SSH
#8: 30 SUID/SGID binaries outside the scanner's baseline (the ten listed are stock setuid binaries inside a Docker overlayfs image layer, not host binaries)
MEDIUM
Source: Permissions
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chsh
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chfn
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/mount
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/umount
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/expiry
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chage
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/newgrp
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/su
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/gpasswd
/var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/passwd
#9: PASS_MAX_DAYS is 99999 (recommend <= 90)
MEDIUM
Source: Password Policy
#10: PASS_MIN_DAYS is 0 — no minimum password age
MEDIUM
Source: Password Policy
#11: PASS_MIN_LEN is 5 (recommend >= 8)
MEDIUM
Source: Password Policy
#12: No account lockout policy (pam_faillock/pam_tally2 not configured)
MEDIUM
Source: Password Policy
#13: pam_pwquality not configured — no password complexity enforcement
MEDIUM
Source: Password Policy
#14: net.ipv4.ip_forward=1 (IP forwarding enabled — router mode)
LOW
Source: Kernel
#15: net.ipv4.conf.all.send_redirects=1 (ICMP redirect sending enabled)
LOW
Source: Kernel
#16: net.ipv4.conf.all.log_martians=0 (Martian packet logging disabled)
LOW
Source: Kernel
#17: fs.suid_dumpable=2 (SUID core dumps enabled)
LOW
Source: Kernel
#18: DMARC policy is 'none' — not enforcing
LOW
Source: DNS (home.xamad.net)
#19: DNSSEC not enabled
LOW
Source: DNS (home.xamad.net)
#20: DMARC policy is 'none' — not enforcing
LOW
Source: DNS (secshield.xamad.net)
#21: DNSSEC not enabled
LOW
Source: DNS (secshield.xamad.net)
#22: darkskyscout API (port 3030) bound to 0.0.0.0 — should be 127.0.0.1
HIGH
Source: Network
The darkskyscout API (port 3030) is listening on all interfaces, but the config expects it on localhost only
#23: Unexpected exposed port 8883 (mosquitto)
MEDIUM
Source: Network
Port 8883 is listening on 0.0.0.0 but not in expected_ports config
#24: Unexpected exposed port 5055 (python3)
MEDIUM
Source: Network
Port 5055 is listening on 0.0.0.0 but not in expected_ports config
#25: Unexpected exposed port 9001 (mosquitto)
MEDIUM
Source: Network
Port 9001 is listening on 0.0.0.0 but not in expected_ports config
#26: Unexpected exposed port 8003 (python)
MEDIUM
Source: Network
Port 8003 is listening on 0.0.0.0 but not in expected_ports config
#27: Unexpected exposed port 8000 (python)
MEDIUM
Source: Network
Port 8000 is listening on 0.0.0.0 but not in expected_ports config
#28: Unexpected exposed port 3050 (node)
MEDIUM
Source: Network
Port 3050 is listening on * but not in expected_ports config
#29: Unexpected exposed port 8065 ()
MEDIUM
Source: Network
Port 8065 is listening on * but not in expected_ports config
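Findings #22 to #29 come from comparing listening sockets against an expected_ports allow-list. The block below is an added example, not the scanner's code: it parses a constructed `ss -H -tlnp` snapshot, flags sockets bound to a wildcard address (0.0.0.0, :: or *) whose port is not on the allow-list, and raises the higher severity for services the config says must stay on loopback. The snapshot, the config shape (`expected_ports`, `localhost_only`) and the process names in it are assumptions made for the example.

```javascript
// Added example: reproduce the port-exposure check over a constructed
// `ss -H -tlnp` snapshot. Neither the snapshot nor the config is from the audited host.
const SS_SNAPSHOT = `
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=812,fd=6))
LISTEN 0 511 0.0.0.0:3030 0.0.0.0:* users:(("node",pid=1203,fd=21))
LISTEN 0 100 0.0.0.0:8883 0.0.0.0:* users:(("mosquitto",pid=640,fd=8))
LISTEN 0 511 *:3050 *:* users:(("node",pid=1290,fd=19))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=701,fd=3))
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=555,fd=7))
`;

// Hypothetical config in the shape the findings describe: ports allowed to face
// the network, and services that must only ever bind to loopback.
const CONFIG = {
  expected_ports: [22, 443],
  localhost_only: { 'darkskyscout API': 3030 },
};

const WILDCARDS = new Set(['0.0.0.0', '::', '*']);

// Split "addr:port"; addr may be dotted IPv4, bracketed IPv6 or "*".
function splitLocal(local) {
  const i = local.lastIndexOf(':');
  const addr = local.slice(0, i).replace(/^\[|\]$/g, '');
  return { addr, port: Number(local.slice(i + 1)) };
}

// One record per LISTEN line: bound address, port and owning process name.
function parseSs(text) {
  const sockets = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line.startsWith('LISTEN')) continue;
    const cols = line.split(/\s+/);
    const { addr, port } = splitLocal(cols[3]);
    const m = /users:\(\("([^"]*)"/.exec(line);
    sockets.push({ addr, port, proc: m ? m[1] : '' });
  }
  return sockets;
}

// Returns findings in the same two classes the report uses.
function audit(ssText, config) {
  const findings = [];
  const loopbackOnly = new Map(
    Object.entries(config.localhost_only).map(([name, port]) => [port, name]),
  );
  for (const s of parseSs(ssText)) {
    if (!WILDCARDS.has(s.addr)) continue; // loopback or a specific interface: fine
    if (loopbackOnly.has(s.port)) {
      findings.push({
        severity: 'HIGH',
        port: s.port,
        msg: `${loopbackOnly.get(s.port)} (port ${s.port}) bound to ${s.addr}; should be 127.0.0.1`,
      });
    } else if (!config.expected_ports.includes(s.port)) {
      findings.push({
        severity: 'MEDIUM',
        port: s.port,
        msg: `Unexpected exposed port ${s.port} (${s.proc})`,
      });
    }
  }
  return findings;
}
```

Note that a bind to `::` with `net.ipv6.bindv6only=0` (the Linux default) also accepts IPv4 connections, which is why `::` is treated as a wildcard alongside 0.0.0.0. Fixing #22 means changing the bind address in the service (finding #110 shows `process.env.HOST || '0.0.0.0'` as the current default), not filtering it at the firewall, which finding #1 reports as inactive anyway.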
#30: Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection
LOW
Source: Headers (home.xamad.net)
#31: Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection
LOW
Source: Headers (secshield.xamad.net)
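Findings #30 and #31 are the usual missing-header set. The block below is an added example rather than code from either site: a parser for a `curl -sI` style header dump (the dump here is constructed, not captured from home.xamad.net or secshield.xamad.net), an auditor that reports the same labels the report uses, and an Express-style middleware that sets the headers. The auditor deliberately does not require X-XSS-Protection: the browser filter it controlled has been removed from current browsers, and `0` is the only value worth sending where it is sent at all.

```javascript
// Added example: audit a captured response header block and show the
// middleware that supplies the missing headers. Constructed input, not a capture.
const CAPTURED_HEADERS = `HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
x-frame-options: SAMEORIGIN
`;

// Headers a public HTTPS site should send. HSTS must only go out on HTTPS
// responses; the CSP is a restrictive starting point to relax per asset origin.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy':
    "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
  'X-XSS-Protection': '0',
};

// Parse "Name: value" lines from curl -sI output into a lower-cased map.
function parseRawHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue; // status line and blank lines carry no header
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Report the protections that are missing, using the report's own labels.
function missingProtections(headers) {
  const missing = [];
  const csp = headers['content-security-policy'] || '';
  if (!headers['strict-transport-security']) missing.push('HSTS');
  if (!/^nosniff$/i.test(headers['x-content-type-options'] || '')) {
    missing.push('Content-Type sniffing protection');
  }
  if (!csp) missing.push('CSP');
  // Either mechanism defeats framing; CSP frame-ancestors is the current one.
  if (!headers['x-frame-options'] && !/frame-ancestors/i.test(csp)) {
    missing.push('Clickjacking protection');
  }
  return missing;
}

// Express-style middleware: sets every header above on each response.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  next();
}

// Run the middleware against a minimal fake response and re-audit the result.
function auditAfterMiddleware() {
  const sent = {};
  const res = { setHeader: (k, v) => { sent[k.toLowerCase()] = v; } };
  let nextCalled = false;
  securityHeaders({}, res, () => { nextCalled = true; });
  return { nextCalled, missing: missingProtections(sent) };
}
```

If nginx fronts the Node API, set the headers once at the proxy so every upstream (including the static web build) gets them; setting them in both places is harmless for these five.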
#32: [CVE-2026-25896] fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling
CRITICAL
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: fast-xml-parser 5.3.4 → 5.3.5
#33: Hardcoded API key
HIGH
Source: Code ([...path].js)
File: /opt/darkskyscout/vercel-satellite-proxy/api/n2yo/[...path].js
Line 45: if (!apiKey || apiKey === 'your_n2yo_api_key_here') {
#34: Hardcoded API key
HIGH
Source: Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 51: if (!OPENWEATHER_API_KEY || OPENWEATHER_API_KEY === 'demo_key') {
#35: Hardcoded API key
HIGH
Source: Code (admin-sources-api.js)
File: /opt/darkskyscout/packages/api/src/routes/admin-sources-api.js
Line 95: if (requires_api_key !== undefined) filters.requires_api_key = requires_api_key === 'true';
#36: Hardcoded API key
HIGH
Source: Code (webhooks.js)
File: /opt/darkskyscout/packages/api/src/routes/webhooks.js
Line 238: const apiKey = req.get('X-API-Key');
#37: Hardcoded API key
HIGH
Source: Code (security.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/security.middleware.js
Line 258: const apiKey = req.headers['x-api-key'];
#38: Hardcoded API key
HIGH
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/middleware/auth.js
Line 340: const apiKey = req.headers['x-api-key'];
#39: Hardcoded password
HIGH
Source: Code (validation.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/validation.middleware.js
Line 41: const passwordValidation = body('password')
#40: Hardcoded password
HIGH
Source: Code (seed.dev.js)
File: /opt/darkskyscout/packages/api/src/prisma/seed.dev.js
Line 31: const hashedPassword = await bcrypt.hash('password123', 10);
#41: Hardcoded API key
HIGH
Source: Code (skyTrackingOptimized.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
Line 90: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {
#42: Hardcoded API key
HIGH
Source: Code (skyTrackingOptimized.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
Line 405: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {
#43: Hardcoded API key
HIGH
Source: Code (googleEarthEngine.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
Line 146: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {
#44: Hardcoded API key
HIGH
Source: Code (googleEarthEngine.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
Line 268: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {
#45: Hardcoded API key
HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 56: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
#46: Hardcoded API key
HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 132: if (this.n2yoApiKey && this.n2yoApiKey !== 'demo_key') {
#47: Hardcoded API key
HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 196: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
#48: Hardcoded API key
HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 735: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
#49: Hardcoded API key
HIGH
Source: Code (googleAuthRepair.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
Line 78: diagnosis.mapsApiKey.error = 'Billing not enabled';
#50: Hardcoded password
HIGH
Source: Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 8: const { validatePassword, validateEmail } = require('../utils/validation');
#51: child_process — command injection risk
HIGH
Source: Code (satelliteClaudeSearch.service.js)
File: /opt/darkskyscout/packages/api/src/services/satelliteClaudeSearch.service.js
Line 1: const { spawn } = require('child_process');
#52: child_process — command injection risk
HIGH
Source: Code (claudeSearch.service.js)
File: /opt/darkskyscout/packages/api/src/services/claudeSearch.service.js
Line 1: const { exec } = require('child_process');
#53: child_process — command injection risk
HIGH
Source: Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 4: const { exec } = require('child_process');
#54: Hardcoded API key
HIGH
Source: Code (n2yoClient.service.js)
File: /opt/darkskyscout/packages/web/src/services/n2yoClient.service.js
Line 26: return !!this.apiKey && this.apiKey !== 'your_n2yo_api_key_here';
#55: Hardcoded password
HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 87: newErrors.password = 'Password is required';
#56: Hardcoded password
HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 89: newErrors.password = 'Password must be at least 8 characters';
#57: Hardcoded password
HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 91: newErrors.password = 'Password must contain uppercase, lowercase and number';
#58: Hardcoded password
HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 95: newErrors.confirmPassword = 'Please confirm your password';
#59: Hardcoded password
HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 97: newErrors.confirmPassword = 'Passwords do not match';
#60: Hardcoded password
HIGH
Source: Code (LoginPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/LoginPage.jsx
Line 82: newErrors.password = 'Password is required';
#61: innerHTML assignment — XSS risk
HIGH
Source: Code (PhotoGallery.jsx)
File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}
#62: React dangerouslySetInnerHTML — XSS risk
HIGH
Source: Code (PhotoGallery.jsx)
File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}
#63: innerHTML assignment — XSS risk
HIGH
Source: Code (MatchSuggestions.jsx)
File: /opt/darkskyscout/packages/web/src/components/common/MatchSuggestions.jsx
Line 96: e.target.parentElement.innerHTML = `<span class="text-lg font-bold">${suggestion.user.name[0]}</span>`;
#64: innerHTML assignment — XSS risk
HIGH
Source: Code (InstantLightPollutionOverlay.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/InstantLightPollutionOverlay.jsx
Line 478: tooltip.innerHTML = `
#65: innerHTML assignment — XSS risk
HIGH
Source: Code (CustomLocationMarkers.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/CustomLocationMarkers.jsx
Line 54: el.innerHTML = `
#66: innerHTML assignment — XSS risk
HIGH
Source: Code (SimpleBortleOverlay.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/SimpleBortleOverlay.jsx
Line 67: svgElement.innerHTML = '';
#67: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 446: el.innerHTML = `
#68: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 534: el.innerHTML = `
#69: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 616: el.innerHTML = `
#70: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1275: loadingIndicator.innerHTML = `
#71: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1421: clickableIndicator.innerHTML = `
#72: innerHTML assignment — XSS risk
HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1619: errorIndicator.innerHTML = `
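Findings #61 to #72 all flag the sink, not the data: `svgElement.innerHTML = ''` (#66) and the loading/error indicators assign constants and carry no injection, while #63 (`suggestion.user.name[0]`) and the map tooltips (#64, #65, #67 to #69) interpolate record fields. The block below is an added example, not code from the darkskyscout web package: an escaping helper, a tagged template that escapes every interpolation unless the value is explicitly marked trusted, and the two flagged shapes rewritten with it. The `site` record is made up; in the browser, markup that genuinely has to stay HTML (the photo attribution in #61) should go through a real sanitizer such as DOMPurify before being wrapped as trusted.

```javascript
// Added example: escape-by-default HTML building for innerHTML and
// dangerouslySetInnerHTML sinks. Not part of the darkskyscout code base.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Wrapper for markup that is already safe: a constant, or sanitizer output.
// Only values wrapped this way bypass escaping in html`...`.
class TrustedHtml {
  constructor(markup) { this.markup = markup; }
}
const trusted = (markup) => new TrustedHtml(markup);

// Tagged template: literal template text passes through, ${} values are
// escaped unless they are TrustedHtml. Use the result wherever innerHTML is needed.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof TrustedHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return out;
}

// Finding #63 as written: one character of a user-chosen name lands in markup.
function avatarHtmlUnsafe(name) {
  return `<span class="text-lg font-bold">${name[0]}</span>`;
}
function avatarHtmlSafe(name) {
  return html`<span class="text-lg font-bold">${name[0]}</span>`;
}

// Finding #64 shape: a map tooltip built from a location record with
// untrusted fields (constructed record, see the test).
function tooltipHtml(site) {
  return html`<div class="tooltip"><strong>${site.name}</strong><br>Bortle class ${site.bortle}</div>`;
}

// Preferred when no markup is needed: assign text, so nothing is parsed.
function setAvatarText(el, name) {
  el.textContent = name[0];
  return el.textContent;
}
```

The same `html` tag covers `dangerouslySetInnerHTML={{ __html: ... }}` in React (#61, #62): pass it the tag's output, and reserve `trusted()` for sanitizer output only.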
#73: [CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: axios 1.13.4 → 1.13.5, 0.30.3
#74: [CVE-2026-26278] fast-xml-parser: Denial of Service via unlimited XML entity expansion
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: fast-xml-parser 5.3.4 → 5.3.6
#75: [CVE-2026-26996] minimatch: Denial of Service via specially crafted glob patterns
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: minimatch 3.1.2 → 10.2.1
#76: [CVE-2025-47935] Multer vulnerable to Denial of Service via memory leaks from unclosed streams
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.0
#77: [CVE-2025-47944] Multer vulnerable to Denial of Service from maliciously crafted requests
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.0
#78: [CVE-2025-48997] multer: Multer vulnerable to Denial of Service via unhandled exception
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.1
#79: [CVE-2025-7338] multer: Multer Denial of Service
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.2
#80: [CVE-2026-23745] tar (node-tar): Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.3
#81: [CVE-2026-23950] tar (node-tar): Arbitrary file overwrite via Unicode path collision race condition
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.4
#82: [CVE-2026-24842] tar (node-tar): Arbitrary file creation via path traversal bypass in hardlink security check
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.7
#83: [CVE-2026-26960] tar (node-tar): Arbitrary file read/write via malicious archive hardlink creation
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.8
#84: [CVE-2024-12905] tar-fs: link following and path traversal via maliciously crafted tar file
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 1.16.4, 2.1.2, 3.0.7
#85: [CVE-2025-48387] tar-fs: extract can write outside the specified dir with a specific tarball
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 1.16.5, 2.1.3, 3.0.9
#86: [CVE-2025-59343] tar-fs: symlink validation bypass
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 3.1.1, 2.1.4, 1.16.6
#87: [CVE-2024-37890] nodejs-ws: denial of service when handling a request with many HTTP headers
HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: ws 8.16.0 → 5.2.4, 6.2.3, 7.5.10, 8.17.1
#88: [CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: axios 1.13.4 → 1.13.5, 0.30.3
#89: [CVE-2026-1615] jsonpath: Arbitrary Code Execution via unsafe JSON Path expression evaluation
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: jsonpath 1.2.1 → no fix
#90: [CVE-2026-26996] minimatch: Denial of Service via specially crafted glob patterns
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 3.1.2 → 10.2.1
#91: [CVE-2026-26996] minimatch: Denial of Service via specially crafted glob patterns
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 5.1.6 → 10.2.1
#92: [CVE-2026-26996] minimatch: Denial of Service via specially crafted glob patterns
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 9.0.5 → 10.2.1
#93: [CVE-2021-3803] nodejs-nth-check: inefficient regular expression complexity
HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: nth-check 1.0.2 → 2.0.1
#94: MD5 hash usage
MEDIUM
Source: Code (analytics.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/analytics.middleware.js
Line 86: return crypto.createHash('md5').update(components.join('|')).digest('hex');
#95: MD5 hash usage
MEDIUM
Source: Code (feature-flags.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/feature-flags.middleware.js
Line 294: const hash = crypto.createHash('md5').update(hashInput).digest('hex');
#96: MD5 hash usage
MEDIUM
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 110: return crypto.createHash('md5').update(fingerprint).digest('hex');
#97: MD5 hash usage
MEDIUM
Source: Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 56: const hash = crypto.createHash('md5').update(fullKey).digest('hex');
#98: MD5 hash usage
MEDIUM
Source: Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 316: const paramsHash = crypto.createHash('md5').update(paramsString).digest('hex');
#99: MD5 hash usage
MEDIUM
Source: Code (compression.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/compression.middleware.js
Line 353: const hash = crypto.createHash('md5').update(chunk).digest('hex');
#100: MD5 hash usage
MEDIUM
Source: Code (userLocationInteractions.service.js)
File: /opt/darkskyscout/packages/api/src/services/userLocationInteractions.service.js
Line 22: return crypto.createHash('md5').update(`${name}_${location.id || Date.now()}`).digest('hex');
#101: [CVE-2025-69873] ajv: ReDoS via $data reference
MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: ajv 6.12.6 → 8.18.0, 6.14.0
#102: [CVE-2025-69873] ajv: ReDoS via $data reference
MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: ajv 8.17.1 → 8.18.0, 6.14.0
#103: [CVE-2023-44270] PostCSS: Improper input validation in PostCSS
MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: postcss 7.0.39 → 8.4.31
#104: [CVE-2025-30359] webpack-dev-server: information exposure
MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: webpack-dev-server 4.15.2 → 5.2.1
#105: [CVE-2025-30360] webpack-dev-server: information exposure
MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: webpack-dev-server 4.15.2 → 5.2.1
#106: Secret: Mapbox API token
MEDIUM
Source: Code (fix_all_localhost.sh)
File: fix_all_localhost.sh
Line 35: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************
#107: Secret: Mapbox API token
MEDIUM
Source: Code (fix_browser_cache_delirium.sh)
File: fix_browser_cache_delirium.sh
Line 64: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************
#108: Hardcoded fallback for env variable
LOW
Source: Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 2894: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';
#109: Hardcoded fallback for env variable
LOW
Source: Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 2929: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';
#110: Hardcoded fallback for env variable
LOW
Source: Code (server.js)
File: /opt/darkskyscout/packages/api/src/server.js
Line 9: const HOST = process.env.HOST || '0.0.0.0';
#111: Hardcoded fallback for env variable
LOW
Source: Code (debug-sky-tracking.js)
File: /opt/darkskyscout/packages/api/src/debug-sky-tracking.js
Line 13: console.log(' OPENSKY_CLIENT_ID:', process.env.OPENSKY_CLIENT_ID || 'NOT SET');
#112: Hardcoded fallback for env variable
LOW
Source: Code (socket.js)
File: /opt/darkskyscout/packages/api/src/socket.js
Line 17: origin: process.env.FRONTEND_URL || "https://darkskyscout.xamad.net",
#113: Hardcoded fallback for env variable
LOW
Source: Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 450: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
#114: Hardcoded fallback for env variable
LOW
Source: Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 505: const baseUrl = returnUrl || process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#115: Hardcoded fallback for env variable
LOW
Source: Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 580: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#116: Hardcoded fallback for env variable
LOW
Source: Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 108: host: process.env.REDIS_HOST || 'localhost',
#117: Hardcoded fallback for env variable
LOW
Source: Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 651: limit: process.env.MAX_REQUEST_SIZE || '10mb',
#118: Hardcoded fallback for env variable
LOW
Source: Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 659: limit: process.env.MAX_REQUEST_SIZE || '10mb'
#119: Hardcoded fallback for env variable
LOW
Source: Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 51: process.env.JWT_SECRET || 'dev-secret',
#120: Hardcoded fallback for env variable
LOW
Source: Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 112: process.env.JWT_SECRET || 'dev-secret',
#121: Hardcoded fallback for env variable
LOW
Source: Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 141: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'dev-secret');
#122: Hardcoded fallback for env variable
LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 86: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
#123: Hardcoded fallback for env variable
LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 92: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
#124: Hardcoded fallback for env variable
LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 341: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
#125: Hardcoded fallback for env variable
LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 523: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
#126: Hardcoded fallback for env variable
LOW
Source: Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 19: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
#127: Hardcoded fallback for env variable
LOW
Source: Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 222: const baseUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#128: Hardcoded fallback for env variable
LOW
Source: Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 274: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#129: Hardcoded fallback for env variable
LOW
Source: Code (communitySharing.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/communitySharing.routes.js
Line 102: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'fallback-secret');
#130: Hardcoded fallback for env variable
LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 18: callbackURL: process.env.GOOGLE_CALLBACK_URL || '/api/auth/google/callback'
#131: Hardcoded fallback for env variable
LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 80: callbackURL: process.env.FACEBOOK_CALLBACK_URL || '/api/auth/facebook/callback',
#132: Hardcoded fallback for env variable
LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 137: callbackURL: process.env.GITHUB_CALLBACK_URL || '/api/auth/github/callback'
#133: Hardcoded fallback for env variable
LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 229: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }
#134: Hardcoded fallback for env variable
LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 235: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
#135: Hardcoded fallback for env variable
LOW
Source: Code (auth.repair.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
Line 164: googleRedirectUri: process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback',
#136: Hardcoded fallback for env variable
LOW
Source: Code (auth.repair.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
Line 165: frontendUrl: process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net',
#137: Hardcoded fallback for env variable
LOW
Source: Code (auth.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
Line 32: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }
#138: Hardcoded fallback for env variable
LOW
Source: Code (auth.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
Line 38: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
#139: Hardcoded fallback for env variable
LOW
Source: Code (analytics.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/analytics.worker.js
Line 890: const filepath = path.join(process.env.EXPORT_DIR || '/tmp', filename);
#140: Hardcoded fallback for env variable
LOW
Source: Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 263: host: process.env.REDIS_HOST || 'localhost',
#141: Hardcoded fallback for env variable
LOW
Source: Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 417: timezone: process.env.TZ || 'UTC'
#142: Hardcoded fallback for env variable
LOW
Source: Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 785: version: process.env.npm_package_version || 'unknown',
#143: Hardcoded fallback for env variable
LOW
Source: Code (weather-scraper.js)
File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
Line 240: host: process.env.REDIS_HOST || 'localhost',
#144: Hardcoded fallback for env variable
LOW
Source: Code (weather-scraper.js)
File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
Line 248: host: process.env.REDIS_HOST || 'localhost',
#145: Hardcoded fallback for env variable
LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 426: const tempDir = process.env.TEMP_DIR || '/tmp';
#146: Hardcoded fallback for env variable
LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 432: const uploadsDir = process.env.UPLOADS_DIR || '/uploads';
#147: Hardcoded fallback for env variable
LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 438: const logsDir = process.env.LOGS_DIR || '/logs';
#148: Hardcoded fallback for env variable
LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 743: const tempDir = process.env.TEMP_DIR || '/tmp';
#149: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 33: host: process.env.REDIS_HOST || 'localhost',
#150: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 51: host: process.env.REDIS_HOST || 'localhost',
#151: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 69: host: process.env.REDIS_HOST || 'localhost',
#152: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 87: host: process.env.REDIS_HOST || 'localhost',
#153: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 105: host: process.env.REDIS_HOST || 'localhost',
#154: Hardcoded fallback for env variable
LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 119: host: process.env.REDIS_HOST || 'localhost',
#155: Hardcoded fallback for env variable
LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 241: url: process.env.REDIS_URL || 'redis://localhost:6379',
#156: Hardcoded fallback for env variable
LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 348: version: process.env.APP_VERSION || '1.0.0',
#157: Hardcoded fallback for env variable
LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 349: environment: process.env.NODE_ENV || 'development'
#158: Hardcoded fallback for env variable
LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 364: version: process.env.APP_VERSION || '1.0.0',
#159: Hardcoded fallback for env variable
LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 365: environment: process.env.NODE_ENV || 'development',
#160: Hardcoded fallback for env variable
LOW
Source: Code (error.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/error.middleware.js
Line 210: maxSize: process.env.MAX_FILE_SIZE || '50MB'
#161: Hardcoded fallback for env variable
LOW
Source: Code (upload.js)
File: /opt/darkskyscout/packages/api/src/middleware/upload.js
Line 12: region: process.env.AWS_REGION || 'eu-west-1',
#162: Hardcoded fallback for env variable
LOW
Source: Code (upload.js)
File: /opt/darkskyscout/packages/api/src/middleware/upload.js
Line 19: const bucket = process.env.AWS_S3_BUCKET || 'skyscout-uploads';
#163: Hardcoded fallback for env variable
LOW
Source: Code (auth.middleware.simple.js)
File: /opt/darkskyscout/packages/api/src/middleware/auth.middleware.simple.js
Line 12: const secret = process.env.JWT_SECRET || 'dev-jwt-secret-key-for-testing-only-change-in-production';
#164: Hardcoded fallback for env variable
LOW
Source: Code (logging.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/logging.middleware.js
Line 182: const environment = process.env.NODE_ENV || 'development';
#165: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 20: ios: process.env.IOS_CURRENT_VERSION || '1.0.0',
#166: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 21: android: process.env.ANDROID_CURRENT_VERSION || '1.0.0'
#167: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 24: ios: process.env.IOS_FORCE_UPDATE_VERSION || '0.9.0',
#168: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 25: android: process.env.ANDROID_FORCE_UPDATE_VERSION || '0.9.0'
#169: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 197: ios: process.env.IOS_DOWNLOAD_URL || 'https://apps.apple.com/app/skyscout',
#170: Hardcoded fallback for env variable
LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 198: android: process.env.ANDROID_DOWNLOAD_URL || 'https://play.google.com/store/apps/details?id=com.skyscout'
#171: Hardcoded fallback for env variable
LOW
Source: Code (maintenance.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/maintenance.middleware.js
Line 263: contactSupport: process.env.SUPPORT_EMAIL || 'support@skyscout.app'
#172: Hardcoded fallback for env variable
LOW
Source: Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 8: url: process.env.REDIS_URL || 'redis://localhost:6379',
#173: Hardcoded fallback for env variable
LOW
Source: Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 27: timezoneAPI: process.env.TIMEZONE_API_URL || 'http://api.timezonedb.com/v2.1/get-time-zone',
#174: Hardcoded fallback for env variable
LOW
Source: Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 31: elevationAPI: process.env.ELEVATION_API_URL || 'https://api.open-elevation.com/api/v1/lookup',
#175: Hardcoded fallback for env variable
LOW
Source: Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 34: bortleAPI: process.env.BORTLE_API_URL || 'https://www.lightpollutionmap.info/QueryRaster/',
#176: Hardcoded fallback for env variable
LOW
Source: Code (LocationService.js)
File: /opt/darkskyscout/packages/api/src/services/LocationService.js
Line 472: key: process.env.TIMEZONEDB_KEY || 'demo',
#177: Hardcoded fallback for env variable
LOW
Source: Code (ai.grok.js)
File: /opt/darkskyscout/packages/api/src/services/ai.grok.js
Line 7: this.apiUrl = process.env.GROK_API_URL || 'https://api.x.ai/v1'; // Default Grok API URL
#178: Hardcoded fallback for env variable
LOW
Source: Code (MediaService.js)
File: /opt/darkskyscout/packages/api/src/services/MediaService.js
Line 32: region: process.env.AWS_REGION || 'us-east-1'
#179: Hardcoded fallback for env variable
LOW
Source: Code (skyInterference.proxy.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.proxy.service.js
Line 11: this.proxyBaseUrl = process.env.SATELLITE_PROXY_URL || 'https://your-app.vercel.app';
#180: Hardcoded fallback for env variable
LOW
Source: Code (aiEngineManager.service.js)
File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
Line 30: primary: process.env.AI_ENGINE_PRIMARY || 'claude-code',
#181: Hardcoded fallback for env variable
LOW
Source: Code (aiEngineManager.service.js)
File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
Line 31: fallbackChain: (process.env.AI_ENGINE_FALLBACK || 'claude-api,openai,deepseek').split(','),
#182: Hardcoded fallback for env variable
LOW
Source: Code (googleAuthRepair.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
Line 10: this.redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
#183: Hardcoded fallback for env variable
LOW
Source: Code (lightPollution.realtime.service.js)
File: /opt/darkskyscout/packages/api/src/services/lightPollution.realtime.service.js
Line 28: nasa: process.env.NASA_API_KEY || 'DEMO_KEY',
#184: Hardcoded fallback for env variable
LOW
Source: Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 262: from: process.env.EMAIL_FROM || 'SkyScout <noreply@skyscout.app>',
#185: Hardcoded fallback for env variable
LOW
Source: Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 297: from: process.env.EMAIL_FROM || 'SkyScout <noreply@skyscout.app>',
#186: Hardcoded fallback for env variable
LOW
Source: Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 324: appUrl: process.env.APP_URL || 'https://app.skyscout.com'
#187: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 7: const MATRIX_SERVER = process.env.MATRIX_SERVER_URL || 'http://localhost:8008';
#188: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 8: const MATRIX_DOMAIN = process.env.MATRIX_DOMAIN || 'chat.darkskyscout.xamad.net';
#189: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 9: const REGISTRATION_SECRET = process.env.MATRIX_REGISTRATION_SECRET || '_hkFIRqh5;a^3t7aZ9*WMKPuLqsn8gS-cTwAbxYjYN0Iad_I1Q';
#190: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 57: const secret = process.env.JWT_SECRET || 'darkskyscout-matrix-secret';
#191: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 106: user: process.env.MATRIX_ADMIN_USER || 'darkskyadmin',
#192: Hardcoded fallback for env variable
LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 107: password: process.env.MATRIX_ADMIN_PASSWORD || 'DarkSky2024Admin!'
#193: Hardcoded fallback for env variable
LOW
Source: Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 9: this.bucketName = process.env.AWS_S3_BUCKET || 'skyscout-media';
#194: Hardcoded fallback for env variable
LOW
Source: Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 44: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net';
#195: Hardcoded fallback for env variable
LOW
Source: Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 115: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net';
#196: Hardcoded fallback for env variable
LOW
Source: Code (ai.huggingface.js)
File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js
Line 7: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3-0324';
#197: Hardcoded fallback for env variable
LOW
Source: Code (ai.huggingface.js)
File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js
Line 8: this.baseUrl = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions';
#198: Hardcoded fallback for env variable
LOW
Source: Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 16: this.jwtExpiration = process.env.JWT_EXPIRATION || '24h';
#199: Hardcoded fallback for env variable
LOW
Source: Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 17: this.refreshTokenExpiration = process.env.REFRESH_TOKEN_EXPIRATION || '7d';
#200: Hardcoded fallback for env variable
LOW
Source: Code (emailService.js)
File: /opt/darkskyscout/packages/api/src/services/emailService.js
Line 7: this.fromEmail = process.env.EMAIL_FROM || 'noreply@darkskyscout.xamad.net';
#201: Hardcoded fallback for env variable
LOW
Source: Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 12: this.baseURL = process.env.CLAUDE_API_URL || 'https://api.anthropic.com/v1';
#202: Hardcoded fallback for env variable
LOW
Source: Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 13: this.model = process.env.CLAUDE_API_MODEL || 'claude-3-5-sonnet-20241022';
#203: Hardcoded fallback for env variable
LOW
Source: Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 14: this.version = process.env.CLAUDE_API_VERSION || '2023-06-01';
#204: Hardcoded fallback for env variable
LOW
Source: Code (deepseek.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js
Line 12: this.baseURL = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions';
#205: Hardcoded fallback for env variable
LOW
Source: Code (deepseek.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js
Line 13: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3';
#206: Hardcoded fallback for env variable
LOW
Source: Code (openai.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js
Line 12: this.baseURL = process.env.OPENAI_API_URL || 'https://api.openai.com/v1';
#207: Hardcoded fallback for env variable
LOW
Source: Code (openai.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js
Line 13: this.model = process.env.OPENAI_MODEL || 'gpt-4';
#208: Hardcoded fallback for env variable
LOW
Source: Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 14: this.claudePath = process.env.CLAUDE_CODE_PATH || '/home/deploy/.nvm/versions/node/v22.17.1/bin/claude';
#209: Hardcoded fallback for env variable
LOW
Source: Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 16: this.defaultModel = process.env.CLAUDE_CODE_MODEL || 'sonnet'; // Use alias for latest Sonnet model
#210: Hardcoded fallback for env variable
LOW
Source: Code (huggingface.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js
Line 12: this.baseURL = process.env.HUGGINGFACE_INFERENCE_URL || 'https://api-inference.huggingface.co/models';
#211: Hardcoded fallback for env variable
LOW
Source: Code (huggingface.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js
Line 13: this.model = process.env.HUGGINGFACE_DEFAULT_MODEL || 'microsoft/DialoGPT-large';
#212: Hardcoded fallback for env variable
LOW
Source: Code (test-api-connection.js)
File: /opt/darkskyscout/packages/web/src/test-api-connection.js
Line 2: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net';
#213: Hardcoded fallback for env variable
LOW
Source: Code (geocoding.service.js)
File: /opt/darkskyscout/packages/web/src/services/geocoding.service.js
Line 118: const API_BASE = process.env.REACT_APP_API_URL || '/api';
#214: Hardcoded fallback for env variable
LOW
Source: Code (externalLocation.service.js)
File: /opt/darkskyscout/packages/web/src/services/externalLocation.service.js
Line 443: const API_BASE = process.env.REACT_APP_API_URL || '/api';
#215: Hardcoded fallback for env variable
LOW
Source: Code (communitySharing.service.js)
File: /opt/darkskyscout/packages/web/src/services/communitySharing.service.js
Line 3: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#216: Hardcoded fallback for env variable
LOW
Source: Code (AIEngineAdminPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/AIEngineAdminPage.jsx
Line 8: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#217: Hardcoded fallback for env variable
LOW
Source: Code (AccommodationDetailPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/AccommodationDetailPage.jsx
Line 124: const apiUrl = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#218: Hardcoded fallback for env variable
LOW
Source: Code (AIEngineManager.jsx)
File: /opt/darkskyscout/packages/web/src/components/admin/AIEngineManager.jsx
Line 6: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#219: Hardcoded fallback for env variable
LOW
Source: Code (MapboxMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapboxMap.jsx
Line 8: mapboxgl.accessToken = process.env.REACT_APP_MAPBOX_ACCESS_TOKEN || 'pk.eyJ1IjoiZGFya3NreXNjb3V0IiwiYSI6ImNsdmhkZnhrbzAyeDQycW9ma3J2aHUwaGMifQ.placeholder';
#220: Debug mode enabled
MEDIUM
Source: Code (app.py)
File: /home/webhook/picobernacca/app.py
Line 202: app.run(host="127.0.0.1", port=config.PORT, debug=True)
#221: Inline event handler — potential XSS vector
LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 5: <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
#222: Inline event handler — potential XSS vector
LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 6: <meta name="theme-color" content="#0a0a28">
#223: Inline event handler — potential XSS vector
LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 7: <meta name="apple-mobile-web-app-capable" content="yes">
#224: Inline event handler — potential XSS vector
LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 8: <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
#225: Active SSH brute-force attack with no fail2ban protection
CRITICAL
Source: AI Analysis
Logs show an active brute-force attack from 222.121.250.156 targeting root, admin, oracle, usuario, and test accounts. MaxStartups throttling was triggered 4 times on Feb 23, indicating high-volume connection flooding. fail2ban is INACTIVE, meaning there is zero automated blocking of attackers. While iptables (13 rules) and nftables (31 rules) appear configured, there is no dynamic ban mechanism to respond to ongoing attacks.
Fix: sudo apt install fail2ban && sudo systemctl enable --now fail2ban
# Create /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
# Immediately block the active attacker:
sudo iptables -A INPUT -s 222.121.250.156 -j DROP
#226: Excessive exposed services on 0.0.0.0 (12 ports publicly bound)
HIGH
Source: AI Analysis
12 services are bound to 0.0.0.0 or [::] and potentially reachable externally: SSH (22), HTTP (80), HTTPS (443), Mosquitto MQTT-TLS (8883), Mosquitto WebSocket (9001), Python (8000, 8003, 5055), Node (3050), and unknown processes on 3030 and 8065. Ports 3030, 5055, 8000, 8003, 8065, and 3050 appear to be application services that should likely be behind nginx reverse proxy (bound to 127.0.0.1) rather than directly exposed. Without knowing the iptables/nftables rules, these may or may not be filtered at the network level.
Fix: 1. Audit each service to determine if public exposure is required
2. Bind application services to 127.0.0.1 and proxy through nginx:
- Port 8000, 8003 (Python apps) -> bind to 127.0.0.1
- Port 5055 (Python) -> bind to 127.0.0.1
- Port 3030, 3050 (Node) -> bind to 127.0.0.1
- Port 8065 (unknown) -> identify process and bind to 127.0.0.1
3. Review iptables/nftables rules: sudo iptables -L -n -v && sudo nft list ruleset
4. Restrict MQTT WebSocket (9001) if not needed publicly
#227: SSH password authentication enabled during active brute-force attack
HIGH
Source: AI Analysis
PasswordAuthentication is set to 'yes' in both config and runtime. Combined with the active brute-force attack from 222.121.250.156 and no fail2ban, this significantly increases the risk of credential compromise. Root login is restricted to key-only (prohibit-password), but all other accounts can be attacked via password guessing.
Fix: # In /etc/ssh/sshd_config:
PasswordAuthentication no
KbdInteractiveAuthentication no
# Ensure all users have SSH keys deployed first, then:
sudo systemctl reload sshd
#228: SSH hardening deficiencies (X11, forwarding, timeouts, weak algorithms)
MEDIUM
Source: AI Analysis
Multiple SSH configuration weaknesses: (1) X11Forwarding enabled — allows X11 session hijacking if attacker gains user access. (2) AllowTcpForwarding enabled — allows SSH tunneling for lateral movement. (3) ClientAliveInterval=0 — no idle session timeout, abandoned sessions persist indefinitely. (4) MaxAuthTries=6 — allows more guesses per connection (recommend 3-4). (5) RequiredRSASize=1024 — accepts weak RSA keys. (6) debianbanner=yes — discloses OS information. (7) Weak MACs included (umac-64, hmac-sha1). (8) LoginGraceTime=120 — 2 minutes is excessive.
Fix: # In /etc/ssh/sshd_config:
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
LoginGraceTime 30
RequiredRSASize 3072
DebianBanner no
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
sudo systemctl reload sshd
#229: Unidentified processes listening on exposed ports 3030 and 8065
MEDIUM
Source: AI Analysis
Ports 3030 and 8065 are bound to 0.0.0.0 or * (all interfaces), but the process name is empty/unidentified in the audit data. These could be containerized services (Docker overlay is present), but unidentified exposed services represent an unknown attack surface that cannot be properly assessed or secured.
Fix: # Identify the processes:
sudo ss -tlnp | grep -E '3030|8065'
sudo lsof -i :3030 -i :8065
# If Docker containers, check:
docker ps --format '{{.Names}} {{.Ports}}'
# Bind to 127.0.0.1 if not needed externally, or add to firewall allowlist with source restrictions
#230: No password complexity or account lockout policy
MEDIUM
Source: AI Analysis
pam_pwquality is not configured — no minimum complexity requirements (length, character classes) for passwords. pam_faillock is not configured — no account lockout after failed attempts. PASS_MAX_DAYS=99999 means passwords never expire. PASS_MIN_DAYS=0 means passwords can be changed back immediately after forced change. Combined with SSH password authentication being enabled, this allows unlimited password guessing against weak passwords at the PAM level.
Fix: # Install and configure pam_pwquality:
sudo apt install libpam-pwquality
# In /etc/security/pwquality.conf:
minlen = 12
minclass = 3
maxrepeat = 3
reject_username
enforce_for_root
# Configure account lockout in /etc/pam.d/common-auth: the preauth line goes before pam_unix,
# the authfail line directly after it (authfail before pam_unix would count every login as a failure)
auth required pam_faillock.so preauth silent deny=5 unlock_time=900
# ... existing pam_unix.so line stays here ...
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900
# And in /etc/pam.d/common-account, so the lock is actually enforced:
account required pam_faillock.so
# In /etc/login.defs:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 12
PASS_WARN_AGE 14
#231: Mosquitto MQTT exposed on two ports (8883 and 9001)
MEDIUM
Source: AI Analysis
Mosquitto MQTT broker is externally accessible on port 8883 (MQTT over TLS) and port 9001 (likely MQTT over WebSocket). If ACLs and authentication are not properly configured on the broker, this could allow unauthorized subscription to all topics, message injection, or data exfiltration. MQTT brokers are commonly misconfigured with anonymous access enabled by default.
Fix: # Verify authentication is required in /etc/mosquitto/mosquitto.conf:
allow_anonymous false
password_file /etc/mosquitto/passwd
# Verify ACLs are configured:
acl_file /etc/mosquitto/acl
# If WebSocket (9001) is not needed publicly, bind to localhost:
listener 9001 127.0.0.1
# Test for anonymous access:
mosquitto_sub -h localhost -p 8883 --cafile /path/to/ca.crt -t '#' -v
#232: IP forwarding enabled and kernel hardening gaps
MEDIUM
Source: AI Analysis
net.ipv4.ip_forward=1 enables this host to route packets between interfaces — likely required for Docker but increases attack surface if the host is compromised (can be used for MITM or pivoting). Additionally: (1) send_redirects=1 allows ICMP redirect injection for traffic redirection. (2) log_martians=0 means spoofed/impossible source addresses are not logged. (3) fs.suid_dumpable=2 allows core dumps of SUID processes, potentially leaking sensitive memory contents.
Fix: # In /etc/sysctl.d/99-security.conf:
# Keep ip_forward=1 only if Docker/containers require it
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
fs.suid_dumpable = 0
sudo sysctl --system
#233: Active SSH scanning/attack patterns in logs (79 errors in 24h)
MEDIUM
Source: AI Analysis
79 SSH errors in the last 24 hours indicate sustained reconnaissance and brute-force activity: (1) kex_exchange_identification errors — port scanners and bots probing SSH. (2) Protocol version 1 vs 2 errors — legacy exploit scanners. (3) kex_protocol_error bursts — potential downgrade attack attempts. (4) MaxStartups throttling triggered 4 times — connection flooding that could deny legitimate SSH access. (5) Targeted brute-force from 222.121.250.156 against root, admin, oracle, usuario, test usernames. Without fail2ban, these attacks will continue indefinitely.
Fix: 1. Enable fail2ban (see NET-001)
2. Consider changing SSH to a non-standard port to reduce noise:
Port 2222 # in /etc/ssh/sshd_config
3. Implement AllowUsers or AllowGroups to restrict SSH access:
AllowUsers your_admin_user
4. Consider using port knocking or VPN for SSH access
5. Review and block known attacker IPs at the firewall level
#234: Root filesystem at 78% capacity
LOW
Source: AI Analysis
The root filesystem (/) is at 78% usage with 8.3G remaining of 38G. While not immediately critical, continued growth (especially from logs, Docker images, or application data) could lead to disk exhaustion causing service failures, inability to write logs, or database corruption. The Docker overlay shares this filesystem.
Fix: # Identify large files and directories:
sudo du -sh /var/log/* | sort -rh | head -20
sudo docker system df
sudo docker system prune -f
# Consider moving Docker data to the mounted volume:
# /mnt/HC_Volume_104305213 has 28G free
# Edit /etc/docker/daemon.json:
{"data-root": "/mnt/HC_Volume_104305213/docker"}
# Set up log rotation limits and monitoring at 85% threshold
#235: SSH authorized_keys2 file accepted
LOW
Source: AI Analysis
The AuthorizedKeysFile directive includes '.ssh/authorized_keys2' which is a deprecated location. While not directly exploitable, it provides an additional location where an attacker could plant authorized keys that might be overlooked during audits.
Fix: # In /etc/ssh/sshd_config:
AuthorizedKeysFile .ssh/authorized_keys
sudo systemctl reload sshd
#236: SUID binaries in Docker/containerd overlay layers on host filesystem
LOW
Source: AI Analysis
22 SUID binaries exist within Docker rootfs overlay and containerd snapshot directories on the host filesystem. While these are standard Linux utilities (passwd, su, mount, etc.) and are expected within container images, their presence as SUID on the host filesystem could be leveraged if an attacker gains access to the Docker data directory through a container escape or host compromise.
Fix: # Ensure Docker storage is properly secured:
sudo chmod 700 /var/lib/docker
sudo chmod 700 /var/lib/containerd
# Consider enabling user namespaces for Docker to remap UIDs:
# In /etc/docker/daemon.json:
{"userns-remap": "default"}
# Audit periodically:
find /var/lib/docker -perm -4000 -type f 2>/dev/null
#237: UMASK 022 allows group/world-readable file creation by default
LOW
Source: AI Analysis
The default UMASK in /etc/login.defs is 022, meaning newly created files are world-readable (644) and directories are world-accessible (755). For a server with multiple services, a more restrictive default of 027 would prevent other users/services from reading files they don't own.
Fix: # In /etc/login.defs:
UMASK 027
# Also set in /etc/pam.d/common-session if using pam_umask:
session optional pam_umask.so umask=027
#238: postgres system user has interactive bash shell
LOW
Source: AI Analysis
The postgres user (uid 111) has /bin/bash as its login shell. Service accounts should have non-interactive shells (/usr/sbin/nologin or /bin/false) to prevent interactive login, reducing attack surface if the database credentials are compromised.
Fix: sudo usermod -s /usr/sbin/nologin postgres
# Note: PostgreSQL operations via 'sudo -u postgres psql' will still work
# as psql doesn't require an interactive login shell