======================================================================
SecShield Security Report — 2026-02-24 08:15 UTC
======================================================================
Security Grade: F (0/100)
CRITICAL: 2 | HIGH: 66 | MEDIUM: 39 | LOW: 131
----------------------------------------------------------------------
FINDINGS
----------------------------------------------------------------------

[HIGH] #1: UFW firewall is INACTIVE (iptables/nftables may be configured directly)
  Source: OS/Firewall

[HIGH] #2: fail2ban is INACTIVE — no brute-force protection
  Source: OS/Firewall

[MEDIUM] #3: Password authentication is enabled (prefer key-only)
  Source: SSH

[MEDIUM] #4: X11 forwarding is enabled
  Source: SSH

[MEDIUM] #5: TCP forwarding is enabled
  Source: SSH

[MEDIUM] #6: MaxAuthTries is 6 (recommend <= 4)
  Source: SSH

[MEDIUM] #7: ClientAliveInterval is 0 (no idle timeout)
  Source: SSH

[MEDIUM] #8: 30 non-standard SUID/SGID binaries
  Source: Permissions
  /var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chsh
  /var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chfn
  /var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/mount
  /var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/umount
  /var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/expiry

[MEDIUM] #9: PASS_MAX_DAYS is 99999 (recommend <= 90)
  Source: Password Policy

[MEDIUM] #10: PASS_MIN_DAYS is 0 — no minimum password age
  Source: Password Policy

[MEDIUM] #11: PASS_MIN_LEN is 5 (recommend >= 8)
  Source: Password Policy

[MEDIUM] #12: No account lockout policy (pam_faillock/pam_tally2 not configured)
  Source: Password Policy

[MEDIUM] #13: pam_pwquality not configured — no password complexity enforcement
  Source: Password Policy

[LOW] #14: net.ipv4.ip_forward=1 (IP forwarding enabled — router mode)
  Source: Kernel

[LOW] #15: net.ipv4.conf.all.send_redirects=1 (ICMP redirect sending enabled)
  Source: Kernel

[LOW] #16: net.ipv4.conf.all.log_martians=0 (Martian packet logging disabled)
  Source: Kernel

[LOW] #17: fs.suid_dumpable=2 (SUID core dumps enabled)
  Source: Kernel

[LOW] #18: DMARC policy is 'none' — not enforcing
  Source: DNS (home.xamad.net)

[LOW] #19: DNSSEC not enabled
  Source: DNS (home.xamad.net)

[LOW] #20: DMARC policy is 'none' — not enforcing
  Source: DNS (secshield.xamad.net)

[LOW] #21: DNSSEC not enabled
  Source: DNS (secshield.xamad.net)

[HIGH] #22: darkskyscout API (port 3030) bound to 0.0.0.0 — should be 127.0.0.1
  Source: Network
  Service '' is listening on all interfaces but config expects localhost only

[MEDIUM] #23: Unexpected exposed port 8883 (mosquitto)
  Source: Network
  Port 8883 is listening on 0.0.0.0 but not in expected_ports config

[MEDIUM] #24: Unexpected exposed port 5055 (python3)
  Source: Network
  Port 5055 is listening on 0.0.0.0 but not in expected_ports config

[MEDIUM] #25: Unexpected exposed port 9001 (mosquitto)
  Source: Network
  Port 9001 is listening on 0.0.0.0 but not in expected_ports config

[MEDIUM] #26: Unexpected exposed port 8003 (python)
  Source: Network
  Port 8003 is listening on 0.0.0.0 but not in expected_ports config

[MEDIUM] #27: Unexpected exposed port 8000 (python)
  Source: Network
  Port 8000 is listening on 0.0.0.0 but not in expected_ports config

[MEDIUM] #28: Unexpected exposed port 3050 (node)
  Source: Network
  Port 3050 is listening on * but not in expected_ports config

[MEDIUM] #29: Unexpected exposed port 8065 ()
  Source: Network
  Port 8065 is listening on * but not in expected_ports config

[LOW] #30: Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection
  Source: Headers (home.xamad.net)

[LOW] #31: Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection
  Source: Headers (secshield.xamad.net)

[CRITICAL] #32: [CVE-2026-25896] fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: fast-xml-parser 5.3.4 → 5.3.5

[HIGH] #33: Hardcoded API key
  Source: Code ([...path].js)
  File: /opt/darkskyscout/vercel-satellite-proxy/api/n2yo/[...path].js
  Line 45: if (!apiKey || apiKey === 'your_n2yo_api_key_here') {

[HIGH] #34: Hardcoded API key
  Source: Code (server.minimal.js)
  File: /opt/darkskyscout/packages/api/src/server.minimal.js
  Line 51: if (!OPENWEATHER_API_KEY || OPENWEATHER_API_KEY === 'demo_key') {

[HIGH] #35: Hardcoded API key
  Source: Code (admin-sources-api.js)
  File: /opt/darkskyscout/packages/api/src/routes/admin-sources-api.js
  Line 95: if (requires_api_key !== undefined) filters.requires_api_key = requires_api_key === 'true';

[HIGH] #36: Hardcoded API key
  Source: Code (webhooks.js)
  File: /opt/darkskyscout/packages/api/src/routes/webhooks.js
  Line 238: const apiKey = req.get('X-API-Key');

[HIGH] #37: Hardcoded API key
  Source: Code (security.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/security.middleware.js
  Line 258: const apiKey = req.headers['x-api-key'];

[HIGH] #38: Hardcoded API key
  Source: Code (auth.js)
  File: /opt/darkskyscout/packages/api/src/middleware/auth.js
  Line 340: const apiKey = req.headers['x-api-key'];

[HIGH] #39: Hardcoded password
  Source: Code (validation.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/validation.middleware.js
  Line 41: const passwordValidation = body('password')

[HIGH] #40: Hardcoded password
  Source: Code (seed.dev.js)
  File: /opt/darkskyscout/packages/api/src/prisma/seed.dev.js
  Line 31: const hashedPassword = await bcrypt.hash('password123', 10);

[HIGH] #41: Hardcoded API key
  Source: Code (skyTrackingOptimized.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
  Line 90: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {

[HIGH] #42: Hardcoded API key
  Source: Code (skyTrackingOptimized.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
  Line 405: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {

[HIGH] #43: Hardcoded API key
  Source: Code (googleEarthEngine.service.js)
  File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
  Line 146: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {

[HIGH] #44: Hardcoded API key
  Source: Code (googleEarthEngine.service.js)
  File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
  Line 268: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {

[HIGH] #45: Hardcoded API key
  Source: Code (skyInterference.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
  Line 56: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {

[HIGH] #46: Hardcoded API key
  Source: Code (skyInterference.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
  Line 132: if (this.n2yoApiKey && this.n2yoApiKey !== 'demo_key') {

[HIGH] #47: Hardcoded API key
  Source: Code (skyInterference.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
  Line 196: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {

[HIGH] #48: Hardcoded API key
  Source: Code (skyInterference.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
  Line 735: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {

[HIGH] #49: Hardcoded API key
  Source: Code (googleAuthRepair.service.js)
  File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
  Line 78: diagnosis.mapsApiKey.error = 'Billing not enabled';

[HIGH] #50: Hardcoded password
  Source: Code (AuthService.js)
  File: /opt/darkskyscout/packages/api/src/services/AuthService.js
  Line 8: const { validatePassword, validateEmail } = require('../utils/validation');

[HIGH] #51: child_process — command injection risk
  Source: Code (satelliteClaudeSearch.service.js)
  File: /opt/darkskyscout/packages/api/src/services/satelliteClaudeSearch.service.js
  Line 1: const { spawn } = require('child_process');

[HIGH] #52: child_process — command injection risk
  Source: Code (claudeSearch.service.js)
  File: /opt/darkskyscout/packages/api/src/services/claudeSearch.service.js
  Line 1: const { exec } = require('child_process');

[HIGH] #53: child_process — command injection risk
  Source: Code (claudeCode.adapter.js)
  File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
  Line 4: const { exec } = require('child_process');

[HIGH] #54: Hardcoded API key
  Source: Code (n2yoClient.service.js)
  File: /opt/darkskyscout/packages/web/src/services/n2yoClient.service.js
  Line 26: return !!this.apiKey && this.apiKey !== 'your_n2yo_api_key_here';

[HIGH] #55: Hardcoded password
  Source: Code (RegisterPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
  Line 87: newErrors.password = 'Password is required';

[HIGH] #56: Hardcoded password
  Source: Code (RegisterPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
  Line 89: newErrors.password = 'Password must be at least 8 characters';

[HIGH] #57: Hardcoded password
  Source: Code (RegisterPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
  Line 91: newErrors.password = 'Password must contain uppercase, lowercase and number';

[HIGH] #58: Hardcoded password
  Source: Code (RegisterPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
  Line 95: newErrors.confirmPassword = 'Please confirm your password';

[HIGH] #59: Hardcoded password
  Source: Code (RegisterPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
  Line 97: newErrors.confirmPassword = 'Passwords do not match';

[HIGH] #60: Hardcoded password
  Source: Code (LoginPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/LoginPage.jsx
  Line 82: newErrors.password = 'Password is required';

[HIGH] #61: innerHTML assignment — XSS risk
  Source: Code (PhotoGallery.jsx)
  File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
  Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}

[HIGH] #62: React dangerouslySetInnerHTML — XSS risk
  Source: Code (PhotoGallery.jsx)
  File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
  Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}

[HIGH] #63: innerHTML assignment — XSS risk
  Source: Code (MatchSuggestions.jsx)
  File: /opt/darkskyscout/packages/web/src/components/common/MatchSuggestions.jsx
  Line 96: e.target.parentElement.innerHTML = `${suggestion.user.name[0]}`;

[HIGH] #64: innerHTML assignment — XSS risk
  Source: Code (InstantLightPollutionOverlay.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/InstantLightPollutionOverlay.jsx
  Line 478: tooltip.innerHTML = `

[HIGH] #65: innerHTML assignment — XSS risk
  Source: Code (CustomLocationMarkers.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/CustomLocationMarkers.jsx
  Line 54: el.innerHTML = `

[HIGH] #66: innerHTML assignment — XSS risk
  Source: Code (SimpleBortleOverlay.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/SimpleBortleOverlay.jsx
  Line 67: svgElement.innerHTML = '';

[HIGH] #67: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 446: el.innerHTML = `

[HIGH] #68: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 534: el.innerHTML = `

[HIGH] #69: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 616: el.innerHTML = `

[HIGH] #70: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 1275: loadingIndicator.innerHTML = `

[HIGH] #71: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 1421: clickableIndicator.innerHTML = `

[HIGH] #72: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 1619: errorIndicator.innerHTML = `

[HIGH] #73: [CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: axios 1.13.4 → 1.13.5, 0.30.3

[HIGH] #74: [CVE-2026-26278] fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: fast-xml-parser 5.3.4 → 5.3.6

[HIGH] #75: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: minimatch 3.1.2 → 10.2.1

[HIGH] #76: [CVE-2025-47935] Multer vulnerable to Denial of Service via memory leaks from unclosed streams
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: multer 1.4.5-lts.2 → 2.0.0

[HIGH] #77: [CVE-2025-47944] Multer vulnerable to Denial of Service from maliciously crafted requests
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: multer 1.4.5-lts.2 → 2.0.0

[HIGH] #78: [CVE-2025-48997] multer: Multer vulnerable to Denial of Service via unhandled exception
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: multer 1.4.5-lts.2 → 2.0.1

[HIGH] #79: [CVE-2025-7338] multer: Multer Denial of Service
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: multer 1.4.5-lts.2 → 2.0.2

[HIGH] #80: [CVE-2026-23745] node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar 6.2.1 → 7.5.3

[HIGH] #81: [CVE-2026-23950] node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar 6.2.1 → 7.5.4

[HIGH] #82: [CVE-2026-24842] node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar 6.2.1 → 7.5.7

[HIGH] #83: [CVE-2026-26960] tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar 6.2.1 → 7.5.8

[HIGH] #84: [CVE-2024-12905] tar-fs: link following and path traversal via maliciously crafted tar file
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar-fs 3.0.4 → 1.16.4, 2.1.2, 3.0.7

[HIGH] #85: [CVE-2025-48387] tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar-fs 3.0.4 → 1.16.5, 2.1.3, 3.0.9

[HIGH] #86: [CVE-2025-59343] tar-fs: tar-fs symlink validation bypass
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar-fs 3.0.4 → 3.1.1, 2.1.4, 1.16.6

[HIGH] #87: [CVE-2024-37890] nodejs-ws: denial of service when handling a request with many HTTP headers
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: ws 8.16.0 → 5.2.4, 6.2.3, 7.5.10, 8.17.1

[HIGH] #88: [CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: axios 1.13.4 → 1.13.5, 0.30.3

[HIGH] #89: [CVE-2026-1615] jsonpath: jsonpath: Arbitrary Code Execution via unsafe JSON Path expression evaluation
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: jsonpath 1.2.1 → no fix

[HIGH] #90: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: minimatch 3.1.2 → 10.2.1

[HIGH] #91: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: minimatch 5.1.6 → 10.2.1

[HIGH] #92: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: minimatch 9.0.5 → 10.2.1

[HIGH] #93: [CVE-2021-3803] nodejs-nth-check: inefficient regular expression complexity
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: nth-check 1.0.2 → 2.0.1

[MEDIUM] #94: MD5 hash usage
  Source: Code (analytics.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/analytics.middleware.js
  Line 86: return crypto.createHash('md5').update(components.join('|')).digest('hex');

[MEDIUM] #95: MD5 hash usage
  Source: Code (feature-flags.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/feature-flags.middleware.js
  Line 294: const hash = crypto.createHash('md5').update(hashInput).digest('hex');

[MEDIUM] #96: MD5 hash usage
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 110: return crypto.createHash('md5').update(fingerprint).digest('hex');

[MEDIUM] #97: MD5 hash usage
  Source: Code (cache.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
  Line 56: const hash = crypto.createHash('md5').update(fullKey).digest('hex');

[MEDIUM] #98: MD5 hash usage
  Source: Code (cache.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
  Line 316: const paramsHash = crypto.createHash('md5').update(paramsString).digest('hex');

[MEDIUM] #99: MD5 hash usage
  Source: Code (compression.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/compression.middleware.js
  Line 353: const hash = crypto.createHash('md5').update(chunk).digest('hex');

[MEDIUM] #100: MD5 hash usage
  Source: Code (userLocationInteractions.service.js)
  File: /opt/darkskyscout/packages/api/src/services/userLocationInteractions.service.js
  Line 22: return crypto.createHash('md5').update(`${name}_${location.id || Date.now()}`).digest('hex');

[MEDIUM] #101: [CVE-2025-69873] ajv: ReDoS via $data reference
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: ajv 6.12.6 → 8.18.0, 6.14.0

[MEDIUM] #102: [CVE-2025-69873] ajv: ReDoS via $data reference
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: ajv 8.17.1 → 8.18.0, 6.14.0

[MEDIUM] #103: [CVE-2023-44270] PostCSS: Improper input validation in PostCSS
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: postcss 7.0.39 → 8.4.31

[MEDIUM] #104: [CVE-2025-30359] webpack-dev-server: webpack-dev-server information exposure
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: webpack-dev-server 4.15.2 → 5.2.1

[MEDIUM] #105: [CVE-2025-30360] webpack-dev-server: webpack-dev-server information exposure
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: webpack-dev-server 4.15.2 → 5.2.1

[MEDIUM] #106: Secret: Mapbox API token
  Source: Code (fix_all_localhost.sh)
  File: fix_all_localhost.sh
  Line 35: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************

[MEDIUM] #107: Secret: Mapbox API token
  Source: Code (fix_browser_cache_delirium.sh)
  File: fix_browser_cache_delirium.sh
  Line 64: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************

[LOW] #108: Hardcoded fallback for env variable
  Source: Code (server.minimal.js)
  File: /opt/darkskyscout/packages/api/src/server.minimal.js
  Line 2894: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';

[LOW] #109: Hardcoded fallback for env variable
  Source: Code (server.minimal.js)
  File: /opt/darkskyscout/packages/api/src/server.minimal.js
  Line 2929: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';

[LOW] #110: Hardcoded fallback for env variable
  Source: Code (server.js)
  File: /opt/darkskyscout/packages/api/src/server.js
  Line 9: const HOST = process.env.HOST || '0.0.0.0';

[LOW] #111: Hardcoded fallback for env variable
  Source: Code (debug-sky-tracking.js)
  File: /opt/darkskyscout/packages/api/src/debug-sky-tracking.js
  Line 13: console.log(' OPENSKY_CLIENT_ID:', process.env.OPENSKY_CLIENT_ID || 'NOT SET');

[LOW] #112: Hardcoded fallback for env variable
  Source: Code (socket.js)
  File: /opt/darkskyscout/packages/api/src/socket.js
  Line 17: origin: process.env.FRONTEND_URL || "https://darkskyscout.xamad.net",

[LOW] #113: Hardcoded fallback for env variable
  Source: Code (server.quick.js)
  File: /opt/darkskyscout/packages/api/src/server.quick.js
  Line 450: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';

[LOW] #114: Hardcoded fallback for env variable
  Source: Code (server.quick.js)
  File: /opt/darkskyscout/packages/api/src/server.quick.js
  Line 505: const baseUrl = returnUrl || process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';

[LOW] #115: Hardcoded fallback for env variable
  Source: Code (server.quick.js)
  File: /opt/darkskyscout/packages/api/src/server.quick.js
  Line 580: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';

[LOW] #116: Hardcoded fallback for env variable
  Source: Code (database.js)
  File: /opt/darkskyscout/packages/api/src/config/database.js
  Line 108: host: process.env.REDIS_HOST || 'localhost',

[LOW] #117: Hardcoded fallback for env variable
  Source: Code (database.js)
  File: /opt/darkskyscout/packages/api/src/config/database.js
  Line 651: limit: process.env.MAX_REQUEST_SIZE || '10mb',

[LOW] #118: Hardcoded fallback for env variable
  Source: Code (database.js)
  File: /opt/darkskyscout/packages/api/src/config/database.js
  Line 659: limit: process.env.MAX_REQUEST_SIZE || '10mb'

[LOW] #119: Hardcoded fallback for env variable
  Source: Code (auth.simple.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
  Line 51: process.env.JWT_SECRET || 'dev-secret',

[LOW] #120: Hardcoded fallback for env variable
  Source: Code (auth.simple.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
  Line 112: process.env.JWT_SECRET || 'dev-secret',

[LOW] #121: Hardcoded fallback for env variable
  Source: Code (auth.simple.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
  Line 141: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'dev-secret');

[LOW] #122: Hardcoded fallback for env variable
  Source: Code (auth.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.js
  Line 86: expiresIn: process.env.JWT_EXPIRES_IN || '15m'

[LOW] #123: Hardcoded fallback for env variable
  Source: Code (auth.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.js
  Line 92: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }

[LOW] #124: Hardcoded fallback for env variable
  Source: Code (auth.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.js
  Line 341: expiresIn: process.env.JWT_EXPIRES_IN || '15m'

[LOW] #125: Hardcoded fallback for env variable
  Source: Code (auth.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.js
  Line 523: expiresIn: process.env.JWT_EXPIRES_IN || '15m'

[LOW] #126: Hardcoded fallback for env variable
  Source: Code (auth.google.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
  Line 19: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';

[LOW] #127: Hardcoded fallback for env variable
  Source: Code (auth.google.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
  Line 222: const baseUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';

[LOW] #128: Hardcoded fallback for env variable
  Source: Code (auth.google.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
  Line 274: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';

[LOW] #129: Hardcoded fallback for env variable
  Source: Code (communitySharing.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/communitySharing.routes.js
  Line 102: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'fallback-secret');

[LOW] #130: Hardcoded fallback for env variable
  Source: Code (auth-social.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
  Line 18: callbackURL: process.env.GOOGLE_CALLBACK_URL || '/api/auth/google/callback'

[LOW] #131: Hardcoded fallback for env variable
  Source: Code (auth-social.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
  Line 80: callbackURL: process.env.FACEBOOK_CALLBACK_URL || '/api/auth/facebook/callback',

[LOW] #132: Hardcoded fallback for env variable
  Source: Code (auth-social.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
  Line 137: callbackURL: process.env.GITHUB_CALLBACK_URL || '/api/auth/github/callback'

[LOW] #133: Hardcoded fallback for env variable
  Source: Code (auth-social.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
  Line 229: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }

[LOW] #134: Hardcoded fallback for env variable
  Source: Code (auth-social.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
  Line 235: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }

[LOW] #135: Hardcoded fallback for env variable
  Source: Code (auth.repair.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
  Line 164: googleRedirectUri: process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback',

[LOW] #136: Hardcoded fallback for env variable
  Source: Code (auth.repair.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
  Line 165: frontendUrl: process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net',

[LOW] #137: Hardcoded fallback for env variable
  Source: Code (auth.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
  Line 32: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }

[LOW] #138: Hardcoded fallback for env variable
  Source: Code (auth.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
  Line 38: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }

[LOW] #139: Hardcoded fallback for env variable
  Source: Code (analytics.worker.js)
  File: /opt/darkskyscout/packages/api/src/workers/analytics.worker.js
  Line 890: const filepath = path.join(process.env.EXPORT_DIR || '/tmp', filename);

[LOW] #140: Hardcoded fallback for env variable
  Source: Code (manager.js)
  File: /opt/darkskyscout/packages/api/src/workers/manager.js
  Line 263: host: process.env.REDIS_HOST || 'localhost',

[LOW] #141: Hardcoded fallback for env variable
  Source: Code (manager.js)
  File: /opt/darkskyscout/packages/api/src/workers/manager.js
  Line 417: timezone: process.env.TZ || 'UTC'

[LOW] #142: Hardcoded fallback for env variable
  Source: Code (manager.js)
  File: /opt/darkskyscout/packages/api/src/workers/manager.js
  Line 785: version: process.env.npm_package_version || 'unknown',

[LOW] #143: Hardcoded fallback for env variable
  Source: Code (weather-scraper.js)
  File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
  Line 240: host: process.env.REDIS_HOST || 'localhost',

[LOW] #144: Hardcoded fallback for env variable
  Source: Code (weather-scraper.js)
  File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
  Line 248: host: process.env.REDIS_HOST || 'localhost',

[LOW] #145: Hardcoded fallback for env variable
  Source: Code (cleanup.worker.js)
  File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
  Line 426: const tempDir = process.env.TEMP_DIR || '/tmp';

[LOW] #146: Hardcoded fallback for env variable
  Source: Code (cleanup.worker.js)
  File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
  Line 432: const uploadsDir = process.env.UPLOADS_DIR || '/uploads';

[LOW] #147: Hardcoded fallback for env variable
  Source: Code (cleanup.worker.js)
  File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
  Line 438: const logsDir = process.env.LOGS_DIR || '/logs';

[LOW] #148: Hardcoded fallback for env variable
  Source: Code (cleanup.worker.js)
  File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
  Line 743: const tempDir = process.env.TEMP_DIR || '/tmp';

[LOW] #149: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 33: host: process.env.REDIS_HOST || 'localhost',

[LOW] #150: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 51: host: process.env.REDIS_HOST || 'localhost',

[LOW] #151: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 69: host: process.env.REDIS_HOST || 'localhost',

[LOW] #152: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 87: host: process.env.REDIS_HOST || 'localhost',

[LOW] #153: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 105: host: process.env.REDIS_HOST || 'localhost',

[LOW] #154: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 119: host: process.env.REDIS_HOST || 'localhost',

[LOW] #155: Hardcoded fallback for env variable
  Source: Code (monitoring.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
  Line 241: url: process.env.REDIS_URL || 'redis://localhost:6379',

[LOW] #156: Hardcoded fallback for env variable
  Source: Code (monitoring.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
  Line 348: version: process.env.APP_VERSION || '1.0.0',

[LOW] #157: Hardcoded fallback for env variable
  Source: Code (monitoring.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
  Line 349: environment: process.env.NODE_ENV || 'development'

[LOW] #158: Hardcoded fallback for env variable
  Source: Code (monitoring.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
  Line 364: version: process.env.APP_VERSION || '1.0.0',

[LOW] #159: Hardcoded fallback for env variable
  Source: Code (monitoring.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
  Line 365: environment: process.env.NODE_ENV || 'development',

[LOW] #160: Hardcoded fallback for env variable
  Source: Code (error.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/error.middleware.js
  Line 210: maxSize: process.env.MAX_FILE_SIZE || '50MB'

[LOW] #161: Hardcoded fallback for env variable
  Source: Code (upload.js)
  File: /opt/darkskyscout/packages/api/src/middleware/upload.js
  Line 12: region: process.env.AWS_REGION || 'eu-west-1',

[LOW] #162: Hardcoded fallback for env variable
  Source: Code (upload.js)
  File: /opt/darkskyscout/packages/api/src/middleware/upload.js
  Line 19: const bucket = process.env.AWS_S3_BUCKET || 'skyscout-uploads';

[LOW] #163: Hardcoded fallback for env variable
  Source: Code (auth.middleware.simple.js)
  File: /opt/darkskyscout/packages/api/src/middleware/auth.middleware.simple.js
  Line 12: const secret = process.env.JWT_SECRET || 'dev-jwt-secret-key-for-testing-only-change-in-production';

[LOW] #164: Hardcoded fallback for env variable
  Source: Code (logging.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/logging.middleware.js
  Line 182: const environment = process.env.NODE_ENV || 'development';

[LOW] #165: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 20: ios: process.env.IOS_CURRENT_VERSION || '1.0.0',

[LOW] #166: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 21: android: process.env.ANDROID_CURRENT_VERSION || '1.0.0'

[LOW] #167: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 24: ios: process.env.IOS_FORCE_UPDATE_VERSION || '0.9.0',

[LOW] #168: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 25: android: process.env.ANDROID_FORCE_UPDATE_VERSION || '0.9.0'

[LOW] #169: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 197: ios: process.env.IOS_DOWNLOAD_URL || 'https://apps.apple.com/app/skyscout',

[LOW] #170: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 198: android: process.env.ANDROID_DOWNLOAD_URL || 'https://play.google.com/store/apps/details?id=com.skyscout'

[LOW] #171: Hardcoded fallback for env variable
  Source: Code (maintenance.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/maintenance.middleware.js
  Line 263: contactSupport: process.env.SUPPORT_EMAIL || 'support@skyscout.app'

[LOW] #172: Hardcoded fallback for env variable
  Source: Code (cache.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
  Line 8: url: process.env.REDIS_URL || 'redis://localhost:6379',

[LOW] #173: Hardcoded fallback for env variable
  Source: Code (geo.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
  Line 27: timezoneAPI: process.env.TIMEZONE_API_URL || 'http://api.timezonedb.com/v2.1/get-time-zone',

[LOW] #174: Hardcoded fallback for env variable
  Source: Code (geo.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
  Line 31: elevationAPI: process.env.ELEVATION_API_URL || 'https://api.open-elevation.com/api/v1/lookup',

[LOW] #175: Hardcoded fallback for env variable
  Source: Code (geo.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
  Line 34: bortleAPI: process.env.BORTLE_API_URL || 'https://www.lightpollutionmap.info/QueryRaster/',

[LOW] #176: Hardcoded fallback for env variable
  Source: Code (LocationService.js)
  File: /opt/darkskyscout/packages/api/src/services/LocationService.js
  Line 472: key: process.env.TIMEZONEDB_KEY || 'demo',

[LOW] #177: Hardcoded fallback for env variable
  Source: Code (ai.grok.js)
  File: /opt/darkskyscout/packages/api/src/services/ai.grok.js
  Line 7: this.apiUrl = process.env.GROK_API_URL || 'https://api.x.ai/v1'; // Default Grok API URL

[LOW] #178: Hardcoded fallback for env variable
  Source: Code (MediaService.js)
  File: /opt/darkskyscout/packages/api/src/services/MediaService.js
  Line 32: region: process.env.AWS_REGION || 'us-east-1'

[LOW] #179: Hardcoded fallback for env variable
  Source: Code (skyInterference.proxy.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyInterference.proxy.service.js
  Line 11: this.proxyBaseUrl = process.env.SATELLITE_PROXY_URL || 'https://your-app.vercel.app';

[LOW] #180: Hardcoded fallback for env variable
  Source: Code (aiEngineManager.service.js)
  File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
  Line 30: primary: process.env.AI_ENGINE_PRIMARY || 'claude-code',

[LOW] #181: Hardcoded fallback for env variable
  Source: Code (aiEngineManager.service.js)
  File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
  Line 31: fallbackChain: (process.env.AI_ENGINE_FALLBACK || 'claude-api,openai,deepseek').split(','),

[LOW] #182: Hardcoded fallback for env variable
  Source: Code (googleAuthRepair.service.js)
  File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
  Line 10: this.redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';

[LOW] #183: Hardcoded fallback for env variable
  Source: Code (lightPollution.realtime.service.js)
  File: /opt/darkskyscout/packages/api/src/services/lightPollution.realtime.service.js
  Line 28: nasa: process.env.NASA_API_KEY || 'DEMO_KEY',

[LOW] #184: Hardcoded fallback for env variable
  Source: Code (EmailService.js)
  File: /opt/darkskyscout/packages/api/src/services/EmailService.js
  Line 262: from: process.env.EMAIL_FROM || 'SkyScout ',

[LOW] #185: Hardcoded fallback for env variable
  Source: Code (EmailService.js)
  File: /opt/darkskyscout/packages/api/src/services/EmailService.js
  Line 297: from: process.env.EMAIL_FROM || 'SkyScout ',

[LOW] #186: Hardcoded fallback for env variable
  Source: Code (EmailService.js)
  File: /opt/darkskyscout/packages/api/src/services/EmailService.js
  Line 324: appUrl: process.env.APP_URL || 'https://app.skyscout.com'

[LOW] #187: Hardcoded fallback for env variable
  Source: Code (matrix.service.js)
  File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
  Line 7: const MATRIX_SERVER = process.env.MATRIX_SERVER_URL || 'http://localhost:8008';

[LOW] #188: Hardcoded fallback for env variable
Source: Code (matrix.service.js) File: /opt/darkskyscout/packages/api/src/services/matrix.service.js Line 8: const MATRIX_DOMAIN = process.env.MATRIX_DOMAIN || 'chat.darkskyscout.xamad.net'; [LOW] #189: Hardcoded fallback for env variable Source: Code (matrix.service.js) File: /opt/darkskyscout/packages/api/src/services/matrix.service.js Line 9: const REGISTRATION_SECRET = process.env.MATRIX_REGISTRATION_SECRET || '_hkFIRqh5;a^3t7aZ9*WMKPuLqsn8gS-cTwAbxYjYN0Iad_I1Q'; [LOW] #190: Hardcoded fallback for env variable Source: Code (matrix.service.js) File: /opt/darkskyscout/packages/api/src/services/matrix.service.js Line 57: const secret = process.env.JWT_SECRET || 'darkskyscout-matrix-secret'; [LOW] #191: Hardcoded fallback for env variable Source: Code (matrix.service.js) File: /opt/darkskyscout/packages/api/src/services/matrix.service.js Line 106: user: process.env.MATRIX_ADMIN_USER || 'darkskyadmin', [LOW] #192: Hardcoded fallback for env variable Source: Code (matrix.service.js) File: /opt/darkskyscout/packages/api/src/services/matrix.service.js Line 107: password: process.env.MATRIX_ADMIN_PASSWORD || 'DarkSky2024Admin!' 
[LOW] #193: Hardcoded fallback for env variable Source: Code (s3Service.js) File: /opt/darkskyscout/packages/api/src/services/s3Service.js Line 9: this.bucketName = process.env.AWS_S3_BUCKET || 'skyscout-media'; [LOW] #194: Hardcoded fallback for env variable Source: Code (s3Service.js) File: /opt/darkskyscout/packages/api/src/services/s3Service.js Line 44: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net'; [LOW] #195: Hardcoded fallback for env variable Source: Code (s3Service.js) File: /opt/darkskyscout/packages/api/src/services/s3Service.js Line 115: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net'; [LOW] #196: Hardcoded fallback for env variable Source: Code (ai.huggingface.js) File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js Line 7: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3-0324'; [LOW] #197: Hardcoded fallback for env variable Source: Code (ai.huggingface.js) File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js Line 8: this.baseUrl = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions'; [LOW] #198: Hardcoded fallback for env variable Source: Code (AuthService.js) File: /opt/darkskyscout/packages/api/src/services/AuthService.js Line 16: this.jwtExpiration = process.env.JWT_EXPIRATION || '24h'; [LOW] #199: Hardcoded fallback for env variable Source: Code (AuthService.js) File: /opt/darkskyscout/packages/api/src/services/AuthService.js Line 17: this.refreshTokenExpiration = process.env.REFRESH_TOKEN_EXPIRATION || '7d'; [LOW] #200: Hardcoded fallback for env variable Source: Code (emailService.js) File: /opt/darkskyscout/packages/api/src/services/emailService.js Line 7: this.fromEmail = process.env.EMAIL_FROM || 'noreply@darkskyscout.xamad.net'; [LOW] #201: Hardcoded fallback for env variable Source: Code (claudeAPI.adapter.js) File: 
/opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js Line 12: this.baseURL = process.env.CLAUDE_API_URL || 'https://api.anthropic.com/v1'; [LOW] #202: Hardcoded fallback for env variable Source: Code (claudeAPI.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js Line 13: this.model = process.env.CLAUDE_API_MODEL || 'claude-3-5-sonnet-20241022'; [LOW] #203: Hardcoded fallback for env variable Source: Code (claudeAPI.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js Line 14: this.version = process.env.CLAUDE_API_VERSION || '2023-06-01'; [LOW] #204: Hardcoded fallback for env variable Source: Code (deepseek.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js Line 12: this.baseURL = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions'; [LOW] #205: Hardcoded fallback for env variable Source: Code (deepseek.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js Line 13: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3'; [LOW] #206: Hardcoded fallback for env variable Source: Code (openai.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js Line 12: this.baseURL = process.env.OPENAI_API_URL || 'https://api.openai.com/v1'; [LOW] #207: Hardcoded fallback for env variable Source: Code (openai.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js Line 13: this.model = process.env.OPENAI_MODEL || 'gpt-4'; [LOW] #208: Hardcoded fallback for env variable Source: Code (claudeCode.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js Line 14: this.claudePath = process.env.CLAUDE_CODE_PATH || '/home/deploy/.nvm/versions/node/v22.17.1/bin/claude'; [LOW] #209: Hardcoded fallback for env variable Source: Code (claudeCode.adapter.js) 
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js Line 16: this.defaultModel = process.env.CLAUDE_CODE_MODEL || 'sonnet'; // Use alias for latest Sonnet model [LOW] #210: Hardcoded fallback for env variable Source: Code (huggingface.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js Line 12: this.baseURL = process.env.HUGGINGFACE_INFERENCE_URL || 'https://api-inference.huggingface.co/models'; [LOW] #211: Hardcoded fallback for env variable Source: Code (huggingface.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js Line 13: this.model = process.env.HUGGINGFACE_DEFAULT_MODEL || 'microsoft/DialoGPT-large'; [LOW] #212: Hardcoded fallback for env variable Source: Code (test-api-connection.js) File: /opt/darkskyscout/packages/web/src/test-api-connection.js Line 2: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net'; [LOW] #213: Hardcoded fallback for env variable Source: Code (geocoding.service.js) File: /opt/darkskyscout/packages/web/src/services/geocoding.service.js Line 118: const API_BASE = process.env.REACT_APP_API_URL || '/api'; [LOW] #214: Hardcoded fallback for env variable Source: Code (externalLocation.service.js) File: /opt/darkskyscout/packages/web/src/services/externalLocation.service.js Line 443: const API_BASE = process.env.REACT_APP_API_URL || '/api'; [LOW] #215: Hardcoded fallback for env variable Source: Code (communitySharing.service.js) File: /opt/darkskyscout/packages/web/src/services/communitySharing.service.js Line 3: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api'; [LOW] #216: Hardcoded fallback for env variable Source: Code (AIEngineAdminPage.jsx) File: /opt/darkskyscout/packages/web/src/pages/AIEngineAdminPage.jsx Line 8: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api'; [LOW] #217: Hardcoded fallback for 
env variable Source: Code (AccommodationDetailPage.jsx) File: /opt/darkskyscout/packages/web/src/pages/AccommodationDetailPage.jsx Line 124: const apiUrl = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api'; [LOW] #218: Hardcoded fallback for env variable Source: Code (AIEngineManager.jsx) File: /opt/darkskyscout/packages/web/src/components/admin/AIEngineManager.jsx Line 6: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api'; [LOW] #219: Hardcoded fallback for env variable Source: Code (MapboxMap.jsx) File: /opt/darkskyscout/packages/web/src/components/map/MapboxMap.jsx Line 8: mapboxgl.accessToken = process.env.REACT_APP_MAPBOX_ACCESS_TOKEN || 'pk.eyJ1IjoiZGFya3NreXNjb3V0IiwiYSI6ImNsdmhkZnhrbzAyeDQycW9ma3J2aHUwaGMifQ.placeholder'; [MEDIUM] #220: Debug mode enabled Source: Code (app.py) File: /home/webhook/picobernacca/app.py Line 202: app.run(host="127.0.0.1", port=config.PORT, debug=True) [LOW] #221: Inline event handler — potential XSS vector Source: Code (dashboard.html) File: /home/webhook/picobernacca/templates/dashboard.html Line 5: [LOW] #222: Inline event handler — potential XSS vector Source: Code (dashboard.html) File: /home/webhook/picobernacca/templates/dashboard.html Line 6: [LOW] #223: Inline event handler — potential XSS vector Source: Code (dashboard.html) File: /home/webhook/picobernacca/templates/dashboard.html Line 7: [LOW] #224: Inline event handler — potential XSS vector Source: Code (dashboard.html) File: /home/webhook/picobernacca/templates/dashboard.html Line 8: [CRITICAL] #225: Active SSH brute-force attack with no fail2ban protection Source: AI Analysis Logs show an active brute-force attack from 222.121.250.156 targeting root, admin, oracle, usuario, and test accounts. MaxStartups throttling was triggered 4 times on Feb 23, indicating high-volume connection flooding. fail2ban is INACTIVE, meaning there is zero automated blocking of attackers. 
While iptables (13 rules) and nftables (31 rules) appear configured, there is no dynamic ban mechanism to respond to ongoing attacks. Fix: sudo apt install fail2ban && sudo systemctl enable --now fail2ban # Create /etc/fail2ban/jail.local: [sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 bantime = [HIGH] #226: Excessive exposed services on 0.0.0.0 (12 ports publicly bound) Source: AI Analysis 12 services are bound to 0.0.0.0 or [::] and potentially reachable externally: SSH (22), HTTP (80), HTTPS (443), Mosquitto MQTT-TLS (8883), Mosquitto WebSocket (9001), Python (8000, 8003, 5055), Node (3050), and unknown processes on 3030 and 8065. Ports 3030, 5055, 8000, 8003, 8065, and 3050 appear to be application services that should likely be behind nginx reverse proxy (bound to 127.0.0.1) rather than directly exposed. Without knowing the iptables/nftables rules, these may or may not be filtered at the network level. Fix: 1. Audit each service to determine if public exposure is required 2. Bind application services to 127.0.0.1 and proxy through nginx: - Port 8000, 8003 (Python apps) -> bind to 127.0.0.1 - Port 5 [HIGH] #227: SSH password authentication enabled during active brute-force attack Source: AI Analysis PasswordAuthentication is set to 'yes' in both config and runtime. Combined with the active brute-force attack from 222.121.250.156 and no fail2ban, this significantly increases the risk of credential compromise. Root login is restricted to key-only (prohibit-password), but all other accounts can be attacked via password guessing. 
Fix: # In /etc/ssh/sshd_config: PasswordAuthentication no KbdInteractiveAuthentication no # Ensure all users have SSH keys deployed first, then: sudo systemctl reload sshd [MEDIUM] #228: SSH hardening deficiencies (X11, forwarding, timeouts, weak algorithms) Source: AI Analysis Multiple SSH configuration weaknesses: (1) X11Forwarding enabled — allows X11 session hijacking if attacker gains user access. (2) AllowTcpForwarding enabled — allows SSH tunneling for lateral movement. (3) ClientAliveInterval=0 — no idle session timeout, abandoned sessions persist indefinitely. (4) MaxAuthTries=6 — allows more guesses per connection (recommend 3-4). (5) RequiredRSASize=1024 — accepts weak RSA keys. (6) debianbanner=yes — discloses OS information. (7) Weak MACs included (umac-64, hmac-sha1). (8) LoginGraceTime=120 — 2 minutes is excessive. Fix: # In /etc/ssh/sshd_config: X11Forwarding no AllowTcpForwarding no AllowAgentForwarding no ClientAliveInterval 300 ClientAliveCountMax 2 MaxAuthTries 3 LoginGraceTime 30 RequiredRSASize 3072 DebianBann [MEDIUM] #229: Unidentified processes listening on exposed ports 3030 and 8065 Source: AI Analysis Ports 3030 and 8065 are bound to 0.0.0.0/* (all interfaces) but the process name is empty/unidentified in the audit data. These could be containerized services (Docker overlay is present), but unidentified exposed services represent an unknown attack surface that cannot be properly assessed or secured. Fix: # Identify the processes: sudo ss -tlnp | grep -E '3030|8065' sudo lsof -i :3030 -i :8065 # If Docker containers, check: docker ps --format '{{.Names}} {{.Ports}}' # Bind to 127.0.0.1 if not needed [MEDIUM] #230: No password complexity or account lockout policy Source: AI Analysis pam_pwquality is not configured — no minimum complexity requirements (length, character classes) for passwords. pam_faillock is not configured — no account lockout after failed attempts. PASS_MAX_DAYS=99999 means passwords never expire. 
PASS_MIN_DAYS=0 means passwords can be changed back immediately after forced change. Combined with SSH password authentication being enabled, this allows unlimited password guessing against weak passwords at the PAM level. Fix: # Install and configure pam_pwquality: sudo apt install libpam-pwquality # In /etc/security/pwquality.conf: minlen = 12 minclass = 3 maxrepeat = 3 reject_username enforce_for_root # Configure accoun [MEDIUM] #231: Mosquitto MQTT exposed on two ports (8883 and 9001) Source: AI Analysis Mosquitto MQTT broker is externally accessible on port 8883 (MQTT over TLS) and port 9001 (likely MQTT over WebSocket). If ACLs and authentication are not properly configured on the broker, this could allow unauthorized subscription to all topics, message injection, or data exfiltration. MQTT brokers are commonly misconfigured with anonymous access enabled by default. Fix: # Verify authentication is required in /etc/mosquitto/mosquitto.conf: allow_anonymous false password_file /etc/mosquitto/passwd # Verify ACLs are configured: acl_file /etc/mosquitto/acl # If WebSock [MEDIUM] #232: IP forwarding enabled and kernel hardening gaps Source: AI Analysis net.ipv4.ip_forward=1 enables this host to route packets between interfaces — likely required for Docker but increases attack surface if the host is compromised (can be used for MITM or pivoting). Additionally: (1) send_redirects=1 allows ICMP redirect injection for traffic redirection. (2) log_martians=0 means spoofed/impossible source addresses are not logged. (3) fs.suid_dumpable=2 allows core dumps of SUID processes, potentially leaking sensitive memory contents. 
Fix: # In /etc/sysctl.d/99-security.conf: # Keep ip_forward=1 only if Docker/containers require it net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.log_martia [MEDIUM] #233: Active SSH scanning/attack patterns in logs (79 errors in 24h) Source: AI Analysis 79 SSH errors in the last 24 hours indicate sustained reconnaissance and brute-force activity: (1) kex_exchange_identification errors — port scanners and bots probing SSH. (2) Protocol version 1 vs 2 errors — legacy exploit scanners. (3) kex_protocol_error bursts — potential downgrade attack attempts. (4) MaxStartups throttling triggered 4 times — connection flooding that could deny legitimate SSH access. (5) Targeted brute-force from 222.121.250.156 against root, admin, oracle, usuario, test usernames. Without fail2ban, these attacks will continue indefinitely. Fix: 1. Enable fail2ban (see NET-001) 2. Consider changing SSH to a non-standard port to reduce noise: Port 2222 # in /etc/ssh/sshd_config 3. Implement AllowUsers or AllowGroups to restrict SSH access: [LOW] #234: Root filesystem at 78% capacity Source: AI Analysis The root filesystem (/) is at 78% usage with 8.3G remaining of 38G. While not immediately critical, continued growth (especially from logs, Docker images, or application data) could lead to disk exhaustion causing service failures, inability to write logs, or database corruption. The Docker overlay shares this filesystem. Fix: # Identify large files and directories: sudo du -sh /var/log/* | sort -rh | head -20 sudo docker system df sudo docker system prune -f # Consider moving Docker data to the mounted volume: # /mnt/HC_V [LOW] #235: SSH authorized_keys2 file accepted Source: AI Analysis The AuthorizedKeysFile directive includes '.ssh/authorized_keys2' which is a deprecated location. While not directly exploitable, it provides an additional location where an attacker could plant authorized keys that might be overlooked during audits. 
Fix: # In /etc/ssh/sshd_config: AuthorizedKeysFile .ssh/authorized_keys sudo systemctl reload sshd [LOW] #236: SUID binaries in Docker/containerd overlay layers on host filesystem Source: AI Analysis 22 SUID binaries exist within Docker rootfs overlay and containerd snapshot directories on the host filesystem. While these are standard Linux utilities (passwd, su, mount, etc.) and are expected within container images, their presence as SUID on the host filesystem could be leveraged if an attacker gains access to the Docker data directory through a container escape or host compromise. Fix: # Ensure Docker storage is properly secured: sudo chmod 700 /var/lib/docker sudo chmod 700 /var/lib/containerd # Consider enabling user namespaces for Docker to remap UIDs: # In /etc/docker/daemon.js [LOW] #237: UMASK 022 allows group/world-readable file creation by default Source: AI Analysis The default UMASK in /etc/login.defs is 022, meaning newly created files are world-readable (644) and directories are world-accessible (755). For a server with multiple services, a more restrictive default of 027 would prevent other users/services from reading files they don't own. Fix: # In /etc/login.defs: UMASK 027 # Also set in /etc/pam.d/common-session if using pam_umask: session optional pam_umask.so umask=027 [LOW] #238: postgres system user has interactive bash shell Source: AI Analysis The postgres user (uid 111) has /bin/bash as its login shell. Service accounts should have non-interactive shells (/usr/sbin/nologin or /bin/false) to prevent interactive login, reducing attack surface if the database credentials are compromised. 
Fix: sudo usermod -s /usr/sbin/nologin postgres # Note: PostgreSQL operations via 'sudo -u postgres psql' will still work # as psql doesn't require an interactive login shell ---------------------------------------------------------------------- OS STATUS ---------------------------------------------------------------------- Packages installed: 927 Upgradable: 0 (security: 0) Open ports: 22 (exposed: 12) UFW: INACTIVE fail2ban: INACTIVE iptables rules: 13 ---------------------------------------------------------------------- NETWORK SECURITY ---------------------------------------------------------------------- home.xamad.net: WAF=none secshield.xamad.net: WAF=none home.xamad.net: SSL=OK protocol=TLSv1.3 secshield.xamad.net: SSL=OK protocol=TLSv1.3 Exposed ports: 12 | Localhost-only: 10 ====================================================================== Generated by SecShield — AI Security Analyst ======================================================================