# Candidate Scan

Generated by piolium at 2026-06-01T14:22:03.009Z

## Totals

- Files scanned: 880
- Candidate files: 259
- Candidate matches: 1703
- Per-file records: disabled (set `PIOLIUM_FILE_RECORDS=1` to enable)

## Candidate Classes

- secret-literal: 14 match(es), max score 122. Hardcoded secret-like literal.
- command-execution: 65 match(es), max score 90. Potential command execution or shell invocation with variable input.
- dynamic-code-execution: 27 match(es), max score 90. Dynamic code execution, expression evaluation, or runtime compilation.
- raw-sql-query: 644 match(es), max score 87. Raw SQL construction or query execution that may need parameterization review.
- hidden-control-channel: 165 match(es), max score 87. Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.
- open-redirect: 2 match(es), max score 81. Redirect sink that may accept user-controlled URLs.
- path-traversal-file-access: 688 match(es), max score 79. Filesystem access using path joins or user-controllable paths.
- webhook-without-obvious-signature: 41 match(es), max score 79. Webhook handler path that should be checked for signature verification.
- ssrf-capable-request: 26 match(es), max score 71. Outbound HTTP request site that may be attacker-controlled.
- unsafe-html-or-template: 17 match(es), max score 71. HTML injection sink or template escape bypass.
- weak-token-or-crypto: 9 match(es), max score 63. Token, JWT, randomness, or crypto usage that deserves review.
- public-entrypoint: 5 match(es), max score 54. Public route, handler, controller, workflow, or operation entry point.

## Top Files

- `honker/tests/test_joblite.py`: score 2280, 41 match(es)
- `honker/tests/test_litenotify.py`: score 2200, 40 match(es)
- `honker/packages/honker-jvm/src/test/java/dev/honker/HonkerJvmTest.java`: score 1980, 36 match(es)
- `honker/packages/honker-bun/src/index.ts`: score 1905, 27 match(es)
- `honker/packages/honker-node/test/parity.test.js`: score 1815, 33 match(es)
- `honker/tests/test_scheduler.py`: score 1815, 33 match(es)
- `honker/tests/test_real_e2e_scenarios.py`: score 1810, 32 match(es)
- `honker/tests/test_extension_interop.py`: score 1760, 32 match(es)
- `honker/tests/test_stream.py`: score 1650, 30 match(es)
- `web/src/server/services/hometitle/county-scrapers/unified-parser.ts`: score 1530, 18 match(es)
- `honker/tests/test_tasks.py`: score 1485, 27 match(es)
- `web/src/routes/api/stripe/webhook.test.ts`: score 1422, 18 match(es)
- `honker/tests/test_task_results.py`: score 1375, 25 match(es)
- `honker/tests/test_outbox.py`: score 1320, 24 match(es)
- `honker/packages/honker/python/honker/_honker.py`: score 1265, 23 match(es)
- `web/src/server/services/darkwatch/shodan.client.ts`: score 1265, 23 match(es)
- `web/src/routes/api/stripe/webhook.ts`: score 1239, 16 match(es)
- `web/src/middleware.ts`: score 1197, 19 match(es)
- `web/src/server/services/darkwatch/shodan.client.test.ts`: score 1190, 21 match(es)
- `honker/packages/honker-node/test/basic.js`: score 1155, 21 match(es)
- `web/src/server/websocket.ts`: score 1155, 21 match(es)
- `honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts`: score 1150, 20 match(es)
- `honker/packages/honker-node/api.js`: score 1134, 18 match(es)
- `honker/packages/honker-bun/test/parity.test.ts`: score 1115, 17 match(es)
- `web/src/server/api/routers/removebrokers.ts`: score 1106, 14 match(es)
- `honker/tests/test_multiprocess.py`: score 1065, 18 match(es)
- `honker/packages/honker-bun/test/python_interop.test.ts`: score 930, 16 match(es)
- `honker/bench/real_bench.py`: score 925, 15
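match(es)
- `honker/packages/honker-node/test/watcher_backends_e2e.js`: score 905, 16 match(es)
- `honker/tests/test_crash_recovery.py`: score 905, 16 match(es)
- `honker/packages/honker-bun/test/basic.test.ts`: score 880, 16 match(es)
- `web/src/server/websocket.test.ts`: score 880, 16 match(es)
- `honker/packages/honker-node/examples/atomic.js`: score 825, 15 match(es)
- `web/src/server/api/routers/correlation.test.ts`: score 790, 10 match(es)
- `honker/bench/ext_bench.py`: score 770, 14 match(es)
- `honker/packages/honker-jvm/src/main/java/dev/honker/Database.java`: score 770, 14 match(es)
- `honker/packages/honker-ruby/spec/parity_spec.rb`: score 770, 14 match(es)
- `honker/tests/test_phase_mantle.py`: score 770, 14 match(es)
- `honker/tests/test_task_expiration.py`: score 715, 13 match(es)
- `honker/tests/test_task_locking.py`: score 715, 13 match(es)

## Highest-Ranked Matches

> **Triage note:** these entries are pattern matches queued for review, not confirmed findings. Several are flagged on a method name alone: the `dynamic-code-execution` and `command-execution` entries include regex `.exec()` loops in `unified-parser.ts`, `raw.exec(...)` calls that pass SQL text to a database handle, and `model.eval()` in `train.py` (apparently a model evaluation-mode switch; confirm against the file). Every `secret-literal` entry shown is a form-validation message or a value in a `*.test.ts` file, and the `raw-sql-query` entries shown appear to be `.query(...)` procedure definitions in router files. The same source line can be listed under two classes or repeated (`honker-bun/src/index.ts:343`, `train.py:216`), so match totals overstate the number of distinct sites. This listing stops at score 80, so classes whose max score is lower (`path-traversal-file-access`, `webhook-without-obvious-signature`, `ssrf-capable-request`, `unsafe-html-or-template`, `weak-token-or-crypto`) are not shown here and still need their own review.

- secret-literal (precise, score 122) at `web/src/server/api/routers/billing.test.ts:220`
  - `clientSecret: "cs_123_secret",`
- secret-literal (precise, score 106) at `web/src/routes/(auth)/login.tsx:30`
  - `if (!password()) errs.password = "Password is required";`
- secret-literal (precise, score 106) at `web/src/routes/(auth)/reset-password.tsx:27`
  - `if (!password()) errs.password = "Password is required";`
- secret-literal (precise, score 106) at `web/src/routes/(auth)/reset-password.tsx:29`
  - `errs.password = "Password must be at least 8 characters";`
- secret-literal (precise, score 106) at `web/src/routes/(auth)/signup.tsx:66`
  - `if (!password()) errs.password = "Password is required";`
- secret-literal (precise, score 106) at `web/src/routes/(auth)/signup.tsx:68`
  - `errs.password = "Password must be at least 8 characters";`
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:140`
  - `client_secret: "cs_123_secret",`
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:178`
  - `client_secret: "cs_trial_secret",`
- secret-literal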
(precise, score 98) at `web/src/server/services/billing.service.test.ts:216`
  - `client_secret: "cs_upgrade_secret",`
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/examples/atomic.ts:21`
  - `db.raw.exec(`
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:343`
  - `this.raw.exec("BEGIN IMMEDIATE");`
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:422`
  - `raw.exec("PRAGMA busy_timeout = 5000;");`
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:424`
  - `raw.exec(DEFAULT_PRAGMAS);`
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:425`
  - `raw.exec("SELECT honker_bootstrap()");`
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:441`
  - `held.raw.exec("ROLLBACK");`
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:480`
  - `this.raw.exec("COMMIT");`
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:489`
  - `this.raw.exec("ROLLBACK");`
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/test/parity.test.ts:68`
  - `db.raw.exec("CREATE TABLE kv (k TEXT PRIMARY KEY, v TEXT)");`
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/test/parity.test.ts:82`
  - `db.raw.exec("CREATE TABLE kv (k TEXT)");`
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/test/parity.test.ts:94`
  - `db.raw.exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER)");`
- command-execution (precise, score 90) at `honker/packages/honker-go/python_interop_test.go:24`
  - `cmd := exec.Command(p, "-c", pythonProbeScript)`
- command-execution (precise, score 90) at `honker/packages/honker-go/python_interop_test.go:38`
  - `cmd := exec.Command(p, "-c", pythonProbeScript)`
- command-execution (precise, score 90) at `honker/packages/honker-go/python_interop_test.go:86` -
`cmd := exec.Command(python, "-c", script)`
- command-execution (precise, score 90) at `honker/packages/honker-go/watcher_backends_queue_test.go:119`
  - `cmd := exec.Command(os.Args[0], "-test.v", "-test.run", "^TestWatcherBackendQueueHelper$")`
- command-execution (precise, score 90) at `honker/packages/honker-go/watcher_backends_queue_test.go:194`
  - `cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")`
- command-execution (precise, score 90) at `honker/packages/honker-go/watcher_backends_queue_test.go:226`
  - `cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")`
- dynamic-code-execution (precise, score 90) at `honker/scripts/test_sqlite_versions.py:103`
  - `assert rc == SQLITE_OK, f"exec({sql!r}) failed: {rc}"`
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216`
  - `model.eval()`
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216`
  - `model.eval()`
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216`
  - `model.eval()`
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280`
  - `model.eval()`
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280`
  - `model.eval()`
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280`
  - `model.eval()`
- secret-literal (precise, score 90) at `web/src/server/services/darkwatch/hibp.client.test.ts:65`
  - `const apiKey = "test-api-key";`
- secret-literal (precise, score 90) at `web/src/server/services/darkwatch/shodan.client.test.ts:13`
  - `const apiKey = "test-shodan-key";`
- secret-literal (precise, score 90) at `web/src/server/services/hometitle/attom.client.test.ts:170`
  - `const apiKey = "test-attom-api-key";`
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:101`
  - `while ((tableMatch = tableRegex.exec(html)) !== null) {`
- dynamic-code-execution (precise, score 90) at
`web/src/server/services/hometitle/county-scrapers/unified-parser.ts:127`
  - `while ((rowMatch = rowRegex.exec(tableHtml)) !== null) {`
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:153`
  - `while ((match = cellRegex.exec(headerRowHtml)) !== null) {`
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:160`
  - `while ((match = tdRegex.exec(headerRowHtml)) !== null) {`
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:199`
  - `while ((match = cellRegex.exec(rowHtml)) !== null) {`
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:294`
  - `while ((match = labelSpanPattern.exec(html)) !== null) {`
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:302`
  - `while ((match = thTdPattern.exec(html)) !== null) {`
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:310`
  - `while ((match = divFieldPattern.exec(html)) !== null) {`
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:318`
  - `while ((match = plainLabelPattern.exec(html)) !== null) {`
- secret-literal (precise, score 90) at `web/src/server/services/notification.service.test.ts:220`
  - `token: "existing-token",`
- secret-literal (precise, score 90) at `web/src/server/services/notification.service.test.ts:256`
  - `token: "other-user-token",`
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:40`
  - `stats: adminProcedure.query(async ({ ctx }) => {`
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:58`
  - `blogList: adminProcedure.query(async ({ ctx }) => {`
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:64` -
`.query(async ({ ctx, input }) => {`
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:137`
  - `userList: adminProcedure.query(async ({ ctx }) => {`
- hidden-control-channel (normal, score 87) at `web/src/server/api/routers/billing.test.ts:95`
  - `const isAuthed = t.middleware(({ ctx, next }) => {`
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:102`
  - `.query(async () => {`
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:168`
  - `.query(async ({ ctx, input }) => {`
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:43`
  - `getSubscription: protectedProcedure.query(async ({ ctx }) => {`
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:304`
  - `.query(async ({ ctx, input }) => {`
- open-redirect (normal, score 81) at `web/src/routes/(admin)/blog/index.tsx:32`
  - `if (redirect()) return ;`
- command-execution (precise, score 80) at `honker/bench/real_bench.py:180`
  - `def spawn(script: str) -> subprocess.Popen:`
- command-execution (precise, score 80) at `honker/bench/real_bench.py:181`
  - `return subprocess.Popen(`
- command-execution (precise, score 80) at `honker/bench/real_bench.py:212`
  - `spawn(`
- command-execution (precise, score 80) at `honker/bench/real_bench.py:224`
  - `spawn(enqueuer_script(db_path, queue_name, rate_per_enqueuer))`
- command-execution (precise, score 80) at `honker/bench/wake_latency_bench.py:83`
  - `proc = subprocess.Popen(`
- command-execution (precise, score 80) at `honker/packages/honker-bun/examples/atomic.ts:21`
  - `db.raw.exec(`
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:343`
  - `this.raw.exec("BEGIN IMMEDIATE");`
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:422`
  - `raw.exec("PRAGMA busy_timeout = 5000;");`
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:424`
  - `raw.exec(DEFAULT_PRAGMAS);`
- command-execution (precise,
score 80) at `honker/packages/honker-bun/src/index.ts:425`
  - `raw.exec("SELECT honker_bootstrap()");`
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:441`
  - `held.raw.exec("ROLLBACK");`
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:480`
  - `this.raw.exec("COMMIT");`
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:489`
  - `this.raw.exec("ROLLBACK");`
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/parity.test.ts:68`
  - `db.raw.exec("CREATE TABLE kv (k TEXT PRIMARY KEY, v TEXT)");`
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/parity.test.ts:82`
  - `db.raw.exec("CREATE TABLE kv (k TEXT)");`
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/parity.test.ts:94`
  - `db.raw.exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER)");`
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/python_interop.test.ts:38`
  - `const probe = spawnSync(python, ["-c", probeScript], {`
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/python_interop.test.ts:61`
  - `const out = spawnSync(python, ["-c", script], {`
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts:116`
  - `const proc = spawn(process.execPath, ["-e", workerScript(dbPath, extPath, workerId, backend)], {`
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts:152`
  - `const res = spawnSync(process.execPath, ["-e", script], {`
- command-execution (precise, score 80) at `honker/packages/honker-node/index.js:56`
  - `return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')`
- command-execution (precise, score 80) at `honker/packages/honker-node/native.js:56`
  - `return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')`
-
  command-execution (precise, score 80) at `honker/packages/honker-node/test/cross_lang_shared.js:28`
  - `return spawn(PYTHON, ['-c', script], { stdio });`

## Custom Matchers

Project matchers can be added at `piolium/matchers.json`, `piolium/custom-matchers.json`, or `.piolium-matchers.json`.