AI Assessment
VERDICT
The scanner findings suggest this is likely production-adjacent but needs attention before full deployment. The codebase has no critical issues and solid security posture, but high complexity in core components and Docker container hardening gaps warrant remediation.
TOP RISKS
→ High cyclomatic complexity (CCN 161) was flagged in pkg/agent/loop.go:1584 and related files. This suggests core logic may be difficult to maintain and test, creating maintainability risk.
→ Docker containers in docker/Dockerfile.full and docker/Dockerfile.goreleaser are flagged as running as the root user. If a container is compromised, this is a direct privilege escalation vector.
→ Missing HEALTHCHECK directives in both Dockerfiles (DS-0026). Running containers without health monitoring can mask failures in production.
→ 191-line code duplication detected across multiple files including web/frontend/src/components/channels/channel-forms/wecom-form.tsx. This increases maintenance burden and inconsistency risk.
→ No test coverage detected for at least one component. Test gaps reduce confidence in functionality correctness.
WHAT TO FIX FIRST
Change the Docker user from root in docker/Dockerfile.full and docker/Dockerfile.goreleaser. This is a quick security fix with immediate impact: add a USER directive so the container runs as an unprivileged account. This resolves DS-0002 and follows container hardening best practices.
Note: The high-complexity flag on loop.go (CCN 161) may warrant code review to verify that the scanner is not reporting a false positive, as that level of complexity is unusual. Verify against your actual code structure before refactoring.
Category Breakdown
Findings (253 in 25 groups)
Tip: 209 low-severity findings are style suggestions, not security risks.
This function is extremely complex (complexity score: 161). It likely has hidden bugs that are hard to find, and AI coding tools will struggle to modify it correctly.
In pkg/agent/loop.go at line 1584, there's a function with cyclomatic complexity of 161 (should be under 15). Break it down:
1. Identify the different things this function does (each if/else branch, each loop)
2. Extract each logical step into its own smaller function with a clear name
3. The main function should read like a high-level description of the process
4. Each new function should do ONE thing and be easy to understand on its own
5. Aim for functions with complexity under 10
The same code is copied in multiple places. If there's a bug in one copy, all the other copies still have it. This makes fixing bugs much harder.
In docs/hooks/README.md at line 376, duplicated code was detected. Refactor it:
1. Identify the repeated code block
2. Extract it into a shared function with a descriptive name
3. Replace all copies with calls to the new function
4. If the copies differ slightly, add parameters to the function to handle the differences
5. Make sure all existing behavior is preserved after the refactor
A package your app depends on (Image) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency Image in docker/Dockerfile.full has a known vulnerability (DS-0002: Image user should not be 'root'). Update it to a patched version:
1. Run: npm update Image (or yarn upgrade Image)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "Use Exhaustive Dependencies". Please review and fix this according to best practices. The linter rule lint/correctness/useExhaustiveDependencies flags this as a problem; look up the rule for guidance on the correct fix.
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "No Children Prop". Please review and fix this according to best practices. The linter rule lint/correctness/noChildrenProp flags this as a problem; look up the rule for guidance on the correct fix.
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "No Array Index Key". Please review and fix this according to best practices. The linter rule lint/suspicious/noArrayIndexKey flags this as a problem; look up the rule for guidance on the correct fix.
Your app has no automated tests. You won't know if a code change breaks something until real users complain. This is the #1 reason apps break after updates.
Your project has no test files. Add basic tests:
1. Install a test framework: npm install -D vitest (or jest)
2. Create a __tests__ folder or add .test.ts files next to your source files
3. Start by writing tests for your most important functions, the ones that handle money, auth, or user data
4. Add a "test" script to your package.json: "test": "vitest"
5. Run tests with: npm test
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "No Duplicate Object Keys". Please review and fix this according to best practices. The linter rule lint/suspicious/noDuplicateObjectKeys flags this as a problem; look up the rule for guidance on the correct fix.
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "No Double Equals". Please review and fix this according to best practices. The linter rule lint/suspicious/noDoubleEquals flags this as a problem; look up the rule for guidance on the correct fix.
A code quality issue was found. It may not be a security risk, but fixing it makes your code more reliable and easier to work with.
In your project, there's a code quality issue: "Use Semantic Elements". Please review and fix this according to best practices. The linter rule lint/a11y/useSemanticElements flags this as a problem; look up the rule for guidance on the correct fix.