AI Assessment
VERDICT
Based on automated scanner findings, this project is not yet production-ready. It has a critical container security issue and several medium-risk concerns that should be resolved before deployment.
TOP RISKS
→ Dockerfile line 20: The scanner flagged that no USER is specified in the container, meaning processes run as root. This is a critical security hazard if an attacker controls a process.
→ Dockerfile: DS-0002 flagged that the image user should not be 'root', reinforcing the container privilege escalation risk.
→ Dockerfile line 8: The scanner detected 'RUN cd ...' used to change directory, which can cause fragility in layered Docker builds.
→ CMakeCache.txt lines 107, 320, 27: A 129-line code block was flagged as duplicated across multiple locations, suggesting maintainability concerns.
→ No test suite was detected in the repository, which limits confidence in code correctness and regression prevention.
WHAT TO FIX FIRST
Add a non-root USER directive to the Dockerfile (currently missing at line 20). This single change addresses the critical security finding and removes the highest-risk vulnerability from the report.
ADDITIONAL NOTES
The scanner also flagged missing HEALTHCHECK in the Dockerfile and absent SECURITY.md and CODEOWNERS files. Code duplication at 19.3% with cyclomatic complexity concerns in dispatcher.cpp warrant review, though these are lower priority than the container security issue. Verify all security findings against your actual code implementation.
Category Breakdown
Findings (21 in 10 groups)
Tip: 7 low-severity findings are style suggestions, not security risks.
A security scanner found a potential vulnerability in your code. This is critical and should be fixed immediately.
In Dockerfile at line 20, a security issue was detected: "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensur". Please analyze this code and fix the security vulnerability. The issue is categorized as critical severity. Look for unsafe patterns like unvalidated input, insecure configurations, or missing security checks.
The same code is copied in multiple places. If there's a bug in one copy, all the other copies still have it. This makes fixing bugs much harder.
In CMakeCache.txt at line 107, duplicated code was detected. Refactor it:
1. Identify the repeated code block
2. Extract it into a shared function with a descriptive name
3. Replace all multiple copies with calls to the new function
4. If the copies differ slightly, add parameters to the function to handle the differences
5. Make sure all existing behavior is preserved after the refactor
A package your app depends on (Image) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency Image in Dockerfile has a known vulnerability (DS-0002: Image user should not be 'root'). Update it to a patched version:
1. Run: npm update Image (or yarn upgrade Image)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
Your app has no automated tests. You won't know if a code change breaks something until real users complain. This is the #1 reason apps break after updates.
Your project has no test files. Add basic tests:
1. Install a test framework: npm install -D vitest (or jest)
2. Create a __tests__ folder or add .test.ts files next to your source files
3. Start by writing tests for your most important functions: the ones that handle money, auth, or user data
4. Add a "test" script to your package.json: "test": "vitest"
5. Run tests with: npm test
A package your app depends on (cd) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency cd in Dockerfile has a known vulnerability (DS-0013: 'RUN cd ...' to change directory). Update it to a patched version:
1. Run: npm update cd (or yarn upgrade cd)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
The same code is copied in 15 places. If there's a bug in one copy, all the other copies still have it. This makes fixing bugs much harder.
In your project, duplicated code was detected. Refactor it:
1. Identify the repeated code block
2. Extract it into a shared function with a descriptive name
3. Replace all 15 copies with calls to the new function
4. If the copies differ slightly, add parameters to the function to handle the differences
5. Make sure all existing behavior is preserved after the refactor
This function is overly complex (complexity score: 15). It likely has hidden bugs that are hard to find, and AI coding tools will struggle to modify it correctly.
In src/core/dispatcher.cpp at line 59, there's a function with cyclomatic complexity of 15 (should be under 15). Break it down:
1. Identify the different things this function does (each if/else branch, each loop)
2. Extract each logical step into its own smaller function with a clear name
3. The main function should read like a high-level description of the process
4. Each new function should do ONE thing and be easy to understand on its own
5. Aim for functions with complexity under 10
A package your app depends on (No) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The dependency No in Dockerfile has a known vulnerability (DS-0026: No HEALTHCHECK defined). Update it to a patched version:
1. Run: npm update No (or yarn upgrade No)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
Your project is missing a recommended best practice. Following best practices makes your project more professional, maintainable, and easier for others to contribute to.
Your project is missing: "No SECURITY.md file". Please add this to follow software development best practices. This improves project maintainability, collaboration, and professionalism.
Your project is missing a recommended best practice. Following best practices makes your project more professional, maintainable, and easier for others to contribute to.
Your project is missing: "No CODEOWNERS file". Please add this to follow software development best practices. This improves project maintainability, collaboration, and professionalism.
Report: https://shipscanner.dev/report/cmnbds73e000vif04b11sp274