AI Assessment
VERDICT
Based on automated scanner findings, this codebase shows production-ready fundamentals in secrets management and dependencies, but contains critical security gaps in example code and substantial code quality debt that should be addressed before release.
TOP RISKS
→ SQL injection vulnerability flagged in examples/route-map/index.js:51 where the scanner detected user input manually constructed into a SQL string without parameterization. This is a critical security issue requiring immediate verification against actual code.
→ XSS vulnerabilities flagged across multiple example files (examples/params/index.js:67, examples/resource/index.js:46, examples/route-map/index.js:37) where the scanner detected user-defined input written directly to Response objects without HTML escaping.
→ Session cookie misconfiguration flagged in examples/auth/index.js:22, examples/cookie-sessions/index.js:13, and examples/mvc/index.js:40 where multiple security attributes (httpOnly, secure, expires, domain, path) were not set on session middleware. The scanner also flagged use of default session cookie names.
→ Hard-coded credentials detected in example files (examples/auth/index.js:25, examples/mvc/index.js:43, examples/session/index.js:19), storing secrets in source code.
→ High cyclomatic complexity flagged in lib/response.js:125 (CCN 22) indicating overly complex logic.
WHAT TO FIX FIRST
Address the SQL injection flagged in examples/route-map/index.js:51. While this appears to be example code, SQL injection is critical. Verify the actual implementation against the scanner report and ensure parameterized queries are used if this code handles real data.
Category Breakdown
Findings (4158 in 41 groups)
Tip: 4007 low-severity findings are style suggestions, not security risks.
Someone can steal or delete ALL your database data by typing special commands into your app's input fields. This is one of the most dangerous vulnerabilities possible.
In examples/route-map/index.js at line 51, there's a SQL injection vulnerability. Fix it by using parameterized queries instead of string concatenation:
1. Find where user input is inserted into a SQL query using string concatenation or template literals.
2. Replace it with parameterized queries (use ? placeholders, or $1, $2 for Postgres).
3. If using an ORM like Prisma or Drizzle, use its query builder instead of raw SQL.
4. Never put user input directly into a SQL string.
The same code is copied in multiple places. If there's a bug in one copy, all the other copies still have it. This makes fixing bugs much harder.
In .github/workflows/ci.yml at line 49, duplicated code was detected. Refactor it:
1. Identify the repeated code block.
2. Extract it into a shared function with a descriptive name.
3. Replace all copies with calls to the new function.
4. If the copies differ slightly, add parameters to the function to handle the differences.
5. Make sure all existing behavior is preserved after the refactor.
Someone can inject malicious code into your website that steals your users' passwords, cookies, and personal data. Every visitor to the affected page is at risk.
In examples/params/index.js at line 67, there's a Cross-Site Scripting (XSS) vulnerability. Fix it:
1. Never insert user input directly into HTML using innerHTML or dangerouslySetInnerHTML.
2. Use textContent instead of innerHTML when displaying user data.
3. In React, avoid dangerouslySetInnerHTML — React escapes content by default in JSX.
4. If you must render HTML, sanitize it first with a library like DOMPurify.
A security scanner found a potential vulnerability in your code. This should be investigated and fixed.
In examples/auth/index.js at line 22, a security issue was detected: "Don’t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fi". Please analyze this code and fix the security vulnerability. The issue is categorized as high severity. Look for unsafe patterns like unvalidated input, insecure configurations, or missing security checks.
A security scanner found a potential vulnerability in your code. This should be investigated and fixed.
In examples/auth/index.js at line 22, a security issue was detected: "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, the". Please analyze this code and fix the security vulnerability. The issue is categorized as high severity. Look for unsafe patterns like unvalidated input, insecure configurations, or missing security checks.
A security scanner found a potential vulnerability in your code. This should be investigated and fixed.
In examples/auth/index.js at line 22, a security issue was detected: "Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.". Please analyze this code and fix the security vulnerability. The issue is categorized as high severity. Look for unsafe patterns like unvalidated input, insecure configurations, or missing security checks.
Someone can inject malicious code into your website that steals your users' passwords, cookies, and personal data. Every visitor to the affected page is at risk.
In examples/auth/index.js at line 22, there's a Cross-Site Scripting (XSS) vulnerability. Fix it:
1. Never insert user input directly into HTML using innerHTML or dangerouslySetInnerHTML.
2. Use textContent instead of innerHTML when displaying user data.
3. In React, avoid dangerouslySetInnerHTML — React escapes content by default in JSX.
4. If you must render HTML, sanitize it first with a library like DOMPurify.
A security scanner found a potential vulnerability in your code. This should be investigated and fixed.
In examples/auth/index.js at line 22, a security issue was detected: "Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.". Please analyze this code and fix the security vulnerability. The issue is categorized as high severity. Look for unsafe patterns like unvalidated input, insecure configurations, or missing security checks.
A security scanner found a potential vulnerability in your code. This should be investigated and fixed.
In examples/auth/index.js at line 22, a security issue was detected: "Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.". Please analyze this code and fix the security vulnerability. The issue is categorized as high severity. Look for unsafe patterns like unvalidated input, insecure configurations, or missing security checks.
There's a password or secret key written directly in your code. Anyone who sees your code (including GitHub) can use it to access your accounts.
In examples/auth/index.js at line 25, there's a hardcoded secret. Move it to an environment variable:
1. Create a .env file and add the secret there (e.g., MY_SECRET=actual_value).
2. In your code, use process.env.MY_SECRET instead of the hardcoded string.
3. Add .env to your .gitignore so it never gets pushed to GitHub.
4. If this was already pushed, the secret is compromised — rotate it immediately.