Findings & issues
A static-analysis sweep that surfaces TODOs, secrets, oversized files, unprotected routes, and deprecated patterns.
Where it runs
services/sec_scanner.py runs on:
- Project load.
- Project rescan (top-bar Refresh).
- Manual trigger from the panel.
Findings appear in the Findings tab in the right panel, with a badge showing the count by highest severity.
Severity levels
| Level | Meaning |
|---|---|
| High | Likely security issue. Investigate now. |
| Medium | Likely bug or technical-debt risk. |
| Low | Code-quality issue. |
| Info | Notable but not actionable. |
Filter checkboxes at the top of the panel toggle visibility per level. State is persisted per workspace.
What gets flagged
| Category | Example |
|---|---|
| Hard-coded secrets | aws_access_key = "AKIA…" in source. |
| TODO / FIXME / XXX | # TODO: handle null |
| Oversized files | Files > 1 MB. |
| Unprotected routes | Flask routes without auth decorator. |
| Deprecated patterns | var in JS, print debug statements in Python prod code. |
| Insecure crypto | MD5, SHA1, DES. |
| SQL injection patterns | f-strings or + in SQL. |
| Eval / exec | eval(), exec(), Function(). |
| Path traversal | Unvalidated path concatenation. |
Per-finding view
Click a finding to expand:
- File:line link (jumps the editor).
- Code preview with the offending line highlighted.
- Severity badge.
- Rule that matched.
- Suggested fix (when available).
- Ask agent to fix button — sends the finding as a task.
Suppressing findings
Add a comment on the offending line:
```python
secret = "abc"  # krowforge: ignore-finding
```
Or add a project-level rule in .krowforge/findings-ignore.yaml:
```yaml
ignore:
  - rule: hard_coded_secret
    paths:
      - tests/**
```
Suppressed findings still appear in the panel with a strikethrough but don't count toward the badge.
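A minimal scanner in the spirit of the rule table and the suppression comment above, as an added example that is not krowforge's own services/sec_scanner.py: a few regex rules for the listed categories, the inline `# krowforge: ignore-finding` marker, and the badge count by highest severity. The rule patterns, the `Finding` shape and the `SAMPLE` source are all constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical rule set modelled on the categories table; not krowforge's real rules.
RULES = [
    ("hard_coded_secret", "High",
     re.compile(r'(?i)\b(aws_access_key|api_key|password|secret)\s*=\s*["\'][^"\']+["\']')),
    ("eval_exec", "High", re.compile(r'\b(eval|exec|Function)\s*\(')),
    # f-string whose literal part looks like SQL and interpolates a value
    ("sql_fstring", "High",
     re.compile(r'(?i)\bf["\'][^"\']*\b(select|insert|update|delete)\b[^"\']*\{')),
    ("insecure_crypto", "Medium", re.compile(r'\b(md5|sha1|MD5|SHA1|DES)\b')),
    ("todo_marker", "Low", re.compile(r'#\s*(TODO|FIXME|XXX)\b')),
]
SUPPRESS = re.compile(r'#\s*krowforge:\s*ignore-finding')
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass
class Finding:
    rule: str
    severity: str
    line_no: int
    line: str
    suppressed: bool  # still reported (strikethrough), excluded from the badge


def scan_source(text: str) -> list[Finding]:
    """Run every rule over every line; an inline marker suppresses that line's hits."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        suppressed = bool(SUPPRESS.search(line))
        for rule, sev, pat in RULES:
            if pat.search(line):
                findings.append(Finding(rule, sev, n, line.strip(), suppressed))
    return findings


def badge(findings: list[Finding]):
    """(highest severity, count at that severity) over non-suppressed findings, or None."""
    active = [f for f in findings if not f.suppressed]
    if not active:
        return None
    top = max(active, key=lambda f: SEVERITY_RANK[f.severity]).severity
    return top, sum(1 for f in active if f.severity == top)


# Constructed sample source exercising each rule plus one suppressed line.
SAMPLE = '''import hashlib
aws_access_key = "AKIA-EXAMPLE-PLACEHOLDER"
secret = "abc"  # krowforge: ignore-finding
digest = hashlib.md5(data).hexdigest()
cur.execute(f"SELECT * FROM users WHERE id = {user_id}")
# TODO: handle null
result = eval(user_input)
'''
```

Running `scan_source(SAMPLE)` yields six findings, of which the `secret = "abc"` hit is suppressed, so `badge(...)` reports three High findings.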
Refreshing
Findings update on every project rescan. Edits in the editor don't trigger an immediate rescan, so use Refresh after substantial changes if you want fresh findings.