AI Fix Prompts for Hydra

Copy any prompt below into Claude, ChatGPT, or your AI coding assistant to automatically fix the issue. Each prompt includes full context, code location, and step-by-step fix instructions.

19 total prompts: 0 Critical (P0), 19 High (P1), 0 Medium (P2), 0 Low (P3)
HIGH ⚡ quick-fix #1

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/daemon/http-utils.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/daemon/http-utils.ts
**Line**: 84
**Severity**: HIGH

**Current code around the issue:**
```
      79 |   }
      80 |   if (body !== null) {
      81 |     headers['Content-Type'] = 'application/json';
      82 |   }
      83 | 
>>>   84 |   const response = await fetch(url, {
      85 |     method,
      86 |     headers,
      87 |     body: body == null ? undefined : JSON.stringify(body),
      88 |   });
      89 |   const payload: unknown = await response.json().catch(() => ({}));
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
All rows above produced by Repobility · https://repobility.com
HIGH ⚡ quick-fix #2

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-concierge.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-concierge.ts
**Line**: 518
**Severity**: HIGH

**Current code around the issue:**
```
     513 | }
     514 | 
     515 | async function postConciergeEvent(type: string, payload: unknown) {
     516 |   if (_daemonBaseUrl == null || _daemonBaseUrl === '') return;
     517 |   try {
>>>  518 |     await fetch(`${_daemonBaseUrl}/events/push`, {
     519 |       method: 'POST',
     520 |       headers: { 'Content-Type': 'application/json' },
     521 |       body: JSON.stringify({ type, payload }),
     522 |       signal: AbortSignal.timeout(2000),
     523 |     });
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #3

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-dispatch.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-dispatch.ts
**Line**: 107
**Severity**: HIGH

**Current code around the issue:**
```
     102 |   });
     103 | }
     104 | 
     105 | async function fetchDaemonSummary(baseUrl: string) {
     106 |   try {
>>>  107 |     const response = await fetch(`${baseUrl}/summary`, {
     108 |       method: 'GET',
     109 |       headers: { Accept: 'application/json' },
     110 |     });
     111 |     if (!response.ok) {
     112 |       return null;
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #4

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-google.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-google.ts
**Line**: 138
**Severity**: HIGH

**Current code around the issue:**
```
     133 |   }
     134 | 
     135 |   const body = buildGoogleBody(messages, cfg);
     136 |   const url = `https://generativelanguage.googleapis.com/v1beta/models/${cfg.model}:streamGenerateContent?alt=sse&key=${apiKey}`;
     137 | 
>>>  138 |   const res = await fetch(url, {
     139 |     method: 'POST',
     140 |     headers: { 'Content-Type': 'application/json' },
     141 |     body: JSON.stringify(body),
     142 |   });
     143 | 
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #5

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-local.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-local.ts
**Line**: 136
**Severity**: HIGH

**Current code around the issue:**
```
     131 |   const body: Record<string, unknown> = { model, messages, stream: true };
     132 |   if (maxTokens != null && maxTokens !== 0) body['max_tokens'] = maxTokens;
     133 | 
     134 |   let res: Response;
     135 |   try {
>>>  136 |     res = await fetch(`${baseUrl}/chat/completions`, {
     137 |       method: 'POST',
     138 |       headers: { 'Content-Type': 'application/json' },
     139 |       body: JSON.stringify(body),
     140 |       ...(signal == null ? {} : { signal }),
     141 |     });
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #6

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-mcp-server.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-mcp-server.ts
**Line**: 47
**Severity**: HIGH

**Current code around the issue:**
```
      42 | let daemonAvailable = false;
      43 | let baseUrl = 'http://127.0.0.1:4173';
      44 | 
      45 | async function checkDaemon() {
      46 |   try {
>>>   47 |     const resp = await fetch(`${baseUrl}/health`, { signal: AbortSignal.timeout(2000) });
      48 |     return resp.ok;
      49 |   } catch {
      50 |     return false;
      51 |   }
      52 | }
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #7

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-mcp-server.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-mcp-server.ts
**Line**: 879
**Severity**: HIGH

**Current code around the issue:**
```
     874 |   'status',
     875 |   'hydra://status',
     876 |   { description: 'Daemon status (if available)', mimeType: 'application/json' },
     877 |   async (_args: unknown) => {
     878 |     try {
>>>  879 |       const health = await fetch(`${baseUrl}/health`, { signal: AbortSignal.timeout(2000) });
     880 |       const data = health.ok ? await health.json() : { available: false };
     881 |       return {
     882 |         contents: [
     883 |           {
     884 |             uri: 'hydra://status',
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #8

Remove hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-project.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data)
**File**: lib/hydra-project.ts
**Line**: 127
**Severity**: HIGH

**Current code around the issue:**
```
     122 | // ── Project Detection ────────────────────────────────────────────────────────
     123 | 
     124 | export function detectProjectName(projectRoot: string): string {
     125 |   try {
     126 |     const pkg = JSON.parse(
>>>  127 |       fs.readFileSync(path.join(projectRoot, 'package.json'), 'utf8'),
     128 |     ) as Record<string, unknown>;
     129 |     if (typeof pkg['name'] === 'string' && pkg['name'].length > 0) return pkg['name'];
     130 |   } catch {
     131 |     /* ignore */
     132 |   }
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #9

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-provider-usage.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-provider-usage.ts
**Line**: 318
**Severity**: HIGH

**Current code around the issue:**
```
     313 | 
     314 | async function fetchOpenAIUsage(adminKey: string): Promise<void> {
     315 |   try {
     316 |     const today = todayKey();
     317 |     const url = `https://api.openai.com/v1/organization/usage/completions?start_date=${today}`;
>>>  318 |     const res = await fetch(url, {
     319 |       headers: { Authorization: `Bearer ${adminKey}` },
     320 |       signal: AbortSignal.timeout(10_000),
     321 |     });
     322 |     if (!res.ok) return;
     323 |     const data = await res.json();
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #10

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-provider-usage.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-provider-usage.ts
**Line**: 343
**Severity**: HIGH

**Current code around the issue:**
```
     338 | 
     339 | async function fetchAnthropicUsage(adminKey: string): Promise<void> {
     340 |   try {
     341 |     const today = todayKey();
     342 |     const url = `https://api.anthropic.com/v1/organizations/usage_report/messages?start_date=${today}`;
>>>  343 |     const res = await fetch(url, {
     344 |       headers: {
     345 |         'x-api-key': adminKey,
     346 |         'anthropic-version': '2023-06-01',
     347 |       },
     348 |       signal: AbortSignal.timeout(10_000),
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #11

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-shared/gemini-executor.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-shared/gemini-executor.ts
**Line**: 157
**Severity**: HIGH

**Current code around the issue:**
```
     152 | }
     153 | 
     154 | export async function getGeminiProjectId(token: string): Promise<string | null> {
     155 |   if (_geminiProjectId != null) return _geminiProjectId;
     156 | 
>>>  157 |   const resp = await fetch(`${CODE_ASSIST_ENDPOINT}:loadCodeAssist`, {
     158 |     method: 'POST',
     159 |     headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
     160 |     body: '{}',
     161 |   });
     162 | 
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #12

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-shared/gemini-executor.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-shared/gemini-executor.ts
**Line**: 263
**Severity**: HIGH

**Current code around the issue:**
```
     258 |   let lastError: string | null = null;
     259 | 
     260 |   for (let attempt = 0; attempt <= config.maxRetries; attempt++) {
     261 |     // sequential: each iteration depends on previous response (retry loop)
     262 |     // eslint-disable-next-line no-await-in-loop
>>>  263 |     const resp = await fetch(`${CODE_ASSIST_ENDPOINT}:generateContent`, {
     264 |       method: 'POST',
     265 |       headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
     266 |       body: JSON.stringify({
     267 |         model,
     268 |         project: projectId,
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #13

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-statusbar.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-statusbar.ts
**Line**: 767
**Severity**: HIGH

**Current code around the issue:**
```
     762 |       port: url.port,
     763 |       path: url.pathname,
     764 |       headers: { Accept: 'text/event-stream' },
     765 |     };
     766 | 
>>>  767 |     sseRequest = http.get(options, (res) => {
     768 |       if (res.statusCode !== 200) {
     769 |         res.resume();
     770 |         fallbackToPolling(baseUrl, agentList);
     771 |         return;
     772 |       }
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #14

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: lib/hydra-statusbar.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mikecubed__Hydra'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: lib/hydra-statusbar.ts
**Line**: 876
**Severity**: HIGH

**Current code around the issue:**
```
     871 |         if (current.status === 'working') continue;
     872 | 
     873 |         try {
     874 |           const url = new URL(`/next?agent=${encodeURIComponent(agent)}`, baseUrl);
     875 |           // eslint-disable-next-line no-await-in-loop -- sequential processing required
>>>  876 |           const res = await fetch(url.href, { signal: AbortSignal.timeout(1500) });
     877 |           if (!res.ok) continue;
     878 |           // eslint-disable-next-line no-await-in-loop -- sequential processing required
     879 |           const data = (await res.json()) as { next?: { action?: string } };
     880 |           const action = data.next?.action;
     881 | 
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚒ significant #15

Address OWASP A02 compliance gap

security compliance owasp
Expected outcome: OWASP A02 compliance issues resolved
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Address OWASP A02 (Cryptographic Failures) compliance gap in 'mikecubed__Hydra'.

**OWASP Category**: A02 -- Cryptographic Failures
**Fix guidance**: Remove hardcoded secrets, use strong encryption (AES-256-GCM), enforce TLS, never store passwords in plaintext (use bcrypt/argon2).

**Steps:**
1. Identify all code paths related to cryptographic failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments
HIGH ⚒ significant #16

Address OWASP A06 compliance gap

security compliance owasp
Expected outcome: OWASP A06 compliance issues resolved
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Address OWASP A06 (Vulnerable Components) compliance gap in 'mikecubed__Hydra'.

**OWASP Category**: A06 -- Vulnerable Components
**Fix guidance**: Update all dependencies to latest stable versions, remove unused dependencies, monitor for new CVEs.

**Steps:**
1. Identify all code paths related to vulnerable components
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments
HIGH ⚙ moderate #17

Fix quality gate failures (2 conditions)

quality-gate quality
Expected outcome: All quality gate conditions pass
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Repository 'mikecubed__Hydra' is failing the quality gate.

Failed conditions:
- overall_score: actual 0.0 >= 50 (FAILED)
- security_score: actual 0.0 >= 40 (FAILED)

Fix each failing condition to make the repo pass the quality gate.
HIGH ⚒ significant #18

Resolve 10 open issues

issues bugs
Expected outcome: All listed issues resolved
Files to modify: lib/hydra-concierge.ts, lib/hydra-dispatch.ts, lib/hydra-google.ts, lib/hydra-local.ts, lib/hydra-mcp-server.ts
Prompt (copy this into your AI assistant)
Repository 'mikecubed__Hydra' has 10 open issues:

- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (lib/hydra-concierge.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (lib/hydra-dispatch.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (lib/hydra-google.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (lib/hydra-local.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (lib/hydra-mcp-server.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (lib/hydra-mcp-server.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data (lib/hydra-project.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (lib/hydra-provider-usage.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (lib/hydra-provider-usage.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (lib/daemon/http-utils.ts)

Resolve each issue. For security issues, apply the appropriate fix. For quality issues, refactor the affected code.
HIGH ⚙ moderate #19

Fix 14 SAST/security code findings

sast security code-fix
Expected outcome: All SAST findings resolved
Files to modify: lib/hydra-dispatch.ts, lib/hydra-mcp-server.ts, lib/hydra-google.ts, lib/hydra-local.ts, lib/hydra-project.ts
Prompt (copy this into your AI assistant)
Static analysis found 14 security issues in 'mikecubed__Hydra':

- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at lib/daemon/http-utils.ts:84
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at lib/hydra-concierge.ts:518
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at lib/hydra-dispatch.ts:107
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at lib/hydra-google.ts:138
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at lib/hydra-local.ts:136
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at lib/hydra-mcp-server.ts:47
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at lib/hydra-mcp-server.ts:879
- [HIGH] [sast:aljefra/taint-path-traversal] Path Traversal via Tainted Data at lib/hydra-project.ts:127
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at lib/hydra-provider-usage.ts:318
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at lib/hydra-provider-usage.ts:343

For each finding:
- SQL injection: use parameterized queries
- Command injection: use subprocess with list args, no shell=True
- Path traversal: validate and sanitize paths
- Insecure deserialization: use json instead of pickle
- IaC misconfigs: apply the suggested fix from the rule