📄 security-audit-report.md
⬇ Download Raw

Third-Party Software Security Review — ScorpioX Code

Software: ScorpioX Code Type: AI-Powered Development Tool / CLI Platform Language: Pure C (zero external dependencies) Audit Date: 2026-04-28 Codebase Commit: 4d61a6ad4bd4c6e535dd7f57d3eff860eaf61168 Classification: CONFIDENTIAL — For Corporate Review Only

1. Executive Summary

This report presents a comprehensive security audit of ScorpioX Code, an AI-powered development tool and CLI platform written in pure C with vendored dependencies. The audit was conducted across 11 specialized security domains by independent automated agents analyzing the same codebase at commit 4d61a6a.

Key Metrics

MetricValue
Total Source Lines398,610
First-Party Code170,860 lines (42.9%)
Vendored Code227,750 lines (57.1%)
Total Findings395
Critical10
High25
Medium70
Low123
Informational167
Overall Risk RatingHIGH

Assessment Overview

The software demonstrates strong fundamentals in several areas: zero use of unsafe C string functions (sprintf, strcpy, strcat), fully static linking, no setuid binaries, proper namespace isolation in container runtimes, and no external package manager dependencies for the core build. Two well-known vendored libraries (Mbed TLS 3.6.3, yyjson 0.12.0) are properly maintained and licensed.

However, the audit identified significant security gaps in three critical areas:

  • TLS/Certificate Verification (CRITICAL): SSL certificate verification is disabled on all token-fetching endpoints. Authentication tokens are transmitted over plaintext HTTP. The traffic proxy globally disables TLS verification for child processes.
  • Command Injection (HIGH): Despite a recent commit specifically fixing command injection (the HEAD commit), numerous residual system()/popen() calls remain where network-sourced or user-controlled data flows into shell command strings without adequate escaping — particularly in messaging integrations.
  • Memory Safety (HIGH): Systemic missing-NULL-check patterns across 495 allocation calls, several use-after-free vulnerabilities in network-facing server components, and 35 unsafe realloc() patterns that leak memory on failure.
  • The Windows deployment surface is significantly narrower: 10 Linux/macOS-only binaries (including the container runtimes and messaging bridges where the most critical command injection and privilege findings reside) are excluded from Windows builds.


    2. Deployment Scope — Windows Workstation vs. Server-Side

    2.1 Primary Deployment: Windows Workstation

    ScorpioX Code is deployed as a statically-linked Windows application distributed as a ZIP archive containing executables and bundled GNU/BusyBox Unix tools. The build uses MinGW (WinLibs POSIX UCRT) with static linking against all libraries.

    2.2 Windows Binaries (54 total)

    The following executables are compiled for and deployed on Windows:

    CategoryBinaries
    Core TUI & Shellsx.exe, scorpiox-bash.exe, scorpiox-tmux.exe, scorpiox-multiplexer.exe, scorpiox-vi.exe, scorpiox-config.exe
    AI Provider Proxiesscorpiox-gemini.exe, scorpiox-openai.exe, scorpiox-beam.exe, scorpiox-host.exe
    Token Managementscorpiox-claudecode-fetchtoken.exe, scorpiox-claudecode-refreshtoken.exe, scorpiox-codex-fetchtoken.exe, scorpiox-codex-refreshtoken.exe, scorpiox-gemini-fetchtoken.exe, scorpiox-server-fetchtoken.exe, scorpiox-claudecode-models.exe
    Tools & Utilitiesscorpiox-websearch.exe, scorpiox-fetch.exe, scorpiox-renderimage.exe, scorpiox-screenshot.exe, scorpiox-executecurl.exe, scorpiox-kql.exe
    Agent & SDKscorpiox-agent.exe, scorpiox-sdk.exe, scorpiox-tasks.exe, scorpiox-skills.exe, scorpiox-planmode.exe, scorpiox-askuserquestion.exe, scorpiox-mcp.exe, scorpiox-hook.exe, scorpiox-runtest.exe
    Session & Loggingscorpiox-conv.exe, scorpiox-rewind.exe, scorpiox-debug.exe, scorpiox-logger.exe, scorpiox-printlogs.exe, scorpiox-transcript.exe, scorpiox-systemprompt.exe
    Infrastructurescorpiox-server.exe, scorpiox-server-http2tcp.exe, scorpiox-server-email.exe, scorpiox-email.exe, scorpiox-dns.exe, scorpiox-frp.exe
    Telemetryscorpiox-usage.exe, scorpiox-emit-session.exe
    Windows-Onlyscorpiox-wsl.exe (WSL2 runtime), scorpiox-busybox.exe (Unix tools manager)
    Otherscorpiox-voice.exe, scorpiox-otp.exe, scorpiox-search.exe, scorpiox-docs.exe, scorpiox-vault-git.exe, scorpiox-mirror-git.exe, scorpiox-pwsh.exe

    2.3 Linux/macOS-Only Binaries — NOT Deployed on Windows

    BinaryPlatformReason
    scorpiox-unshareLinuxLinux user namespaces, sys/mount.h, sys/syscall.h
    scorpiox-vmLinuxLinux KVM ioctls
    scorpiox-initLinuxContainer PID 1, Linux-only syscalls
    scorpiox-sshpassUnixPTY (forkpty), Unix-only
    scorpiox-trafficUnixNetwork traffic interception, Unix sockets
    scorpiox-podmanUnixPodman container execution
    scorpiox-cronUnixCrontab wrapper
    scorpiox-whatsappUnixUses fork/pipe/select
    scorpiox-thunderbolt4macOSmacOS framework APIs
    scorpiox-imessagemacOSmacOS iMessage integration

    2.4 Windows-Filtered Findings

    When scoped to Windows workstation deployment only (excluding Linux/macOS-only binaries), the finding counts are reduced:

    SeverityAll PlatformsWindows OnlyExcluded
    Critical1073 (traffic proxy TLS bypass, WhatsApp/iMessage injection)
    High25205 (WhatsApp/iMessage/Podman/unshare injection, unshare privilege)
    Medium70628 (WhatsApp injection, namespace isolation gaps)
    Low1231194 (Linux-specific)
    Total395208187

    3. Changes Since Last Audit

    The most recent previous audit was conducted on the same date against commit f7f14b4.

    MetricPrevious (f7f14b4)Current (4d61a6a)Delta
    Overall RiskMEDIUMHIGH⬆ Increased
    Audit Agents5 (general)11 (specialized)+6
    Total Findings40395+355
    Critical510+5
    High1225+13
    Medium1470+56
    Low6123+117
    Info3167+164
    Lines of Code369,495398,610+29,115
    Interpretation: The significant increase in findings is primarily attributable to the expanded audit scope — from 5 general-purpose agents to 11 specialized agents with deeper analysis (particularly the memory safety agent which contributed 230 findings alone, including 92 LOW-severity missing-NULL-checks and 93 INFO-severity leak candidates). The HEAD commit (security: fix command injection — replace system()/popen() with fork+execvp) demonstrates active remediation of previously identified command injection vectors.

    4. Supply Chain & Dependencies

    Agent Risk Rating: LOW

    Key Findings

    The core build has zero external package manager dependencies. All third-party code is vendored in-tree:

    LibraryVersionLinesLicenseAssessment
    Mbed TLS3.6.3 (LTS)207,697Apache-2.0 / GPL-2.0+✅ Well-established, ARM-maintained
    yyjson0.12.019,556MIT✅ Widely-used JSON parser
    System dependencies (linked statically): libcurl, OpenSSL, zlib, pthreads, nghttp2/3, brotli, zstd, c-ares, libpsl, libidn2, libunistring.
    #SeverityFinding
    1MEDIUMTwo pre-built ELF binaries (bridge/scorpiox-ws2tcp, bridge/scorpiox-ws2tcp-arm64) committed to repository without reproducible build provenance
    2LOWnpm dependency tree (~104 transitive packages) in WhatsApp bridge component via community-maintained @whiskeysockets/baileys
    3LOWMSYS2 download script (vendor/gnuwin64/download.ps1) lacks package hash verification
    4INFOVendored code represents 57.1% of total codebase (dominated by Mbed TLS)
    5INFOAll vendored libraries are well-known, properly licensed, at recent versions

    5. Build System & Code Provenance

    Agent Risk Rating: LOW-MEDIUM

    Build System

    Security Hardening Gaps

    The following compiler hardening flags are absent from all build configurations:

    FlagPurposeStatus
    -fstack-protector-strongStack buffer overflow detection❌ Missing
    -D_FORTIFY_SOURCE=2Runtime buffer overflow checks❌ Missing
    -fPIE / -pieASLR (position-independent executables)❌ Missing
    -Wl,-z,relro,-z,nowFull RELRO (GOT protection)❌ Missing
    -fstack-clash-protectionStack clash prevention❌ Missing
    -fcf-protectionControl-flow integrity❌ Missing

    > Note: Static linking provides inherent protection against shared library attacks, but the absence of stack protectors and FORTIFY_SOURCE remains a gap.

    Code Provenance

    #SeverityFinding
    1MEDIUMMissing compiler security hardening flags (stack protector, FORTIFY_SOURCE, PIE, RELRO)
    2MEDIUMBuild-time Python script fetches model IDs from external API (currently frozen/disabled)
    3LOWGit history shows 99%+ single-organization commits
    4LOWstrip applied to release binaries (good practice, minor debug impact)
    5LOWNo code signing for released binaries

    6. Network Endpoints

    Agent Risk Rating: HIGH

    Endpoint Inventory

    The codebase contains 53 unique hardcoded endpoints in project code:

    CategoryCountProtocol
    Token/Auth endpoints9HTTP (plaintext) ⚠️
    Distribution/Update URLs12HTTPS ✅
    API service endpoints8HTTPS ✅
    Internal IP addresses5Various ⚠️
    Localhost bindings7TCP
    Third-party APIs12HTTPS ✅

    Critical Network Findings

    #SeverityFinding
    1HIGH9 token-fetching endpoints use plaintext http:// — authentication tokens transmitted in cleartext
    2MEDIUM5 hardcoded private IP addresses embedded in source/config (information disclosure of internal topology)
    3LOW7 hardcoded default ports and localhost bindings
    4INFO38 HTTPS URLs properly encrypted for distribution, API, and third-party services

    7. TLS/SSL Security

    Agent Risk Rating: CRITICAL

    This domain represents the most severe findings in the audit.

    Critical Findings

    IDFindingCVSSImpact
    C01SSL certificate verification disabled (CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0) on all token-fetch endpoints (Gemini, Codex, Claude Code)9.1MITM can intercept OAuth tokens
    C02Default token endpoints use plaintext HTTP (http://token.scorpiox.net/...)9.1Cleartext credential transmission
    C03Traffic proxy globally disables TLS verification via environment variables (NODE_TLS_REJECT_UNAUTHORIZED=0, CURLOPT_SSL_VERIFYPEER=0)8.1All child processes vulnerable to MITM (Linux only)

    Additional TLS Findings

    #SeverityFinding
    1HIGHmbedTLS client connections configured without certificate verification (MBEDTLS_SSL_VERIFY_NONE)
    2HIGHSMTP client (sxmail_tls.c) disables certificate verification for outbound mail relay
    3MEDIUMNo minimum TLS version enforcement via CURLOPT_SSLVERSION
    4MEDIUMRouter URL (scorpiox.net:5176) uses plaintext HTTP
    5MEDIUMSMTP server supports STARTTLS but also allows plaintext fallback
    6LOWNo certificate pinning for high-value endpoints
    7INFORefresh token endpoints (scorpiox-codex-refreshtoken, scorpiox-claudecode-refreshtoken) correctly enable verification — inconsistency with fetch endpoints
    8INFOmbedTLS server-mode VERIFY_NONE is acceptable (no mutual TLS requirement)

    8. Hardcoded Credentials

    Agent Risk Rating: MEDIUM No active credentials (real API keys, production passwords, or live tokens) were found hardcoded in the codebase. Findings relate to placeholder values and internal infrastructure details.
    #SeverityFinding
    1MEDIUMPlaceholder OpenAI API key "xxx" hardcoded as default — triggers authentication attempts with garbage value
    2MEDIUMDefault SSH username "root" hardcoded for Claude Code token fetching
    3MEDIUMInternal SSH host IP (192.168.1.6) in distributed config file with SSH_USER=root, SSH_PORT=22223
    4LOWInternal IP 192.168.1.3 for TMUX remote host in embedded config
    5LOWInternal IP addresses for OTP, voice, and server endpoints in config
    6LOWDefault SSH port 22223 and SSH key path in config
    7LOWSSH password placeholder sshpassword in config
    8LOWCodex SSH credentials pattern similar to Claude Code
    9-12INFOAPI key fields empty by default (good practice); config masking function exists; no .env files committed

    9. File I/O & Data Handling

    Agent Risk Rating: MEDIUM
    #SeverityFinding
    1HIGHEnvironment variables logged without sensitive value filtering in agent/server modules — API keys may appear in plaintext logs
    2HIGHPredictable temp file names in /tmp (e.g., /tmp/sx_voice.wav, /tmp/sx_emit_*.txt) using snprintf instead of mkstemp — symlink attacks possible
    3MEDIUMInsecure temp file creation via fopen() without O_EXCL in multiple modules
    4MEDIUMInconsistent directory permissions — some paths use 0700, others use 0755 or default umask
    5MEDIUMMissing O_CLOEXEC on file descriptors — potential leakage to child processes
    6MEDIUMConfiguration values (including sensitive ones) written to disk in plaintext
    7LOWMissing umask() before file creation in several modules
    8LOW/tmp files not cleaned on crash/signal
    9LOWTOCTOU race conditions in temp file operations
    10-12INFOAuth tokens properly redacted in traffic logs (positive); sx_config_is_sensitive() used for config logging (positive); session directories use 0700 (positive)

    10. Buffer Safety

    Agent Risk Rating: LOW

    This is a strong area for the codebase.

    Safe Function Usage (Project Code)

    FunctionCountSafety
    snprintf2,248✅ Bounded
    strncpy591✅ Bounded
    strncat14✅ Bounded
    sprintf0✅ Not used
    strcpy (bare)0✅ Not used
    strcat (bare)0✅ Not used
    gets0✅ Not used
    Safe-to-unsafe ratio: ∞ — No unsafe string functions in project code.
    #SeverityFinding
    1MEDIUMSigned int position accumulators in snprintf() loops can silently overflow, causing truncated command strings — potential for partial command execution
    2LOWLarge stack buffers (4–16 KB) with accumulation loops lack explicit truncation detection
    3LOWstrncpy usage does not always ensure NUL termination on exact-fit copies
    4-8INFOVendor code (yyjson) has single conditional sprintf fallback for pre-C99 compilers only; all mbedTLS format calls use snprintf; no format string vulnerabilities found

    11. Memory Safety

    Agent Risk Rating: HIGH

    The memory safety audit analyzed 495 allocation calls and 1,309 free() calls across 150 non-vendor source files. This domain produced the highest finding count.

    Summary

    CategoryCountSeverity
    Use-after-free in network/server paths3Critical
    Use-after-free in agent/protocol handlers7High
    Unsafe realloc (old pointer lost on failure)35Medium
    Missing NULL check after malloc/calloc/realloc92Low
    Early-return memory leak candidates93Info

    Critical Memory Findings

    IDFindingLocation
    CRIT-03Multiple unchecked malloc calls in HTTP server request handler — NULL dereference crash causes denial of servicescorpiox-server.c:2409, 2806

    > Note: Two initially-reported critical use-after-free findings (CRIT-01 in sxmail_queue.c and CRIT-02 in ws2tcp.c) were verified as false positives upon detailed analysis — control flow prevents the freed pointers from being used.

    Systemic Patterns


    12. Command Injection

    Agent Risk Rating: HIGH

    The HEAD commit (4d61a6a: security: fix command injection — replace system()/popen() with fork+execvp) demonstrates active remediation. However, residual vulnerabilities remain.

    Critical Command Injection Findings

    IDFindingCVSSNetwork?Windows?
    C1Hook data JSON injected into popen()/system() — single quotes not escaped9.8Yes (webhook events)Yes
    C2WhatsApp message content injected into system() — display name, emoji, message ID9.8Yes (any WhatsApp sender)No
    C3iMessage sender data injected into system() — phone number in folder path8.8Yes (any iMessage sender)No
    C4is_safe_shell_arg() does not block single quotes — all callers using single-quote delimited system() calls are bypassable9.0VariousYes

    High Severity

    IDFindingNetwork?Windows?
    H1WSL command construction with user-controlled project names into system()NoYes
    H2Server config values interpolated into system() for agent spawningConfigYes
    H3iMessage attachment path injectionYesNo
    H4WhatsApp OGG conversion with unsanitized pathsNoNo
    H5Podman image/container names into system()NoNo
    H6Unshare overlay paths into system()NoNo
    H7Server OTP generation with query parameters (partially fixed)YesYes
    H8SSH proxy hostname injection in TMUXConfigYes

    Recommendations

  • Replace all remaining system() calls with fork() + execvp() — the codebase already demonstrates this pattern correctly in scorpiox-websearch.c and the editor launch.
  • Fix is_safe_shell_arg() to block single quotes — add ' to the rejected character list.
  • Implement proper shell escaping for any remaining system()/popen() usage.

  • 13. Privilege & Access Control

    Agent Risk Rating: MEDIUM

    Positive Findings

    Findings

    #SeverityFinding
    1HIGHWSL2 runtime executes all container operations as root (wsl.exe -d -u root)
    2HIGHShell command strings built via snprintf() and passed to system() in WSL module
    3HIGHContainer runtime retains root-capable code paths when getuid() == 0 (skips user namespace)
    4MEDIUMGPU passthrough (--gpu) bind-mounts all /dev/nvidia and /dev/dri/ into container
    5MEDIUMMissing IPC namespace isolation (CLONE_NEWIPC not set) — shared memory leakage between container and host
    6MEDIUMTAP networking requires CAP_NET_ADMIN in VM runtime
    7MEDIUMcgroup v2 memory limits require delegation (often root)
    8MEDIUMWSL overlay runs as root inside WSL distribution
    9-12MEDIUMVarious system()-based command execution patterns in container/WSL modules
    13-16LOWUID/GID map manipulation (standard rootless pattern), /dev/kvm access, /proc mount without MS_NOEXEC fallback
    17-19INFOStandard Unix domain socket usage, pipe-based IPC, proper signal handling

    14. Windows Deployment Analysis

    Agent Risk Rating: LOW

    Windows-Specific Implementation

    The Windows build demonstrates good cross-platform hygiene:

    FeatureImplementation
    Process executionCreateProcess + CREATE_NO_WINDOW for background commands; ConPTY for terminal
    NetworkWinsock2 with WSAStartup/WSACleanup; WinINet for WSL image downloads
    Screen captureGDI (BitBlt, GetDIBits, EnumDisplayMonitors)
    File transferTransmitFile (zero-copy Winsock)
    TerminalConPTY (CreatePseudoConsole) on Windows 10 1809+
    TLSStatic libcurl with bundled curl-ca-bundle.crt

    Windows-Specific Findings

    #SeverityFinding
    1-5INFOStandard Windows API usage patterns; proper #ifdef _WIN32/SX_WINDOWS guards; no Windows-specific backdoors or novel attack surfaces beyond the general codebase findings
    Assessment: No additional Windows-specific vulnerabilities were identified beyond those already documented in the cross-platform audit sections. The Windows deployment surface is narrower due to the exclusion of 10 Linux/macOS-only binaries.

    15. Telemetry and Tracking

    Note: The telemetry-tracking audit branch was not available for merge. Assessment is based on static analysis of telemetry-related binaries identified in other audit reports.

    Identified Telemetry Components

    BinaryEndpointData Sent
    scorpiox-usagehttps://code.scorpiox.net/usage-sendToken usage metrics
    scorpiox-emit-sessionhttps://code.scorpiox.net/sessions-sendSession event data

    Observations


    16. Consolidated Risk Matrix

    AreaFindingSeverityStatusWindows?Recommendation
    TLSSSL cert verification disabled on token-fetch endpointsCRITICALOpenYesEnable CURLOPT_SSL_VERIFYPEER=1, CURLOPT_SSL_VERIFYHOST=2; use CURLOPT_CAINFO for CA bundle
    TLSToken endpoints use plaintext HTTPCRITICALOpenYesMigrate all http://token.scorpiox.net/ to https://
    TLSTraffic proxy global TLS bypassCRITICALOpenNoRemove NODE_TLS_REJECT_UNAUTHORIZED=0 and similar env overrides
    Cmd InjectionHook data JSON in system() — single quotes unescapedCRITICALOpenYesUse fork()+execvp() instead of system()
    Cmd InjectionWhatsApp message injection via system()CRITICALOpenNoReplace system() with fork()+execvp()
    Cmd InjectioniMessage sender injection via system()CRITICALOpenNoReplace system() with fork()+execvp()
    Cmd Injectionis_safe_shell_arg() missing single-quote blockCRITICALOpenYesAdd ' to rejected characters
    MemoryUnchecked malloc in HTTP server — DoSCRITICALOpenYesAdd NULL checks after all allocations in server path
    MemoryUse-after-free in agent/protocol handlersHIGHOpenYesAudit and fix free/use ordering
    Memory35 unsafe realloc patternsMEDIUMOpenYesUse tmp = realloc(ptr, size); if (tmp) ptr = tmp;
    Memory92 missing NULL checks after allocationLOWOpenYesAdd systematic NULL checks
    Network9 plaintext HTTP token endpointsHIGHOpenYesEnforce HTTPS-only
    Network5 hardcoded internal IP addressesMEDIUMOpenYesRemove from distributed config; use empty defaults
    BuildMissing compiler hardening flagsMEDIUMOpenYesAdd -fstack-protector-strong -D_FORTIFY_SOURCE=2
    CredentialsPlaceholder API key "xxx" triggers auth attemptsMEDIUMOpenYesSet default to empty string ""
    CredentialsSSH root user + internal IP in shipped configMEDIUMOpenYesShip config with empty values
    File I/OSensitive env vars logged in plaintextHIGHOpenYesApply sx_config_is_sensitive() filtering
    File I/OPredictable temp files without mkstempHIGHOpenYesUse mkstemp()/tmpfile() for temp file creation
    File I/OMissing O_CLOEXEC on file descriptorsMEDIUMOpenYesAdd O_CLOEXEC to all open() calls
    PrivilegeWSL runtime executes as rootHIGHOpenYesUse non-root WSL user where possible
    PrivilegeMissing IPC namespace isolationMEDIUMOpenNoAdd CLONE_NEWIPC to clone flags
    Supply ChainPre-built ELF binaries in repositoryMEDIUMOpenNoBuild from source in CI
    BufferSigned int accumulators in snprintf() loopsMEDIUMOpenYesUse size_t with bounds clamping

    17. Conclusion & Recommendations

    Overall Assessment

    ScorpioX Code demonstrates a mature C codebase with strong fundamentals — zero unsafe string functions, comprehensive static linking, no privilege escalation vectors, and careful namespace isolation in container components. The HEAD commit shows active security remediation.

    However, three systemic issues elevate the overall risk to HIGH:

  • TLS verification bypass is the most urgent issue — authentication tokens are transmitted in cleartext and certificate verification is disabled on critical endpoints.
  • Residual command injection via system()/popen() calls remains widespread despite recent fixes.
  • Memory safety gaps (unchecked allocations, unsafe realloc patterns) are typical of C codebases but create denial-of-service risk in network-facing components.
  • Priority Remediation

    PriorityActionImpact
    P0 — ImmediateEnable TLS certificate verification on all token-fetch endpointsPrevents credential interception
    P0 — ImmediateMigrate token URLs from http:// to https://Encrypts authentication traffic
    P1 — HighReplace remaining system()/popen() with fork()+execvp()Eliminates command injection class
    P1 — HighFix is_safe_shell_arg() single-quote bypassCloses escaping gap
    P2 — MediumAdd NULL checks after allocations in server/agent pathsPrevents DoS via NULL dereference
    P2 — MediumEnable compiler hardening flagsDefense-in-depth against memory corruption
    P2 — MediumUse mkstemp() for temp file creationPrevents symlink/race attacks
    P3 — LowRemove internal IPs from distributed configReduces information leakage
    P3 — LowFix unsafe realloc patternsPrevents memory leaks under pressure

    Windows Workstation Risk Rating

    For the scoped Windows workstation deployment: MEDIUM-HIGH — The most severe findings (TLS bypass, credential plaintext transmission, hook command injection) apply to Windows. However, the highest-CVSS command injection vectors (WhatsApp/iMessage message injection) are Linux/macOS-only.


    18. Appendix: Audit Methodology

    Audit Framework

    This audit employed 11 specialized automated agents, each analyzing the complete codebase from a specific security domain:

    AgentDomainMethod
    supply-chainDependencies, vendored code, package managersDependency tree analysis, license check, binary detection
    build-provenanceBuild system, compiler flags, code signingCMake/Makefile analysis, flag inventory
    network-endpointsURLs, IPs, ports, protocolsStatic string extraction, protocol classification
    tls-securityTLS configuration, certificate verificationlibcurl option audit, mbedTLS config review
    credential-hardcodeAPI keys, passwords, tokens, secretsPattern matching, entropy analysis, config review
    file-ioFile operations, temp files, permissionsSyscall audit, permission analysis, race condition detection
    buffer-safetyBuffer overflows, format strings, bounds checkingFunction census, pattern analysis, accumulator audit
    memory-safetymalloc/free correctness, use-after-free, leaksAllocation tracking, free-order analysis, realloc patterns
    command-injectionsystem()/popen()/exec() with user inputTaint analysis, shell metacharacter flow
    privilege-accessSetuid, namespaces, capabilities, process spawningPrivilege API audit, namespace isolation review
    windows-deploymentWindows binaries, APIs, platform-specific risksBinary inventory, Win32 API audit, cross-platform guard review

    Scope

    Severity Classification

    LevelDefinition
    CRITICALExploitable remotely without authentication; direct credential/data compromise
    HIGHSignificant security weakness; requires specific conditions for exploitation
    MEDIUMSecurity concern with mitigating factors; defense-in-depth gap
    LOWMinor issue; best-practice deviation with minimal direct impact
    INFOObservation or positive finding; no direct security impact