Repository
gitbutlerapp/gitbutler
Scanned on Jun 16, 2026
Risk score/ 100
Low risk
Summary
The repository shows 59 critical findings, all related to SHA-1 usage within Git operations via the gix library. However, all identified instances are in test files, API macros, and Git object handling code where SHA-1 is used for Git compatibility, not cryptographic security. The actual business risk is low as these are inherent to Git's design and not used for authentication, encryption, or security-critical operations.
59
0
0
0
Top findings
- Critical: SHA-1
  crates/but-api-macros/tests/tests/ui/fail/base_invalid_attr_key.rs:10
  SHA-256 or SHA3-256
  Raw evidence
  Ok(gix::ObjectId::null(gix::hash::Kind::Sha1))
- Critical: SHA-1
  crates/but-api/src/json.rs:119
  SHA-256 or SHA3-256
  Raw evidence
  let expected = gix::ObjectId::from_str(hex_str).expect("valid SHA1 hex-string");
- Critical: SHA-1
  crates/but-core/src/commit/mod.rs:45
  SHA-256 or SHA3-256
  Raw evidence
  let bytes: Vec<_> = commit_id.as_bytes()[4..gix::hash::Kind::Sha1.len_in_bytes()]
- Critical: SHA-1
  crates/but-core/tests/core/commit.rs:30
  SHA-256 or SHA3-256
  Raw evidence
  .expect("valid sha1 object id");
- Critical: SHA-1
  crates/but-core/tests/core/commit.rs:44
  SHA-256 or SHA3-256
  Raw evidence
  .expect("valid sha1 object id");
+ 54 more findings in the full report