This repository collects security audits produced by the Swival Security Scanner, an automated code review tool.
Each audit was generated by typing /audit in the Swival REPL and pointing it at the target codebase, with no further human input during analysis.
The goal is to track how a tool-driven audit performs against real, widely deployed software, and to share the resulting findings with the projects that maintain them.
Each audited project lives in its own directory and has its own README.md indexing the findings. Inside, every finding comes as a pair:
- A markdown write-up describing the issue, its impact, and the affected code.
- A
.patchfile with a suggested fix, suitable forgit apply.
Findings are numbered and grouped by component or subsystem when there are enough of them to warrant it. Severities follow the usual High / Medium / Low scheme.
| Project | Findings | Description |
|---|---|---|
| apache-httpd | 56 | Apache HTTP Server |
| boringssl | 12 | Google's fork of OpenSSL |
| bunnycdn-cli | 25 | BunnyCDN command-line client |
| bunnycdn-tokenauthentication | 8 | BunnyCDN token authentication library |
| go/crypto | 54 | Go standard library crypto/* packages |
| h2o | 19 | HTTP/1, HTTP/2 and HTTP/3 server |
| libinjection | 5 | SQL injection and XSS detection library |
| nginx | 12 | High-performance HTTP server and reverse proxy |
| pcre2 | 4 | Perl-compatible regular expressions library |
| picotls | 11 | TLS 1.3 implementation in C |
| quicly | 1 | QUIC protocol implementation in C |
| rust-stdlib | 151 | Rust standard library and supporting crates |
| viceroy | 30 | Local development server for Fastly Compute |
| vsftpd | 3 | Secure FTP daemon for Unix-like systems |
| wasmer-wasix | 44 | WASIX runtime in Wasmer |
| wasmtime-wasi | 5 | WASI implementation in Wasmtime |
| wasmtools-wasmparser | 2 | WebAssembly binary parser from wasm-tools |
| zig-stdlib | 78 | Zig standard library |
| zig-ziglibc | 9 | Zig's libc implementation |
| zlib | 18 | zlib compression library and ports |
These audits are shared as-is. Some findings have already been reported upstream and fixed, others are still being triaged.
Additional codebases have been audited where the tool surfaced serious vulnerabilities. Those results are not published here. The findings have been shared privately with the affected maintainers, and will only be made public once fixes have shipped.
No private models, internal tools, or non-public data were involved in producing any of these findings. Everything here was generated with Swival running against publicly available source code, using GPT-5.4, GPT-5.5 and Qwen-3.6-27B, all of which anyone can access.
Anyone with the same setup has had, and still has, the ability to reproduce the same analysis and reach the same conclusions. For that reason, the issues described in this repository should be assumed to be already known to anyone who cares to look, including parties whose interests may not align with the upstream maintainers.