Repository Analysis

bitwarden/server

Bitwarden infrastructure/backend (API, database, Docker, etc).

0.4 — Likely human-written
Adjusted Score: 0.4
Raw Score: 0.4
Time Factor: 100%
Last Push: 2026-05-30
Stars: 18,995
Language: C#
Lines of Code: 1,754,774
Files: 6071
Pattern Hits: 637
Scan Date: 2026-05-31

Score History

Severity Breakdown

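CRITICAL 11 · HIGH 1 · MEDIUM 3 · LOW 622

Judging by the category names below, these severity labels rank how strongly a match suggests machine-generated code; they are not vulnerability ratings for the repository.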

Pattern Findings

637 matches across 7 categories.

Over-Commented Block — 536 hits · 536 pts
Severity | File | Line | Snippet
LOW…/Sso.IntegrationTest/Utilities/SuccessfulAuthResult.cs1using System.Security.Claims;
LOW…/IdentityServer/DistributedCachePersistedGrantStore.cs1using Bit.Sso.Utilities;
LOW…arden_license/src/Sso/Utilities/OpenIdConnectScopes.cs1namespace Bit.Sso.Utilities;
LOW…arden_license/src/Sso/Utilities/OpenIdConnectScopes.cs21 /// OPTIONAL. This scope value requests access to the End-User's default
LOW…arden_license/src/Sso/Utilities/OpenIdConnectScopes.cs41 /// phone_number_verified Claims.
LOW…arden_license/src/Sso/Controllers/AccountController.cs461 var providerUserId = userIdClaim.Value;
LOW…grationTest/Auth/Repositories/DeviceRepositoryTests.cs581 // Act
LOW…grationTest/Auth/Repositories/DeviceRepositoryTests.cs801
LOW…ationTestCommon/Factories/WebApplicationFactoryBase.cs81 /// </summary>
LOW…ationTestCommon/Factories/WebApplicationFactoryBase.cs101 /// <summary>
LOW…OrganizationDuoUniversalTwoFactorTokenProviderTests.cs241 // Assert
LOW…s/EmergencyAccess/DeleteEmergencyAccessCommandTests.cs361 mail.ToEmails.Contains(bobAliceRecord.GrantorEmail) &&
LOW…est/Platform/Push/Engines/AzureQueuePushEngineTests.cs721 // [Fact]
LOWtest/Core.Test/AutoFixture/AutoFixtureExtensions.cs1using System.Linq.Expressions;
LOWtest/Core.Test/AutoFixture/AutoFixtureExtensions.cs21 var rnd = new Random(seed);
LOW…igration/ValueObjects/MigrationPathIdsSnapshotTests.cs1using Bit.Core.Billing.Enums;
LOWtest/Identity.Test/Wrappers/UserManagerTestWrapper.cs61 return Task.FromResult(TWO_FACTOR_ENABLED);
LOW…ty.IntegrationTest/Endpoints/IdentityServerSsoTests.cs61 // "HasMasterPassword": true,
LOW…ty.IntegrationTest/Endpoints/IdentityServerSsoTests.cs141 // they can decrypt with either option
LOW…ty.IntegrationTest/Endpoints/IdentityServerSsoTests.cs181 // "UserDecryptionOptions": {
LOW…ty.IntegrationTest/Endpoints/IdentityServerSsoTests.cs241 Name = "Android",
LOW…ion/VaultAccess/ResourceOwnerPasswordValidatorTests.cs61
LOW…i.Test/Utilities/ControllerAuthorizationTestHelpers.cs21
LOW…i.Test/Utilities/ControllerAuthorizationTestHelpers.cs41 /// </description>
LOW…st/Api.Test/Dirt/OrganizationReportsControllerTests.cs121 // {
LOWtest/Common/AutoFixture/SutProvider.cs41 /// <summary>
LOWtest/Common/AutoFixture/SutProvider.cs81
LOW…Common/AutoFixture/Attributes/BitCustomizeAttribute.cs1using AutoFixture;
LOW…ure/Attributes/RepeatingPatternBitAutoDataAttribute.cs1#nullable enable
LOW…ure/Attributes/RepeatingPatternBitAutoDataAttribute.cs21/// 1st example:
LOW…st/Common/MockedHttpClient/MockedHttpMessageHandler.cs41 }
LOW…st/Common/MockedHttpClient/MockedHttpMessageHandler.cs81
LOW….IntegrationTest/Controllers/AccountsControllerTest.cs421
LOW….IntegrationTest/Controllers/AccountsControllerTest.cs601 var response = await _client.SendAsync(message);
LOW…ationTest/Controllers/EmergencyAccessControllerTest.cs121 /// Scope: end-to-end through the V2 path; also asserts the grantor's KDF is
LOW…/Api.IntegrationTest/Helpers/PerformanceTestHelpers.cs1using System.Net.Http.Headers;
LOWtest/SeederApi.IntegrationTest/HttpClientExtensions.cs1using System.Diagnostics.CodeAnalysis;
LOWutil/EfShared/MigrationBuilderExtensions.cs1using System.Runtime.CompilerServices;
LOWutil/Seeder/IQuery.cs1namespace Bit.Seeder;
LOWutil/Seeder/IQuery.cs21 /// Executes the query based on the provided request object.
LOWutil/Seeder/IQuery.cs41 /// <summary>
LOWutil/Seeder/IScene.cs1namespace Bit.Seeder;
LOWutil/Seeder/IScene.cs21 /// </summary>
LOWutil/Seeder/IScene.cs41 /// </summary>
LOWutil/Seeder/IScene.cs61 }
LOWutil/Seeder/IScene.cs81 /// <returns>A scene result containing the typed result data, mangle map, and entity tracking information.</returns>
LOWutil/Seeder/Options/DensityProfile.cs21 public double MembershipSkew { get; init; }
LOWutil/Seeder/Options/DensityProfile.cs41 public double EmptyGroupRate { get; init; }
LOWutil/Seeder/Options/DensityProfile.cs61 /// </summary>
LOWutil/Seeder/Options/DensityProfile.cs81 /// </summary>
LOWutil/Seeder/Options/IndividualUserOptions.cs1namespace Bit.Seeder.Options;
LOWutil/Seeder/Options/IndividualUserOptions.cs21 /// Optional email.
LOWutil/Seeder/Options/OrganizationVaultOptions.cs21 public required string Domain { get; init; }
LOWutil/Seeder/Options/OrganizationVaultOptions.cs41 /// </summary>
LOWutil/Seeder/Options/OrganizationVaultOptions.cs61
LOWutil/Seeder/Options/OrganizationVaultOptions.cs81 /// <summary>
LOWutil/Seeder/Options/OrganizationVaultOptions.cs101 public string? Password { get; init; }
LOWutil/Seeder/Pipeline/BulkCommitter.cs21/// Flushes accumulated entities from <see cref="SeederContext"/> to the database via BulkCopy.
LOWutil/Seeder/Pipeline/EntityRegistry.cs1namespace Bit.Seeder.Pipeline;
LOWutil/Seeder/Pipeline/EntityRegistry.cs21 internal record UserDigest(Guid UserId, Guid OrgUserId, string SymmetricKey);
476 more matches not shown…
Hallucination Indicators — 11 hits · 110 pts
Severity | File | Line | Snippet
CRITICAL…Organizations/InitPendingOrganizationValidatorTests.cs429 OrganizationKeys = new Bit.Core.KeyManagement.Models.Data.PublicKeyEncryptionKeyPairData(
CRITICAL…entity.IntegrationTest/Login/ClientVersionGateTests.cs79 var error = Bit.Test.Common.Helpers.AssertHelper.AssertJsonProperty(errorBody.RootElement, "ErrorModel", JsonVal
CRITICAL…entity.IntegrationTest/Login/ClientVersionGateTests.cs80 var message = Bit.Test.Common.Helpers.AssertHelper.AssertJsonProperty(error, "Message", JsonValueKind.String).Ge
CRITICAL…onsole/Controllers/OrganizationUsersControllerTests.cs710 .Returns(new Bit.Core.AdminConsole.Utilities.v2.Results.CommandResult(new OneOf.Types.None()));
CRITICAL…onsole/Controllers/OrganizationUsersControllerTests.cs735 .Returns(new Bit.Core.AdminConsole.Utilities.v2.Results.CommandResult(
CRITICAL…onsole/Controllers/OrganizationUsersControllerTests.cs736 new Bit.Core.AdminConsole.OrganizationFeatures.AccountRecovery.v2.PasswordUpdateFailedError("Error messa
CRITICAL…ks/Identity/IdentityServer/PersistedGrantStoreTests.cs51 new Bit.Core.Auth.Repositories.Cosmos.GrantRepository(cosmosConnectionString),
CRITICAL…ks/Identity/IdentityServer/PersistedGrantStoreTests.cs52 g => new Bit.Core.Auth.Models.Data.GrantItem(g)
CRITICAL…erver/RequestValidators/CustomTokenRequestValidator.cs104 || context.Result.ValidatedRequest.Client.AllowedScopes.Contains(ApiScopes.ApiSecrets))
CRITICAL…erver/RequestValidators/CustomTokenRequestValidator.cs106 if (context.Result.ValidatedRequest.Client.Properties.TryGetValue("encryptedPayload", out var payload) &&
CRITICALsrc/Admin/AdminConsole/Models/OrganizationEditModel.cs34 Plan = Core.Billing.Enums.PlanType.TeamsMonthly.GetDisplayAttribute()?.GetName();
Fake / Example Data — 67 hits · 66 pts
Severity | File | Line | Snippet
LOW…nse/test/SSO.Test/Controllers/AccountControllerTest.cs312 var user = new User { Id = Guid.NewGuid(), Email = "user@example.com" };
LOW…nse/test/SSO.Test/Controllers/AccountControllerTest.cs556 var email = "user@example.com";
LOW…nse/test/SSO.Test/Controllers/AccountControllerTest.cs619 var email = "user@example.com";
LOWtest/Billing.Test/Controllers/BitPayControllerTests.cs233 var user = new User { Id = userId, Email = "user@example.com" };
LOWtest/Billing.Test/Controllers/BitPayControllerTests.cs248 await _mailService.Received(1).SendAddedCreditAsync("user@example.com", 100.00m);
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs151 var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs194 Arg.Is<IEnumerable<string>>(emails => emails.Contains("user@example.com")),
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs236 var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs298 email.ToEmails.Contains("user@example.com") &&
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs1059 var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs1114 Arg.Is<IEnumerable<string>>(emails => emails.Contains("user@example.com")),
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs1205 var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs2479 var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs2530 Arg.Is<IEnumerable<string>>(emails => emails.Contains("user@example.com")),
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs2565 var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs2621 Arg.Is<IEnumerable<string>>(emails => emails.Contains("user@example.com")),
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs2656 var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs2702 email.ToEmails.Contains("user@example.com") &&
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs2745 var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs2796 Arg.Is<IEnumerable<string>>(emails => emails.Contains("user@example.com")),
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs2826 var user = new User { Id = _userId, Email = "user@example.com", Premium = true };
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs2952 var organization = new Organization { Id = _organizationId, PlanType = PlanType.TeamsAnnually, BillingEmail = "t
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs3039 var organization = new Organization { Id = _organizationId, PlanType = PlanType.TeamsAnnually, BillingEmail = "t
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs3085 var user = new User { Id = _userId, Email = "test@test.com", Premium = true };
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs3171 var user = new User { Id = _userId, Email = "test@test.com", Premium = true };
LOW…t/Billing.Test/Services/UpcomingInvoiceHandlerTests.cs3217 var user = new User { Id = _userId, Email = "test@test.com", Premium = true };
LOW…pi/Request/Accounts/RegisterFinishRequestModelTests.cs325 Email = "user@example.com",
LOW…pi/Request/Accounts/RegisterFinishRequestModelTests.cs356 Email = "user@example.com",
LOW…pi/Request/Accounts/RegisterFinishRequestModelTests.cs377 Email = "user@example.com",
LOW…pi/Request/Accounts/RegisterFinishRequestModelTests.cs398 Email = "user@example.com",
LOW…pi/Request/Accounts/RegisterFinishRequestModelTests.cs416 Email = "user@example.com",
LOW…pi/Request/Accounts/RegisterFinishRequestModelTests.cs441 Email = "user@example.com",
LOW…pi/Request/Accounts/RegisterFinishRequestModelTests.cs468 Email = "user@example.com",
LOW…pi/Request/Accounts/RegisterFinishRequestModelTests.cs495 Email = "user@example.com",
LOW…pi/Request/Accounts/RegisterFinishRequestModelTests.cs522 Email = "user@example.com",
LOW…/UserFeatures/Registration/RegisterUserCommandTests.cs578 user.Email = "user@example.com";
LOW…ore.Test/Platform/Mailer/HandlebarMailRendererTests.cs49 var view = new TestMailView { Name = "Jane Doe" };
LOWtest/Core.Test/Utilities/EmailValidationTests.cs12 [InlineData("user@example.com", "example.com")]
LOWtest/Core.Test/Utilities/CoreHelpersTests.cs445 [InlineData("user@example.com")]
LOWtest/Core.Test/Utilities/DomainNameAttributeTests.cs52 [InlineData("user@example.com")] // email format
LOWtest/Core.Test/Dirt/Services/SlackServiceTests.cs198 var email = "user@example.com";
LOWtest/Core.Test/Dirt/Services/SlackServiceTests.cs231 var email = "user@example.com";
LOWtest/Core.Test/Dirt/Services/SlackServiceTests.cs263 var email = "user@example.com";
LOWtest/Core.Test/Dirt/Services/SlackServiceTests.cs289 var email = "user@example.com";
LOWtest/Core.Test/Dirt/Services/SlackServiceTests.cs310 var email = "user@example.com";
LOWtest/Core.Test/Services/HandlebarsMailServiceTests.cs325 [InlineData("Acme Corp", "Acme Corp")]
LOW…ccounts/TrialSendVerificationEmailRequestModelTests.cs41 [InlineData("user@example.com")]
LOW…nds/CreatePremiumSelfHostedSubscriptionCommandTests.cs126 Email = "user@example.com",
LOW…t/Core.Test/Billing/Services/SubscriberServiceTests.cs88 Feedback = "Lorem ipsum"
LOW…t/Core.Test/Billing/Services/SubscriberServiceTests.cs134 Feedback = "Lorem ipsum"
LOW…t/Core.Test/Billing/Services/SubscriberServiceTests.cs180 Feedback = "Lorem ipsum"
LOW…t/Identity.Test/Controllers/AccountsControllerTests.cs79 var response = await _sut.PostPasswordPrelogin(new PasswordPreloginRequestModel { Email = "user@example.com" });
LOW…t/Identity.Test/Controllers/AccountsControllerTests.cs117 var email = "user@example.com";
LOW…t/Identity.Test/Controllers/AccountsControllerTests.cs172 var response = await _sut.PostPasswordPrelogin(new PasswordPreloginRequestModel { Email = "user@example.com" });
LOW…t/Identity.Test/Controllers/AccountsControllerTests.cs181 var email = "user@example.com";
LOW…t/Api.Test/Auth/Controllers/AccountsControllerTests.cs107 var email = "user@example.com";
LOW…t/Api.Test/Auth/Controllers/AccountsControllerTests.cs837 Email = "user@example.com"
LOW…Import/ImportOrganizationUsersAndGroupsCommandTests.cs186 Email = "test@test.com",
LOWtest/SeederApi.IntegrationTest/RustSdkCipherTests.cs255 CardholderName = "John Doe",
LOWtest/SeederApi.IntegrationTest/RustSdkCipherTests.cs270 Assert.Equal("John Doe", RustSdkService.DecryptString(card.GetProperty("cardholderName").GetString()!, orgKeys.K
7 more matches not shown…
Verbosity Indicators — 15 hits · 26 pts
Severity | File | Line | Snippet
LOWtest/SharedWeb.Test/DataProtectionServicesTests.cs240 // Step 1: We deploy a new version of our app but with NO config changes
LOWtest/SharedWeb.Test/DataProtectionServicesTests.cs254 // Step 2: We generate a new certificate and upload it to a DIFFERENT blob in azure
LOWtest/SharedWeb.Test/DataProtectionServicesTests.cs267 // Step 3: Start apps that have that new cert as able to Unprotect ONLY, this step
LOWtest/SharedWeb.Test/DataProtectionServicesTests.cs293 // Step 4: This is where real config changes start to happen, we actually start protecting
LOW…c/Core/HostedServices/ApplicationCacheHostedService.cs71 // Step 1: Signal ExecuteAsync to stop gracefully
LOW…c/Core/HostedServices/ApplicationCacheHostedService.cs74 // Step 2: Wait for ExecuteAsync to finish cleanly
LOW…c/Core/HostedServices/ApplicationCacheHostedService.cs80 // Step 3: Now safely dispose resources (ExecuteAsync is done)
LOW…c/Core/HostedServices/ApplicationCacheHostedService.cs84 // Step 4: Clean up subscription
LOW…cies/PolicyEventHandlers/SendOptionsSyncPolicyEvent.cs28 // Step 1: sync SendOptionsPolicy.Data.DisableHideEmail -> SendControlsPolicy.Data.DisableHideEmail
LOW…cies/PolicyEventHandlers/SendOptionsSyncPolicyEvent.cs42 // Step 2: sync Enabled status. SendControlsPolicy is enabled if either legacy policy is enabled
LOW…cies/PolicyEventHandlers/DisableSendSyncPolicyEvent.cs28 // Step 1: sync DisableSend.Enabled -> SendControlsPolicy.Data.DisableSend
LOW…cies/PolicyEventHandlers/DisableSendSyncPolicyEvent.cs51 // Step 2: sync Enabled status. SendControlsPolicy is enabled if either legacy policy is enabled
LOWsrc/Api/Tools/Controllers/ImportCiphersController.cs134 // we need to check if the user has permission to create collections
LOW…zations/Handlers/RecoverAccountAuthorizationHandler.cs39 // Step 1: check that the User has permissions with respect to the organization.
LOW…zations/Handlers/RecoverAccountAuthorizationHandler.cs51 // Step 2: check that the User has permissions with respect to any provider the target user is a member of.
AI Slop Vocabulary — 3 hits · 9 pts
Severity | File | Line | Snippet
MEDIUM…IntegrationTest/MailKitSmtpMailDeliveryServiceTests.cs90 // this test can be copied, and changed to utilize that new feature and instead of
MEDIUM…th/Identity/TokenProviders/DuoUniversalTokenService.cs17/// have this class injected to utilize these methods
MEDIUM…ore/Auth/UserFeatures/UserEmail/IChangeEmailCommand.cs23 /// perform robust verification before invoking it, including (at minimum):
Synthetic Comment Markers — 1 hit · 8 pts
Severity | File | Line | Snippet
HIGH…arden_license/src/Sso/Controllers/AccountController.cs486 /// <exception cref="Exception">An exception if the user cannot be provisioned as requested.</exception>
Redundant / Tautological Comments — 4 hits · 6 pts
Severity | File | Line | Snippet
LOW.claude/hooks/rust-sdk-surface-check.sh30# Check if the RustSdk Cargo.toml was modified.
LOW.claude/hooks/rust-sdk-surface-check.sh35# Check if the API surface reference was already updated.
LOW.claude/hooks/seeder-docs-check.sh46# Check if any Seeder .md files were already modified.
LOW.github/workflows/repository-management.yml104 # Check if version is newer.