Admin route with no Depends() dependency
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A route whose path contains /admin has no Depends() anywhere in its function signature, so this handler carries no per-route authentication or authorization check. Heuristic: a router-level or app-level dependencies=[Depends(...)] applied globally would not show up here, so check for that before assuming the route is unprotected.
Why it matters
A route whose path contains /admin with no Depends() anywhere in its signature has no per-route authentication or authorization check that FastAPI's dependency-injection system would show. If nothing else in the app enforces access control for this path (no global middleware, no router-level dependency), anyone who finds the URL can call it with the same access as an admin, which is a common way admin panels end up reachable by an unauthenticated request.
How to fix it
Add a Depends() dependency that verifies the caller is authenticated and authorized for admin access (for example Depends(require_admin_user), following whatever auth dependency the rest of the app already uses), either on the route itself or via dependencies=[Depends(require_admin_user)] on the APIRouter these admin routes are registered on. If the auth check is already applied at the router or app level, add a code comment noting that so a future reader (and this scanner) does not need to re-derive it.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo