markitdown
Python tool for converting files and office documents to Markdown.
Scanned: February 20, 2026
Report Version: 1.0.0
Overall Grade: B (2,108 total findings)
| Category | Grade | Findings |
|---|---|---|
| Architecture | F | 1,253 |
| Correctness | B | 218 |
| Performance | A | 247 |
| Security | B | 390 |
What Traditional Tools Missed
| Category | Colosseum | Bandit | Semgrep |
|---|---|---|---|
| Total | 2,108 | 0 | 0 |
All 2,108 findings (100%) were reported only by Colosseum; Bandit and Semgrep are shown with 0 findings each (the report does not state which rulesets or versions were run). The report attributes the gap to compound vulnerabilities, logic errors, and context-dependent security issues that rule-based scanners are not designed to catch. Read the figure against the category breakdown above: 1,253 of the 2,108 findings are Architecture items such as function complexity, which Bandit and Semgrep do not set out to report at all, and 390 are categorised as Security, so the 100% is not a like-for-like count of missed vulnerabilities.
Notable Findings
Critical / Architecture
Function '_evaluate_all_alerts' has complexity 16
Impact: Function '_evaluate_all_alerts' has complexity 16 (the report does not name the complexity metric or the threshold it applies).
Recommended Fix: Review and remediate.
Critical / Architecture
The code stores llm_client and llm_model parameters but never passes them to PptxConverter or ImageConverter during registration, so they cannot use these parameters for LLM-based descriptions.
Impact: PptxConverter and ImageConverter never receive the stored llm_client and llm_model, so LLM-based descriptions cannot be produced through them.
Recommended Fix: Review and remediate. The report gives no specific change; by its own description, the remediation is to hand the stored llm_client and llm_model to those two converters, either when they are registered or when a conversion is invoked.
High / Security
Function 'do_f' has 4 missing defense layers (input_validation, type_safety, error_handling, logging) around dangerous operation(s): c_dict.get, c_dict.get.
Impact: Function 'do_f' has 4 missing defense layers (input_validation, type_safety, error_handling, logging) around dangerous operation(s): c_dict.get, c_dict.get. Hard barrier gap detected — Aligned holes a
Recommended Fix: Add input validation (isinstance checks, bounds checking, or sanitization calls) before dangerous operations. Add error handling with proper recovery — log errors, re-raise, or return safe defaults (n
High / Security
Function 'do_acc' has 4 missing defense layers (input_validation, type_safety, error_handling, logging) around dangerous operation(s): CHR_DEFAULT.get.
Impact: Function 'do_acc' has 4 missing defense layers (input_validation, type_safety, error_handling, logging) around dangerous operation(s): CHR_DEFAULT.get. Hard barrier gap detected — Aligned holes allow
Recommended Fix: Add input validation (isinstance checks, bounds checking, or sanitization calls) before dangerous operations. Add error handling with proper recovery — log errors, re-raise, or return safe defaults (n
High / Security
Function '_handle_output' has 4 missing defense layers (input_validation, type_safety, error_handling, logging) around dangerous operation(s): open.
Impact: Function '_handle_output' has 4 missing defense layers (input_validation, type_safety, error_handling, logging) around dangerous operation(s): open. Hard barrier gap detected — Aligned holes allow thr
Recommended Fix: Add input validation (isinstance checks, bounds checking, or sanitization calls) before dangerous operations. Add error handling with proper recovery — log errors, re-raise, or return safe defaults (n
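The three "missing defense layers" findings above share one remediation: put validation, type checks, error handling and logging around the call each one names. Of the operations named, open() on a caller-supplied path (the '_handle_output' finding) is the one where those layers change the security outcome; dict.get returns a default instead of raising, so it is only as dangerous as whatever is done with its result. What follows is an added example, not markitdown's code: a constructed writer in the "before" shape the finding describes, beside a hardened version, with a run_demo() helper that exercises both in a scratch directory. The function names, the allow_overwrite parameter and the sample contents are assumptions made for this example.

```python
import logging
import os
import sys
import tempfile
from pathlib import Path

log = logging.getLogger("output_writer")


def write_output_unchecked(text, output_path):
    """'Before' (constructed): no type check, no clobber or symlink refusal, no handling."""
    if output_path is None:
        sys.stdout.write(text)
        return None
    with open(output_path, "w", encoding="utf-8") as f:
        f.write(text)
    return output_path


def write_output_hardened(text, output_path, *, allow_overwrite=False):
    """'After': input validation, type safety, error handling and logging around open."""
    # type_safety: reject wrong types before anything touches the filesystem
    if not isinstance(text, str):
        raise TypeError(f"text must be str, got {type(text).__name__}")
    if output_path is None:
        sys.stdout.write(text)
        return None
    if not isinstance(output_path, (str, os.PathLike)):
        raise TypeError(f"output_path must be str or PathLike, got {type(output_path).__name__}")

    # input_validation: no empty name, no directory, parent must already exist
    path = Path(output_path)
    if path.name == "" or path.is_dir():
        raise ValueError(f"refusing to write to {str(path)!r}: not a file path")
    if not path.parent.is_dir():
        raise FileNotFoundError(f"output directory does not exist: {str(path.parent)!r}")

    # Explicit flags instead of open(path, "w"): O_EXCL refuses to clobber an existing
    # file unless the caller opts in (O_TRUNC); O_NOFOLLOW, where the platform has it,
    # refuses to write through a symlink planted at the output location.
    flags = os.O_WRONLY | os.O_CREAT
    flags |= os.O_TRUNC if allow_overwrite else os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)

    # error_handling + logging: record the failure, then re-raise to the caller
    try:
        fd = os.open(path, flags, 0o644)
    except FileExistsError:
        log.error("output exists and overwrite is disabled: %s", path)
        raise
    except OSError as exc:
        log.error("cannot open output %s: %s", path, exc)
        raise
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(text)
    log.info("wrote %d characters to %s", len(text), path)
    return path


def run_demo():
    """Exercise both writers in a scratch directory; returns a dict of what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        out = tmp / "out.md"
        write_output_hardened("# hello\n", out)                 # constructed sample text
        results["written"] = out.read_text(encoding="utf-8")
        try:                                                    # second write: refused
            write_output_hardened("# clobber\n", out)
            results["second_write"] = "overwrote"
        except FileExistsError:
            results["second_write"] = "refused"
        results["after_refusal"] = out.read_text(encoding="utf-8")
        target, link = tmp / "target.txt", tmp / "link.md"    # dangling symlink at output
        try:
            link.symlink_to(target)
        except (OSError, NotImplementedError):
            results["symlink"] = "unsupported"
        else:
            try:
                write_output_hardened("# via link\n", link, allow_overwrite=True)
                results["symlink"] = "followed"
            except OSError:
                results["symlink"] = "refused"
            results["target_after_hardened"] = target.exists()
            write_output_unchecked("# via link\n", link)        # follows it, creates target
            results["target_after_unchecked"] = target.exists()
        try:                                                    # wrong type: never opened
            write_output_hardened(b"bytes", tmp / "bad.md")
            results["type_check"] = "accepted"
        except TypeError:
            results["type_check"] = "rejected"
        results["bad_created"] = (tmp / "bad.md").exists()
    return results
```

Calling run_demo() shows the difference the layers make: the hardened writer round-trips a normal write, refuses to overwrite an existing file unless asked, refuses to write through a symlink planted at the output path, and rejects non-str input before any file is created, while the unchecked writer follows the symlink and creates the target. The O_NOFOLLOW check is a no-op on platforms that lack the flag, so on those the O_EXCL refusal is the only protection against a pre-planted path.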
High / Security
Module 'packages/markitdown/tests/test_cli_vectors.py' has 4/4 kill chain phases enabled (100% complete): Deliver (reachable, dist=0), Exploit (5 ops), Install (3 ops), Actions (5 ops). COMPLETE CHAIN
Impact: Module 'packages/markitdown/tests/test_cli_vectors.py' has 4/4 kill chain phases enabled (100% complete): Deliver (reachable, dist=0), Exploit (5 ops), Install (3 ops), Actions (5 ops). COMPLETE CHAIN
Recommended Fix: CRITICAL: This module has a complete kill chain — all phases from delivery to exploitation are enabled. Add defense at the weakest phase: input validation before dangerous ops, sandboxing for exec/eva
Note: the flagged module sits under the package's tests/ directory. The report does not say whether the test suite ships with the installed package or what input can reach it, so the "Deliver (reachable, dist=0)" claim should be checked against the actual deployment before this module is treated as production attack surface.
Responsible Disclosure
This public report is intended to demonstrate the depth of analysis possible with modern code scanning tools and to help the broader open source community understand common vulnerability patterns.
Report: https://battleharden.dev/reports/markitdown