{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 613 lines (recommend <300)", "shortDescription": {"text": "Average file size is 613 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings 
since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 30 more): Same pattern found in 30 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_req", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltr"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/760"}, "properties": {"repository": "denoland/deno", "repoUrl": "https://github.com/denoland/deno", "branch": "main"}, "results": [{"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 63354, "scanner": "repobility-agent-runtime", "fingerprint": "a50608b23ba5de1149efb8e3d484ca7c207b5688e3a0a724b232672aac568ae3", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a50608b23ba5de1149efb8e3d484ca7c207b5688e3a0a724b232672aac568ae3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 28}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 63344, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 63315, "scanner": "repobility-threat-engine", "fingerprint": "0bf4010a917e79d18205f7edb1fabb7bf386504e3177abaf9e65a41f3110af4b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|cli/tsc/99_main_compiler.js|98|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/tsc/99_main_compiler.js"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential 
compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 63314, "scanner": "repobility-threat-engine", "fingerprint": "0d6bad89a8f987de7a167af840a91ec7180ebf42ecc9989695499ff1fcca382d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|cli/tools/doc/prism.js|3|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/tools/doc/prism.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 63313, "scanner": "repobility-threat-engine", "fingerprint": "7e9f5bdc3e4d0bd18833c461edc4fab29a3abb6830ad496d02c0adc66c3abece", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. 
token|142|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/mtime_cache/action.js"}, "region": {"startLine": 142}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 613 lines (recommend <300)"}, "properties": {"repobilityId": 63311, "scanner": "repobility-core", "fingerprint": "f5e68bc468a69410a9cb4214e565398ec9fd7d8856da521f6cc18d23fa55b6fb", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|f5e68bc468a69410a9cb4214e565398ec9fd7d8856da521f6cc18d23fa55b6fb"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63353, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4d89db7e702eb9c548813b0a4dd112c622df9218d27c7defd59b8ae85edbeae8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/tools/run/mod.rs", "duplicate_line": 234, "correlation_key": "fp|4d89db7e702eb9c548813b0a4dd112c622df9218d27c7defd59b8ae85edbeae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/tools/serve.rs"}, "region": {"startLine": 153}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63352, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b6fa7ffa56afd68d69e76cd812e55715a5aa9afeefe415510a34429b303bef8e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/tools/clean.rs", "duplicate_line": 175, "correlation_key": "fp|b6fa7ffa56afd68d69e76cd812e55715a5aa9afeefe415510a34429b303bef8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/tools/pm/cache_deps.rs"}, "region": {"startLine": 179}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63351, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8746389ace69315632e88a4c2dd6b7188e31d9c2e49fc309d66f75871989074a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/ops/bench.rs", "duplicate_line": 38, "correlation_key": "fp|8746389ace69315632e88a4c2dd6b7188e31d9c2e49fc309d66f75871989074a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/ops/testing.rs"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63350, "scanner": "repobility-ai-code-hygiene", "fingerprint": "908499c3a1d48a534838776d134c72dd1fea4d1f486e4149f0cb3ac653bba658", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "cli/lsp/jsr.rs", "duplicate_line": 383, "correlation_key": "fp|908499c3a1d48a534838776d134c72dd1fea4d1f486e4149f0cb3ac653bba658"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/lsp/npm.rs"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63349, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47ab27d718b22bf694f2779c6f17c7e711b15c061fccfdf04e92a35e4813c33d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/workflows/cargo_publish.ts", "duplicate_line": 15, "correlation_key": "fp|47ab27d718b22bf694f2779c6f17c7e711b15c061fccfdf04e92a35e4813c33d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/version_bump.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63348, "scanner": "repobility-ai-code-hygiene", "fingerprint": "054480305993e8b698244c9cc3907b030a36b87295ebc63c5e99d77274697a3f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/workflows/cargo_publish.ts", "duplicate_line": 16, "correlation_key": 
"fp|054480305993e8b698244c9cc3907b030a36b87295ebc63c5e99d77274697a3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/start_release.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63347, "scanner": "repobility-ai-code-hygiene", "fingerprint": "907e50102c4b4f1293787f54884aa7560e619d45d1184006157987c08c00c441", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/workflows/ecosystem_compat_test.ts", "duplicate_line": 33, "correlation_key": "fp|907e50102c4b4f1293787f54884aa7560e619d45d1184006157987c08c00c441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/promote_to_release.ts"}, "region": {"startLine": 135}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63346, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70a0e5dda631bfdf5ed52961f1004ca58381574a2834e835aef066c953bbf8e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/workflows/ecosystem_compat_test.ts", "duplicate_line": 33, "correlation_key": "fp|70a0e5dda631bfdf5ed52961f1004ca58381574a2834e835aef066c953bbf8e2"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": ".github/workflows/post_publish.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63345, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f2feada821a515af631bc3950b40448ad899b0b673e96e49b2a01b8b038b93f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/workflows/cargo_publish.ts", "duplicate_line": 21, "correlation_key": "fp|8f2feada821a515af631bc3950b40448ad899b0b673e96e49b2a01b8b038b93f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create_prerelease_tag.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 63343, "scanner": "repobility-threat-engine", "fingerprint": "9d28651373447d8caa0269927d2d1ca19f11366798b8968e86fd40a06987bf1d", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'\\\\s])(?:\"+a+\")\\\\s*=\\\\s*(?:\\\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d28651373447d8caa0269927d2d1ca19f11366798b8968e86fd40a06987bf1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/tools/doc/prism.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 63342, "scanner": "repobility-threat-engine", "fingerprint": "80d15060c69b3bb96073e0a3bf487cb259709ad203c4e438751d7311bee9c7c5", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Sanitization detected ('textcontent') \u2014 output is likely sanitized", "evidence": {"match": ".innerHTML=s", "reason": "Sanitization detected ('textcontent') \u2014 output is likely sanitized", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|cli/tools/doc/prism.js|3|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/tools/doc/prism.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 63341, "scanner": "repobility-threat-engine", "fingerprint": "4e412bf576271f452d8d53a380314293ad150630a073e041a292c54ddebe44eb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4e412bf576271f452d8d53a380314293ad150630a073e041a292c54ddebe44eb", "aggregated_count": 2}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 63340, "scanner": "repobility-threat-engine", "fingerprint": "2db18e9b7cecda981472c01db560b34808c6870af7bfbe53e1712c4adcfcd3d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2db18e9b7cecda981472c01db560b34808c6870af7bfbe53e1712c4adcfcd3d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/lsp/urls.rs"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 63339, "scanner": "repobility-threat-engine", "fingerprint": "2ec937cce16161d2e0a0401e40c8f16b055cb82124ede45fd42053ab17ca8bc8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ec937cce16161d2e0a0401e40c8f16b055cb82124ede45fd42053ab17ca8bc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/lsp/parent_process_checker.rs"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 63338, "scanner": "repobility-threat-engine", "fingerprint": "8d1e777e0a230852a7e76235aac80f4b6dcffe57f047333b9ee76ae6959cc24b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d1e777e0a230852a7e76235aac80f4b6dcffe57f047333b9ee76ae6959cc24b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/lsp/logging.rs"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 63337, "scanner": "repobility-threat-engine", "fingerprint": "7fb1e7c7fc33ac4ca04c001d812ab93a4d99c0b56ebb4384bf34b02c532689c1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7fb1e7c7fc33ac4ca04c001d812ab93a4d99c0b56ebb4384bf34b02c532689c1", "aggregated_count": 2}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 63336, "scanner": "repobility-threat-engine", "fingerprint": "2cf6b6cab71e5a7207def27c3c0f8108442665c8a143c155bee07336b172b49d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2cf6b6cab71e5a7207def27c3c0f8108442665c8a143c155bee07336b172b49d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/lsp/performance.rs"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 63335, "scanner": "repobility-threat-engine", "fingerprint": "3e2ffabafbbbaf111393509c2f89c01132fc9a807adc22690305db8380157129", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e2ffabafbbbaf111393509c2f89c01132fc9a807adc22690305db8380157129"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/lsp/compiler_options.rs"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 63334, "scanner": "repobility-threat-engine", "fingerprint": "6d61018ad5dc457461be891c92f956745d606c3d6861d3bb76ca0039182646f9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d61018ad5dc457461be891c92f956745d606c3d6861d3bb76ca0039182646f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/lsp/cache.rs"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 63333, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 63329, "scanner": "repobility-threat-engine", "fingerprint": "a19c177945e2389b8d1bc43526ddafd294e37dbff6a5516b030dc334cc8edf02", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a19c177945e2389b8d1bc43526ddafd294e37dbff6a5516b030dc334cc8edf02", "aggregated_count": 7}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 63328, "scanner": "repobility-threat-engine", "fingerprint": "e2376075cd80dafe1dec34967f7ecee5dfc2fce36dfe981889ea7d1316c6f062", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e2376075cd80dafe1dec34967f7ecee5dfc2fce36dfe981889ea7d1316c6f062"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/cache/code_cache.rs"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 63327, "scanner": "repobility-threat-engine", "fingerprint": "8c8a43822e05c6304f087e4d424434be6b147be2c41ee20185cc97b854aeadfa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c8a43822e05c6304f087e4d424434be6b147be2c41ee20185cc97b854aeadfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/cache/check.rs"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 63326, "scanner": "repobility-threat-engine", "fingerprint": "e70d06274cfd83cb1df5778152d6016aea8a37ee2e6c8a92ce7c93603fe9963d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e70d06274cfd83cb1df5778152d6016aea8a37ee2e6c8a92ce7c93603fe9963d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/build.rs"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 63325, "scanner": "repobility-threat-engine", "fingerprint": "4822ad05fb353d90a2db71fd75c3be0dda202d14a14fa1afb3e09e6e2beac9cd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4822ad05fb353d90a2db71fd75c3be0dda202d14a14fa1afb3e09e6e2beac9cd", "aggregated_count": 30}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 63321, "scanner": "repobility-threat-engine", "fingerprint": "01a2e93bd46996d489bd7e9ed668c5568ef723c5a41a1c50c7ee580b96cf723d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01a2e93bd46996d489bd7e9ed668c5568ef723c5a41a1c50c7ee580b96cf723d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/tools/serve.rs"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 63320, "scanner": "repobility-threat-engine", "fingerprint": "357a0b6336fa5382c2ce90479c359e410b9c5b2e926951790bebbdd748806ada", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|357a0b6336fa5382c2ce90479c359e410b9c5b2e926951790bebbdd748806ada"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/promote_to_release.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 63319, "scanner": "repobility-threat-engine", "fingerprint": "cad91056b2cdf2d80b420941c2fa2ee69f5d703a618e7c88b4deedf924de3af7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cad91056b2cdf2d80b420941c2fa2ee69f5d703a618e7c88b4deedf924de3af7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/tsc/_analyze_types_node.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 63318, "scanner": "repobility-threat-engine", "fingerprint": "b6c9c267bdcbd9aa90c4fb223c4c92ebc809dec0fc7f086efeed6e111d263880", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6c9c267bdcbd9aa90c4fb223c4c92ebc809dec0fc7f086efeed6e111d263880"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/mtime_cache/action.js"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Caveat: this finding is a pattern match on a url( call site with no data-flow evidence; confirm that the parsed URL is actually fetched over the network and that its input is attacker-controlled (rather than a local path or a configured registry URL) before treating it as exploitable, and enforce a scheme/host allowlist at the fetch site if it is."}, "properties": {"repobilityId": 63332, "scanner": "repobility-threat-engine", "fingerprint": "2fb303df19e7047438d01e1eac091c656697a833d8f9c337570b75f5175f1c42", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2fb303df19e7047438d01e1eac091c656697a833d8f9c337570b75f5175f1c42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/lsp/urls.rs"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Caveat: this finding is a pattern match on a url( call site with no data-flow evidence; confirm that the parsed URL is actually fetched over the network and that its input is attacker-controlled (rather than a local path or a configured registry URL) before treating it as exploitable, and enforce a scheme/host allowlist at the fetch site if it is."}, "properties": {"repobilityId": 63331, "scanner": "repobility-threat-engine", "fingerprint": "e229a2dc7c4cf75186cec411f971c27f2e3f4e725fa36969d76c022eee432d00", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e229a2dc7c4cf75186cec411f971c27f2e3f4e725fa36969d76c022eee432d00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/lsp/cache.rs"}, "region": {"startLine": 135}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Caveat: this finding is a pattern match on a url( call site with no data-flow evidence; confirm that the parsed URL is actually fetched over the network and that its input is attacker-controlled (rather than a local path or a configured registry URL) before treating it as exploitable, and enforce a scheme/host allowlist at the fetch site if it is."}, "properties": {"repobilityId": 63330, "scanner": "repobility-threat-engine", "fingerprint": "cbb5b0f28364d5a3fbd9a1d35040d25aed7d9ab1641ce15e15b9480e12103e52", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cbb5b0f28364d5a3fbd9a1d35040d25aed7d9ab1641ce15e15b9480e12103e52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/jsr.rs"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 63324, "scanner": "repobility-threat-engine", "fingerprint": "3eb87cab755ea9794fb0cf04ee269b43527c6870c3e7f193ec7383ca31313707", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3eb87cab755ea9794fb0cf04ee269b43527c6870c3e7f193ec7383ca31313707"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/cache/code_cache.rs"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 63323, "scanner": "repobility-threat-engine", "fingerprint": "b0f4e9775186977d66e097ebd72467f8ba78d3472a141237536217213e231a27", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0f4e9775186977d66e097ebd72467f8ba78d3472a141237536217213e231a27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/build.rs"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 63322, "scanner": "repobility-threat-engine", "fingerprint": "53d77751bc248db4f3f40bee428ead75a4bf5cbd66ca55e03fc2a6495f0411c9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53d77751bc248db4f3f40bee428ead75a4bf5cbd66ca55e03fc2a6495f0411c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/args/flags_net.rs"}, "region": {"startLine": 170}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0). Caveat: the evidence is a bare exec( match on line 3 of prism.js, which looks like a vendored, minified highlighter where RegExp.prototype.exec is common; confirm the receiver is child_process before triaging this as command injection."}, "properties": {"repobilityId": 63317, "scanner": "repobility-threat-engine", "fingerprint": "40d94fa909869a53aad87dc3ef74cc4f12e677970b3d1b92e46fa49208620bde", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|40d94fa909869a53aad87dc3ef74cc4f12e677970b3d1b92e46fa49208620bde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/tools/doc/prism.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). Here the argument is entry; if it can derive from untrusted input (e.g. file names taken from a pull request), switch to execFile/spawn with an argument array instead of a shell string, and confirm the receiver is child_process before triaging."}, "properties": {"repobilityId": 63316, "scanner": "repobility-threat-engine", "fingerprint": "9d6485ac4e737c4ca9ff204430cf87c87acf0f4bfba925a2cfb96a83d466c7c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(entry", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d6485ac4e737c4ca9ff204430cf87c87acf0f4bfba925a2cfb96a83d466c7c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/mtime_cache/action.js"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal 
that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline. Caveat: the matched expression only builds plain * key: value lines and the evidence shows no .innerHTML sink; the file path suggests a GitHub Action script run under Node, which has no DOM, so confirm where the string is rendered before treating this as XSS."}, "properties": {"repobilityId": 63312, "scanner": "repobility-threat-engine", "fingerprint": "f7102615c51f6f5d1310581062803b85e064b7a2ebbd1ed7c7c1562d171b4547", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `* ${k}: ${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f7102615c51f6f5d1310581062803b85e064b7a2ebbd1ed7c7c1562d171b4547"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/mtime_cache/action.js"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: GitHub withholds repository secrets from pull_request runs opened from forks (only a read-scoped GITHUB_TOKEN is passed), so a fork PR alone cannot read this secret; the exposure is real only if the same job also runs on a trusted trigger (push, schedule, workflow_dispatch, pull_request_target) or on PRs from branches in this repository, which should be verified. Gate the secret-using step on the event (e.g. if: github.event_name != 'pull_request') or move it to a separate job, and do not switch to pull_request_target to obtain secrets; if pull_request_target is used, never check out or execute fork code in that trusted context. The file name suggests generated output, so apply the fix in the generator rather than in ci.generated.yml."}, "properties": {"repobilityId": 63379, "scanner": "repobility-supply-chain", "fingerprint": "35d31a6633743547b75882f7ce77d41182c37be07e9b5eb7584ab03b93a36001", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35d31a6633743547b75882f7ce77d41182c37be07e9b5eb7584ab03b93a36001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 6074}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DENOBOT_PAT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DENOBOT_PAT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: GitHub withholds repository secrets from pull_request runs opened from forks (only a read-scoped GITHUB_TOKEN is passed), so a fork PR alone cannot read this secret; the exposure is real only if the same job also runs on a trusted trigger (push, schedule, workflow_dispatch, pull_request_target) or on PRs from branches in this repository, which should be verified. Gate the secret-using step on the event (e.g. if: github.event_name != 'pull_request') or move it to a separate job, and do not switch to pull_request_target to obtain secrets; if pull_request_target is used, never check out or execute fork code in that trusted context. The file name suggests generated output, so apply the fix in the generator rather than in ci.generated.yml."}, "properties": {"repobilityId": 63378, "scanner": "repobility-supply-chain", "fingerprint": "7a0c7095b6a59ffbd03bd4569f78907992b44065105dbd39c80fc76b6510b4df", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a0c7095b6a59ffbd03bd4569f78907992b44065105dbd39c80fc76b6510b4df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 4658}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.WPT_FYI_PW` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WPT_FYI_PW }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: GitHub withholds repository secrets from pull_request runs opened from forks (only a read-scoped GITHUB_TOKEN is passed), so a fork PR alone cannot read this secret; the exposure is real only if the same job also runs on a trusted trigger (push, schedule, workflow_dispatch, pull_request_target) or on PRs from branches in this repository, which should be verified. Gate the secret-using step on the event (e.g. if: github.event_name != 'pull_request') or move it to a separate job, and do not switch to pull_request_target to obtain secrets; if pull_request_target is used, never check out or execute fork code in that trusted context. The file name suggests generated output, so apply the fix in the generator rather than in ci.generated.yml."}, "properties": {"repobilityId": 63377, "scanner": "repobility-supply-chain", "fingerprint": "1d1076b04a51a5a9cb3ef7c5a75367a010aa16899db3e435c8dcf75f9172f3c7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1d1076b04a51a5a9cb3ef7c5a75367a010aa16899db3e435c8dcf75f9172f3c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 4657}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: GitHub withholds repository secrets from pull_request runs opened from forks (only a read-scoped GITHUB_TOKEN is passed), so a fork PR alone cannot read this secret; the exposure is real only if the same job also runs on a trusted trigger (push, schedule, workflow_dispatch, pull_request_target) or on PRs from branches in this repository, which should be verified. Gate the secret-using step on the event (e.g. if: github.event_name != 'pull_request') or move it to a separate job, and do not switch to pull_request_target to obtain secrets; if pull_request_target is used, never check out or execute fork code in that trusted context. The file name suggests generated output, so apply the fix in the generator rather than in ci.generated.yml."}, "properties": {"repobilityId": 63376, "scanner": "repobility-supply-chain", "fingerprint": "30f1459553e6950f4d9d0239cb2c776c03657360e1a8fab6867f7e5188a28899", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|30f1459553e6950f4d9d0239cb2c776c03657360e1a8fab6867f7e5188a28899"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 4643}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: GitHub withholds repository secrets from pull_request runs opened from forks (only a read-scoped GITHUB_TOKEN is passed), so a fork PR alone cannot read this secret; the exposure is real only if the same job also runs on a trusted trigger (push, schedule, workflow_dispatch, pull_request_target) or on PRs from branches in this repository, which should be verified. Gate the secret-using step on the event (e.g. if: github.event_name != 'pull_request') or move it to a separate job, and do not switch to pull_request_target to obtain secrets; if pull_request_target is used, never check out or execute fork code in that trusted context. The file name suggests generated output, so apply the fix in the generator rather than in ci.generated.yml."}, "properties": {"repobilityId": 63375, "scanner": "repobility-supply-chain", "fingerprint": "b3058fab28d6177b36a97a3d17426069ba08498520965f7e036089ea31bff5d6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b3058fab28d6177b36a97a3d17426069ba08498520965f7e036089ea31bff5d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 4174}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: GitHub withholds repository secrets from pull_request runs opened from forks (only a read-scoped GITHUB_TOKEN is passed), so a fork PR alone cannot read this secret; the exposure is real only if the same job also runs on a trusted trigger (push, schedule, workflow_dispatch, pull_request_target) or on PRs from branches in this repository, which should be verified. Gate the secret-using step on the event (e.g. if: github.event_name != 'pull_request') or move it to a separate job, and do not switch to pull_request_target to obtain secrets; if pull_request_target is used, never check out or execute fork code in that trusted context. The file name suggests generated output, so apply the fix in the generator rather than in ci.generated.yml."}, "properties": {"repobilityId": 63374, "scanner": "repobility-supply-chain", "fingerprint": "c1f3f4dea47228a3540dc31432a453db5a34ee5d08515f54be2e6a9926052d04", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1f3f4dea47228a3540dc31432a453db5a34ee5d08515f54be2e6a9926052d04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 4130}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: GitHub withholds repository secrets from pull_request runs opened from forks (only a read-scoped GITHUB_TOKEN is passed), so a fork PR alone cannot read this secret; the exposure is real only if the same job also runs on a trusted trigger (push, schedule, workflow_dispatch, pull_request_target) or on PRs from branches in this repository, which should be verified. Gate the secret-using step on the event (e.g. if: github.event_name != 'pull_request') or move it to a separate job, and do not switch to pull_request_target to obtain secrets; if pull_request_target is used, never check out or execute fork code in that trusted context. The file name suggests generated output, so apply the fix in the generator rather than in ci.generated.yml."}, "properties": {"repobilityId": 63373, "scanner": "repobility-supply-chain", "fingerprint": "65cb9a3df60f4d46c14ffd5389cff2ba007d0132c65719f4a1ef399a0b5a6331", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65cb9a3df60f4d46c14ffd5389cff2ba007d0132c65719f4a1ef399a0b5a6331"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 3648}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: GitHub withholds repository secrets from pull_request runs opened from forks (only a read-scoped GITHUB_TOKEN is passed), so a fork PR alone cannot read this secret; the exposure is real only if the same job also runs on a trusted trigger (push, schedule, workflow_dispatch, pull_request_target) or on PRs from branches in this repository, which should be verified. Gate the secret-using step on the event (e.g. if: github.event_name != 'pull_request') or move it to a separate job, and do not switch to pull_request_target to obtain secrets; if pull_request_target is used, never check out or execute fork code in that trusted context. The file name suggests generated output, so apply the fix in the generator rather than in ci.generated.yml."}, "properties": {"repobilityId": 63372, "scanner": "repobility-supply-chain", "fingerprint": "2879c28872fe33aadae24e09cc3b3c636a8aabb012978b36ef0923b5c46e061a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2879c28872fe33aadae24e09cc3b3c636a8aabb012978b36ef0923b5c46e061a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 3602}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63371, "scanner": "repobility-supply-chain", "fingerprint": "af27e668ea4a4ae6bf003a8ce98b42929402faf9fcc16d9762293934d2563279", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af27e668ea4a4ae6bf003a8ce98b42929402faf9fcc16d9762293934d2563279"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 3544}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63370, "scanner": "repobility-supply-chain", "fingerprint": "1e6808dae856f6be6415c5e4502e20b2d502df44463ac40065e7420faa82a36e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e6808dae856f6be6415c5e4502e20b2d502df44463ac40065e7420faa82a36e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 3543}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63369, "scanner": "repobility-supply-chain", "fingerprint": "9cda02aac0f8d74d06d10e7982669b16b2cf60567df0578499e0b3eecf24d5aa", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9cda02aac0f8d74d06d10e7982669b16b2cf60567df0578499e0b3eecf24d5aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 3542}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63368, "scanner": "repobility-supply-chain", "fingerprint": "6930ccb2bb12450cfcddb97e2a378a39ede87a24e9d3e089704579c315a98195", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6930ccb2bb12450cfcddb97e2a378a39ede87a24e9d3e089704579c315a98195"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 2828}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63367, "scanner": "repobility-supply-chain", "fingerprint": "a102705b079436a06468494a4409fc5940d52ad6bbf550332c5d6d79c66427e5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a102705b079436a06468494a4409fc5940d52ad6bbf550332c5d6d79c66427e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 2782}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63366, "scanner": "repobility-supply-chain", "fingerprint": "8b8ce354d7adce69d324cc0f9ab817e808af840ded42b1b8c5c6e5509c85cfdf", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b8ce354d7adce69d324cc0f9ab817e808af840ded42b1b8c5c6e5509c85cfdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 2724}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63365, "scanner": "repobility-supply-chain", "fingerprint": "1ef9cfcac10542155ebd314a1edebd57b6fb0424d3ed6b24d71c014741155fe7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ef9cfcac10542155ebd314a1edebd57b6fb0424d3ed6b24d71c014741155fe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 2723}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63364, "scanner": "repobility-supply-chain", "fingerprint": "05340461ce51f42b14c151a9f68b63a1720db5149c28c9a75b4e894e12d6dcb1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05340461ce51f42b14c151a9f68b63a1720db5149c28c9a75b4e894e12d6dcb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 2722}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63363, "scanner": "repobility-supply-chain", "fingerprint": "0dfa62ec0d3dece6bfc83bc6edfd03dda8263c427cb01ed6d683e64c7bae1181", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0dfa62ec0d3dece6bfc83bc6edfd03dda8263c427cb01ed6d683e64c7bae1181"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 1867}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63362, "scanner": "repobility-supply-chain", "fingerprint": "54e03cf7fe8c45149e47f68afc73f81f38fb425d4856ca30d31cd6708b609118", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54e03cf7fe8c45149e47f68afc73f81f38fb425d4856ca30d31cd6708b609118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 1821}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_CODESIGN_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_CODESIGN_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63361, "scanner": "repobility-supply-chain", "fingerprint": "93ea59b892410d17f7073d2b8e40138867b37ff3407062021ede59e892b3e829", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93ea59b892410d17f7073d2b8e40138867b37ff3407062021ede59e892b3e829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 1790}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_CODESIGN_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_CODESIGN_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63360, "scanner": "repobility-supply-chain", "fingerprint": "eb69e09c3a3bdae9d8570a2e72826e5126a4581fb89b3d59dbeae2e237ccdf89", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb69e09c3a3bdae9d8570a2e72826e5126a4581fb89b3d59dbeae2e237ccdf89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 1789}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63359, "scanner": "repobility-supply-chain", "fingerprint": "1f7c8118ffed395028c4732ce0260c206f42b1ae0be931bc7536a2365b741559", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f7c8118ffed395028c4732ce0260c206f42b1ae0be931bc7536a2365b741559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 860}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.S3_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.S3_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63358, "scanner": "repobility-supply-chain", "fingerprint": "85dcb01100cc6bd22348e747f130d2b158227c53d0bdaba184d7d5519e8e0e65", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85dcb01100cc6bd22348e747f130d2b158227c53d0bdaba184d7d5519e8e0e65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 814}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_CODESIGN_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_CODESIGN_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63357, "scanner": "repobility-supply-chain", "fingerprint": "8591a6d1b25fa57b31122d9b8825640c4a00bf4bda18e123f2264f15d1425a6f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8591a6d1b25fa57b31122d9b8825640c4a00bf4bda18e123f2264f15d1425a6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 783}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_CODESIGN_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_CODESIGN_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63356, "scanner": "repobility-supply-chain", "fingerprint": "b6ef69826e9f5665ffca57b4720897326712ea594d0f448b108f31f64494cde8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6ef69826e9f5665ffca57b4720897326712ea594d0f448b108f31f64494cde8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 782}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DENOBOT_PAT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DENOBOT_PAT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63355, "scanner": "repobility-supply-chain", "fingerprint": "75807e7f26713f21723263bb91eee5d22ae538adb77a08f4468b06560d8400a2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75807e7f26713f21723263bb91eee5d22ae538adb77a08f4468b06560d8400a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.generated.yml"}, "region": {"startLine": 244}}}]}]}]}