{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /User-Agent."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 33.9% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 33.9% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. 
Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. 
If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "XSS001", "name": "Cross-site scripting \u2014 dangerouslySetInnerHTML", "shortDescription": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "fullDescription": {"text": "dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"scanner": "repobility", "category": "injection", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "Add a valid manifest.json or site.webmanifest and reference it from the document head. Include name, icons, start_url, display, and theme colors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. 
Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `minio` image uses the latest tag", "shortDescription": {"text": "Compose service `minio` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "QUAL005", "name": "Cluster of TODOs in one file", "shortDescription": {"text": "Cluster of TODOs in one file"}, "fullDescription": {"text": "Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "low", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "QUAL004", "name": "Placeholder default username (admin/admin)", "shortDescription": {"text": "Placeholder default username (admin/admin)"}, "fullDescription": {"text": "foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "low", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app 
has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. 
Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC019", "name": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or servic", "shortDescription": {"text": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files."}, "fullDescription": {"text": "Replace the value with a placeholder, revoke or rotate the exposed token, and store live values only in a masked secret store."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 30 more): Same pattern found in 30 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 40 more): Same pattern found in 40 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 26 more): Same pattern found in 26 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED009", "name": "[MINED009] Floats For Money (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED009] Floats For Money (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED033] Go Recover Without Log (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 103 more): Same pattern found in 103 ad", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 103 more): Same pattern found in 103 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 52 more): Same pattern found in 52 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 52 more): Same pattern found in 52 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `relay` image is selected through a build variable", "shortDescription": {"text": "Compose service `relay` image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` re", "shortDescription": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-fi"}, "fullDescription": {"text": "Replace with: `uses: bazel-contrib/setup-bazel@<40-char-sha>  # 0.9.1` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `debian:trixie-slim` not pinned by digest: `FROM debian:trixie-slim` resolves the tag at buil", "shortDescription": {"text": "[MINED118] Dockerfile FROM `debian:trixie-slim` not pinned by digest: `FROM debian:trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production"}, "fullDescription": {"text": "Replace with: `FROM debian:trixie-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. 
Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /:id."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object, and enforce them server-side on every object-level route rather than trusting the client to request only its own ids."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC113", "name": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impe", "shortDescription": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "fullDescription": {"text": "Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint, or build one from a known_hosts file with `knownhosts.New` (`golang.org/x/crypto/ssh/knownhosts`); never use `ssh.InsecureIgnoreHostKey()` outside tests. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args against an allowlist; do not route the arguments through `sh -c` or a similar shell wrapper, which would reintroduce the injection even with a constant command."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics: replace MD5/SHA-1 with SHA-256 or stronger (or a dedicated password hash such as bcrypt, scrypt, or Argon2 when hashing credentials), and replace DES/RC4 with an authenticated cipher such as AES-GCM or ChaCha20-Poly1305. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SUPC001", "name": "Supply chain \u2014 curl | bash anti-pattern", "shortDescription": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "fullDescription": {"text": "curl ... 
| sh / bash \u2014 runs unverified network code. Download the script to a file, verify its checksum or signature against a value published out of band, and review it before executing."}, "properties": {"scanner": "repobility", "category": "supply_chain", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules. Note that Docker inserts its own iptables rules for published ports, which can bypass host-level firewalls such as ufw, so not publishing the port is the safer default."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager, and rotate the exposed password: removing it from the working tree does not remove it from version-control history."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SECR004", "name": "Password embedded in URL", "shortDescription": {"text": "Password embedded in URL"}, "fullDescription": {"text": "https://user:password@host \u2014 leaks credentials via logs, Referer headers, and error messages."}, "properties": {"scanner": "repobility", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "SECR001", "name": "Hardcoded secret in source", "shortDescription": {"text": "Hardcoded secret in source"}, "fullDescription": {"text": "API key, AWS access key, password, or private key embedded directly in source. 
AI assistants frequently leak demo credentials. Treat any committed secret as compromised and rotate it, since it remains in version-control history after removal."}, "properties": {"scanner": "repobility", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. This can exfiltrate sessions when callback validation is incomplete; validate the callback against an exact allowlist of registered URLs rather than a prefix or substring match."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC008", "name": "Compose service mounts the Docker socket", "shortDescription": {"text": "Compose service mounts the Docker socket"}, "fullDescription": {"text": "Avoid mounting docker.sock: access to the socket gives the container root-equivalent control of the host. Use a narrow proxy, rootless build service, or provider-native deployment credentials."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/229"}, "properties": {"repository": "AgentsMesh/AgentsMesh", "repoUrl": "https://github.com/AgentsMesh/AgentsMesh", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 46794, "scanner": "repobility-journey-contract", "fingerprint": "c5b31e4f7cae23c227a70f25621bcaa18fafb973e5d4eb003b29ded0743408b3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/admin/dashboard/stats", "correlation_key": "fp|c5b31e4f7cae23c227a70f25621bcaa18fafb973e5d4eb003b29ded0743408b3", "backend_endpoint_count": 118}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web-admin/src/lib/api/adminDashboard.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 46793, "scanner": "repobility-journey-contract", "fingerprint": "2f5d5749bcad52939b6e2963774aa10001541713d6af398ec300d214f2cc5161", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/admin/audit-logs", "correlation_key": "fp|2f5d5749bcad52939b6e2963774aa10001541713d6af398ec300d214f2cc5161", "backend_endpoint_count": 118}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web-admin/src/lib/api/adminAuditLogs.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 46792, "scanner": "repobility-journey-contract", "fingerprint": "0315b76005e0f488a7f261025267bec686645e8bfa9b8dd8f921e2923074e31e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", 
"references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/orgs/{param}/billing/usage", "correlation_key": "fp|0315b76005e0f488a7f261025267bec686645e8bfa9b8dd8f921e2923074e31e", "backend_endpoint_count": 118}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/lib/viewModels/billing.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 46791, "scanner": "repobility-journey-contract", "fingerprint": "f7a38ef376009b030158626818e12d86ff537400696007ee62f8bbb4f83edc08", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/push/preferences", "correlation_key": "fp|f7a38ef376009b030158626818e12d86ff537400696007ee62f8bbb4f83edc08", "backend_endpoint_count": 118}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/components/pwa/push-notification-store.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 46790, "scanner": "repobility-journey-contract", "fingerprint": "51cf0be06f21eb72f2ce5bf8f05571d89259c0cf98d5ddbfac63b9eeb4c01d07", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/push/unsubscribe", "correlation_key": "fp|51cf0be06f21eb72f2ce5bf8f05571d89259c0cf98d5ddbfac63b9eeb4c01d07", "backend_endpoint_count": 118}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/components/pwa/push-notification-store.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 46789, "scanner": "repobility-journey-contract", "fingerprint": "3e32f76812ccd117e85c26e5635ccaa085419c9fce9a3d7d16816381eabd1a93", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/push/subscribe", "correlation_key": "fp|3e32f76812ccd117e85c26e5635ccaa085419c9fce9a3d7d16816381eabd1a93", "backend_endpoint_count": 118}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/components/pwa/push-notification-store.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 46788, "scanner": "repobility-journey-contract", "fingerprint": "00befbd779f23e6ef32ff464f0543ceb1f08b1f2b3e0b69394ca752d7a35a22e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": 
"JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/pods", "correlation_key": "fp|00befbd779f23e6ef32ff464f0543ceb1f08b1f2b3e0b69394ca752d7a35a22e", "backend_endpoint_count": 118}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/sitemap.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 46787, "scanner": "repobility-journey-contract", "fingerprint": "9ac06d782a9c2ba8386cadfd47a718f317bb7794ee82ea41dba53756269b7333", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/authentication", "correlation_key": "fp|9ac06d782a9c2ba8386cadfd47a718f317bb7794ee82ea41dba53756269b7333", "backend_endpoint_count": 118}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/sitemap.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 46786, "scanner": "repobility-journey-contract", "fingerprint": "f6590dece2f324992c07468c2273840c820e9399eae58657e2d22a9a6798d5f4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/webhooks/mock/complete", "correlation_key": "fp|f6590dece2f324992c07468c2273840c820e9399eae58657e2d22a9a6798d5f4", "backend_endpoint_count": 118}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/mock-checkout/page.tsx"}, "region": {"startLine": 76}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 46785, "scanner": "repobility-journey-contract", "fingerprint": "a0f0742d0fd4885633cf1e06adc876203b293e88dded73c5568b3a936ffd5c8d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/webhooks/mock/session/{param}", "correlation_key": "fp|a0f0742d0fd4885633cf1e06adc876203b293e88dded73c5568b3a936ffd5c8d", "backend_endpoint_count": 118}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/mock-checkout/page.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /:relay_id."}, "properties": {"repobilityId": 46784, "scanner": "repobility-access-control", "fingerprint": "b683a56f697fd7f84378c7ae96243cfd9e9fa692b0905ea13fd9512265278257", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:relay_id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|51|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /:relay_id."}, "properties": {"repobilityId": 46783, "scanner": "repobility-access-control", "fingerprint": "9cf9ac0d785b2adcd4490e2e53fe0331a4586558c89d09b6c5e9010c4dfa1f20", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:relay_id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|50|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /stats."}, "properties": {"repobilityId": 46782, "scanner": "repobility-access-control", "fingerprint": "f3fa53657a062cd7eef99c8f76471663be424024d040f7512415c68c1f0f495d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/stats", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|48|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 48}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /Authorization."}, "properties": {"repobilityId": 46781, "scanner": "repobility-access-control", "fingerprint": "81f890b844c06b9d5eebb44cdf2b3f68d8b288c70554d2f314b0203b24edf289", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Authorization", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|145|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/auth/auth_password.go"}, "region": {"startLine": 145}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /Authorization."}, "properties": {"repobilityId": 46780, "scanner": "repobility-access-control", "fingerprint": "17e3eb5b46ab978175c0d58b00b4fbc50e328169ec37f3f3d5d0bfd97ebca533", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Authorization", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|74|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/interceptors/auth.go"}, "region": {"startLine": 74}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /User-Agent."}, "properties": {"repobilityId": 46779, "scanner": "repobility-access-control", "fingerprint": "f5a71be2876e9a2b5ba4cf83d4de32e04989e6ebce974278ca1127f8c9dbfd74", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/User-Agent", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|70|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/promocode/promocode_handlers.go"}, "region": {"startLine": 70}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /User-Agent."}, "properties": {"repobilityId": 46778, "scanner": "repobility-access-control", "fingerprint": "5d111cf98b6e02dcf41ebf0e22f4a24f0f24197eb6dbe321d2d60468ee39747d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/User-Agent", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|113|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/handlers_relays.go"}, "region": {"startLine": 113}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /User-Agent."}, "properties": {"repobilityId": 46777, "scanner": "repobility-access-control", "fingerprint": "f2581000df52755cc3dea60251edb6356fe7727c1525f22651a6259eb33cc391", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/User-Agent", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|152|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/handlers_users_actions.go"}, "region": {"startLine": 152}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /User-Agent."}, "properties": {"repobilityId": 46776, "scanner": "repobility-access-control", "fingerprint": "6984c5b5c86d4b8d233ebb5b29ebe8aac0335aafa1a718cdf51ef46941c9086f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/User-Agent", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|129|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/handlers_users_actions.go"}, "region": {"startLine": 129}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /User-Agent."}, "properties": {"repobilityId": 46775, "scanner": "repobility-access-control", "fingerprint": "34f8cbc751e06afef03e93e390de3e0178c95dd694de2bbac45789fa9eafd644", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/User-Agent", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|106|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/handlers_users_actions.go"}, "region": {"startLine": 106}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /User-Agent."}, "properties": {"repobilityId": 46774, "scanner": "repobility-access-control", "fingerprint": "3f532490f9ad97573e6602e12ecd01731c49c026917b6d12b67b434001cd1110", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/User-Agent", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|83|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/handlers_users_actions.go"}, "region": {"startLine": 83}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /User-Agent."}, "properties": {"repobilityId": 46773, "scanner": "repobility-access-control", "fingerprint": "df3a510619f0a59dc46114ec9bfd0df345cb831a1204332d7b75e82d18b79ece", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/User-Agent", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|60|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/handlers_users_actions.go"}, "region": {"startLine": 60}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /User-Agent."}, "properties": {"repobilityId": 46772, "scanner": "repobility-access-control", "fingerprint": "aba2961fcd1ab7873743885b42f02a658917f4d61bb041c81ed34959338a6b7e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/User-Agent", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|37|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/handlers_users_actions.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /admin_user_id."}, "properties": {"repobilityId": 46771, "scanner": "repobility-access-control", "fingerprint": "a12e548a6799699f68f1611a61014c809452fb91324617e1a058cc202f908ad8", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin_user_id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|52|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/middleware/admin.go"}, "region": {"startLine": 52}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /admin_user."}, "properties": {"repobilityId": 46770, "scanner": "repobility-access-control", "fingerprint": "810b518fe58a523d0238321c90d09aea91d69d863857ca60f2b56cfc52d0bb1c", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin_user", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|43|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/middleware/admin.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /user_id."}, "properties": {"repobilityId": 46769, "scanner": "repobility-access-control", "fingerprint": "dcf73f9fa0bc24f502f8ca05ebc34ac563ea411d216f149276bd33c9acbb0e7a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/user_id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|13|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/middleware/admin.go"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 33.9% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 46758, "scanner": "repobility-access-control", "fingerprint": "6b2d0f90e27f5fbd2a9a704bf92dc7e7786400db7325d5ed524b203944486dbe", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 118, "correlation_key": "fp|6b2d0f90e27f5fbd2a9a704bf92dc7e7786400db7325d5ed524b203944486dbe", "auth_visible_percent": 33.9}}}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 46757, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "backend/migrations/000155_remove_e2e_echo_from_prod.up.sql", "size_mb": 0.0}, {"path": "backend/migrations/000155_remove_e2e_echo_from_prod.down.sql", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 46756, "scanner": "repobility-agent-runtime", "fingerprint": "c31a3bff56b00ff2276573d70f66934aa8564808d0d26d93693f7a57bcf88abe", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c31a3bff56b00ff2276573d70f66934aa8564808d0d26d93693f7a57bcf88abe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 46727, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4a392fd49c1966efff5a6ec4ee35932aabab7d8be607bcebb0845d937be185c7", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename 
has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "update", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "backend/internal/api/connect/ticket/ticket.go", "correlation_key": "fp|4a392fd49c1966efff5a6ec4ee35932aabab7d8be607bcebb0845d937be185c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/ticket/ticket_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 46726, "scanner": "repobility-ai-code-hygiene", "fingerprint": "117b6bfe7832780359ae5b64d85a87b28a94bc49e8bbd6323f39ad9322be3d4b", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "update", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "backend/internal/api/connect/repository/repository.go", "correlation_key": "fp|117b6bfe7832780359ae5b64d85a87b28a94bc49e8bbd6323f39ad9322be3d4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/repository/repository_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 46719, "scanner": "repobility-threat-engine", "fingerprint": "9902919f909772011df60ac6ad38b8b46a1cea3226134252806e737cbc514ac9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": 
"Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9902919f909772011df60ac6ad38b8b46a1cea3226134252806e737cbc514ac9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/components/channel/MemberSelector.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 46718, "scanner": "repobility-threat-engine", "fingerprint": "9b22454b5868a59cada27285a46947a42f03c1000026e244fd1720b10c5aa086", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9b22454b5868a59cada27285a46947a42f03c1000026e244fd1720b10c5aa086"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/e2e-playwright/helpers/pod-cleanup.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 46716, "scanner": "repobility-threat-engine", "fingerprint": "be8cd72ef6022cf065a51ad428593052579512000f5333d3dc13e60c0cc47d3d", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, \"_blank\", \"noopener,noreferrer\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|6|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/shims/electron-shell.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. 
Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 46701, "scanner": "repobility-threat-engine", "fingerprint": "f33d87d54891562c6ad44d2e41255fe71d5e1c4ca9c0fbeaf342cc566fe88d3c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"<your-token>\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f33d87d54891562c6ad44d2e41255fe71d5e1c4ca9c0fbeaf342cc566fe88d3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/(auth)/onboarding/setup-runner/local/components/SetupSteps.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. 
Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 46700, "scanner": "repobility-threat-engine", "fingerprint": "8d478f23d8a8ec4c500c00158bb44cd7f53162c3ad6b5e007dec1868d9975266", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"<your-token>\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8d478f23d8a8ec4c500c00158bb44cd7f53162c3ad6b5e007dec1868d9975266"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/auth/onboarding/setup-runner/local/components/SetupSteps.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 46699, "scanner": "repobility-threat-engine", "fingerprint": "cd7d2bd396a37eb94341defd3a21ebdb76ef7d1803fe551f020898d22197e5c2", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.location.href = response.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cd7d2bd396a37eb94341defd3a21ebdb76ef7d1803fe551f020898d22197e5c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/components/billing/CheckoutFlow.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 46698, "scanner": "repobility-threat-engine", "fingerprint": "8adc2b5903267111a2a525721b83f7fa33549af01ab3f30e471b8d34ccf07a74", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = fullUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8adc2b5903267111a2a525721b83f7fa33549af01ab3f30e471b8d34ccf07a74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/auth/login/OAuthButtons.tsx"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 46657, "scanner": "repobility-threat-engine", "fingerprint": "54f15260dfc139089fe96216acd1ebfb13f222d94edb5508961ff39d59a37645", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server {\n\tsrv := &http.Server{\n\t\tAddr:         cfg.Server.Address,\n\t\tHandler:      handler,\n\t\tR", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|54f15260dfc139089fe96216acd1ebfb13f222d94edb5508961ff39d59a37645"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/server/server.go"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 46635, "scanner": "repobility-threat-engine", "fingerprint": "dbf2760d822724f9c5ddd170d3490be3e9c10a1301b566b33eca30cd43f3b125", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|87|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/backfill-identifiers/users.go"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 46634, "scanner": "repobility-threat-engine", "fingerprint": "2f60422fe47c56e052e7665ff326aa9ed73f107b04b94390562260afdb27cba3", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|13|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/backfill-identifiers/audit.go"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 46633, "scanner": "repobility-threat-engine", "fingerprint": "3ff5e06902ad7afcab27a9d375c3546dc48d2ec172bd628bc2d54d91a76eff57", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|agentfile/eval/evaluator.go|16|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agentfile/eval/evaluator.go"}, "region": {"startLine": 16}}}]}, {"ruleId": "XSS001", "level": "warning", "message": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "properties": {"repobilityId": 13434, "scanner": "repobility", "fingerprint": "5842a37d302b1ec35bfdd67294b61fab", "category": "injection", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "dangerouslySetInnerHTML", "aljefra_cwe": ["CWE-79"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "react-dangerously-set-html"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/app/docs/faq/page.tsx"}, "region": {"startLine": 149}}}]}, {"ruleId": "XSS001", "level": "warning", "message": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "properties": {"repobilityId": 13433, "scanner": "repobility", "fingerprint": "87af7e2e23373adb406f9352ded693c7", "category": "injection", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "dangerouslySetInnerHTML", "aljefra_cwe": ["CWE-79"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "react-dangerously-set-html"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "web/src/app/blog/[slug]/page.tsx"}, "region": {"startLine": 73}}}]}, {"ruleId": "XSS001", "level": "warning", "message": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "properties": {"repobilityId": 13432, "scanner": "repobility", "fingerprint": "e6a161d377870d697bc8811dfaa10564", "category": "injection", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "dangerouslySetInnerHTML", "aljefra_cwe": ["CWE-79"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "react-dangerously-set-html"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/app/blog/page.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "XSS001", "level": "warning", "message": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "properties": {"repobilityId": 13431, "scanner": "repobility", "fingerprint": "6c28617f2f749415bfe1b55d87899fd4", "category": "injection", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "dangerouslySetInnerHTML", "aljefra_cwe": ["CWE-79"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "react-dangerously-set-html"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/app/page.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 7412, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": 
["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 7411, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 7410, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7398, "scanner": "repobility-journey-contract", "fingerprint": "96ea2480f02a2fa611af676f11c0de75534d3a7fb6ec4e27a5a0ea7e199c2d7a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/config/deployment", "correlation_key": "fp|96ea2480f02a2fa611af676f11c0de75534d3a7fb6ec4e27a5a0ea7e199c2d7a", "backend_endpoint_count": 412}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/lib/public-api.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7397, "scanner": "repobility-journey-contract", "fingerprint": "2ef831205a240dfeef948e7b1b0508be2160797237835a0c6697b3e09fac98bc", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/config/pricing", "correlation_key": "fp|2ef831205a240dfeef948e7b1b0508be2160797237835a0c6697b3e09fac98bc", "backend_endpoint_count": 412}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"clients/web/src/lib/public-api.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7396, "scanner": "repobility-journey-contract", "fingerprint": "58fcf36743fd6d33b659dada104f0ea114fb4699153269eaa9e5580c00fb81e8", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/users/search", "correlation_key": "fp|58fcf36743fd6d33b659dada104f0ea114fb4699153269eaa9e5580c00fb81e8", "backend_endpoint_count": 412}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/lib/api/user.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7395, "scanner": "repobility-journey-contract", "fingerprint": "da7fdc570a23236dad9ab5f97dbad007abfc0c2523903e27808daddb07528fa1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/runners/latest-release", "correlation_key": "fp|da7fdc570a23236dad9ab5f97dbad007abfc0c2523903e27808daddb07528fa1", "backend_endpoint_count": 412}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"clients/web/src/hooks/useLocalRunnerOnboarding.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7394, "scanner": "repobility-journey-contract", "fingerprint": "861539d0564915c6f5fb6ea704392d8ef8bdf64f4e798ac6034588f89360c78c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/push/preferences", "correlation_key": "fp|861539d0564915c6f5fb6ea704392d8ef8bdf64f4e798ac6034588f89360c78c", "backend_endpoint_count": 412}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/components/pwa/push-notification-store.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7393, "scanner": "repobility-journey-contract", "fingerprint": "07d24bbdace7c245568a488c927bbb95c734b20773f634f825ccc4496773e015", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/push/unsubscribe", "correlation_key": "fp|07d24bbdace7c245568a488c927bbb95c734b20773f634f825ccc4496773e015", "backend_endpoint_count": 412}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "clients/web/src/components/pwa/push-notification-store.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7392, "scanner": "repobility-journey-contract", "fingerprint": "92c02204742f0d429a0792b69e62e75a59bc5bb2de4c6a60eff2419b1e9d55bb", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/push/subscribe", "correlation_key": "fp|92c02204742f0d429a0792b69e62e75a59bc5bb2de4c6a60eff2419b1e9d55bb", "backend_endpoint_count": 412}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/components/pwa/push-notification-store.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7391, "scanner": "repobility-journey-contract", "fingerprint": "3b03c16a05fc2eabd4fa188e66a0539a0f12376bee2c1652415830f0a0947c05", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/repositories", "correlation_key": "fp|3b03c16a05fc2eabd4fa188e66a0539a0f12376bee2c1652415830f0a0947c05", "backend_endpoint_count": 412}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "clients/web/src/app/sitemap.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7390, "scanner": "repobility-journey-contract", "fingerprint": "f72e616132a11190cf2b75f63b00fd78b267fba8015da134372b5b5eab1987de", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/authentication", "correlation_key": "fp|f72e616132a11190cf2b75f63b00fd78b267fba8015da134372b5b5eab1987de", "backend_endpoint_count": 412}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/sitemap.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7389, "scanner": "repobility-journey-contract", "fingerprint": "dde1358489bd6af5abfbabbb8199c48575b940004763b70acd31743bb864d41a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/webhooks/mock/complete", "correlation_key": "fp|dde1358489bd6af5abfbabbb8199c48575b940004763b70acd31743bb864d41a", "backend_endpoint_count": 412}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"clients/web/src/app/mock-checkout/page.tsx"}, "region": {"startLine": 79}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7388, "scanner": "repobility-journey-contract", "fingerprint": "0e37822740ae4c24b64d10a37b2dd9b94555ce377c0b2d30fbb4433eb2df02f6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/webhooks/mock/session/{param}", "correlation_key": "fp|0e37822740ae4c24b64d10a37b2dd9b94555ce377c0b2d30fbb4433eb2df02f6", "backend_endpoint_count": 412}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/mock-checkout/page.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PATCH /:key/perpetual."}, "properties": {"repobilityId": 7385, "scanner": "repobility-access-control", "fingerprint": "792c6528ea7b0eca1631e1620defc19634a0131c5ea362c995e424fd7693b316", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:key/perpetual", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|30|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_pods.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PATCH /:key/alias."}, "properties": {"repobilityId": 7384, "scanner": "repobility-access-control", "fingerprint": "eb43bda99ddd1aa1cecd22c9c955bf668739432712da7f1080e1fb6be7e0e310", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:key/alias", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|29|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_pods.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /:relay_id."}, "properties": {"repobilityId": 7383, "scanner": "repobility-access-control", "fingerprint": "983c48fc36f67b61d691b2c902df5ccf43dd7e64216d62ecf9f6048f4b49d31f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:relay_id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|56|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /:relay_id."}, "properties": {"repobilityId": 7382, "scanner": "repobility-access-control", "fingerprint": "6d1150fdc4b0b1bd588c49a737dd4ea5086de0cc258237295816c31548056521", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:relay_id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|55|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 55}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /stats."}, "properties": {"repobilityId": 7381, "scanner": "repobility-access-control", "fingerprint": "17d41067801b22390364552a666702da659b41bfaa15dcd0d9392bd76ab441f4", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/stats", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|53|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 53}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /events."}, "properties": {"repobilityId": 7380, "scanner": "repobility-access-control", "fingerprint": "4b46fd2acd4b96996f5a418eca589d653d62194b85e08eb0cfc34e6852f18496", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|192|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/router.go"}, "region": {"startLine": 192}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /token."}, "properties": {"repobilityId": 7379, "scanner": "repobility-access-control", "fingerprint": "2a1120acbb272b80b5321c33c4880b689a29457b5abe2926efe80d5aa49e9d70", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/token", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|118|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runner/internal/relay/local_server_pod.go"}, "region": {"startLine": 118}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /pod."}, "properties": {"repobilityId": 7378, "scanner": "repobility-access-control", "fingerprint": "6b657f4e823780fe0c21b531e1ce76c7e41e45dd0e0b7ec792bc7562a2e24395", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/pod", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|117|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runner/internal/relay/local_server_pod.go"}, "region": {"startLine": 117}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /token."}, "properties": {"repobilityId": 7377, "scanner": "repobility-access-control", "fingerprint": "ca62dfe54561341e6c33d871a45d3b4a3d3d0d85a3491f33dd54bce8a0c375ba", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/token", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|124|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "relay/internal/server/handler.go"}, "region": {"startLine": 124}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /token."}, "properties": {"repobilityId": 7376, "scanner": "repobility-access-control", "fingerprint": "86cc7881e8a349e3f0ca58d4d6c7976cbdb2205a7b3e6fd81b46da94217c1ba3", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/token", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|60|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "relay/internal/server/handler.go"}, "region": {"startLine": 60}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /:id."}, "properties": {"repobilityId": 7375, "scanner": "repobility-access-control", "fingerprint": "6ae0e221ff70d89396f114d981d696f7cc9252988ea53507e9e93dae4ad307c3", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|20|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/apikey_routes.go"}, "region": {"startLine": 20}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from 
tenant/application admin access. Endpoint: PUT /settings."}, "properties": {"repobilityId": 7374, "scanner": "repobility-access-control", "fingerprint": "4cf65bd7b4a59fa0e01fc6d948d06334bbee08ea4958b0876baf56d996607fe4", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings", "method": "PUT", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|41|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_user.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /settings."}, "properties": {"repobilityId": 7373, "scanner": "repobility-access-control", "fingerprint": "1ba4188961d36fa51ff9df0d44707da8a1a303c129ac5500b19686d8d289a3c1", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|40|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_user.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /:key/grants/:grant_id."}, "properties": {"repobilityId": 7372, "scanner": "repobility-access-control", "fingerprint": "ef389e73e6160e4523112148f6471279837b319b88aa2d46211d90a32ccbcc33", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:key/grants/:grant_id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|35|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_pods.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /:key/grants."}, "properties": {"repobilityId": 7371, "scanner": "repobility-access-control", "fingerprint": "5c5b302b10afbf8c17292565125b98180517ca4cbd0683233a9f18ec8b8aefd4", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:key/grants", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|34|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_pods.go"}, "region": {"startLine": 34}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /:key/grants."}, "properties": {"repobilityId": 7370, "scanner": "repobility-access-control", "fingerprint": "5c43da4474db56f3abbb313144a3c0d88415c00040452acbe9faa7e562d091b7", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:key/grants", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|33|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_pods.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /register."}, "properties": {"repobilityId": 7369, "scanner": "repobility-access-control", "fingerprint": "0b82e3dd29de23aa3585e862b14ef8d780ae88d2d1b6a352edf797f5554370ce", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/register", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|50|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /admin_user_id."}, "properties": {"repobilityId": 7368, "scanner": "repobility-access-control", "fingerprint": "50919ff7d8ed5b484c07977318b61e3cd59ef12d3eea833ef462affc07ec643f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin_user_id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|61|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/middleware/admin.go"}, "region": {"startLine": 61}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /admin_user."}, "properties": {"repobilityId": 7367, "scanner": "repobility-access-control", "fingerprint": "04a83095aefa4a2cbc40ef23bd528057594a40e1cd34f38685015d593f333074", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/admin_user", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|51|cwe-285", "duplicate_count": 1, "identity_targets": ["unknown", "admin"], "duplicate_rule_ids": ["AUC004"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["04a83095aefa4a2cbc40ef23bd528057594a40e1cd34f38685015d593f333074", "364336ebff94137e63725ed793b9fc68373cd9e98ef77ce265dc6e1c8de8b715"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/middleware/admin.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 18.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 7356, "scanner": "repobility-access-control", "fingerprint": "a52a29b2d9104d78ecf39c48ec51f30484c471109381deb57abec9bf25418ef5", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 412, "correlation_key": "fp|a52a29b2d9104d78ecf39c48ec51f30484c471109381deb57abec9bf25418ef5", "auth_visible_percent": 18.4}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 7355, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js", "Gin"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `minio` image uses the latest tag"}, "properties": {"repobilityId": 7348, "scanner": "repobility-docker", "fingerprint": "73ff71023c8e2149a40c4ecffcce56d227cc9351647554d6985cb49587822598", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "pgsty/minio:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|73ff71023c8e2149a40c4ecffcce56d227cc9351647554d6985cb49587822598"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/selfhost/docker-compose.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `minio` image uses the latest tag"}, "properties": {"repobilityId": 7339, "scanner": "repobility-docker", "fingerprint": "43ebdd84fe810ce92397e88ed3c94056566a7b7765985ad4cfbebe8ecac1d9d3", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "pgsty/minio:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|43ebdd84fe810ce92397e88ed3c94056566a7b7765985ad4cfbebe8ecac1d9d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/onpremise/docker-compose.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 7330, "scanner": "repobility-docker", "fingerprint": "8d225b8574312183db276fced41872b1c81d18135a2d97eee68354394c66a8d8", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "runner-2", "variable": "ANTHROPIC_API_KEY", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|8d225b8574312183db276fced41872b1c81d18135a2d97eee68354394c66a8d8", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 188}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 7328, "scanner": "repobility-docker", "fingerprint": "6f57430dc97f7d4ac9d77b7caf511a350ff0d7f69a11e25a4d32cc3e71a83d80", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Environment variable name is secret-like and value is a 
committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "runner", "variable": "ANTHROPIC_API_KEY", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|6f57430dc97f7d4ac9d77b7caf511a350ff0d7f69a11e25a4d32cc3e71a83d80", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 7327, "scanner": "repobility-docker", "fingerprint": "d6cf25098e31965fa95cb25c7b0ab59f95ebb9e384a75e0e3829551ae9c1a0d6", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "adminer", "dependency": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|d6cf25098e31965fa95cb25c7b0ab59f95ebb9e384a75e0e3829551ae9c1a0d6", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `adminer` image uses the latest tag"}, "properties": {"repobilityId": 7324, "scanner": "repobility-docker", "fingerprint": "abdf2f0ffe9ee684565389469507e656ce7b6de2e50003620a1d9c324ea4a380", "category": "docker", "severity": "medium", "confidence": 
0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "adminer:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|abdf2f0ffe9ee684565389469507e656ce7b6de2e50003620a1d9c324ea4a380"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 7320, "scanner": "repobility-docker", "fingerprint": "4f5ffbf38abba18a6b5219166bb1042e6fa4ab8e71e262ae155630dfcda54e12", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "minio", "variable": "MINIO_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|4f5ffbf38abba18a6b5219166bb1042e6fa4ab8e71e262ae155630dfcda54e12", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `minio` image uses the latest tag"}, "properties": {"repobilityId": 7319, "scanner": "repobility-docker", "fingerprint": 
"4770599416f73e51883193e8966ed335e0eef3eabe808dd19ece200154d519e2", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "pgsty/minio:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4770599416f73e51883193e8966ed335e0eef3eabe808dd19ece200154d519e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 7317, "scanner": "repobility-docker", "fingerprint": "c1ffbda1a29742c090cc8a1d79ad39963e904e34d6681cb31e8601234cf3ed3b", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|c1ffbda1a29742c090cc8a1d79ad39963e904e34d6681cb31e8601234cf3ed3b", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": 
"[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 7315, "scanner": "repobility-threat-engine", "fingerprint": "d8d2a7c7ac8c7d9fc7cae6b0927a43696857fa3de924e625c340ac0dc5fb1268", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d8d2a7c7ac8c7d9fc7cae6b0927a43696857fa3de924e625c340ac0dc5fb1268"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/electron-adapter/src/auth.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 7306, "scanner": "repobility-agent-runtime", "fingerprint": "548d901a5016adbab5c0fd639bc516d9588b35116fe4e8f8389469d1080abe78", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|548d901a5016adbab5c0fd639bc516d9588b35116fe4e8f8389469d1080abe78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/docs/tutorials/runner-setup/_sections/UpdateMethods.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 7305, "scanner": "repobility-agent-runtime", "fingerprint": 
"7decd0f6320b2c611b408f73ea28194f40e25c3a836d82868eb8123cdb8a437c", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7decd0f6320b2c611b408f73ea28194f40e25c3a836d82868eb8123cdb8a437c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/docs/getting-started/page.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 7304, "scanner": "repobility-agent-runtime", "fingerprint": "a67fd80a70f4daf45768bf75f197955403f89a4baa8c82d8f23d603d29a0269d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a67fd80a70f4daf45768bf75f197955403f89a4baa8c82d8f23d603d29a0269d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/(dashboard)/[org]/runners/components/AddRunnerModal.tsx"}, "region": {"startLine": 109}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 7303, "scanner": "repobility-agent-runtime", "fingerprint": "2c6f307dc35d008eba6ae29ec52911d25947e98295d51eec7e7868db634e55c5", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File 
contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|2c6f307dc35d008eba6ae29ec52911d25947e98295d51eec7e7868db634e55c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/(auth)/onboarding/setup-runner/local/components/SetupSteps.tsx"}, "region": {"startLine": 89}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 7302, "scanner": "repobility-agent-runtime", "fingerprint": "9eb143d655a51348d98ac641e1a6f204c5de815620498308711d8aba7c7d9f5e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9eb143d655a51348d98ac641e1a6f204c5de815620498308711d8aba7c7d9f5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/auth/onboarding/setup-runner/local/components/SetupSteps.tsx"}, "region": {"startLine": 89}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 7301, "scanner": "repobility-agent-runtime", "fingerprint": "d2cbbbbf824f2dca17933c9aa8e098af57a062224edb00bfeee0397493f78510", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": 
"repobility-agent-runtime", "references": [], "correlation_key": "fp|d2cbbbbf824f2dca17933c9aa8e098af57a062224edb00bfeee0397493f78510"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7300, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa70d3cf8b02b5b407e507918ca746ef9a8fff8bc7517eb3de802b8fb21fa406", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/runner_grants.go", "duplicate_line": 83, "correlation_key": "fp|aa70d3cf8b02b5b407e507918ca746ef9a8fff8bc7517eb3de802b8fb21fa406"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/runners_crud.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7299, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cbcf6809f1a18a82769f6ae4cd5daa31b7d5b44288c1a464be480f4da1b443ac", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/repositories_branches.go", "duplicate_line": 42, "correlation_key": 
"fp|cbcf6809f1a18a82769f6ae4cd5daa31b7d5b44288c1a464be480f4da1b443ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/repository_grants.go"}, "region": {"startLine": 83}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7298, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f73376ee4ea8c93b249f3ba08612b5cab1454f30c8d98efddda9053508324544", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/repositories_crud.go", "duplicate_line": 124, "correlation_key": "fp|f73376ee4ea8c93b249f3ba08612b5cab1454f30c8d98efddda9053508324544"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/repositories_webhook.go"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7297, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5bab249af27fe0e3c317f85abf8580783fe818d5e567a7a3b6f268aa7149d401", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/repositories_branches.go", "duplicate_line": 42, "correlation_key": "fp|5bab249af27fe0e3c317f85abf8580783fe818d5e567a7a3b6f268aa7149d401"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/repositories_crud.go"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7296, "scanner": "repobility-ai-code-hygiene", "fingerprint": "935aa1d9164dc16dde0dd84f4d15b7cd795b2deb4e6ef628d2c3e195bbe90171", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/admin/promo_codes.go", "duplicate_line": 59, "correlation_key": "fp|935aa1d9164dc16dde0dd84f4d15b7cd795b2deb4e6ef628d2c3e195bbe90171"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/promocode.go"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7295, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ab6288fab804aafba85f3780675efcc686fb4076efdf0feb95423b51379a519", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/pod_actions.go", "duplicate_line": 13, "correlation_key": "fp|3ab6288fab804aafba85f3780675efcc686fb4076efdf0feb95423b51379a519"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"backend/internal/api/rest/v1/pod_commands.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7294, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47f9e55ce629129748d52b8d07067a26827207aa0ed6331d5ba64a431d54c42d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/pod_actions.go", "duplicate_line": 13, "correlation_key": "fp|47f9e55ce629129748d52b8d07067a26827207aa0ed6331d5ba64a431d54c42d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/pod_alias.go"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7293, "scanner": "repobility-ai-code-hygiene", "fingerprint": "73411583e721ebbc66b9667544ede475d3fe0169b3c0e485606d500ee41161e1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/organizations_crud.go", "duplicate_line": 77, "correlation_key": "fp|73411583e721ebbc66b9667544ede475d3fe0169b3c0e485606d500ee41161e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/organizations_members.go"}, "region": {"startLine": 49}}}]}, 
{"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "696ffe8a86458643948aa6bde17c8247b6f4b3efd839c0465f8d2fbc127b7a26", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/channel_members.go", "duplicate_line": 13, "correlation_key": "fp|696ffe8a86458643948aa6bde17c8247b6f4b3efd839c0465f8d2fbc127b7a26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/messages_query.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e8f18f8c3b20eaffa41239bd75208d450e0eb5523abf10a1f49f9307334fdcfe", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/channel_members.go", "duplicate_line": 13, "correlation_key": "fp|e8f18f8c3b20eaffa41239bd75208d450e0eb5523abf10a1f49f9307334fdcfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/messages_dlq.go"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file 
appears unreferenced"}, "properties": {"repobilityId": 7288, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dddb98889b2eab6cdb8529109354643b87f3f42170e2b7a36f0bc49b512d3420", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|dddb98889b2eab6cdb8529109354643b87f3f42170e2b7a36f0bc49b512d3420"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/loop/loop_service_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 7287, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30f4d83449446f3d37945b783315a20341b118750e0132a56b0f3497928c4ee4", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "backup", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "runner/internal/updater/updater.go", "correlation_key": "fp|30f4d83449446f3d37945b783315a20341b118750e0132a56b0f3497928c4ee4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runner/internal/updater/updater_backup.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 7283, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "fef7f8eb77cda0f91b1a511e9fa41158f0a77f7f22f5457ede033f7ea4fe321a", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "update", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "backend/internal/service/loop/loop_service.go", "correlation_key": "fp|fef7f8eb77cda0f91b1a511e9fa41158f0a77f7f22f5457ede033f7ea4fe321a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/loop/loop_service_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46755, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70296e2e1918f5639f675a4c5864a9b8704abe82dc12220e698b16aef3177acc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/domain/apikey/apikey.go", "duplicate_line": 38, "correlation_key": "fp|70296e2e1918f5639f675a4c5864a9b8704abe82dc12220e698b16aef3177acc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/domain/billing/subscription.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46754, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"af11be8ed8df352a96f68f0445aad47d0a71d2d42db7754f39cc070d66025153", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/domain/apikey/apikey.go", "duplicate_line": 38, "correlation_key": "fp|af11be8ed8df352a96f68f0445aad47d0a71d2d42db7754f39cc070d66025153"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/domain/billing/plan.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46753, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5fce5722ec86460973a7e83c9e529bde5fac223d6499c0d7c0e1df9623b627b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/domain/apikey/apikey.go", "duplicate_line": 38, "correlation_key": "fp|5fce5722ec86460973a7e83c9e529bde5fac223d6499c0d7c0e1df9623b627b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/domain/billing/order.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46752, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6ea56b83f33d3310a7a3083a545c0d2aefeb683f644d104e5ac21b2c50bbaab3", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/domain/apikey/apikey.go", "duplicate_line": 38, "correlation_key": "fp|6ea56b83f33d3310a7a3083a545c0d2aefeb683f644d104e5ac21b2c50bbaab3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/domain/billing/invoice.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46751, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22b57a442cb846eeca980c7e166e8dcfaa63aa952cc3d7625b90ee30e2a018c9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/domain/agent/agent.go", "duplicate_line": 38, "correlation_key": "fp|22b57a442cb846eeca980c7e166e8dcfaa63aa952cc3d7625b90ee30e2a018c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/domain/agent/message.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46750, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0319115a1626335f92d8c215cb385c08182a90f46bb9f5062ded661f183d0de0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in 
two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/repositories_branches.go", "duplicate_line": 11, "correlation_key": "fp|0319115a1626335f92d8c215cb385c08182a90f46bb9f5062ded661f183d0de0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/repositories_crud.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46749, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c53ae72881593a9f073fbb264c6a31f6f35d201591ce3c3d7e755c85570363c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/ticket/ticket_mount.go", "duplicate_line": 2, "correlation_key": "fp|4c53ae72881593a9f073fbb264c6a31f6f35d201591ce3c3d7e755c85570363c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/ticket_relations/ticket_relations_mount.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46748, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa4233a481a6fee71b8854b3e1301fb88cec3b2f4333bb69d09081977fe07721", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/repository/repository_convert.go", "duplicate_line": 127, "correlation_key": "fp|aa4233a481a6fee71b8854b3e1301fb88cec3b2f4333bb69d09081977fe07721"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/ticket_relations/ticket_relations_convert.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46747, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83d20bac5fb009b4032698e947d7036c15eefb00efdd51f5b5770ceb3ed4bfdb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/extension/repo_skill_upload.go", "duplicate_line": 68, "correlation_key": "fp|83d20bac5fb009b4032698e947d7036c15eefb00efdd51f5b5770ceb3ed4bfdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/support_ticket/support_ticket_attachments.go"}, "region": {"startLine": 130}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46746, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff5b274ef3ae2fdea99a4048710c3874bcaf492c16c8216f1819e500e2f04acf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/runner/handlers_crud.go", "duplicate_line": 59, "correlation_key": "fp|ff5b274ef3ae2fdea99a4048710c3874bcaf492c16c8216f1819e500e2f04acf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/runner/handlers_ops.go"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46745, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7efe907cc0246dc8401f264a418363130c87d265d197adde992943e10f933a2a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/pod/connection.go", "duplicate_line": 23, "correlation_key": "fp|7efe907cc0246dc8401f264a418363130c87d265d197adde992943e10f933a2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/pod/queries.go"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46744, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d3dbf7c6233e98e05cfd5746d6766be69922d2e39027499cc3e863dda160fc60", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "backend/internal/api/connect/pod/connection.go", "duplicate_line": 22, "correlation_key": "fp|d3dbf7c6233e98e05cfd5746d6766be69922d2e39027499cc3e863dda160fc60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/pod/mutations.go"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46743, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b6edc763d55bf3d7745566b78824f3d3cb670817c629e572de01f5358bfa47c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/agent/agent_convert_custom.go", "duplicate_line": 21, "correlation_key": "fp|b6edc763d55bf3d7745566b78824f3d3cb670817c629e572de01f5358bfa47c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/org/org.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46742, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c91576cd0bf0e578319d65d09a35a73ef8a99d60e7d85ca92cd0f17e9aaa284", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/invitation/invitation_errors.go", "duplicate_line": 
11, "correlation_key": "fp|5c91576cd0bf0e578319d65d09a35a73ef8a99d60e7d85ca92cd0f17e9aaa284"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/org/org.go"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46741, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2a12412fe852a45045ec843c9905feb626904076854e4b67e87a0609709f8ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/loop/loop.go", "duplicate_line": 143, "correlation_key": "fp|b2a12412fe852a45045ec843c9905feb626904076854e4b67e87a0609709f8ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/loop/loop_runs.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46740, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5f963a9c8f43e2de8520ee05c8229be4b8c0710742713183007cd63794d4991", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/loop/loop_actions.go", "duplicate_line": 61, "correlation_key": "fp|d5f963a9c8f43e2de8520ee05c8229be4b8c0710742713183007cd63794d4991"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/loop/loop_runs.go"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46739, "scanner": "repobility-ai-code-hygiene", "fingerprint": "595a9375621ec0698f79869346e368de3804475b735c98e27ac0f708eb42bf20", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/loop/loop.go", "duplicate_line": 143, "correlation_key": "fp|595a9375621ec0698f79869346e368de3804475b735c98e27ac0f708eb42bf20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/loop/loop_actions.go"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46738, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eeffa6393faf54672f950ac8f82280d95eaadb010c43bc953325d9054bee542f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/agent/agent_convert_custom.go", "duplicate_line": 21, "correlation_key": "fp|eeffa6393faf54672f950ac8f82280d95eaadb010c43bc953325d9054bee542f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"backend/internal/api/connect/invitation/invitation_errors.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46737, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6aeaeca7c13ddc23df4282155d1919045e9cd0af816ff933b219561509fcac2c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/admin/skill_registry/server.go", "duplicate_line": 24, "correlation_key": "fp|6aeaeca7c13ddc23df4282155d1919045e9cd0af816ff933b219561509fcac2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/extension/skill_registry.go"}, "region": {"startLine": 189}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46736, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1dbbd6d6a70e821b98dbf4109ad25d74079e6faea15ada0e8e8ae5f85abaf8f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/apikey/apikey_errors.go", "duplicate_line": 11, "correlation_key": "fp|1dbbd6d6a70e821b98dbf4109ad25d74079e6faea15ada0e8e8ae5f85abaf8f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"backend/internal/api/connect/extension/skill_registry.go"}, "region": {"startLine": 164}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46735, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da2a77d53e6968eda26ddce36589b987a0d080be37a723b202777027788da9f2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/agent/agent_convert_custom.go", "duplicate_line": 19, "correlation_key": "fp|da2a77d53e6968eda26ddce36589b987a0d080be37a723b202777027788da9f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/extension/skill_registry.go"}, "region": {"startLine": 161}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46734, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c0a4065168e25179556d5ac5abf5cea9a019578818ed8075c6ca143ae33753ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/binding/binding_lifecycle.go", "duplicate_line": 49, "correlation_key": "fp|c0a4065168e25179556d5ac5abf5cea9a019578818ed8075c6ca143ae33753ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/binding/binding_scopes.go"}, 
"region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46733, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4451b9b4f7284bd114409e0eb681b5c7c697a2863ffbde684888059e0510d50a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/binding/binding_lifecycle.go", "duplicate_line": 104, "correlation_key": "fp|4451b9b4f7284bd114409e0eb681b5c7c697a2863ffbde684888059e0510d50a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/binding/binding_query.go"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46732, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0707a45d1229b1a8d737c5990732147ad5f7c48e84fa66cfb297b3390011f2b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/agent/agent_convert_custom.go", "duplicate_line": 20, "correlation_key": "fp|b0707a45d1229b1a8d737c5990732147ad5f7c48e84fa66cfb297b3390011f2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/apikey/apikey_errors.go"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": 
"note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46731, "scanner": "repobility-ai-code-hygiene", "fingerprint": "360442d7599eced5aef4347aa1f92568600d36940ef1ff09075c0f4ffd2f2cdc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/admin/sso/handlers_query.go", "duplicate_line": 12, "correlation_key": "fp|360442d7599eced5aef4347aa1f92568600d36940ef1ff09075c0f4ffd2f2cdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/support_ticket/handlers_query.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46730, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3fe3c9c773e64b3b39fdfd6a478cda9d259b0403ba9f78870c069e1f18e45cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/admin/audit.go", "duplicate_line": 2, "correlation_key": "fp|c3fe3c9c773e64b3b39fdfd6a478cda9d259b0403ba9f78870c069e1f18e45cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/support_ticket/audit.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block 
across source files"}, "properties": {"repobilityId": 46729, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b78c2a783dcc8417acb97b9c95a35f4b4069e7941ba0e7886d0f7b1ee18707d4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/admin/audit.go", "duplicate_line": 2, "correlation_key": "fp|b78c2a783dcc8417acb97b9c95a35f4b4069e7941ba0e7886d0f7b1ee18707d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/subscription/audit.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46728, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8857ca3c4f69c3369293df3a0e78bc79517fa112af8cd49520db268cb5ed808", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/connect/admin/audit.go", "duplicate_line": 2, "correlation_key": "fp|f8857ca3c4f69c3369293df3a0e78bc79517fa112af8cd49520db268cb5ed808"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/sso/audit.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 46660, "scanner": 
"repobility-threat-engine", "fingerprint": "3aca87ecac826b7f6645ff34987b7241e98cbc23badfc95a23b36eb2c70a6a2c", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = c.ShouldBindJSON(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3aca87ecac826b7f6645ff34987b7241e98cbc23badfc95a23b36eb2c70a6a2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/loop_handler_actions.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 46659, "scanner": "repobility-threat-engine", "fingerprint": "a3f9925ec8cf1f8ff3b7aee69e8913fe69b35c7b9106dc270b43a5f0b5079f8b", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = url.Parse(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a3f9925ec8cf1f8ff3b7aee69e8913fe69b35c7b9106dc270b43a5f0b5079f8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/auth_sso.go"}, "region": {"startLine": 83}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 46658, "scanner": "repobility-threat-engine", "fingerprint": "56be179c27e98731c546957530d759b6e35c6b63a4d2bacb54663b848a53a908", "category": "error_handling", "severity": "low", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = worker.SyncSingle(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|56be179c27e98731c546957530d759b6e35c6b63a4d2bacb54663b848a53a908"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/connect/admin/skill_registry/handlers_mutations.go"}, "region": {"startLine": 87}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22174, "scanner": "repobility", "fingerprint": "b621bac7b093aa7af735282450730f03", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "TODO: Implement", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/app/(auth)/onboarding/page.tsx"}, "region": {"startLine": 84}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22059, "scanner": "repobility", "fingerprint": "18fd02af33d1c1763233600dfd549ab1", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "test@test.", "aljefra_cwe": ["CWE-1392", "CWE-798"], "aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/stores/__tests__/pod-guards.test.ts"}, "region": {"startLine": 248}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22058, 
"scanner": "repobility", "fingerprint": "ee908a6ee9ca3a4a7dcb85f7e50ec721", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "test@test.", "aljefra_cwe": ["CWE-1392", "CWE-798"], "aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/stores/__tests__/pod-guards.test.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 7409, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 7408, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": 
"fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 7407, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 7406, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, 
"properties": {"repobilityId": 7346, "scanner": "repobility-docker", "fingerprint": "bc1018b7fca8f4cfd1c3bbc5f349217e1db5f2760c31309f052a308e18c96b99", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "web-admin", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bc1018b7fca8f4cfd1c3bbc5f349217e1db5f2760c31309f052a308e18c96b99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/onpremise/docker-compose.yml"}, "region": {"startLine": 207}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 7345, "scanner": "repobility-docker", "fingerprint": "034575f297109d6c9b38dfb44f9cf4f8f9768b430d1646135110426785d5d850", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "web-admin", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|034575f297109d6c9b38dfb44f9cf4f8f9768b430d1646135110426785d5d850"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/onpremise/docker-compose.yml"}, "region": {"startLine": 207}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 7337, "scanner": "repobility-docker", "fingerprint": "8a88acc5041439005f6667c5f5e1f9e8ea29669ed2335ed5802e9f8e2cb1d7d9", "category": "docker", "severity": "low", 
"confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8a88acc5041439005f6667c5f5e1f9e8ea29669ed2335ed5802e9f8e2cb1d7d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/onpremise/docker-compose.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 7336, "scanner": "repobility-docker", "fingerprint": "28621e54b937a119d5dba7f943aed1d87f29e728efda31936b899242f1d3acc3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|28621e54b937a119d5dba7f943aed1d87f29e728efda31936b899242f1d3acc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 275}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 7335, "scanner": "repobility-docker", "fingerprint": "24b71f83ffc99708ff39f5a7b9a7aeb0e07d8dd80e96c9e90060e4ac4aa86077", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": 
{"rule_id": "DKC006", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|24b71f83ffc99708ff39f5a7b9a7aeb0e07d8dd80e96c9e90060e4ac4aa86077"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 275}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 7334, "scanner": "repobility-docker", "fingerprint": "c70c28e526949ac579abb629487b38efed08be03241cb03ce601f46f4dd73662", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c70c28e526949ac579abb629487b38efed08be03241cb03ce601f46f4dd73662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 258}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 7333, "scanner": "repobility-docker", "fingerprint": "84c3a44db20518f0c0b85b24048e07616be385c9ff043ff025e48bd65a9e7e39", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|84c3a44db20518f0c0b85b24048e07616be385c9ff043ff025e48bd65a9e7e39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 258}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 7331, "scanner": "repobility-docker", "fingerprint": "384cb414d435ce9df085c94c25a8fa8e21961f52e43340e963e0ea30a7ca22d2", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "runner-2", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|384cb414d435ce9df085c94c25a8fa8e21961f52e43340e963e0ea30a7ca22d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 188}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 7329, "scanner": "repobility-docker", "fingerprint": "15534715885f328b44bf51fbc40fc70343195cc3517fb02609c3e61107db2534", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "runner", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|15534715885f328b44bf51fbc40fc70343195cc3517fb02609c3e61107db2534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "DKC010", 
"level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 7326, "scanner": "repobility-docker", "fingerprint": "3df5aa51d26b7d4ebf3cdd031eb8ef8ae51fbda22281a5b021f869b7d06c9a82", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "adminer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3df5aa51d26b7d4ebf3cdd031eb8ef8ae51fbda22281a5b021f869b7d06c9a82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 7325, "scanner": "repobility-docker", "fingerprint": "3df57e7d06a1e8bcd4166569f552d22785c9cf2c253d0e970c8b722a122f3743", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "adminer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3df57e7d06a1e8bcd4166569f552d22785c9cf2c253d0e970c8b722a122f3743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 7323, "scanner": "repobility-docker", "fingerprint": 
"0e454514b43e2a3c58dfbf19749e45db6b46085168e6a4542a593afb7159a7c0", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "gitea", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0e454514b43e2a3c58dfbf19749e45db6b46085168e6a4542a593afb7159a7c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 7322, "scanner": "repobility-docker", "fingerprint": "e17e113e766ede7a72d05b4de9ea4f7e2afd01e6e47e22fedc71ce500cb3d59b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "gitea", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e17e113e766ede7a72d05b4de9ea4f7e2afd01e6e47e22fedc71ce500cb3d59b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 7316, "scanner": "repobility-docker", "fingerprint": "c6bb00e03e1261621d132dc65338ea4e760775a05b97070d2611806dc4d64213", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service 
has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c6bb00e03e1261621d132dc65338ea4e760775a05b97070d2611806dc4d64213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 7309, "scanner": "repobility-threat-engine", "fingerprint": "bfc9eb9336ec7b530efa3d36754d4ca41ca040374ad6068f206d39a6104bb9ae", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = c.addSubscriberInternal(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bfc9eb9336ec7b530efa3d36754d4ca41ca040374ad6068f206d39a6104bb9ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "relay/internal/channel/channel_lifecycle.go"}, "region": {"startLine": 13}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 7308, "scanner": "repobility-threat-engine", "fingerprint": "318a6df10912b36d6d744e37af001e98ae77407e258e82c1ed36bf5fdfd72bbb", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = conn.Close(", "reason": "Pattern matched with no mitigating context found", "rule_id": 
"ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|318a6df10912b36d6d744e37af001e98ae77407e258e82c1ed36bf5fdfd72bbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "relay/internal/channel/channel_events.go"}, "region": {"startLine": 46}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 7307, "scanner": "repobility-threat-engine", "fingerprint": "a02a89e62a5828691989c6d9e95ac5b9687d76d961585d1cebb9829af0b893e0", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = conn.SetWriteDeadline(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a02a89e62a5828691989c6d9e95ac5b9687d76d961585d1cebb9829af0b893e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "relay/internal/channel/channel.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e51ea74ec707db659a9053de34b8ba2d2eb0517bd42cdf02d70eef0449570487", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/rest/v1/auth_sso_oidc.go", "duplicate_line": 13, "correlation_key": "fp|e51ea74ec707db659a9053de34b8ba2d2eb0517bd42cdf02d70eef0449570487"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/auth_sso_saml.go"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7289, "scanner": "repobility-ai-code-hygiene", "fingerprint": "acb0d316c42498610c0a62dbc504f5f8b2a8decdae7e95e39c247feb06609292", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/internal/api/grpc/runner_adapter_mcp_channel.go", "duplicate_line": 127, "correlation_key": "fp|acb0d316c42498610c0a62dbc504f5f8b2a8decdae7e95e39c247feb06609292"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/grpc/runner_adapter_mcp_channel_msg.go"}, "region": {"startLine": 208}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 7286, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d3779305e269dad09b18724a10dab175468702ccf7bc6103901d85dee20f267e", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|d3779305e269dad09b18724a10dab175468702ccf7bc6103901d85dee20f267e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/user/repository_provider_update.go"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 7285, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76db54c811626501675adfc21589d64365b07abd15f69218285af1f953e1f44a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|76db54c811626501675adfc21589d64365b07abd15f69218285af1f953e1f44a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/ticket/ticket_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 7284, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3b03c6318d8094ca2b664feb580063973d1f3e14d5db592776c3a1455e02538", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c3b03c6318d8094ca2b664feb580063973d1f3e14d5db592776c3a1455e02538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/sso/config_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 7282, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"70ae9360cfb4747eddeaadc2fe5f7f31481a9ef1573f3463096f4ebc2b6025e5", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|70ae9360cfb4747eddeaadc2fe5f7f31481a9ef1573f3463096f4ebc2b6025e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/blockstore/ref_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 7281, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e4ebf0e8eb670ec8454c6a9bee3ee0c881a6d6d28922ac5a514b51c7ac9eb41", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|3e4ebf0e8eb670ec8454c6a9bee3ee0c881a6d6d28922ac5a514b51c7ac9eb41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/blockstore/block_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 7280, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be5dbda2ac5f5f5967416f263aa69a8b7c9832a338df0d8a890f236994847227", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style 
suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|be5dbda2ac5f5f5967416f263aa69a8b7c9832a338df0d8a890f236994847227"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/apikey/apikey_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 7279, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6888ccd36fa30a7eb6dc2818e31d72d0ffb5341138f5236c7545c56ef6aeca99", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|6888ccd36fa30a7eb6dc2818e31d72d0ffb5341138f5236c7545c56ef6aeca99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/agentpod/pod_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 7278, "scanner": "repobility-ai-code-hygiene", "fingerprint": "960a5e006b945bef090454b61def458c5bf9903da86be1a852fac82ccf01ba57", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|960a5e006b945bef090454b61def458c5bf9903da86be1a852fac82ccf01ba57"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/agent/credential_profile_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 46725, "scanner": "repobility-threat-engine", "fingerprint": "9b4f0b2a7b3d14b5db63eef047c6e60957f9c8901ffba4fc5785b8071183e055", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b4f0b2a7b3d14b5db63eef047c6e60957f9c8901ffba4fc5785b8071183e055"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/docs/concepts/agentfile/_sections/DeclarationKeywords.tsx"}, "region": {"startLine": 154}}}]}, {"ruleId": "SEC019", "level": "none", "message": {"text": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. 
Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files."}, "properties": {"repobilityId": 46724, "scanner": "repobility-threat-engine", "fingerprint": "f36a03251d46099f7d1837e45671d061741792f62ab30605134e190a745426c4", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "Authorization: Bearer <redacted>", "reason": "Safe context pattern detected", "rule_id": "SEC019", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|4|authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/docs/api/authentication/page.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 46723, "scanner": "repobility-threat-engine", "fingerprint": "b00d577a1057957f67ad2302cbc95a6a91a9ef4fe2a39ce058aadf87e6fd4ded", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b00d577a1057957f67ad2302cbc95a6a91a9ef4fe2a39ce058aadf87e6fd4ded", "aggregated_count": 4}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 46722, "scanner": "repobility-threat-engine", "fingerprint": "b5ea0aa50a702bbf3dcc22cbfdb85932596243ef96d14110adc1f2c97f17e7ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b5ea0aa50a702bbf3dcc22cbfdb85932596243ef96d14110adc1f2c97f17e7ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/docs/faq/page.tsx"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 46721, "scanner": "repobility-threat-engine", "fingerprint": "c881a881ae4746729909ba6e5287d00230949af9dfa949cbbe516361aec3825d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c881a881ae4746729909ba6e5287d00230949af9dfa949cbbe516361aec3825d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/blog/page.tsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 46720, "scanner": "repobility-threat-engine", "fingerprint": "23870e0640e6e13a1b77a1c9dc967bbd9ef7ce640eb3e35792fe7dc104f368d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23870e0640e6e13a1b77a1c9dc967bbd9ef7ce640eb3e35792fe7dc104f368d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/blog/[slug]/page.tsx"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 46717, "scanner": "repobility-threat-engine", "fingerprint": "1e02fc284a468f612f17b94541bf979026303881e4ded5362d607505c584d9cb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1e02fc284a468f612f17b94541bf979026303881e4ded5362d607505c584d9cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web-admin/src/app/(dashboard)/organizations/[id]/_components/use-subscription-actions.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 46715, "scanner": "repobility-threat-engine", "fingerprint": "e4cf1ae882258af2794391576f18dc3b23cf0b85086378e8d928ac6a7e188d34", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4cf1ae882258af2794391576f18dc3b23cf0b85086378e8d928ac6a7e188d34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"clients/desktop/src/renderer/shims/electron-shell.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 46714, "scanner": "repobility-threat-engine", "fingerprint": "f5d7d134f03e0f1f3a73956b421aac4932a2139e2cd36559e91ac086592dd498", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5d7d134f03e0f1f3a73956b421aac4932a2139e2cd36559e91ac086592dd498"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/shims/electron-ipc.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 46713, "scanner": "repobility-threat-engine", "fingerprint": "53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "aggregated_count": 7}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46712, "scanner": "repobility-threat-engine", "fingerprint": "37f7e7a990123aa97da9ed07b01bcb51272c00e3a88d636240bcd7239f9c2cfc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37f7e7a990123aa97da9ed07b01bcb51272c00e3a88d636240bcd7239f9c2cfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/e2e-playwright/pages/modals/create-pod.modal.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46711, "scanner": "repobility-threat-engine", "fingerprint": "de24c1d1ea5c1e71113c133f3c0b6aa80af7f9046a2b09da11701e9f0e0188dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de24c1d1ea5c1e71113c133f3c0b6aa80af7f9046a2b09da11701e9f0e0188dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/dashboard/repository-detail/components/capabilities/MarketTab.tsx"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46710, "scanner": "repobility-threat-engine", "fingerprint": "c50b57c7ebc0d6cb72f694ba5ed706414fcc6f096b366aeabc1fa0b4e015e8b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c50b57c7ebc0d6cb72f694ba5ed706414fcc6f096b366aeabc1fa0b4e015e8b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/dashboard/repository-detail/components/capabilities/EditMcpEnvVarsDialog.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 46709, "scanner": "repobility-threat-engine", "fingerprint": "083c83d3dbef3a6ec3bd0e13c37238fca8e9a4f708de1c372301f0d80a845d42", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|083c83d3dbef3a6ec3bd0e13c37238fca8e9a4f708de1c372301f0d80a845d42", "aggregated_count": 30}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 46708, "scanner": "repobility-threat-engine", "fingerprint": "2a3eb0727afc116b4d0b28353df97f39bb8613db0e552695b5cc6332430705d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a3eb0727afc116b4d0b28353df97f39bb8613db0e552695b5cc6332430705d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/support/SupportPage.tsx"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 46707, "scanner": "repobility-threat-engine", "fingerprint": 
"fd266bdd1571d30f6c09339b8fa1fb46f4633c98209a4718294de4de225c9440", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd266bdd1571d30f6c09339b8fa1fb46f4633c98209a4718294de4de225c9440"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/dashboard/repository-detail/components/capabilities/EditMcpEnvVarsDialog.tsx"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 46706, "scanner": "repobility-threat-engine", "fingerprint": "93c552f427d1dd349a59baa62e9c465e1b38bbe78b1efeae582997e36a631817", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|93c552f427d1dd349a59baa62e9c465e1b38bbe78b1efeae582997e36a631817"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"clients/desktop/src/renderer/pages/dashboard/repository-detail/components/capabilities/CustomTab.tsx"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED012", "level": "none", "message": {"text": "[MINED012] Curl Pipe Bash (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 46705, "scanner": "repobility-threat-engine", "fingerprint": "3dceda26bcc2e437df7269e65014fb642b284d5a6e62b28b9f3f1adf98efcb3f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3dceda26bcc2e437df7269e65014fb642b284d5a6e62b28b9f3f1adf98efcb3f", "aggregated_count": 3}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 46697, "scanner": "repobility-threat-engine", "fingerprint": "1bb93c00b2cf787264989c2e93eb87d205274ef4f3febbbc4adafa6242027646", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1bb93c00b2cf787264989c2e93eb87d205274ef4f3febbbc4adafa6242027646"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/core/crates/logging/src/sinks/file.rs"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 46696, "scanner": "repobility-threat-engine", "fingerprint": "23d59a64a9d16993d513982f4fde60e8156bd5cab687415bb6262890b472cd55", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23d59a64a9d16993d513982f4fde60e8156bd5cab687415bb6262890b472cd55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/core/crates/local-runner/src/service.rs"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 46695, "scanner": "repobility-threat-engine", "fingerprint": "30767e91b73f2b7f156ad96e0105bde90f8f88c953109768c65da6103e8fca43", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30767e91b73f2b7f156ad96e0105bde90f8f88c953109768c65da6103e8fca43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/core/crates/local-runner/src/lib.rs"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 46694, "scanner": "repobility-threat-engine", "fingerprint": "f2bf68dbf6d5f27d881fbdf44465eef3a6c230779270894ac9898491470c27b0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f2bf68dbf6d5f27d881fbdf44465eef3a6c230779270894ac9898491470c27b0", "aggregated_count": 6}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 46693, "scanner": "repobility-threat-engine", "fingerprint": "42ccecc5ba28a50ad49579fbc072728cd75242e71d96f2716975d43434fa4c77", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|42ccecc5ba28a50ad49579fbc072728cd75242e71d96f2716975d43434fa4c77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/core/crates/auth/src/auth_api_error_tests.rs"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 46692, "scanner": "repobility-threat-engine", "fingerprint": "21effe71c0a71a20a8f794ad4e703b6c383af8fc379d7e83485615f33fea4775", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21effe71c0a71a20a8f794ad4e703b6c383af8fc379d7e83485615f33fea4775"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/core/crates/api-client/src/error.rs"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 46691, "scanner": "repobility-threat-engine", "fingerprint": "15b62ad010053000daadcaefcab1b1d90bceaa7be73fc45c6078fda920d37ee9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15b62ad010053000daadcaefcab1b1d90bceaa7be73fc45c6078fda920d37ee9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/core/crates/api-client/src/connect_stream_frames.rs"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 46690, "scanner": "repobility-threat-engine", "fingerprint": "d763668abc362df74774cf593c0f9d21665702c0fed325ee2273fa158a56dc95", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d763668abc362df74774cf593c0f9d21665702c0fed325ee2273fa158a56dc95", "aggregated_count": 40}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 46686, "scanner": "repobility-threat-engine", "fingerprint": "48b05db1c8accd9b071a4f82ba7c48348ada6f0f4c20bc02001ac9a24c7e392b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|48b05db1c8accd9b071a4f82ba7c48348ada6f0f4c20bc02001ac9a24c7e392b", "aggregated_count": 26}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 46685, "scanner": "repobility-threat-engine", "fingerprint": "15ea911d4cd986350994aa8ae327701e778d46ca74246efb0c0875b115a947fb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15ea911d4cd986350994aa8ae327701e778d46ca74246efb0c0875b115a947fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/auth/login/ServerSettingsModal.tsx"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 46684, "scanner": "repobility-threat-engine", "fingerprint": "12942f77fa624be37da320e5a8e9b511afdcc99e3c03bccfbf69a7e0e10d2f65", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|12942f77fa624be37da320e5a8e9b511afdcc99e3c03bccfbf69a7e0e10d2f65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/main.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 46683, "scanner": "repobility-threat-engine", "fingerprint": "0b2eaaff7d54162b376f59839149fda0640d1766b8cf9cba5e9d063aade0b8b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0b2eaaff7d54162b376f59839149fda0640d1766b8cf9cba5e9d063aade0b8b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build_defs/web/next_bazel_wrapper.mjs"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 46681, "scanner": "repobility-threat-engine", "fingerprint": "a2f1cce14826c19e7006b17ebecb438f16db817564124c2160a4a852693e9703", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.Info(\"token usage report had no usable records (no pod_started_at; legacy or buggy runner)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|logger.info token usage report had no usable records no pod_started_at legacy or buggy runner"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/tokenusage/service.go"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED009", "level": "none", "message": {"text": "[MINED009] Floats For Money (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 46680, "scanner": "repobility-threat-engine", "fingerprint": "0df4cb2fbea220f3202f6f25a9fdf12664cf406497984bbe6567ae142c57ddcf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0df4cb2fbea220f3202f6f25a9fdf12664cf406497984bbe6567ae142c57ddcf", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 46674, "scanner": "repobility-threat-engine", "fingerprint": "0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 46673, "scanner": "repobility-threat-engine", "fingerprint": "402ad892c7487fbb6348dd2eb4224adcd9867a1a11912e60b4a94f27ef3fb9cf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|402ad892c7487fbb6348dd2eb4224adcd9867a1a11912e60b4a94f27ef3fb9cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/core/crates/auth/src/auth_api_error_tests.rs"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 46672, "scanner": "repobility-threat-engine", "fingerprint": "d92dcda8252ef7bcd1446819aee5a42a009103cfe07f03b484910364ed700879", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d92dcda8252ef7bcd1446819aee5a42a009103cfe07f03b484910364ed700879"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/repository/service_create.go"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 46671, "scanner": "repobility-threat-engine", "fingerprint": "b2fe4711ff78c417566932f8184d0e7b2c78f64c619761ff06037850f94a4867", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b2fe4711ff78c417566932f8184d0e7b2c78f64c619761ff06037850f94a4867"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/infra/git/github_client.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED033", "level": "none", "message": {"text": "[MINED033] Go Recover Without Log (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "properties": {"repobilityId": 46670, "scanner": "repobility-threat-engine", "fingerprint": "909365c57e86ddaeea3c7604d82fc6d2fc9a74d50a7c1f80f96128447c1d7463", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|909365c57e86ddaeea3c7604d82fc6d2fc9a74d50a7c1f80f96128447c1d7463", "aggregated_count": 4}}}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 46665, "scanner": "repobility-threat-engine", "fingerprint": "5bff9459929a86a3b1de3030b6af3e36cf03f083a5a63de3ebd8e5c8c3ee60ef", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5bff9459929a86a3b1de3030b6af3e36cf03f083a5a63de3ebd8e5c8c3ee60ef", "aggregated_count": 19}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 46661, "scanner": "repobility-threat-engine", "fingerprint": "762be3892429d7792438b78cee1dc282d41a951d84b3401fe8c7091cbd12783f", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|762be3892429d7792438b78cee1dc282d41a951d84b3401fe8c7091cbd12783f"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. 
Review if needed."}, "properties": {"repobilityId": 46656, "scanner": "repobility-threat-engine", "fingerprint": "fe63a0c3db36cbf73bb9f04d5837f9f34863a99ac7da05df7321980a56d87019", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fe63a0c3db36cbf73bb9f04d5837f9f34863a99ac7da05df7321980a56d87019"}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 46652, "scanner": "repobility-threat-engine", "fingerprint": "8bb0ebc095a92cb2e8b1efc716d249a36801c5052651ea8c6cf690985bc87637", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8bb0ebc095a92cb2e8b1efc716d249a36801c5052651ea8c6cf690985bc87637", "aggregated_count": 2}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 46651, "scanner": "repobility-threat-engine", "fingerprint": "922a63e61a7264ed24b96184aae29cee65e42d8c520efe6a02226072c0a9a4c9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|922a63e61a7264ed24b96184aae29cee65e42d8c520efe6a02226072c0a9a4c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/agent/config_builder.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 46650, "scanner": "repobility-threat-engine", "fingerprint": "098b61011243b35a73d8faccfa52763fbfb76a3629d1f60bfb2cc86305c2ea8c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|098b61011243b35a73d8faccfa52763fbfb76a3629d1f60bfb2cc86305c2ea8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 46649, "scanner": "repobility-threat-engine", "fingerprint": "c16c7dd25b027f215a515290b74a40464f0f79e10f48eeba6e36c15ae13572f4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c16c7dd25b027f215a515290b74a40464f0f79e10f48eeba6e36c15ae13572f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/server/main_startup.go"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 103 more): Same pattern found in 103 additional files. Review if needed."}, "properties": {"repobilityId": 46648, "scanner": "repobility-threat-engine", "fingerprint": "cd82d10085300c2af2ba86673b7fa166c7a87579e2f5318ae0119f29538130a6", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 103 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 103 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|cd82d10085300c2af2ba86673b7fa166c7a87579e2f5318ae0119f29538130a6"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "properties": {"repobilityId": 46644, "scanner": "repobility-threat-engine", "fingerprint": "f1fc3641eda91975143de8c7fe6c0a14225358556f7c291734ff43c937338e6d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 52 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f1fc3641eda91975143de8c7fe6c0a14225358556f7c291734ff43c937338e6d", "aggregated_count": 52}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 46643, "scanner": "repobility-threat-engine", "fingerprint": "18826997ba20c9ad69f36e85b8f1aeeb8fbb08a07755aa322c40712905673e06", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18826997ba20c9ad69f36e85b8f1aeeb8fbb08a07755aa322c40712905673e06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/server/eventbus_perpetual.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 46642, "scanner": "repobility-threat-engine", "fingerprint": "fa84b7998f570e7d934192816c6483da016e658ef6473afc99717c0ca849182e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa84b7998f570e7d934192816c6483da016e658ef6473afc99717c0ca849182e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/server/eventbus_loop.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 46641, "scanner": "repobility-threat-engine", "fingerprint": "476c8cf84e9aeeeba98b99b2acd32c2643d0c3f955b1af07d08b3d70ba04b814", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": 
true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|476c8cf84e9aeeeba98b99b2acd32c2643d0c3f955b1af07d08b3d70ba04b814"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/backfill-identifiers/main.go"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 46640, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 15 more): Same pattern found in 15 additional files. 
Review if needed."}, "properties": {"repobilityId": 46636, "scanner": "repobility-threat-engine", "fingerprint": "11c1ac2c2701254762d74bbeb51c35ad880c4c72ab240f29dfc4a34dd68295d0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|11c1ac2c2701254762d74bbeb51c35ad880c4c72ab240f29dfc4a34dd68295d0"}}}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `relay` image is selected through a build variable"}, "properties": {"repobilityId": 7354, "scanner": "repobility-docker", "fingerprint": "8c36c463a648da080090d1d13035bde9bad34ea448424047f6928f3f34237e9e", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "agentsmesh/relay:${VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8c36c463a648da080090d1d13035bde9bad34ea448424047f6928f3f34237e9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/selfhost/docker-compose.yml"}, "region": {"startLine": 182}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `web-admin` image is selected through a build variable"}, "properties": {"repobilityId": 7353, "scanner": "repobility-docker", "fingerprint": 
"9794d520d8c3b6a02ecbf6dc6746a8022cbf7efe0095df15c466d529c5736b39", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "agentsmesh/web-admin:${VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|9794d520d8c3b6a02ecbf6dc6746a8022cbf7efe0095df15c466d529c5736b39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/selfhost/docker-compose.yml"}, "region": {"startLine": 162}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `web` image is selected through a build variable"}, "properties": {"repobilityId": 7352, "scanner": "repobility-docker", "fingerprint": "539d732d0445f24945bfedaac4cca4b2b0dfc7bf7aa9ac47eecbc4f918c3b921", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "agentsmesh/web:${VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|539d732d0445f24945bfedaac4cca4b2b0dfc7bf7aa9ac47eecbc4f918c3b921"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/selfhost/docker-compose.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `backend` image is selected through a build variable"}, "properties": {"repobilityId": 7350, "scanner": "repobility-docker", "fingerprint": 
"e45f004f287b413a3f46ed5994ad00bd54245bc54c79048768b37dfc28ae554c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "agentsmesh/backend:${VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e45f004f287b413a3f46ed5994ad00bd54245bc54c79048768b37dfc28ae554c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/selfhost/docker-compose.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `relay` image is selected through a build variable"}, "properties": {"repobilityId": 7347, "scanner": "repobility-docker", "fingerprint": "40f4154544682e268dbec3925b099e69a62211065c1749b90f2ee49c1847b457", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "agentsmesh/relay:${VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|40f4154544682e268dbec3925b099e69a62211065c1749b90f2ee49c1847b457"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/onpremise/docker-compose.yml"}, "region": {"startLine": 231}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `web-admin` image is selected through a build variable"}, "properties": {"repobilityId": 7344, "scanner": "repobility-docker", "fingerprint": 
"1b88e5c65b8c3953e9d41945905814845840766aac95fb192194f3ab53eb3069", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "agentsmesh/web-admin:${VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1b88e5c65b8c3953e9d41945905814845840766aac95fb192194f3ab53eb3069"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/onpremise/docker-compose.yml"}, "region": {"startLine": 207}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `web` image is selected through a build variable"}, "properties": {"repobilityId": 7343, "scanner": "repobility-docker", "fingerprint": "461620ee167b5b28cec2001b6ec6ba5b56c6feb475fb16aa94b1349fff61201a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "agentsmesh/web:${VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|461620ee167b5b28cec2001b6ec6ba5b56c6feb475fb16aa94b1349fff61201a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/onpremise/docker-compose.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `backend` image is selected through a build variable"}, "properties": {"repobilityId": 7341, "scanner": "repobility-docker", "fingerprint": 
"cb28777c5c1aa0c712e87d07da4a3099b8d9d98ce2840925791bac1e6b472744", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "agentsmesh/backend:${VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|cb28777c5c1aa0c712e87d07da4a3099b8d9d98ce2840925791bac1e6b472744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/onpremise/docker-compose.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 7314, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7313, "scanner": "repobility-threat-engine", "fingerprint": "e5fb74e26bf958d7c6dbf5bdd902804164add77b1fa332364b3b30bffe0282bd", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "Print(\"Waiting for authorization\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|17|print waiting for authorization"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runner/internal/client/grpc_registration.go"}, "region": {"startLine": 171}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7312, "scanner": "repobility-threat-engine", "fingerprint": "dfaeb4f919f33384321dfadbf673e8e8a0370bfa3052bd923e28cb686cb410f7", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "logger.Warn(\"Runner connection missing token\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|logger.warn runner connection missing token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "relay/internal/server/handler.go"}, "region": {"startLine": 63}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 7310, "scanner": "repobility-threat-engine", "fingerprint": "6cb54a6ac3424c804429f4ede903f344df26e0db6167077556b30835ec236c09", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 29 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6cb54a6ac3424c804429f4ede903f344df26e0db6167077556b30835ec236c09"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46825, "scanner": "repobility-supply-chain", "fingerprint": "0e4b1bb42e54a3c2c668d7f4ec0b7829f68d290a693cffd6b89a165cac32055e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e4b1bb42e54a3c2c668d7f4ec0b7829f68d290a693cffd6b89a165cac32055e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 533}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46824, "scanner": "repobility-supply-chain", "fingerprint": "56c139e7efbeb6d65cd190795697f8ce08cf49a71a08de0bb07a8f1c5156f8b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|56c139e7efbeb6d65cd190795697f8ce08cf49a71a08de0bb07a8f1c5156f8b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 532}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46823, "scanner": "repobility-supply-chain", "fingerprint": "88fce25398b7a37949c37b0dc5d536dd881eb878256f0f094ca549cd42820b70", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88fce25398b7a37949c37b0dc5d536dd881eb878256f0f094ca549cd42820b70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 487}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46822, "scanner": "repobility-supply-chain", "fingerprint": "5a835f4820826ab9481ef8edb91b191b292dfd3498afb18f3789596395bed75d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a835f4820826ab9481ef8edb91b191b292dfd3498afb18f3789596395bed75d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 443}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46821, "scanner": "repobility-supply-chain", "fingerprint": "bce1ae49841e9eec090220aaec965a681b2584afc1440e84c38552f7e956c4e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bce1ae49841e9eec090220aaec965a681b2584afc1440e84c38552f7e956c4e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 428}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46820, "scanner": "repobility-supply-chain", "fingerprint": "665790bda81b4c0f2afc776732417e626313fc84d75679a666f5537fa299c0d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|665790bda81b4c0f2afc776732417e626313fc84d75679a666f5537fa299c0d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46819, "scanner": "repobility-supply-chain", "fingerprint": "8c283917640e33f01bb3d0e22a9ca9c896258f10e463937dd25f638fd118ee6e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c283917640e33f01bb3d0e22a9ca9c896258f10e463937dd25f638fd118ee6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 354}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46818, "scanner": "repobility-supply-chain", "fingerprint": "85ebd028430639a1cb7159abdd1271027ed6144bfa275afb210d08fea4370db2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85ebd028430639a1cb7159abdd1271027ed6144bfa275afb210d08fea4370db2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 338}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46817, "scanner": "repobility-supply-chain", "fingerprint": "9472eb70d55374cdfed0290f0d664b56ef4fdf55d35a68b6e26b9a34e82cdea9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9472eb70d55374cdfed0290f0d664b56ef4fdf55d35a68b6e26b9a34e82cdea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 337}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46816, "scanner": "repobility-supply-chain", "fingerprint": "2bf50661dc3f1b37d74495ff120528d323aa2185a57da7fe31cdb1f87c286489", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2bf50661dc3f1b37d74495ff120528d323aa2185a57da7fe31cdb1f87c286489"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 298}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46815, "scanner": "repobility-supply-chain", "fingerprint": "8061449e7ce32d3f12c87b54bd7b78153badc19afbdbc1ea9ba77d1d57c7ef74", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8061449e7ce32d3f12c87b54bd7b78153badc19afbdbc1ea9ba77d1d57c7ef74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 297}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46814, "scanner": "repobility-supply-chain", "fingerprint": "48169f431a9f7f3d173ae5bd5599938db5afff2894ef60c593d1d77e7ae7eee0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48169f431a9f7f3d173ae5bd5599938db5afff2894ef60c593d1d77e7ae7eee0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 282}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46813, "scanner": "repobility-supply-chain", "fingerprint": "d4b5b7e13964e9694d9eb55f9750facfb0f1bdc47ddf56bc8860d6675fadcad3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d4b5b7e13964e9694d9eb55f9750facfb0f1bdc47ddf56bc8860d6675fadcad3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 281}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46812, "scanner": "repobility-supply-chain", "fingerprint": "65ec7d0ee30a504701fd6a0e5339f7af7d2fad867ceb2a6b5efd6d9243d9491d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65ec7d0ee30a504701fd6a0e5339f7af7d2fad867ceb2a6b5efd6d9243d9491d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46811, "scanner": "repobility-supply-chain", "fingerprint": "e6921fd6755f8158ee2029274a92e3ef879c014425a0191a3209d7c13e96acdf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6921fd6755f8158ee2029274a92e3ef879c014425a0191a3209d7c13e96acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46810, "scanner": "repobility-supply-chain", "fingerprint": "c1e4c9174133a4aaecadf44683dbc7687c23a7c61f0d4518c163ce50eb9fc04b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1e4c9174133a4aaecadf44683dbc7687c23a7c61f0d4518c163ce50eb9fc04b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46809, "scanner": "repobility-supply-chain", "fingerprint": "98327494a987014cdce3364aeed42cb644687bbd2de44c078d5a930f42386d3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98327494a987014cdce3364aeed42cb644687bbd2de44c078d5a930f42386d3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46808, "scanner": "repobility-supply-chain", "fingerprint": "08b6d48d4c334cbabfbf6e29b0e71b0a95acb05b4d1571f903e22941f5b11922", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|08b6d48d4c334cbabfbf6e29b0e71b0a95acb05b4d1571f903e22941f5b11922"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46807, "scanner": "repobility-supply-chain", "fingerprint": "d9bb3052c5b8d7542844c273b2a67bb7c997146940e78e6e1c142db95d58ebea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9bb3052c5b8d7542844c273b2a67bb7c997146940e78e6e1c142db95d58ebea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46806, "scanner": "repobility-supply-chain", "fingerprint": "c766738c79578ee709dbaff94cc2d3f3d8eddbd036ea83e4848aeadb167d479f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c766738c79578ee709dbaff94cc2d3f3d8eddbd036ea83e4848aeadb167d479f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46805, "scanner": "repobility-supply-chain", "fingerprint": "def6af814e1c1d6cc5f1689cf637092355016a40886fd98309b06f5a9b2db219", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|def6af814e1c1d6cc5f1689cf637092355016a40886fd98309b06f5a9b2db219"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46804, "scanner": "repobility-supply-chain", "fingerprint": "5c6c44167fb135a13d6ff0665e8e3f69113f4f6dfa8bc9b3eadcd6bea5a4332b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c6c44167fb135a13d6ff0665e8e3f69113f4f6dfa8bc9b3eadcd6bea5a4332b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46803, "scanner": "repobility-supply-chain", "fingerprint": "9787527db0bd1b149ff326028883d05cb394eb08d5b50e0553a29cdf99269a1a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9787527db0bd1b149ff326028883d05cb394eb08d5b50e0553a29cdf99269a1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bazel-contrib/setup-bazel` pinned to mutable ref `@0.9.1`: `uses: bazel-contrib/setup-bazel@0.9.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46802, "scanner": "repobility-supply-chain", "fingerprint": "61bcc60fa12500ed212ff7f9658a9f3352b31ce14da91278b22f7c3f0d04e4c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61bcc60fa12500ed212ff7f9658a9f3352b31ce14da91278b22f7c3f0d04e4c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46801, "scanner": "repobility-supply-chain", "fingerprint": "52dfde5177ddd963dd8d5ecc5d0977a2007b36ce75e2f50cbbe23e54fcd68203", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52dfde5177ddd963dd8d5ecc5d0977a2007b36ce75e2f50cbbe23e54fcd68203"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:trixie-slim` not pinned by digest: `FROM debian:trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 46800, "scanner": "repobility-supply-chain", "fingerprint": "e0fdb6d22c28748f3b13bfcf76a110513d5ece47e66a54faaa8e2378eb426b6c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0fdb6d22c28748f3b13bfcf76a110513d5ece47e66a54faaa8e2378eb426b6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/runner.Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 46799, "scanner": "repobility-journey-contract", "fingerprint": "fc336045688af378c45e5fafe68b34d48580a04e8ecf4e824166a5e1ff3a923a", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clients/web/src/app/ auth /reset-password/page.tsx|190|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/(auth)/reset-password/page.tsx"}, "region": {"startLine": 190}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 46798, "scanner": "repobility-journey-contract", "fingerprint": 
"0393641def201138b11c3b5faa8f70a542a5ef6b5dcf828a5dac12adc6937d06", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clients/web/src/app/ auth /register/page.tsx|122|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/(auth)/register/page.tsx"}, "region": {"startLine": 122}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 46797, "scanner": "repobility-journey-contract", "fingerprint": "32e03f55f40ddba802e142b60007bbc5a80103cd55c8c0e902895e9a1a5b76c8", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clients/web/src/app/ auth /login/page.tsx|166|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/(auth)/login/page.tsx"}, "region": {"startLine": 166}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 46796, "scanner": "repobility-journey-contract", "fingerprint": "07debe9976370a366861cc249aef095d4245014a2edd098b11f6193e31709237", "category": "auth", "severity": "high", 
"confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|178|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/auth/reset-password/ResetPasswordPage.tsx"}, "region": {"startLine": 178}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 46795, "scanner": "repobility-journey-contract", "fingerprint": "4ba578d2327cf61e2f1509dd45913fbf3f055f3ca6b06d12b83911875ce36340", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|154|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/auth/register/RegisterPage.tsx"}, "region": {"startLine": 154}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /:id."}, "properties": {"repobilityId": 46768, "scanner": "repobility-access-control", "fingerprint": "5ddb5f41cf983adc32ee85c630f8aece59e1e047cce922df4820fc53280f8bbb", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|100|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_ext.go"}, "region": {"startLine": 100}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /:id/pods."}, "properties": {"repobilityId": 46767, "scanner": "repobility-access-control", "fingerprint": "144c2a47a33c13d18352d079c86f2f3acc976e02faa0a88807f6d96979a3eadb", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id/pods", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|90|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_ext.go"}, "region": {"startLine": 90}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. 
This is a BOLA/IDOR review target. Endpoint: GET /:id."}, "properties": {"repobilityId": 46766, "scanner": "repobility-access-control", "fingerprint": "2f531c8bd723c523543e14aaefdb87087f0ed91a36911c6e0d04348f7b3725f3", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|88|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_ext.go"}, "region": {"startLine": 88}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /:id/messages."}, "properties": {"repobilityId": 46765, "scanner": "repobility-access-control", "fingerprint": "dd903541cb4e4be5d611ed307a85cff1cee5b11b6ebeab4b38342b7756802225", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id/messages", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|71|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_ext.go"}, "region": {"startLine": 71}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /:id."}, "properties": {"repobilityId": 46764, "scanner": "repobility-access-control", "fingerprint": "1c9c86726487173ffca6a9797a0ecf12ac432cec99c1df262b424adb186fa278", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "PUT", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|70|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_ext.go"}, "region": {"startLine": 70}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. 
This is a BOLA/IDOR review target. Endpoint: GET /:id/messages."}, "properties": {"repobilityId": 46763, "scanner": "repobility-access-control", "fingerprint": "c5dc56d0da4ba36aa4cdeb25d94a0e14c3c9168e274b29647224dd46a6cb47cc", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id/messages", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|64|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_ext.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /:id."}, "properties": {"repobilityId": 46762, "scanner": "repobility-access-control", "fingerprint": "7510f44cc79ed830a6604c92da87a1cfcf64a8800eb0edd36f5be92d991d02dc", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|63|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_ext.go"}, "region": {"startLine": 63}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /:id/reactivate."}, "properties": {"repobilityId": 46761, "scanner": "repobility-access-control", "fingerprint": "f1d7c6d7e2d5dc7cc6d199b1f871ea7302b786be3cba3395a4e285c43f0ea521", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id/reactivate", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|221|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/runners_grpc.go"}, "region": {"startLine": 221}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. 
This is a BOLA/IDOR review target. Endpoint: DELETE /:relay_id."}, "properties": {"repobilityId": 46760, "scanner": "repobility-access-control", "fingerprint": "d13458852aefc138331d8c8d5b2f3c6b0ac707455fcaa38bedb9c037dba822a3", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:relay_id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|51|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /:relay_id."}, "properties": {"repobilityId": 46759, "scanner": "repobility-access-control", "fingerprint": "dde7787be2120360ab09686f8dc6f391e22887333bafa9a4dbc701c8cf1a7651", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:relay_id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|50|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 46704, "scanner": "repobility-threat-engine", "fingerprint": "779c86539d299549639a6ba948f276a7ab5395adddfea54f1a86eccc53509404", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|779c86539d299549639a6ba948f276a7ab5395adddfea54f1a86eccc53509404"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/docs/runners/setup/page.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 46703, "scanner": "repobility-threat-engine", "fingerprint": "cc3151c571963413b6c1620a911eaf64b610389705ad7f6ac0cea0667a2c7984", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cc3151c571963413b6c1620a911eaf64b610389705ad7f6ac0cea0667a2c7984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/(auth)/onboarding/setup-runner/local/components/SetupSteps.tsx"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 46702, "scanner": "repobility-threat-engine", "fingerprint": "d06e3455e1a7e320ae076b72f147c3ad297a8fd98e90861d49f5677838ad7499", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d06e3455e1a7e320ae076b72f147c3ad297a8fd98e90861d49f5677838ad7499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/auth/onboarding/setup-runner/local/components/SetupSteps.tsx"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 46689, "scanner": "repobility-threat-engine", "fingerprint": "73cf6e7649f8b6158ad5d198fa9cc99427967adb0f5e107b2c634476b07df577", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|73cf6e7649f8b6158ad5d198fa9cc99427967adb0f5e107b2c634476b07df577"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/core/crates/api-client/src/connect_stream_frames.rs"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 46688, "scanner": "repobility-threat-engine", "fingerprint": "385c117eec5a47ab8bdd82eec4a5c7a44e9b55886cf064a2f38b47cebf516323", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|385c117eec5a47ab8bdd82eec4a5c7a44e9b55886cf064a2f38b47cebf516323"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/core/crates/api-client/src/api_core_tests.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 46687, "scanner": "repobility-threat-engine", "fingerprint": "725a4fc59ea815991e81b2568d9b7367ad6187ee0e609e095cf10ed39cbbbf57", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|725a4fc59ea815991e81b2568d9b7367ad6187ee0e609e095cf10ed39cbbbf57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/core/crates/api-client/src/api_agent_billing_tests.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 46679, "scanner": "repobility-threat-engine", "fingerprint": "41ca3fc04508f531b2e718bf80c906cdec9c91856106055cfc98d5eef49b9c85", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41ca3fc04508f531b2e718bf80c906cdec9c91856106055cfc98d5eef49b9c85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"backend/internal/service/payment/stripe/provider_manage.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 46678, "scanner": "repobility-threat-engine", "fingerprint": "13d4eb9766a24785ee4316dd0e8646e135c301b8aa475fcbaea0de5c1d596dfa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|13d4eb9766a24785ee4316dd0e8646e135c301b8aa475fcbaea0de5c1d596dfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/payment/stripe/provider.go"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 46677, "scanner": "repobility-threat-engine", "fingerprint": "381664e26894b1e8f35d43679ba0d7aa736d581b4344565f0a6b12f838ed9e59", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|381664e26894b1e8f35d43679ba0d7aa736d581b4344565f0a6b12f838ed9e59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/payment/lemonsqueezy/webhook.go"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC113", "level": "error", "message": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "properties": {"repobilityId": 46676, "scanner": "repobility-threat-engine", "fingerprint": "f4ad84d0c02fd8aaf28fcd81bcadd37fdcbd7cb38d3279535c45e7d6762a34d1", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "StrictHostKeyChecking=no", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC113", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|103|sec113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/extension/skill_importer_git.go"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 46675, "scanner": "repobility-threat-engine", "fingerprint": "d5e265f76b5c652d7824ac2a99c1757ff70576fa7042ce17ed8a8b2381df1211", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d5e265f76b5c652d7824ac2a99c1757ff70576fa7042ce17ed8a8b2381df1211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/extension/skill_importer_git.go"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 46669, "scanner": "repobility-threat-engine", "fingerprint": "00a56fe1764c0976f82cd9473443c8aaacc032f84d6c1818ded1e303427f220d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|00a56fe1764c0976f82cd9473443c8aaacc032f84d6c1818ded1e303427f220d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/infra/tasks/worker.go"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: 
defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 46668, "scanner": "repobility-threat-engine", "fingerprint": "4a25ea672c66a2edd6355ba10e36d777d36b5c63c4c506af5c7236ff5b49d878", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a25ea672c66a2edd6355ba10e36d777d36b5c63c4c506af5c7236ff5b49d878"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/infra/tasks/scheduler_exec.go"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 46667, "scanner": "repobility-threat-engine", "fingerprint": "ace525213c587367aa4c40ed3d3b94d618b8f1eafe28cfe174c2dd08eb36079c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ace525213c587367aa4c40ed3d3b94d618b8f1eafe28cfe174c2dd08eb36079c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"backend/internal/infra/eventbus/eventbus_publish.go"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 46666, "scanner": "repobility-threat-engine", "fingerprint": "620791693fbb3e2d7c344f8878c0f8c13b6b71ba1e2c2d16404869b31d9fe302", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|620791693fbb3e2d7c344f8878c0f8c13b6b71ba1e2c2d16404869b31d9fe302"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/infra/dns/aliyun_request.go"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 46664, "scanner": "repobility-threat-engine", "fingerprint": "7a6186480cf5baaa1838bea2f3fe673134cb341b86a70ab962c7cb2bac966600", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a6186480cf5baaa1838bea2f3fe673134cb341b86a70ab962c7cb2bac966600"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/grpc/runner_adapter_mcp_ticket.go"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 46663, "scanner": "repobility-threat-engine", "fingerprint": "697913b18169c202f97ebc831fbd15e388a008ca7d2a66d490c69bdcb5e11a37", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|697913b18169c202f97ebc831fbd15e388a008ca7d2a66d490c69bdcb5e11a37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/grpc/runner_adapter_mcp_loop.go"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 46662, "scanner": "repobility-threat-engine", "fingerprint": "2c2fda0ca4f5bf5a83be8d39feb2c22338147cec039267f6ac1db6b2ef2c3404", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c2fda0ca4f5bf5a83be8d39feb2c22338147cec039267f6ac1db6b2ef2c3404"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/grpc/runner_adapter_mcp_discovery.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 46655, "scanner": "repobility-threat-engine", "fingerprint": "c6823aa704f20ed2df6d7cce8cc976dd5e5c6a71d2f1190c580a06c474ef4481", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ticketsWrite.DELETE(\"/:ticket_slug\", ticketHandler.DeleteTicket)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c6823aa704f20ed2df6d7cce8cc976dd5e5c6a71d2f1190c580a06c474ef4481"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_ext.go"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 46654, "scanner": "repobility-threat-engine", "fingerprint": "c16d089f07394e90d108a8e93565b28e83b3d8ccc93e68217796557a617cdab2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.DELETE(\"/:relay_id\", handler.ForceUnregister)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c16d089f07394e90d108a8e93565b28e83b3d8ccc93e68217796557a617cdab2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 46653, "scanner": "repobility-threat-engine", "fingerprint": "91a2d4fb71c6522aea5b3e0b68030974c2443b8ebc4c51e8f41badadd3c679a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "oscNotifDedup.Delete(key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|91a2d4fb71c6522aea5b3e0b68030974c2443b8ebc4c51e8f41badadd3c679a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/server/notif_dedup.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. Allowlist scheme and host, and validate the resolved IP (not only the hostname) so redirects and DNS rebinding cannot reach internal ranges."}, "properties": {"repobilityId": 46647, "scanner": "repobility-threat-engine", "fingerprint": "0168d9faf763158caf3d9c523de123e7548597d7b8e6c2a707871676d0536a53", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0168d9faf763158caf3d9c523de123e7548597d7b8e6c2a707871676d0536a53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/server/infra_init.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (the 169.254.169.254 cloud metadata endpoint, internal Kubernetes endpoints), read local files via file:// URIs, exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 46646, "scanner": "repobility-threat-engine", "fingerprint": "1a6c79efdd05e0f0ea0e883107604a2ad6ecd1ba6d5d4fb098263d87254a6d6a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a6c79efdd05e0f0ea0e883107604a2ad6ecd1ba6d5d4fb098263d87254a6d6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/server/connect_mount.go"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 46645, "scanner": "repobility-threat-engine", "fingerprint": "d2fc2b16bc0f2e71803c22123884ee709455f0432c381e52a18a909b5cfeef12", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d2fc2b16bc0f2e71803c22123884ee709455f0432c381e52a18a909b5cfeef12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/server/cmd_migrate.go"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 46639, "scanner": "repobility-threat-engine", "fingerprint": "c96fceb78d490d5aa399f8cd04288149cc4cb3dcd27e6f0e10d0ab60a96b7090", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c96fceb78d490d5aa399f8cd04288149cc4cb3dcd27e6f0e10d0ab60a96b7090"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/runner/heartbeat_record.go"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input 
enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 46638, "scanner": "repobility-threat-engine", "fingerprint": "24a0a6db1032980d3ae5b7cfa5dc84eb0042adb07356ca56d53da975df62d987", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|24a0a6db1032980d3ae5b7cfa5dc84eb0042adb07356ca56d53da975df62d987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/service/relay/store_redis_relay.go"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 46637, "scanner": "repobility-threat-engine", "fingerprint": "26e5546ccb4bdea2f93bda41ff425efcecd3497cdcb9ef894bb1bb0b898caae5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(updateSQL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|26e5546ccb4bdea2f93bda41ff425efcecd3497cdcb9ef894bb1bb0b898caae5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/backfill-identifiers/audit.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15546, "scanner": "repobility", "fingerprint": "10b30d2205e8b6e12e08a0ce5931898b", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl -fsSL ${serverUrl}/install.sh | sh", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/ide/modals/AddRunnerModal.tsx"}, "region": {"startLine": 143}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15545, "scanner": "repobility", "fingerprint": "5e7055f682c704a0f3151ea0781155c5", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl -fsSL ${serverUrl}/install.sh | sh", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": 
"A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/ide/modals/AddRunnerModal.tsx"}, "region": {"startLine": 141}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15544, "scanner": "repobility", "fingerprint": "634f0786eebb5c6cbe17b52a824ee2d8", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl -fsSL ${serverUrl}/install.sh | sh", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/app/docs/runners/setup/page.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15543, "scanner": "repobility", "fingerprint": "ddeded03ddefede1c8bebe0474f087ce", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl -fsSL ${serverUrl}/install.sh | sh", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/app/docs/getting-started/page.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15542, "scanner": "repobility", "fingerprint": "a190978a5233301ac83f8cc5cbf89926", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl -fsSL {serverUrl}/install.sh | sh", "aljefra_cwe": 
["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/app/(auth)/onboarding/setup-runner/local/page.tsx"}, "region": {"startLine": 286}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15541, "scanner": "repobility", "fingerprint": "fa22e1bf98fd2662df67741af69453cf", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl -fsSL ${serverUrl}/install.sh | sh", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/app/(dashboard)/[org]/runners/components/AddRunnerModal.tsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15540, "scanner": "repobility", "fingerprint": "33e893d85aa9dd2e6a41cd9f5b26f2d0", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl -fsSL ${serverUrl}/install.sh | sh", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/app/(dashboard)/[org]/runners/components/AddRunnerModal.tsx"}, "region": {"startLine": 109}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15539, "scanner": "repobility", "fingerprint": "39d50775ddb3978324f03b3d80f851e6", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, 
"reason": "", "evidence": {"snippet": "curl -fsSL https://agentsmesh.ai/install.sh | sh", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/public/install.sh"}, "region": {"startLine": 3}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 7405, "scanner": "repobility-journey-contract", "fingerprint": "6c7378f1ab85373a1cda02f845fa25ed41cb633411f20a3866e7569d0d55b3a8", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|82|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web-admin/src/app/login/page.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 7404, "scanner": "repobility-journey-contract", "fingerprint": "84153836ee20d5e617e9c755f0ad5b1fc816ecca51e5187ed62eab31fea55500", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clients/web/src/app/ auth 
/reset-password/page.tsx|191|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/(auth)/reset-password/page.tsx"}, "region": {"startLine": 191}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 7403, "scanner": "repobility-journey-contract", "fingerprint": "5d14acabb8c2b3d87b386c4cc15e05244cad662d131381319e4b7c5009e09b41", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clients/web/src/app/ auth /register/page.tsx|128|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/web/src/app/(auth)/register/page.tsx"}, "region": {"startLine": 128}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 7402, "scanner": "repobility-journey-contract", "fingerprint": "cf52c62008dfd7838c1f99428a70cae37171b3614104d316c95e694744f868f5", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clients/web/src/app/ auth /login/page.tsx|171|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"clients/web/src/app/(auth)/login/page.tsx"}, "region": {"startLine": 171}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 7401, "scanner": "repobility-journey-contract", "fingerprint": "45438821a4b93dcd2a3c996b3db2c1e2cc8bff71803c0189207cd94d61740095", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|187|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/auth/reset-password/ResetPasswordPage.tsx"}, "region": {"startLine": 187}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 7400, "scanner": "repobility-journey-contract", "fingerprint": "7d57c5f6cabbe15b1c98a9f9a14c31dbba64681c306fc7e698759674e2f44047", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|159|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/auth/register/RegisterPage.tsx"}, "region": {"startLine": 159}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": 
"Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 7399, "scanner": "repobility-journey-contract", "fingerprint": "85f3faa7506e622349eaa5f5198b46abef30549868fc33091c0b0c3528411d23", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|162|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/auth/login/LoginPage.tsx"}, "region": {"startLine": 162}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PUT /:id."}, "properties": {"repobilityId": 7366, "scanner": "repobility-access-control", "fingerprint": "924d68e357214c8527ba30ae3b9cbbd25f3a7c1781881b68a92e150fb710019b", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "PUT", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|48|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_user.go"}, "region": {"startLine": 48}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /me/agent-configs/:slug."}, "properties": {"repobilityId": 7365, "scanner": "repobility-access-control", "fingerprint": "132cc0be2e59ca0f7c141d8d99b53b9226fccc52195de278b77b0472132b62b0", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/me/agent-configs/:slug", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|32|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_user.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization 
evidence. This is a BOLA/IDOR review target. Endpoint: PUT /me/agent-configs/:slug."}, "properties": {"repobilityId": 7364, "scanner": "repobility-access-control", "fingerprint": "9c0aa2ee078c7c8abb71e3201b41d1e44d8d5b6283e853c4d1aa0a31b39385f6", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/me/agent-configs/:slug", "method": "PUT", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|31|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_user.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /me/agent-configs/:slug."}, "properties": {"repobilityId": 7363, "scanner": "repobility-access-control", "fingerprint": "7226f68abdde72fd5d353d7908f49ea5eeeb2e97d5283c5792fe7ca33f4a4d83", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/me/agent-configs/:slug", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|30|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_user.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /:id."}, "properties": {"repobilityId": 7362, "scanner": "repobility-access-control", "fingerprint": "00b3d3857f0474029d4f4edcf923a58fc8970dcc4ef1b643e7874dfdbb2b22cf", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|40|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/user_git_credentials.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /:id."}, "properties": {"repobilityId": 7361, "scanner": "repobility-access-control", "fingerprint": "8d4db73e8c93e265672c46b93919fe2a2f3a9ad90f97b9eff32d529a68a76b53", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "PUT", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|39|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/user_git_credentials.go"}, "region": {"startLine": 39}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. 
This is a BOLA/IDOR review target. Endpoint: GET /:id."}, "properties": {"repobilityId": 7360, "scanner": "repobility-access-control", "fingerprint": "2072f67eacad9aee375653c386059c3cd803fb9a5318b503957b30e95b2e42d1", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|38|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/user_git_credentials.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /:key/grants/:grant_id."}, "properties": {"repobilityId": 7359, "scanner": "repobility-access-control", "fingerprint": "e30aaccfe9870c806485f01652c3efc887be911016302c68f1e61ee27f64af9e", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:key/grants/:grant_id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|35|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/v1/routes_pods.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /:relay_id."}, "properties": {"repobilityId": 7358, "scanner": "repobility-access-control", "fingerprint": "860a03cd738d60ce1e9e9bb68cedb5a16491b92a9cc212c97c08cb9a760189df", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:relay_id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|56|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /:relay_id."}, "properties": {"repobilityId": 7357, "scanner": "repobility-access-control", "fingerprint": "57341170561ad7e7861c32511cb722a6a01de6138b6b50e6981be4b8e298fe60", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:relay_id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|token|55|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/internal/api/rest/internal/relay_routes.go"}, "region": {"startLine": 55}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 7349, "scanner": "repobility-docker", "fingerprint": "247163c1480623e38b5336ea9d4e92e9b45be6a628c65329c9714b7d9d9321ef", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${MINIO_CONSOLE_PORT:-9001}:9001", "target": "9001", "host_ip": "${MINIO_CONSOLE_PORT", "published": "-9001}"}, {"raw": "${MINIO_API_PORT:-9000}:9000", "target": "9000", "host_ip": "${MINIO_API_PORT", "published": "-9000}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|247163c1480623e38b5336ea9d4e92e9b45be6a628c65329c9714b7d9d9321ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/selfhost/docker-compose.yml"}, "region": {"startLine": 52}}}]}, 
{"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 7340, "scanner": "repobility-docker", "fingerprint": "8aa2373e80f8c151cdcdff1c8dabe440ce76e1f0208f06e95ee60625b3359f7b", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${MINIO_API_PORT:-9000}:9000", "target": "9000", "host_ip": "${MINIO_API_PORT", "published": "-9000}"}, {"raw": "${MINIO_CONSOLE_PORT:-9001}:9001", "target": "9001", "host_ip": "${MINIO_CONSOLE_PORT", "published": "-9001}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|8aa2373e80f8c151cdcdff1c8dabe440ce76e1f0208f06e95ee60625b3359f7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/onpremise/docker-compose.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 7338, "scanner": "repobility-docker", "fingerprint": "1870616932725c3349ff40d8ca101c39de750ddc9f8caf0a2f18ab7fe5d8145b", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${REDIS_PORT:-6379}:6379", "target": "6379", "host_ip": "${REDIS_PORT", "published": "-6379}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|1870616932725c3349ff40d8ca101c39de750ddc9f8caf0a2f18ab7fe5d8145b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/onpremise/docker-compose.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 7321, "scanner": "repobility-docker", "fingerprint": "32d0892ef11053957b01d350308ebaae2719b56b1cda30b7e161724d3460586f", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${MINIO_API_PORT:-9000}:9000", "target": "9000", "host_ip": "${MINIO_API_PORT", "published": "-9000}"}, {"raw": "${MINIO_CONSOLE_PORT:-9001}:9001", "target": "9001", "host_ip": "${MINIO_CONSOLE_PORT", "published": "-9001}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|32d0892ef11053957b01d350308ebaae2719b56b1cda30b7e161724d3460586f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 7318, "scanner": "repobility-docker", "fingerprint": "257ec834730d8b476724cc41441aad5e12257c87a737dad03d6294acc7ddc07d", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host 
ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${REDIS_PORT:-6379}:6379", "target": "6379", "host_ip": "${REDIS_PORT", "published": "-6379}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|257ec834730d8b476724cc41441aad5e12257c87a737dad03d6294acc7ddc07d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7311, "scanner": "repobility-threat-engine", "fingerprint": "1f4abe8857af7415bf2b7e7b8f2e92c9bc621174deeef2ca04e670a561367fca", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.Info(\"Handshake failed, requesting new token from Backend\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|12|logger.info handshake failed requesting new token from backend"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runner/internal/relay/client_reconnect.go"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 46682, "scanner": 
"repobility-threat-engine", "fingerprint": "e1f3004e22561c638199ad29f43f267662b2a8a1dd3466a46d02e789f60f4ca1", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.3 bits) \u2014 likely real secret", "evidence": {"match": "PASSWORD=\"<redacted>}\"", "reason": "High entropy value (4.3 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/scripts/blockstore_smoke.sh"}, "region": {"startLine": 12}}}]}, {"ruleId": "SECR004", "level": "error", "message": {"text": "Password embedded in URL"}, "properties": {"repobilityId": 16770, "scanner": "repobility", "fingerprint": "9df6fae5b4d92f263f4d69664cd93865", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "postgres://test:test@", "aljefra_cwe": ["CWE-200"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "password-in-url"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gitlab-ci.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16625, "scanner": "repobility", "fingerprint": "43dca9f22c1c77107725e355c8d32ae9", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/settings/git/AddCredentialDialog.tsx"}, "region": 
{"startLine": 134}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16624, "scanner": "repobility", "fingerprint": "4e8fdc41f8006e0a11efdf9cfc70e4bc", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/es/settings.json"}, "region": {"startLine": 267}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16623, "scanner": "repobility", "fingerprint": "1013e9d2f4585c83550730007d5c1c84", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/es/extensions.json"}, "region": {"startLine": 98}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16622, "scanner": "repobility", "fingerprint": "7ab666369e19dda9a1aac7797fc7d0a4", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/fr/extensions.json"}, "region": {"startLine": 
98}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16621, "scanner": "repobility", "fingerprint": "7a3a735fbc3e3f0690e15644a2fca114", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/fr/settings.json"}, "region": {"startLine": 267}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16620, "scanner": "repobility", "fingerprint": "72027a21eb4b293dfbb1904a7167b4a0", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/en/extensions.json"}, "region": {"startLine": 98}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16619, "scanner": "repobility", "fingerprint": "97fdafd32d50687e431901adb8438569", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/en/settings.json"}, "region": {"startLine": 407}}}]}, {"ruleId": 
"SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16618, "scanner": "repobility", "fingerprint": "3267ba66ab0a5963a3f56f1e0d5df913", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/de/extensions.json"}, "region": {"startLine": 98}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16617, "scanner": "repobility", "fingerprint": "9f87b0ffb65af8969c014c9d87759b3c", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/de/settings.json"}, "region": {"startLine": 267}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16616, "scanner": "repobility", "fingerprint": "939ef367a5c9df95c3407715b65895e9", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/ja/settings.json"}, "region": {"startLine": 267}}}]}, {"ruleId": "SECR001", "level": 
"error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16615, "scanner": "repobility", "fingerprint": "1189a72d6b0c980bba988e74e46f80cc", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/ja/extensions.json"}, "region": {"startLine": 98}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16614, "scanner": "repobility", "fingerprint": "7d416032fe01292b62f9d87161c1a0b9", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/ko/settings.json"}, "region": {"startLine": 267}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16613, "scanner": "repobility", "fingerprint": "87f070fefb4981746232413a75e53ae1", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/ko/extensions.json"}, "region": {"startLine": 98}}}]}, {"ruleId": "SECR001", "level": "error", "message": 
{"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16612, "scanner": "repobility", "fingerprint": "a18f3624de5d8b5d9664179eaaf082b9", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/pt/extensions.json"}, "region": {"startLine": 98}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16611, "scanner": "repobility", "fingerprint": "3921f11e677822be6686e4bbaf4f9ab7", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN OPENSSH PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/messages/pt/settings.json"}, "region": {"startLine": 267}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 7387, "scanner": "repobility-journey-contract", "fingerprint": "51168b413f9169487c4af7b20dbca0d3f90e79a9529ee490c11b8f6e1da575f6", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", 
"https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|40|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/pages/auth/login/OAuthButtons.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 7386, "scanner": "repobility-journey-contract", "fingerprint": "02710201f42af570a325777e14aaf540b062e6f0ae3852b17c0036ef47c302d7", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|19|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clients/desktop/src/renderer/main.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 7351, "scanner": "repobility-docker", "fingerprint": "c67e0614693109e8547a34d8530f35f0517c9c52ff32e71d0133c740e059f932", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "backend", "variable": "STORAGE_ACCESS_KEY", "references": 
["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|c67e0614693109e8547a34d8530f35f0517c9c52ff32e71d0133c740e059f932", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/selfhost/docker-compose.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 7342, "scanner": "repobility-docker", "fingerprint": "9817510c9fb8e1f29153054cd640bb607d9680cae490f3f8d698fe41ece79e9a", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "backend", "variable": "STORAGE_ACCESS_KEY", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|9817510c9fb8e1f29153054cd640bb607d9680cae490f3f8d698fe41ece79e9a", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/onpremise/docker-compose.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 7332, "scanner": "repobility-docker", "fingerprint": "45fb0772167e9e32964651c581093084e6bcf44e65ab1a489875783918523a12", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": 
"repobility-docker", "service": "traefik", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|45fb0772167e9e32964651c581093084e6bcf44e65ab1a489875783918523a12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dev/docker-compose.yml"}, "region": {"startLine": 238}}}]}]}]}